Page 200
Chapter 15 Configuring Security for the ML-Series Card
RADIUS on the ML-Series Card
For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr.htm.
RADIUS on the ML-Series Card
RADIUS is a distributed client/server system that secures networks against unauthorized access. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco or another software provider.
Many Cisco products offer RADIUS support, including the ONS 15454, ONS 15454 SDH, ONS 15310-CL, ONS 15310-MA, and ONS 15600. The ML-Series card also supports RADIUS.
The ML-Series card can operate either in RADIUS relay mode or in RADIUS standalone mode (the default). In either mode, the RADIUS messages from the ML-Series card are passed to a RADIUS server on the data communications network (DCN) used to manage the ONS node.
RADIUS Relay Mode
In RADIUS relay mode, RADIUS on the ML-Series card is configured by CTC or TL1 and uses the AAA/RADIUS features of the ONS node, which contains the ML-Series card. There is no interaction between RADIUS relay mode and RADIUS standalone mode. For information on ONS node security, refer to the “Security” chapter of the ONS node’s reference manual.
An ML-Series card operating in RADIUS relay mode does not need to be specified as a client in the RADIUS server entries. The RADIUS server uses the client entry for the ONS node as a proxy for the ML-Series card.
Enabling relay mode disables the Cisco IOS CLI commands used to configure AAA/RADIUS. The Cisco IOS CLI commands that are not related to AAA/RADIUS remain available.
In relay mode, the ML-Series card shows a RADIUS server host whose IP address is actually the internal IP address of the active timing, communications, and control card (XTC). When the ML-Series card sends RADIUS packets to this internal address, the XTC rewrites the packet destination to the real IP address of the RADIUS server. In standalone mode, the ML-Series card shows the true IP addresses of the RADIUS servers.
When relay mode is used with multiple RADIUS server hosts, the ML-Series card IOS CLI show run output again shows the internal IP address of the active XTC card. Because that single IP address now represents multiple hosts, a different port number is paired with the address for each host: ports 1860 to 1869, one for each configured authentication server host, and ports 1870 to 1879, one for each configured accounting server host.
The single IP address will not match the host IP addresses shown in CTC, which uses the true addresses of the RADIUS server hosts. These same true IP addresses appear in the ML-Series card IOS CLI show run output when the ML-Series card is in standalone mode.
Note A user can configure up to 10 servers for either the authentication or the accounting application, and one server host can perform both the authentication and the accounting application.
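The two forms of show run output described above, as an added example that is not code from the Cisco guide: a small Python checker that parses the radius-server host lines of a saved show running-config, decides whether the card is in relay mode (one internal XTC address, hosts told apart by ports 1860 to 1869 and 1870 to 1879) or standalone mode (the servers' true addresses), counts hosts per application against the 10-host limit, and compares the addresses with the ones CTC shows. The config text, the XTC internal address 10.0.0.1 and the server addresses 192.0.2.x are constructed placeholders; the parser assumes the standard IOS line form radius-server host <ip> auth-port <n> acct-port <n> ... and ignores anything after the ports.

```python
"""Classify the RADIUS hosts in an ML-Series card's `show running-config` as
relay mode or standalone mode. Added example, not from the Cisco guide.
Port ranges are the guide's (1860-1869 authentication, 1870-1879 accounting,
at most 10 hosts per application); 10.0.0.1 (standing in for the active XTC's
internal address) and 192.0.2.x are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Optional

RELAY_AUTH_PORTS = range(1860, 1870)  # one port per authentication host
RELAY_ACCT_PORTS = range(1870, 1880)  # one port per accounting host
MAX_HOSTS_PER_APP = 10

# `radius-server host <ip> [auth-port <n>] [acct-port <n>] ...`; whatever
# follows the ports (key, timeout, retransmit) is ignored.
HOST_RE = re.compile(r"^\s*radius-server host (?P<ip>\S+)"
                     r"(?:\s+auth-port (?P<auth>\d+))?"
                     r"(?:\s+acct-port (?P<acct>\d+))?")


@dataclass
class RadiusHost:
    ip: str
    auth_port: Optional[int]  # None: not on the line, IOS default applies
    acct_port: Optional[int]


def parse_radius_hosts(show_run: str) -> list:
    hosts = []
    for line in show_run.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append(RadiusHost(m["ip"],
                                    int(m["auth"]) if m["auth"] else None,
                                    int(m["acct"]) if m["acct"] else None))
    return hosts


def _looks_relayed(h: RadiusHost) -> bool:
    """Every port on the line is a relay port and at least one port is set
    (`None in range(...)` is False, so unset ports need no special case)."""
    in_ranges = ((h.auth_port is None or h.auth_port in RELAY_AUTH_PORTS)
                 and (h.acct_port is None or h.acct_port in RELAY_ACCT_PORTS))
    return in_ranges and (h.auth_port in RELAY_AUTH_PORTS
                          or h.acct_port in RELAY_ACCT_PORTS)


def relay_slot(h: RadiusHost):
    """(authentication slot, accounting slot) that a relay-mode line encodes
    in its ports; None for an application the line does not carry."""
    auth = h.auth_port - 1860 if h.auth_port in RELAY_AUTH_PORTS else None
    acct = h.acct_port - 1870 if h.acct_port in RELAY_ACCT_PORTS else None
    return auth, acct


def classify(hosts: list) -> dict:
    """Relay mode: one address (the active XTC's internal address) repeated per
    host and told apart only by port. Standalone: the servers' true addresses."""
    relay = (bool(hosts) and len({h.ip for h in hosts}) == 1
             and all(_looks_relayed(h) for h in hosts))
    # `auth-port 0` / `acct-port 0` turns that application off for a host; a
    # missing port means the default, so that host still counts.
    auth_hosts = sum(h.auth_port != 0 for h in hosts)
    acct_hosts = sum(h.acct_port != 0 for h in hosts)
    warnings = []
    if max(auth_hosts, acct_hosts) > MAX_HOSTS_PER_APP:
        warnings.append("more than %d hosts for one application" % MAX_HOSTS_PER_APP)
    return {"mode": "relay" if relay else "standalone",
            "relay_ip": hosts[0].ip if relay else None,
            "auth_hosts": auth_hosts, "acct_hosts": acct_hosts,
            "warnings": warnings}


def matches_ctc(hosts: list, ctc_server_ips) -> bool:
    """Do the `show run` addresses equal the true addresses CTC shows?
    Expected True in standalone mode and False in relay mode."""
    return {h.ip for h in hosts} == set(ctc_server_ips)


# Constructed sample output, not captured from a card.
RELAY_SHOW_RUN = """\
aaa new-model
radius-server host 10.0.0.1 auth-port 1860 acct-port 1870 key 7 0822455D0A16
radius-server host 10.0.0.1 auth-port 1861 acct-port 1871 key 7 0822455D0A16
"""
STANDALONE_SHOW_RUN = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 0822455D0A16
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key 7 0822455D0A16
"""

if __name__ == "__main__":
    ctc_ips = {"192.0.2.10", "192.0.2.11"}  # what CTC shows in either mode
    for text in (RELAY_SHOW_RUN, STANDALONE_SHOW_RUN):
        hosts = parse_radius_hosts(text)
        print(classify(hosts), "matches CTC:", matches_ctc(hosts, ctc_ips))
```

Feed it the show running-config captured from the card. A relay verdict whose addresses do not match the servers CTC lists is the expected picture; a standalone verdict whose addresses differ from the servers CTC lists is worth explaining, since in standalone mode the card is supposed to show the servers' true addresses.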
Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5
Text Part Number: 78-18133-01
Copyright 2007-2009 Cisco Systems, Inc. All rights reserved