Cisco Systems 15310-CL, 15310-MA Radius Stand Alone Mode, Configuring Radius Relay Mode, 15-7


Chapter 15 Configuring Security for the ML-Series Card


Configuring RADIUS Relay Mode

This feature is turned on with CTC or TL1. To enable RADIUS Relay Mode through CTC, go to the card-level view of the ML-Series card, check the Enable RADIUS Relay box and click Apply. The user must be logged in at the Superuser level to complete this task.

To enable it using TL1, refer to the Cisco ONS SONET TL1 Command Guide.

Caution: Switching the ML-Series card into RADIUS relay mode erases any configuration in the Cisco IOS configuration file related to AAA/RADIUS. The cleared AAA/RADIUS configuration is not restored to the Cisco IOS configuration file when the ML-Series card is put back into stand alone mode.

Caution: Do not use the Cisco IOS command copy running-config startup-config while the ML-Series card is in relay mode. This command will save a Cisco IOS configuration file with RADIUS relay enabled. On a reboot, the ML-Series card would come up in RADIUS relay mode, even when the Enable RADIUS Relay box on the CTC is not checked. If this situation arises, the user should check the Enable RADIUS Relay box and click Apply and then uncheck the Enable RADIUS Relay box and click Apply. Doing this will set the ML-Series card in stand alone mode and clear RADIUS relay from the ML-Series card configuration.
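
Because the cleared AAA/RADIUS configuration is not restored, one approach is to extract those lines from a saved configuration before enabling relay mode and compare them against the configuration afterwards. The Python below is an added example, not Cisco code; the command prefixes it matches and both sample configurations are assumptions constructed for illustration, since this page does not list the exact lines the card clears.

```python
# Top-level IOS commands treated as AAA/RADIUS-related. Assumption: the exact
# set of lines the card clears is not listed on this page.
AAA_RADIUS_PREFIXES = ("aaa ", "radius-server ", "ip radius ")
# Sub-commands under "line ..." stanzas that reference AAA method lists.
AAA_SUBCOMMANDS = ("login authentication ", "authorization ", "accounting ")

# Constructed sample: a configuration saved while in stand alone mode.
SAMPLE_BACKUP = """\
hostname ML-Series
!
aaa new-model
aaa authentication login default group radius local
aaa group server radius RAD-GRP
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
interface FastEthernet0
 no ip address
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
!
line vty 0 4
 login authentication default
 transport input ssh
!
end
"""

# Constructed sample: the same configuration with the AAA/RADIUS lines absent.
SAMPLE_AFTER = """\
hostname ML-Series
!
interface FastEthernet0
 no ip address
!
line vty 0 4
 transport input ssh
!
end
"""

def extract_aaa_radius(config_text):
    """Return AAA/RADIUS lines, keeping the parent line of any sub-command."""
    kept, parent, parent_kept, in_aaa_block = [], None, False, False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue                      # skip blanks and "!" separators
        if not line[0].isspace():         # top-level command starts a stanza
            parent = line
            in_aaa_block = parent_kept = line.startswith(AAA_RADIUS_PREFIXES)
            if in_aaa_block:
                kept.append(line)
        elif in_aaa_block:                # e.g. "server ..." in a server group
            kept.append(line)
        elif parent and line.strip().startswith(AAA_SUBCOMMANDS):
            if not parent_kept:           # emit "line vty 0 4" once for context
                kept.append(parent)
                parent_kept = True
            kept.append(line)
    return kept

def missing_aaa_radius(backup_text, current_text):
    """List backup AAA/RADIUS lines that the current configuration lacks."""
    current = {l.strip() for l in extract_aaa_radius(current_text)}
    return [l for l in extract_aaa_radius(backup_text) if l.strip() not in current]

if __name__ == "__main__":
    for entry in missing_aaa_radius(SAMPLE_BACKUP, SAMPLE_AFTER):
        print(entry)
```

The extracted lines include the RADIUS shared key, so store the output with the same protection as the configuration file itself.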

RADIUS Stand Alone Mode

In stand alone mode, RADIUS on the ML-Series card is configured with the Cisco IOS CLI in the same general manner as RADIUS on a Cisco Catalyst switch.

This section describes how to enable and configure RADIUS in the stand alone mode on the ML-Series card. RADIUS in stand alone mode is facilitated through AAA and enabled through AAA commands.

Note: For the remainder of the chapter, RADIUS refers to the Cisco IOS RADIUS available when the ML-Series card is in stand alone mode. It does not refer to RADIUS relay mode.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.

These sections contain this configuration information:

Understanding RADIUS, page 15-8

RADIUS Stand Alone Mode, page 15-7

Configuring RADIUS, page 15-8

Displaying the RADIUS Configuration, page 15-20

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

 

78-18133-01

15-7

 

 

 


15310-CL, 15310-MA specifications

Cisco Systems has established itself as a leader in the networking domain, offering a wide array of solutions to meet the needs of modern businesses. Among its impressive product lineup are the Cisco 15310-CL and 15310-MA routers, designed to provide advanced network performance and reliability.

The Cisco 15310-CL is a versatile platform that primarily serves as a carrier-class router aimed at supporting high-speed data and voice services. It is built to handle the demands of large enterprises and service providers, offering a robust design that ensures maximum uptime and performance. One of its standout features is its modular architecture, which enables users to customize their configurations based on specific application needs. This scalability allows for future expansion without the need for a complete hardware overhaul.

Key technologies integrated into the Cisco 15310-CL include high-density Ethernet interfaces and a comprehensive suite of Layer 2 and Layer 3 protocol support. The device is capable of supporting multiple types of connections, including TDM, ATM, and Ethernet. This flexibility makes it an ideal choice for organizations that require seamless migration between various service types. Moreover, with features such as MPLS (Multiprotocol Label Switching) support and advanced Quality of Service (QoS) mechanisms, the router ensures that critical applications receive the necessary bandwidth and low latency required for optimal performance.

In contrast, the Cisco 15310-MA focuses on access solutions, providing a cost-effective entry point for businesses looking to enhance their network capabilities. It is well-suited for smaller offices or branch locations that need reliable connectivity without the expense and complexity associated with larger systems. The device supports a range of access methods and provides essential features like firewall capabilities, VPN support, and comprehensive security measures to protect sensitive data.

Both models benefit from Cisco's commitment to security and manageability, offering features like enhanced encryption protocols and user authentication mechanisms that help safeguard networks against threats. Additionally, they can be managed through Cisco’s intuitive software tools, simplifying configuration and monitoring tasks for IT administrators.

The Cisco 15310-CL and 15310-MA are ideal solutions for businesses seeking to enhance their network infrastructure, ensuring firms can keep pace with evolving technology demands while maintaining a focus on security and performance. Their combination of advanced features, modular capabilities, and robust support makes them valuable assets in the networking landscape.