- About this Guide
- Cisco Service Control Overview
- Command Line Interface
- Basic Cisco SCE8000 Platform Operations
- Utilities
- Configuring the Management Interface and Security
- Global Configuration
- Configuring the Line Interface
- Configuring the Connection
- Raw Data Formatting: The RDR Formatter and NetFlow Exporting
- Managing Subscribers
- Redundancy and Fail-Over
- Identifying and Preventing Distributed-Denial-Of-Service Attacks
- Managing the SCMP
- Intelligent Traffic Mirroring
- Cisco Service Control MIBs
- Monitoring SCE Platform Utilization
- Cisco SCE8000 Licensing Information
Cisco SCE8000 GBE Software Configuration Guide, Release 5.2.x
- Updated:
- October 6, 2015
Chapter: Global Configuration
Global Configuration
Introduction
This chapter explains how to perform global configuration tasks, including IP routing and clock and time zone settings:
- IP Routing Configuration
- Configuring Time Clocks and Time Zone
- Configuring SNTP
- Domain Name Server (DNS) Settings
- Configuring Cisco Discovery Protocol
- Enabling the CLI Interface Warning Banner
- OS Fingerprinting and NAT Detection
- Using the Bursty Traffic Convergence
- DNS Assisted Classification/Sampling
IP Routing Configuration
Configuring the IP Routing Table
- How to Configure the Default Gateway
- How to Add an Entry to the IP Routing Table
- How to Display the IP Routing Table
For handling IP packets on the out-of-band MNG port, the Cisco SCE platform maintains a static routing table. When a packet is sent, the system checks the routing table for proper routing, and forwards the packet accordingly. In cases where the Cisco SCE platform cannot determine where to route a packet, it sends the packet to the default gateway.
Cisco SCE platform supports the configuration of the default gateway as the default next hop router, as well as the configuration of the routing table to provide different next hop routers for different subnets (for maximum configuration of 100 subnets).
The following sections explain how to use CLI commands to configure various parameters.
How to Configure the Default Gateway
The following option is available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Configuring the Default Gateway: Example
The following example shows how to set the default gateway IP of the Cisco SCE platform to 10.1.1.1:
How to Add an Entry to the IP Routing Table
The following options are available:
- prefix —IP address of the routing entry, in dotted notation.
- mask —The relevant subnet mask, in dotted notation
- next-hop —The IP address of the next hop in the route, in dotted notation.
Must be within the MNG interface subnet.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Add an Entry to the IP Routing Table: Example
The following example shows how to set the router 10.1.1.250 as the next hop to subnet 10.2.0.0:
How to Display the IP Routing Table
How to Display the Entire IP Routing Table
|
|
|
|---|---|
Displays the entire routing table and the destination of last resort (default-gateway). |
Displaying the Entire IP Routing Table: Example
This example shows how to display the routing table:
gateway of last resort is 10.1.1.1
| prefix | mask | next hop |
|-----------------|------------------|-----------------|
| 10.2.0.0 | 255.255.0.0 | 10.1.1.250 |
| 10.3.0.0 | 255.255.0.0 | 10.1.1.253 |
| 198.0.0.0 | 255.0.0.0 | 10.1.1.251 |
| 10.1.60.0 | 255.255.255.0 | 10.1.1.5 |
How to Display the IP Routing Table for a Specified Subnet
The following options are available:
- prefix —IP address of the routing entry, in dotted notation.
- mask —The relevant subnet mask, in dotted notation
|
|
|
|---|---|
Displays the routing table for the specified subnet (prefix/mask). |
Displaying the IP Routing Table for a Specified Subnet: Example
This example shows how to display the routing table for a specified subnet:
| prefix | mask | next hop |
|-----------------|-----------------|-----------------|
| 10.1.60.0 | 255.255.255.0 | 10.1.1.5 |
sce#
IP Advertising
IP advertising is the act of periodically sending ping requests to a configured address at configured intervals. This maintains the Cisco SCE platform IP/MAC addresses in the memory of adaptive network elements, such as switches, even during a long period of inactivity.
Configuring IP Advertising
To configure IP advertising, you must first enable IP advertising. You may then specify a destination address to which the ping request is to be sent and/or the frequency of the ping requests (interval). If no destination or interval is explicitly configured, the default values are assumed.
The following options are available in the IP advertising commands:
How to Enable IP Advertising
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Configure the IP Advertising Destination
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Configure the IP Advertising Interval
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Configuring IP Advertising: Example
The following example shows how to configure IP advertising, specifying 10.1.1.1 as the destination and an interval of 240 seconds:
How to Display the Current IP Advertising Configuration
|
|
|
|---|---|
Displays the status of IP advertising (enabled or disabled), the configured destination, and the configured interval. |
Configuring Time Clocks and Time Zone
- Displaying the System Time
- Displaying the Calendar Time
- Setting the System Clock
- Setting the Calendar
- Setting the Time Zone
- Removing the Current Time Zone Setting
- Configuring Daylight Saving Time
The Cisco SCE platform has three types of time settings, which can be configured:
It is important to synchronize the clock and calendar to the local time, and to set the time zone properly.
The Cisco SCE platform has the following two time sources:
- A real-time clock, called the calendar, that continuously keeps track of the time, even when the Cisco SCE platform is not powered up. When the Cisco SCE platform reboots, the calendar time is used to set the system clock. The calendar is not used for time tracking during system operation.
- A system clock, which creates all the time stamps during normal operation. This clock clears if the system shuts down. During a system boot, the clock is initialized to show the time indicated by the calendar.
It does not matter which clock you set, as long as you use either the clock update-calendar or the clock read-calendar command to ensure that the two clocks are synchronized.
The time zone settings are important because they allow the system to communicate properly with other systems in other time zones. The system is configured based on Coordinated Universal Time (UTC), which is standard in the industry for coordination with other manufacturers’ hardware and software. For example, Pacific Standard Time would be written as PST-10, meaning that the name of the time zone is PST, which is 10 hours behind Universal Time.
When setting and showing the time, the time is always typed or displayed according to the local time zone configured.
Displaying the System Time
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Displaying the System Time: Example
The following example shows the current system clock:
12:50:03 UTC MON November 13 2001
sce#
Displaying the Calendar Time
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Displaying the Calendar Time: Example
The following example shows the current system calendar.
12:50:03 UTC MON May 11 2007
sce#
Setting the System Clock
Options
The following option is available:
Step 1
From the SCE# prompt, type clock set time-date and press Enter.
Sets the system clock to the specified time and date.
Step 2 From the SCE# prompt, type clock update-calendar and press Enter.
Synchronizes the calendar time with the system clock you just set.
Setting the System Clock: Example
The following example shows how to set the clock to 20 minutes past 10 AM, May 13, 2007. It then synchronizes the calendar with the system clock setting.
SCE#clock update-calendar
SCE#show clock
10:21:10 UTC THU May 13 2007
Setting the Calendar
The calendar is a system clock that continues functioning even when the system shuts down.
Options
The following option is available:
Step 1 From the SCE# prompt, type calendar set time-date and press Enter.
Sets the system calendar to the specified time and date.
The time specified in this command is relative to the configured time zone.
Step 2 From the SCE# prompt, type clock read-calendar and press Enter.
Synchronizes the system clock with the calendar time you just set.
Setting the Calendar: Example
The following example shows that the calendar is set to 10:20 AM, May 13, 2007. The clock is then synchronized with the calendar setting.
SCE#clock read-calendar
SCE#show calendar
10:21:06 UTC THU May 13 2007
Setting the Time Zone
Options
The following options are available:
- minutes —The minutes offset from UTC. This must be an integer in the range of 0 to 59. Use this parameter to specify an additional offset in minutes when the offset is not measured in whole hours.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Sets the timezone to the specified timezone name with the configured offset in hours and minutes. |
Setting the Time Zone: Example
The following example shows how to set the time zone to Pacific Standard Time with an offset of 10 hours behind UTC.
SCE(config)#
Removing the Current Time Zone Setting
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Removes the timezone configuration and resets the timezone to the default value (UTC). |
Configuring Daylight Saving Time
The Cisco SCE platform can be configured to automatically switch to daylight saving time on a specified date, and also to switch back to standard time. In addition, the time zone code can be configured to vary with daylight saving time if required. (For instance, in the eastern United States, standard time is designated EST, and daylight saving time is designated EDT).
Options
The transition times into and out of daylight saving time may be configured in one of two ways, depending on how the dates for the beginning and end of daylight saving time are determined for the particular location:
- recurring—If daylight saving time always begins and ends on the same day every year, (as in the United States), the clock summer-time recurring command is used. The beginning and ending days for daylight saving time can be configured once, and the system will automatically perform the switch every year.
- not recurring—If the start and end of daylight saving time is different every year, (as in Israel), the clock summer-time command is used. In this case, the transitions must be configured every year for that particular year. (Note that "year" is not necessarily a calendar year. If the transition days are determined in the fall, the transitions for that fall and the next spring may be configured.)
The day on which the transition takes place may be defined in several ways:
- Specific date—For example, March 29, 2004. A specific date, including the year, is defined for a not recurring configuration.
- First/last occurrence of a day of the week in a specified month—For example, the last Sunday in March. This is used for a recurring configuration.
- Day of the week in a specific week in a specified month—For example, Sunday of the fourth week of March. (This would be different from the last Sunday of the month whenever there were five Sundays in the month). This is used for a recurring configuration.
The following options are available:
- zone —The time zone code for daylight saving time
- week (recurring only)—The week of the month on which daylight saving begins (week1) and ends (week2)
- day (recurring only)—The day of the week on which daylight savings begin (day1) and ends (day2)
- date (non-recurring only)—The date of the month on which daylight saving begins (date1) and ends (date2)
- month —The month in which daylight saving begins (month1) and ends (month2)
- year (non-recurring only)—The year in which daylight saving begins (year1) and ends (year2)
- offset —The difference in minutes between standard time and daylight saving time.
Guidelines
General guidelines for configuring daylight saving time transitions:
- Specify the time zone code for daylight saving time.
- recurring—Specify a day of the month (week#|first|last/day of the week/month).
- not recurring—Specify a date (month/day of the month/year).
- Define two days:
– Day1—Beginning of daylight saving time.
– Day2—End of daylight saving time.
- In the Southern hemisphere, month2 must be before month1, as daylight saving time begins in the fall and ends in the spring.
- Specify the exact time that the transition should occur (24-hour clock).
– Time of transition into daylight saving time—According to local standard time.
– Time of transition out of daylight saving time—According to local daylight savings time.
- For the clock summer-time recurring command, the default values are the United States transition rules:
– Daylight saving time begins: 2:00 (AM) on the second Sunday of March.
– Daylight saving time ends: 2:00 (AM) on the first Sunday of November.
How to Define Recurring Daylight Saving Time Transitions
From the SCE(config)# prompt, type:
|
|
|
|---|---|
clock summer-time zone recurring |
Configures daylight saving time to start and stop on the specified days every year. |
Defining Recurring Daylight Saving Time Transitions: Example
The following example shows how to configure recurring daylight saving time for a time zone-designated "DST" as follows:
How to Define Nonrecurring Daylight Saving Time Transitions
From the SCE(config)# prompt, type:
|
|
|
|---|---|
clock summer-time |
Defining Nonrecurring Daylight Saving Time Transitions: Example
The following example shows how to configure nonrecurring daylight saving time for a time zone-designated "DST" as follows:
How to Cancel the Daylight Saving Time Configuration
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Display the Current Daylight Saving Time Configuration
|
|
|
|---|---|
Displays the current time zone and daylight saving time configuration. |
Configuring SNTP
- How to Enable the SNTP Multicast Client
- How to Disable the SNTP Multicast Client
- How to Enable the SNTP Unicast Client
- Disabling the SNTP Unicast Client
- How to Define the SNTP Unicast Update Interval
- How to Display SNTP Information
The Simple Network Timing Protocol (SNTP) is a simple solution to the problem of synchronizing the clocks in the various elements of the network. SNTP provides access to a time source via the network. The system clock and calendar are then set in accordance with this external source.
There are two options for the SNTP client. These functions are independent, and the system employ either one or both.
- Multicast SNTP client—Listens to SNTP broadcasts and updates the system clock accordingly.
- Unicast SNTP client—Sends a periodic request to a configured SNTP server, and updates the system clock according to the server response.
Note It is recommended that an IP access control list be configured to prevent access from unauthorized SNTP or NTP multicast servers (see “Configuring Access Control Lists” section).
How to Enable the SNTP Multicast Client
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Enables the SNTP multicast client. It will accept time updates from any broadcast server. |
How to Disable the SNTP Multicast Client
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Disables the SNTP multicast client. It will not accept any broadcast time updates. |
How to Enable the SNTP Unicast Client
Options
The following option is available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Defines the SNTP unicast server so that SNTP client is able to query that server. |
Enabling SNTP Unicast Client: Example
The following example shows how to enable an SNTP server at IP address 128.182.58.100:
Disabling the SNTP Unicast Client
How to Disable the SNTP Unicast Client and Remove All Servers
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Removes all SNTP unicast servers, preventing unicast SNTP query. |
How to Remove One SNTP Server
The following option is available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Define the SNTP Unicast Update Interval
Options
The following option is available:
The default interval is 64 seconds.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Configures the SNTP unicast client to query the server at the defined intervals. |
The following example shows how to set the SNTP update interval for 100 seconds:
How to Display SNTP Information
|
|
|
|---|---|
Displays the configuration of both the SNTP unicast client and the SNTP multicast client. |
This example illustrates how to use this command:
SNTP broadcast client: disabled
last update time: not available
SNTP unicast client: enabled
SNTP unicast server: 128.182.58.100
last update time: Feb 10 2002, 14:06:41
update interval: 100 seconds
Domain Name Server (DNS) Settings
- Configuring DNS Lookup
- Configuring a Default Domain Name
- Configuring Name Servers
- How to Add a Host to the Host Table
- How to Display Current DNS Settings
When a name of a host is given as a parameter to a CLI command that expects a host name or an IP address, the system translates the name to an IP address according to the following:
- If the name is in a dotted decimal notation (that is, in the format x.x.x.x), it is directly translated to an IP address it represents.
- If the name does not contain the dot character (.), the system looks it up in the IP Host table. If the name is found on the table, it is mapped to the corresponding IP address. The IP host table can be configured using the command ip host.
- If the name does not contain the dot (.) character, and the domain name function is enabled (See the ip domain-lookup command), and a default domain name is specified (See the ip domain-name command), the default domain name is appended to the given name to form a fully qualified host name. This, in turn, is used to perform a DNS query translating the name to an IP address.
- Otherwise, if the domain name function is enabled, the name is considered to be fully qualified, and is used to perform a DNS query translating the name to an IP address.
Configuring DNS Lookup
How to Enable DNS Lookup
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Disable DNS Lookup
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Configuring a Default Domain Name
Options
The following option is available:
- domain-name —The default domain name used to complete host names that do not specify a domain. Do not include the initial period that separates an unqualified name from the domain name.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
The specified domain name is used to complete unqualified domain names. |
Defining a Default Domain Name: Example
The following example shows how to configure cisco.com as the default domain:
Configuring Name Servers
Options
How to Define Domain Name Servers
Use this command to specify the address of one or more name servers to use for name and address resolution.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
ip name-server |
Defines the servers at the specified addresses as domain name servers. |
Defining Domain Name Servers: Example
The following example shows how to configure the two name server (DNS) IP addresses:
How to Remove a Domain Name Server
From the SCE(config)# prompt, type:
|
|
|
|---|---|
no ip name-server server-address1 [server-address2 [server-address3]] |
Removing a Domain Name Server: Example
The following example shows how to remove name server (DNS) IP addresses:
How to Remove All Domain Name Servers
From the SCE(config)# prompt, type:
|
|
|
|---|---|
How to Add a Host to the Host Table
Options
The following options are available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Adding Hosts to Removing them from the Host Table: Example
The following example shows how to add a host to the host table:
The following example shows how to remove a hostname together with all its IP mappings:
How to Display Current DNS Settings
|
|
|
|---|---|
Displaying Current DNS Settings: Example
The following example shows how to display current DNS information:
Default domain is Cisco.com
Name/address lookup uses domain service
Name servers are 10.1.1.60, 10.1.1.61
Host Address
---- -------
PC85 10.1.1.61
sce#
Configuring Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on Cisco manufactured equipment, and is now supported on the Cisco SCE 8000 platform.
- Cisco Discovery Protocol
- Cisco Discovery Protocol on the Cisco SCE 8000 Platform
- Configuring CDP on the Cisco SCE 8000 Platform
- Monitoring and Maintaining CDP
- CDP Configuration Examples
Cisco Discovery Protocol
CDP is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. It is media- and protocol-independent, and runs on all equipment manufactured by Cisco, including routers, bridges, access servers, and switches.
CDP runs on all media that support Subnetwork Access Protocol (SNAP), including LAN, Frame Relay, and ATM physical media. CDP runs over the data link layer only. Therefore, two systems that support different network-layer protocols can learn about each other.
Each device configured for CDP sends periodic messages, known as advertisements, to a multicast address. Each device advertises at least one address where it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime, information, which indicates the length of time a receiving device should hold CDP information before discarding it. Each device also listens to the periodic CDP messages sent by others in order to learn about neighboring devices and determine when their interfaces to the media go up or down.
CDP Version-2 (CDPv2) is the most recent release of the protocol and provides more intelligent device tracking features. These features include a reporting mechanism that allows for more rapid error tracking, thereby reducing costly downtime. Reported error messages can be sent to the console or to a logging server, and include instances of native VLAN IDs (IEEE 802.1Q) on connecting ports that do not match, and port duplex states between connecting devices that do not match.
Type-Length-Value fields (TLVs) are blocks of information embedded in CDP advertisements. Table 6-1 summarizes the TLV definitions for CDP advertisements.
Cisco Discovery Protocol on the Cisco SCE 8000 Platform
Because the Cisco SCE 8000 platform functions differently from a router or a switch, there are several unique features of CDP as supported on this device.
CDP Operational Modes on the Cisco SCE 8000
With a typical Cisco device, CDP is either enabled or disabled. When enabled, CDP packets are received and transmitted. When disabled, CDP packets are discarded and no packets are transmitted.
The Cisco SCE 8000 is not a typical Cisco device. It is usually installed as a bump-in-the-wire device, and transparently forwards packets from one interface to the corresponding interface. This behavior conflicts with typical Cisco CDP packet processing; a typical Cisco device never forwards CDP packets from one interface to another interface. To accommodate this behavior, the Cisco SCE 8000 extends the enabled state with three different CDP modes:
- Standard mode : Standard CDP operation. CDP packets are received and processed, as well as generated.
In this mode CDP functions as it does on a typical Cisco device. This mode should be used in most cases, even though it is not the default mode.
- Bypass mode (default): CDP packets are received and transmitted unchanged. Received packets are not processed. No packets are generated.
In this mode, “bump-in-the-wire” behavior is applied to CDP packets. This is the backward-compatible mode, equivalent to not having CDP support.
- Monitor mode : CDP packets are received, processed, and transmitted unchanged. CDP packets are analyzed and CDP neighbor information is available. No packets are generated.
In this mode “bump-in-the-wire" behavior is applied to CDP packets. This mode may be confusing to operators and network management tools, because it is contrary to the concept of CDP as a physical link protocol.
Table 6-2 summarizes the CDP state and modes behavior in the Cisco SCE 8000.
Note When CDP is either not running or disabled at the interface level, CDP packets are discarded and CDP packets are not generated, regardless of the CDP mode.
|
|
|
|
|---|---|---|
|
|
||
|
|
||
|
|
CDP Limitations on the Cisco SCE 8000
CDP as currently supported on the Cisco SCE 8000 has the following limitations:
Configuring CDP on the Cisco SCE 8000 Platform
To configure CDP, perform the tasks in the following sections:
Enabling CDP Globally
By default, CDP is enabled on the Cisco SCE 8000. If you prefer not to use the CDP device discovery capability, use the following command to disable it.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
To re-enable CDP after disabling it, use the following command.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Note By default, when you enable CDP, it is set to bypass mode. To change the mode, see “Setting the CDP Mode” section.
Setting the CDP Mode
The Cisco SCE 8000 is usually installed as a bump-in-the-wire device, and therefore forwards packets (including CDP packets) from one interface to the corresponding interface, whereas a typical Cisco device never forwards CDP packets from one interface to another interface. Therefore, the Cisco SCE 8000 extends the enabled state with the following three CDP modes:
- standard—Function as a typical CDP device
- monitor—Monitor the CDP packets
- bypass—Bypass the CDP packets
(See “CDP Operational Modes on the Cisco SCE 8000” section for a description of the different CDP modes.)
In cascade topologies, both Cisco SCE 8000 platforms must be configured to the same CDP mode.
By default, the CDP mode is set to bypass.
To reset the CDP mode to the default mode (bypass) use the default cdp mode command.
To change the CDP mode, use the following command in global configuration mode.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Enabling CDP on a Specific Traffic Interface
By default, CDP is enabled on all traffic interfaces (see “CDP Limitations on the Cisco SCE 8000” section).
To disable CDP on a specific traffic interface, use the no cdp enable command in the appropriate interface configuration mode.
To reenable CDP on a specific interface after disabling it, use the following command in the appropriate interface configuration mode. CDP must be enabled globally on the Cisco SCE 8000 platform ( cdp run command) in order to enable a specific interface.
From the SCE(config if)# prompt, type:
|
|
|
|---|---|
Tip For consistent CDP operation, it is recommended that both ports of any one traffic link be either enabled or disabled.
Setting the Hold Time
Use this command to set the mount of time the receiving device should hold a CDP packet from your router before discarding it. Use either the no or the default form of the command to restore the holdtime to the default value.
Options
The following option is available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Setting the Timer
Use this command to configure how often the Cisco SCE 8000 platform sends CDP updates. Use either the no or the default form of the command to restore the timer to the default value.
Options
The following option is available:
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Monitoring and Maintaining CDP
To monitor and maintain CDP on the Cisco SCE 8000, use one or more of the following commands.
The clear commands are in privileged EXEC mode. The show commands are in viewer mode.
CDP Configuration Examples
Example: Setting the CDP Mode
The following example illustrates how to configure CDP mode to standard.
In cascade topologies, both Cisco SCE 8000 platforms must be configured to the same CDP mode.
The show command verifies that the CDP configuration has been correctly updated:
Example: Monitoring and Maintaining CDP
The following example shows a typical series of steps for viewing information about CDP neighbors.
Table 6-3 describes the significant fields shown in the output of the show cdp neighbors command.
Enabling the CLI Interface Warning Banner
A warning banner is a message displayed when the user connects to the Cisco SCE using either Telnet or the console connection. It serves as a security warning for unauthorized users trying to connect to Cisco SCE platform. It can also provide device details, as well as information about the service and application.
By default the banner is disabled. You do not have to shutdown the Cisco SCE platform in order to enable or disable the banner.
From the SCE(config)# prompt, type:
|
|
|
|---|---|
Enables the display of the specified text as the warning banner when the CLI interface is accessed. Banner text should be enclosed in quotation marks or other delimiting characters. |
OS Fingerprinting and NAT Detection
OS fingerprinting is the process of determining the identity of a remote host operating system by analyzing packets from that host. It detects the operating system used by the subscriber and whether the subscriber is present in a NAT environment by analyzing subscriber traffic. NAT detection is based on whether the same subscriber is connecting using multiple operating systems.
An encrypted fingerprint file that has the list of OS signatures is packaged with each SCOS release. Signature files are updated as needed, and the updated signature files are available on cisco.com.
The detected OS type is reported using the following mechanisms:
- RDRs—The subscriber OS type is reported in the Real-time Subscriber Usage RDR (SUR). These RDRs can be stored by the CM and interpreted using Insight.
- CLI—The subscriber OS type is available through OS fingerprinting and subscriber information commands.
- VSA—Over mobile interfaces, the OS type is sent as a VSA in CCR-U over Gx.
- SCA BB Console—The OS type is available through an API that displays the OS type on the SCA BB console as part of the status of a subscriber.
Restrictions and Limitations
Due to the nature of the Cisco SCE platform, there are certain limitations to the scope of the OS fingerprinting and NAT detection feature:
- OS information is available only for logged-in and active subscribers.
- OS fingerprinting is not done continuously for any subscriber. If a subscriber changes OS or moves to a NAT environment during the time when they are not sampled, OS type or NAT environment cannot be detected.
- OS fingerprinting depends mainly on the parameters in the TCP-SYN packets. The signature database is built based on the default settings used by various operating systems. If the subscriber changes default parameters, such as TCP window size, through registries, it may lead to misclassification of the OS.
- The OS type will not be detected in any of the following situations:
– If the subscriber connects to the internet using an http-proxy, or if there is a proxy or gateway that changes L3/L4 packets of the subscriber.
– If the subscriber has only one flow.
– If the subscriber has only UDP flows
- In case of multiple IP or IP range subscribers, OS fingerprinting is done only for a limited number IP addresses (default is five).
- NAT detection is based on whether the same subscriber is connecting using multiple operating systems. Therefore, if all the users behind a NAT use the same OS, it is not possible to detect the NAT.
- When a subscriber runs multiple operating systems using vmware, it may be detected as a NAT even though the subscriber is not in NAT environment.
Configuring OS Fingerprinting
By default, the OS fingerprinting feature is disabled. When OS fingerprinting is enabled, you can also configure the following OS fingerprinting parameters:
- Sampling window—How long flows from a subscriber are fingerprinted
- Sampling interval—Interval between OS fingerprinting sampling windows
OS fingerprinting is done for "sampling window" seconds every "sampling interval" minutes.
- NAT detection window—Time period within which detecting multiple operating systems for the same subscriber or IP address triggers NAT identification
- OS flush time–Time interval after which OS information is flushed from the system
- Signature file—Name of OS fingerprint signature file
- Scan port—Port used for opening OS fingerprinting flows
- GX reporting—Enable sending subscriber OS information in Gx messages
SUMMARY STEPS
5. (Optional) os-fingerprinting sampling window window interval interval
6. (Optional) os-fingerprinting NAT-detection-window time
7. (Optional) os-fingerprinting os-flush-time time
8. (Optional) os-fingerprinting signature-file filename
DETAILED STEPS
Monitoring OS Fingerprinting
To monitor OS fingerprinting, use one or more of the following commands.
These commands are in viewer mode.
Using the Bursty Traffic Convergence
During the peak hours, file sharing applications, such as P2P Bittorrent and other similar types of traffic, could go beyond the configured PIR level in the aggregative global controller mode. This is due to the bursty traffic nature of those applications. So, in order to have better convergence bursty traffic convergence enhancement is provided. The following steps are required to enable this bursty traffic convergence support to a particular AGC.
Step 1 Choose AGC mode in Cisco SCABB.
Step 2 It is recommended to create both upstream and downstream dedicated unique service AGC like P2P service AGC and apply SCABB policy.
Step 3 Configure the new cli “bursty-traffic-convergence” for such unique service AGC like P2P directional AGC in both directions.
Step 4 Verify whether the bursty convergence is enabled in the running configuration.
Step 5 Verify whether the traffic is mapped to a unique service AGC such as P2P service dedicated AGC.
Step 6 Verify whether the corresponding traffic, such as P2P traffic, is mapped to the above AGC and is controlled in the configured PIR using insight graph reports.
The following steps are required to enable this bursty traffic convergence support to a particular GC.
Step 1 Choose GC mode in Cisco SCABB.
Step 2 It is recommended to create both upstream and downstream dedicated unique services GC, such as P2P service GC, and apply the SCABB policy.
Step 3 Configure the new cli “bursty-traffic-convergence” for such unique service GC, like P2P directional GC, in both directions.
The enable/disable configuration cli command to be carried in each Ten Gig/One Gig interface port is given below:
The show command to be carried in each Ten Gig/ One Gig interface port is given below:
Attach the bursty cli to the above GC as shown below:
Attach the bursty cli to above GC as shown below:
Step 4 Verify whether the bursty convergence is enabled in the running configuration.
Step 5 Verify whether the traffic is mapped to a unique service GC such as P2P service dedicated GC.
Step 6 Verify whether the corresponding traffic, such as P2P traffic, is mapped to the above GC and is controlled in the configured PIR using insight graph reports.
For more information on bursty traffic convergence CLI, see CLI Command Reference chapter of the Cisco SCE 8000 CLI Command Reference, Release 5.1.0.
Restrictions and Known Limitations in Bursty Traffic Convergence
DNS Assisted Classification/Sampling
DNS Assisted Classification supports existing Traffic-classification techniques to achieve more granular classification of encrypted subscriber traffic using the DNS traffic.
Configuring DNS Assisted Classification
By default DNS Assisted Classification is disabled. Once we enable it, the following parameters can be configured:
SUMMARY STEPS
4. Disable DNS bypass flow-filter rules and enable DNS classification on first packet via Service configuration
6. (Optional) dns-flow sampling sample-time < input in seconds >
7. (Optional) dns-flow sampling max-dns-packets <input as integer>
DETAILED STEPS
|
|
|
|
|---|---|---|
|
|
Enables privileged EXEC mode. Enter your password when prompted. |
|
|
|
||
|
|
||
Disable DNS Bypass flow-filter rules and enable DNS First packet classification |
By default, Flow-filter rules are configured to bypass dns traffic, for the DNS Assisted Classification to take effect, we need to configure the Service Configuration policy to allow SCE to process the dns traffic For more information on configure policy to process DNS traffic, see Cisco Service Control Application for Broadband User Guide |
|
|
|
||
dns-flow sampling sample-time < input in seconds > |
(Optional) Configures the length of the DNS sampling window, in seconds (1-1000) |
|
dns-flow sampling max-dns-packets <input as integer> |
(Optional) Configures the Maximum number of DNS Packets to be processed per sample-time per traffic processor |
|
dns-flow refresh-time <input is days> |
(Optional) Configures the Time Interval, in days, after which DNS Entries that exceed the interval are flushed from each of the traffic processor of the system. (1-1000). |
|
Copies the current configured settings to the startup configuration. |
For more information on dns classification related CLI, see “CLI Command Reference” chapter in Cisco SCE 8000 CLI Command Reference, Release 5.1.x.
Feedback