VPN Tunnel Licencing | Allied Telesis AT-9900, RAPIER I, X900-48FE

172

Enhancements to IPsec/VPN

Release Note

ISAKMP will not reattempt XAUTH authentication failures (phase 1.5). XAUTH failures indicate that either the router or switch and its peer have different authentication details, or a third party is attempting to connect to the router or switch. This needs to be investigated manually.

Command Changes

The following table summarises the modified commands:

Command	Change

create isakmp policy	New retryikeattempts parameter.

set isakmp policy	New retryikeattempts parameter.

show isakmp counters	New retryIkeAttemptsPh1 and retryIkeAttemptsPh2
	parameters in output when counters is set to general.
	New usePolIkeRetryGood and usePolIkeRetryFailed
	parameters in output when counters is set to spd.

show isakmp policy	New Retry IKE Attempts, Current IKE Retries, and
	Required IKE Retry Phase parameters in the output when
	a policy is specified.

VPN Tunnel Licencing

By default, the AR415S allows one VPN tunnel. Additional VPN tunnels require a special feature licence. If you need more VPN tunnels, contact your authorised distributor or reseller. Other products do not need a special feature licence for more VPN tunnels.

Command changes

The following table summarises the modified command.

Command	Change

show ipsec	New output parameters

Software Version 2.8.1 C613-10477-00 REV B

Image 172

Allied Telesis AT-9900 VPN Tunnel Licencing, New retryikeattempts parameter, New Retry IKE Attempts , Current IKE Retries

Contents

Software Version Release Note Release Note Software Version Introduction IntroductionProduct series Models Upgrading to Software Version Backwards Compatibility Issue when UpgradingProduct name Release file GUI resource file CLI help file Overview of New Features Overview of New FeaturesQuickly Software Version AR400 AR7x5 AR750S Rapier AT-8800 AT-8600 AT-9800 AT-8900 X900-48FE AT-9900 AR400 AR7x5 AR750S Rapier AT-8800 Snmp MIBs Restart Log Command Changes System EnhancementsClearing System Parameters Extended Monitoring of CPU Utilisation Disable cpu extended Enable cpu extendedReset cpu utilisation Activate cpu extended Command Reference Updates Disable cpu extendedEnable cpu extended Activate cpu extended Reset cpu utilisation Set system contactSet system location Set system name Example output from the show cpu extended command Show cpu Parameter Meaning Parts of a Command Command Line Interface CLI EnhancementsMore flexibility in Separating Parameters and Values Command Show command history Additional Shortcuts when EditingCreate config Command Line Interface CLI Enhancements Create configParameter Description Set command assignmentoperator Show command history Example output from the show command history command File System Enhancement Add file Create file File System Enhancement Reset file permanentredirect File size Default 204 800 bytesShow file permanentredirect Software Version Parameter Description Example output from the show file permanentredirect command File System Enhancement Release Note Switching Enhancements Ordering Hardware Filters in 48-Port Switches Switching Enhancements CommandChangeSet switch hwfilter mode New command Show switch hwfilter New mode parameter in output PortDisable Limiting Rapid MAC Movement Create switch trunk Enable switch port vlanSet switch port Set switch thrashlimit Set switch hwrouteupdate Route Update Queue LengthNew command Securing a Single Vlan through Switch Filters Removing a Description from a Switch PortChanged description parameter Configuring vlansecure Change of Debug Command Syntax Ethernet Protection Switching Ring EpsrShow switch debug New DEV option in output Create switch trunk Disable switch debug Disable switch filter vlansecureDisable switch port vlan Debugging occurs on operations related to the switch chip Enable switch filter vlansecure Enable switch debugEnable switch port vlan Set lacp Set switch hwfilter mode Set switch hwrouteupdate Set switch port Set switch thrashlimit Set switch trunk Example output from the show lacp command Address learn thrash action ..... Learn DisableAddress learn thrash timeout ... second Show lacp Show switch Switching Enhancements Whether the debugging option for the router or switch is Show switch debugARL, DMA, DEV, PHY, or None Show switch filter Show switch hwfilterNew parameter in output of the show switch filter command VlanSecure Show switch port New parameters in output of the show switch port commandMeaning Mode Thrashaction is set to none PPPoE Access Concentrator Add ppp acservice Set ppp acservice Delete ppp acservicePPPoE Access Concentrator New parameter in output of the show ppp pppoe command Show ppp pppoeEth0 Interface Disable mstp port Enable mstp portDisable mstp port Enable mstp port STP Enhancement Show stp portShow stp port New Port field in output Asynchronous Port Enhancement Making Asynchronous Ports Respond More QuicklySet asyn Show asyn Set asyn Show asyn Ten timer value 100 Ten timer valueAsynchronous Port Enhancement Release Note Which characters are bundled Igmp Proxy on x900 Series Switches Internet Group Management Protocol Igmp Enhancements Group Downstream interfaces have membersMulticast group Downstream interface Igmp filtering extended to all Igmp message types Add ip interfaceSet ip interface Set ip igmp interface Internet Group Management Protocol Igmp Enhancements Add igmp filterSet igmp filter Show igmp filter Monitoring reception of Igmp general query messages Add igmp filter MSGType=QUEryREPortLEAVe Add ip interface Set igmp filter Set ip igmp interface Set ip interface Show igmp filter Leaves Is attached to RecdPassed Attached to Upstream General Query Reception Timeout .... None New parameters in the output of the show ip igmp commandShow ip igmp An Snmp trap are generated Expanded IP Troubleshooting Internet Protocol IP EnhancementsExpanded number of Eth interfaces per physical interface IP Route Preference Options IPv4 Filter Expansion Assigning the Filter Type Enhancements to Display of UDP Connections over IPv4 Waiting for a Response to an ARP Request Set ip arpwaittimeout New Arp wait timeout fieldAdding Static ARP Entries with Multicast MAC Addresses Show ip Enable ip macdisparity Disable ip macdisparityNew IP/MAC address disparity parameter Add ip filter Syntax Traffic filter Disable ip macdisparity Reset ip counter Enable ip macdisparitySet ip arpwaittimeout Set ip filter Set ip route preference Arp wait timeout Secs Modified parameters on output of the show ip commandWith multicast MAC addresses. One of Enabled or Show ip Show ip cache Internet Protocol IP Enhancements Release Note Show ip counter When the entry is usedCount Number of times the entry was found Show ip filter Show ip udp UDP on the router or switch Time synchronisation using the Network Time ProtocolGeneration/reception of logs using the Secure Router Log Generation/reception of logs using the Net Manage protocol Show ipv6 udp New command IPv6 EnhancementsDisplay of UDP Connections over IPv6 IPv6 Tunnel Expansion Show ipv6 udp L2TP Enhancements L2TP Enhancements Handling PPP Link Negotiation Failures Resetting General L2TP CountersProxyauth=offon Disable l2tp debug Add l2tp ip Enable l2tp debug Reset l2tp counter Proxy Authentication Show l2tp ipShow l2tp tunnel Decode Show l2tp tunnel call Syntax SHow L2TP TUNnel CALL=1..65535 Ospf Interface Password Open Shortest Path First EnhancementsNssa Translator Role Add ospf interface Set ospf area Add ospf areaShow ospf area Redistributing External Routes Interaction with global Ospf parameters Ospf backward compatibility Disable ospf debug Enable ospf debugAdd ospf redistribute Delete ospf redistribute Add ospf area NSSAStability=1..3600 NSSATranslator=CANdidateALWays Add ospf interface Add ospf redistribute Enable ospf debug Disable ospf debugDelete ospf redistribute Set ospf BGPImport=ONOFFTrueFalseYESNO Set ospf area Set ospf interface Set ospf redistribute Role Show ospf areaStability Interval State Show ospf redistribute Software Version 101 BGP Enhancements BGP Backoff Lower ThresholdUpper and Lower Thresholds BGP Enhancements Enable and Disable Backoff BGP Peer and Peer Template Enhancements Displaying the Number of Routes from a Peer Displaying Routes Learned from a Specific BGP PeerDisplaying Information about Routes from a Peer Add bgp peer Software Version 105 Disable bgp backoff Add bgp peertemplate Enable bgp backoff Set bgp backoffSoftware Version 107 BACkoff Set bgp peer Set bgp peertemplate Software Version 109 Show bgp backoff BGP Enhancements Release NoteMem Upper Threshold Value 95% Mem Upper Notify Mem Lower Threshold Value 90% Mem Lower Notify Show bgp route Show bgp peerRoutes learned MLD and MLD Snooping Enhancements MLD Packet FormatsIcmp type for MLDv2 Reports MLD and MLD Snooping Enhancements MLD Snooping Group Membership Display Change of Maximum Query Response Interval forSoftware Version 113 Show mldsnooping More consistent output Enable ipv6 mld interface Set ipv6 mld Show ipv6 mld Show mldsnoopingSoftware Version 115 V2 Draft Compatible Previous example output from the show mldsnooping command MLD and MLD Snooping EnhancementsRelease Note Extension to Range of Classifier fields for x900 Switches Create classifierSet classifier Show classifier Extension to Range of Classifier fields for x900 Switches Create classifier Software Version 119 Set classifier Show classifier Software Version 121 TCP Flags Icmp codeIcmp type Igmp type 0x17 V2LEAVE Classifier Rules 2222 MAC Address Aa-bb-cc-dd-ee-ff Type Vlan1234Format Protocol 1234567890 Layer 3 Byte Offset Value Mask Igmp Type Parameter option in brackets if availableTCP Flags One of URG, ACK, RST, SYN, or FIN Port Groups QoS EnhancementsSoftware Version 125 Storm protection Set qos policy Create qos trafficclassSet qos trafficclass Show qos trafficclass Add qos portgroup port Create qos policy Default portdisable With the enable switch port command Protection is enabled Create qos portgroupCreate qos trafficclass Storm protection is inactive Is matching STORMTimeout With the enable switch port command, orEnable switch port vlan command STORMRate POrt Port to delete from this port group Default no default Delete qos portgroup portDestroy qos portgroup Specific port that consists Set qos policy Reset qos portgroup countersSoftware Version 133 Set qos portgroup Uses Kbps. If you specify Mbps or Gbps, the rate Set qos trafficclass Software Version 135 Parameter Description With the enable switch port or enable switch Is disabled by storm protectionShow qos policy QoS Enhancements Release Note Parameter Description Rate 1kbps Window 100ms Timeout None Show qos portPorts Assigned to Port Groups Assigned to 213-24 Storm Protection Status QoS EnhancementsRelease Note Show qos portgroupPort Group Trunk Group None Parameters in output of the show qos portgroup command Show qos portgroup countersSoftware Version 139 Integer from 1 to 140 Number of bytes that conforms with band with class Show qos trafficclassStorm Protection Configuring Secure Copy Configuring the ServerConfiguring the Client Secure Copy SCP Configuring Users Use the show ssh session command to see current sessionsManaging Secure Copy Sessions Software Version 143 Loading using Secure Copy Loading Files to the Switch Uploading using Secure Copy Uploading from the SwitchLoading Files from a Remote Machine Software Version 145 Uploading Files from a Remote Machine LoadSet loader Show loader Disable ssh debug Disable ssh serverDelete ssh session Software Version 147 Enable ssh server Enable ssh debugWhether the SSH server supports SCP connections Load Software Version 149 Default tftp Copy is the default method for loading and uploadingSet loader Set ssh client Software Version 151 Set ssh server Show loader192.168.1.1 Alice SSH Server Enabled SCP Service Show sshSoftware Version 153 Debug Reset loader command Show ssh counter Show ssh session Software Version 155Parameter Meaning WriteFileFailed Failure Secure Copy SCP Release Note Parameter Meaning Secure Shell Session Software Version 157 UploadCharacters long SSL Counter Enhancement Show ssl countersSSL Counter Enhancement Show ssl counters Software Version 159 BadSessionIdLenSession ID longer than 32 bytes Client Counters for the SSL client BadSessionIdLen Firewall Enhancements Firewall LicencingDisabling SIP ALG Call ID Translation Firewall Enhancements Set firewall sipalg New command Displaying SIP ALG Session DetailsFirewall Policy Rules Expansion Software Version 161 Reset firewall sipalg counter Displaying a Subset of Policy RulesSet firewall sipalg Show firewall policy Show firewall Show firewall policy Valid with the ip or summary commands Ip or callid commandsShow firewall sipalg CALLId Parameters in output of the show firewall sipalg command ServiceWithin the private network protected by the firewall Active SIP Sessions Router or switch. The router or switch only translates IP Firewall Enhancements Release NoteGbl IP Seen on the public side of the firewall Start up or reset Current sessions Audio sessions created Since start up or reset Past sessionsShow firewall sipalg counter Current SIP sessions Total number of SIP messages received that the SIP ALG Them Responding to IPsec Packets from an Unknown Tunnel Enhancements to IPsec/VPNSoftware Version 169 Modifying the Message Retransmission Delay Retrying Isakmp Phase 1 and 2 Negotiations VPN Tunnel Licencing New retryikeattempts parameterNew retryIkeAttemptsPh1 and retryIkeAttemptsPh2 New usePolIkeRetryGood and usePolIkeRetryFailed Create ipsec policy Software Version 173 Default incremental Msgtimeout valueCreate isakmp policy Msgbackoff parameter After the first 16 attempts, a five minute delay RETRYIKEattemptsAttempted over new Isakmp SAs Occurs between attempts Set ipsec policy Set isakmp policy Software Version 177 VPNs Maximum Current Peak Show ipsecParameter Meaning VPNs Show ipsec policy Software Version 179Respond Bad SPI Respond Bad SPI Show ipsec policy counter InBadSpiResponseInBadSpiResponse To true and packets processed by that policy have an Software Version 181 Show isakmp countersRetryIkeAttemptsPh1 RetryIkeAttemptsPh2 UsePolIkeRetryGood UsePolIkeRetryFailed Show isakmp exchange Software Version 183Message Back-off Incremental Same None Iskamp policy command Show isakmp policy Software Version 185 Show isakmp saMessage Back-off None Shdsl Line MIB Snmp MIBsSnmp MIBs Snmp request not processed due to excessive memory Logging Snmp operationUsage Traps on Ospf state changes Snmp Trap not sent due to excessive memory usage Traps on Mstp state and topology changes Trap on Vrrp topology changesSoftware Version 189 Restart Log Trap on Login FailuresVLAN-based port state changes Trap on Memory Levels Software Version 191Show buffer New Buffer level 0 field New parameters in output of the show buffer command Show bufferBuffer level 1500 Parameter Meaning Buffer level n CDP over WAN Interfaces Disable lldp cdp interface Disable lldp cdp ppptemplateEnable lldp cdp debug CDP over WAN Interfaces Enable lldp cdp interface Enable lldp cdp ppptemplateEnables debugging of PPP events Software Version 195 PPP Templates Enabled PPP Templates Disabled Show lldp cdpShow lldp cdp interface Ppp0 Ppp1 Permanent Assignments on AR400 Series Routers Software Version 197Page Introduction to Ethernet Protection Switching Ring Epsr Chapter Introduction to Ethernet Protection Switching Ring Epsr Epsr Instances and Domains Ethernet Protection Switching Ring Epsr Control VlanData Vlan Master Node Master Node Polling Fault Detection Fault Detection and RecoveryTransit Node Unsolicited Fault Detection Fault Recovery Procedure Restoring Normal Operation Configuring Epsr Epsr Single Domain, Single Ring Network Example script for a 4 node ring network # For Transit Nodes 1, 2 Single Ring, Dual Domain Network Example script for a Single Ring, Two Domain Network Node # Node 1 Master node for RingA Transit Node for RingB Example script for a Single Ring, Two Domain Network Nodes 2 # Node 3 Transit node for RingA Master Node for RingB Epsr and Spanning Tree Operation # For Transit Node Command Reference # For Transit Nodes 2 Add epsr datavlan Add epsr datavlan Ethernet Protection Switching Ring Epsr Create epsr Create epsr Only configured for the master node Seconds 32767s. Only configured for the master nodeDefault 1s FAilovertime Default 2s RIngflaptime Delete epsr datavlan Hyphen character -. The epsr-name cannot be ALLUnique name for the VLAN. This can be from 1 to Vlan-name cannot be a number or ALL Destroy epsr Destroy epsr Disable epsr Ethernet Protection Switching Ring Epsr Disable epsrEpsr instance to be disabled String, 1 to 15 characters long. Valid characters are Disable epsr debug Disable epsr debug Ethernet Protection Switching Ring Epsr Enable epsr Enable epsrEpsr instance to be enabled Enable epsr debug Enable epsr debugEpsr instance whose debugging is to be enabled OUTput Ethernet Protection Switching Ring Epsr Purge epsr Purge epsr Set epsr Set epsr Ethernet Protection Switching Ring Epsr Set epsr port Set epsr portEpsr to be set for the port VLANs within the ring domain Show epsr Show epsrEpsr instance whose details are displayed Ethernet Protection Switching Ring Epsr Show epsr Disabled. This parameter is only shown for a transit node Second PortShown for a transit node Second Port Status Ethernet Protection Switching Ring Epsr Show epsr counter Show epsr counterCOUnter Epsr instances Related Commands show epsr Show epsr debug Show epsr debug