Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis AT-8600, RAPIER I, X900-48FE, AT-8900 manual Create ipsec policy, Software Version 173

Models: AT-9900 AT-8700XL AT-9800 AT-8600 RAPIER I AT-8800 AT-8900 X900-48FE

1 232

Download 232 pages 5.78 Kb

Page 173

Software Version 2.8.1

173

Command Reference Updates

This section describes the changed portions of modified commands and output screens. For modified commands and output, the new parameters, options, and fields are shown in bold.

create ipsec policy

Syntax CREate IPSec POLicy=name INTerface=interface ACtion={DEnyIPsecPErmit} [IPVersion={46}] [BUNDlespecification=bundlespecification-id] [DFBit={SEtCOpyCLear}] [GROup={012}] [ICmptype={listNDALL}] [IPROUtetemplate=template-name] [ISAkmppolicy=isakmp-policy-name] [KEYmanagement={ISakmpMAnual}] [LADdress={ANyipv4add[-ipv4add] ipv6add[/prefix-length]ipv6add-ipv6add}] [LMAsk=ipv4add] [LNAme={ANysystem-name}] [LPort={ANyOPaqueport}] [PEERaddress={ipv4addipv6addANyDYnamic}] [POSition=1..100] [RADdress={ANYipv4add[-ipv4add] ipv6add[/prefix-length]ipv6add-ipv6add}] [RESPondbadspi={TrueFalse}] [RMAsk=ipv4add] [RNAme={ANysystem-name}] [RPort={ANyportOPaque}] [SASElectorfrompkt={ALLLADdressLPortNONERADdress RPortTRAnsportprotocol}] [SRCInterface=interface] [TRAnsportprotocol={ANyEGpESpGReICmpOPaqueOSpf RSvpTCpUDpprotocol}] [UDPHeartbeat={TrueFalse}] [UDPPort=port] [UDPTunnel={TrueFalse}] [USEPFSKey={TrueFalse}]

Parameter	Description

RESPondbadspi	Whether the router or switch sends a notification to the peer when
	an IPsec packet is received with an unknown SPI value. This
	establishes an ISAKMP SA to the sending peer. An initial contact
	notification message is then sent, which tells the peer to delete SAs
	associated with the router or switch.
	This command is only valid when the action parameter is set to
	ipsec, the keymanagement parameter is set to isakmp, and the
	peeraddress parameter is set to an IPv4 address. Messages will only
	be sent if the ISAKMP policy for this peer has the mode parameter
	set to main and the sendnotify parameter set to true.
	Default: false

	False	A notification is not sent.

	True	A notification is sent.

Software Version 2.8.1 C613-10477-00 REV B

Image 173

Allied Telesis AT-8600, RAPIER I, X900-48FE, AT-8900, AT-8700XL, AT-9900, AT-9800 Create ipsec policy, Software Version 173

Contents

Release Note Software VersionRelease Note Software Version Product series Models IntroductionIntroduction Product name Release file GUI resource file CLI help file Backwards Compatibility Issue when UpgradingUpgrading to Software Version Quickly Overview of New FeaturesOverview of New Features AT-8600 AT-9800 AT-8900 X900-48FE AT-9900 Software Version AR400 AR7x5 AR750S Rapier AT-8800Snmp MIBs Restart Log AR400 AR7x5 AR750S Rapier AT-8800System Enhancements Command ChangesClearing System Parameters Extended Monitoring of CPU UtilisationEnable cpu extended Disable cpu extendedReset cpu utilisation Activate cpu extendedDisable cpu extended Command Reference UpdatesEnable cpu extended Activate cpu extendedSet system contact Reset cpu utilisationSet system location Set system nameShow cpu Example output from the show cpu extended commandParameter Meaning More flexibility in Separating Parameters and Values Command Line Interface CLI EnhancementsParts of a Command Command Create config Additional Shortcuts when EditingShow command history Parameter Description Create configCommand Line Interface CLI Enhancements Set command assignmentoperator Example output from the show command history command Show command historyAdd file File System EnhancementFile System Enhancement Create fileFile size Default 204 800 bytes Reset file permanentredirectShow file permanentredirect Software Version Parameter DescriptionFile System Enhancement Release Note Example output from the show file permanentredirect commandOrdering Hardware Filters in 48-Port Switches Switching EnhancementsCommandChange Switching EnhancementsSet switch hwfilter mode New command Show switch hwfilter New mode parameter in outputLimiting Rapid MAC Movement PortDisableEnable switch port vlan Create switch trunkSet switch port Set switch thrashlimitNew command Route Update Queue LengthSet switch hwrouteupdate Changed description parameter Removing a Description from a Switch PortSecuring a Single Vlan through Switch Filters Configuring vlansecure Ethernet Protection Switching Ring Epsr Change of Debug Command SyntaxShow switch debug New DEV option in outputCreate switch trunk Disable switch filter vlansecure Disable switch debugDisable switch port vlan Debugging occurs on operations related to the switch chipEnable switch port vlan Enable switch debugEnable switch filter vlansecure Set lacp Set switch hwrouteupdate Set switch hwfilter modeSet switch port Set switch trunk Set switch thrashlimitAddress learn thrash action ..... Learn Disable Example output from the show lacp commandAddress learn thrash timeout ... second Show lacpShow switch Switching Enhancements ARL, DMA, DEV, PHY, or None Show switch debugWhether the debugging option for the router or switch is Show switch hwfilter Show switch filterNew parameter in output of the show switch filter command VlanSecureNew parameters in output of the show switch port command Show switch portMeaning ModeThrashaction is set to none Add ppp acservice PPPoE Access ConcentratorPPPoE Access Concentrator Delete ppp acserviceSet ppp acservice Show ppp pppoe New parameter in output of the show ppp pppoe commandEth0 InterfaceEnable mstp port Disable mstp portDisable mstp port Enable mstp portShow stp port STP EnhancementShow stp port New Port field in outputMaking Asynchronous Ports Respond More Quickly Asynchronous Port EnhancementSet asyn Show asynShow asyn Set asynTen timer value Ten timer value 100Asynchronous Port Enhancement Release Note Which characters are bundledInternet Group Management Protocol Igmp Enhancements Igmp Proxy on x900 Series SwitchesDownstream interfaces have members GroupMulticast group Downstream interfaceAdd ip interface Igmp filtering extended to all Igmp message typesSet ip interface Set ip igmp interfaceAdd igmp filter Internet Group Management Protocol Igmp EnhancementsSet igmp filter Show igmp filterMonitoring reception of Igmp general query messages MSGType=QUEryREPortLEAVe Add igmp filterSet igmp filter Add ip interfaceSet ip igmp interface Set ip interface Leaves Is attached to Recd Show igmp filterPassed Attached toNew parameters in the output of the show ip igmp command Upstream General Query Reception Timeout .... NoneShow ip igmp An Snmp trap are generatedInternet Protocol IP Enhancements Expanded IP TroubleshootingExpanded number of Eth interfaces per physical interface IP Route Preference OptionsAssigning the Filter Type IPv4 Filter ExpansionWaiting for a Response to an ARP Request Enhancements to Display of UDP Connections over IPv4New Arp wait timeout field Set ip arpwaittimeoutAdding Static ARP Entries with Multicast MAC Addresses Show ipNew IP/MAC address disparity parameter Disable ip macdisparityEnable ip macdisparity Syntax Traffic filter Add ip filterDisable ip macdisparity Set ip arpwaittimeout Enable ip macdisparityReset ip counter Set ip route preference Set ip filterModified parameters on output of the show ip command Arp wait timeout SecsWith multicast MAC addresses. One of Enabled or Show ipInternet Protocol IP Enhancements Release Note Show ip cacheCount Number of times the entry was found When the entry is usedShow ip counter Show ip udp Show ip filterTime synchronisation using the Network Time Protocol UDP on the router or switchGeneration/reception of logs using the Secure Router Log Generation/reception of logs using the Net Manage protocolIPv6 Enhancements Show ipv6 udp New commandDisplay of UDP Connections over IPv6 IPv6 Tunnel ExpansionShow ipv6 udp L2TP Enhancements L2TP EnhancementsProxyauth=offon Resetting General L2TP CountersHandling PPP Link Negotiation Failures Add l2tp ip Disable l2tp debugEnable l2tp debug Reset l2tp counter Show l2tp ip Proxy AuthenticationShow l2tp tunnel DecodeSyntax SHow L2TP TUNnel CALL=1..65535 Show l2tp tunnel callOpen Shortest Path First Enhancements Ospf Interface PasswordNssa Translator Role Add ospf interfaceShow ospf area Add ospf areaSet ospf area Interaction with global Ospf parameters Redistributing External RoutesOspf backward compatibility Enable ospf debug Disable ospf debugAdd ospf redistribute Delete ospf redistributeNSSAStability=1..3600 NSSATranslator=CANdidateALWays Add ospf areaAdd ospf redistribute Add ospf interfaceDelete ospf redistribute Disable ospf debugEnable ospf debug BGPImport=ONOFFTrueFalseYESNO Set ospfSet ospf interface Set ospf areaSet ospf redistribute Stability Interval State Show ospf areaRole Software Version 101 Show ospf redistributeBGP Backoff Lower Threshold BGP EnhancementsUpper and Lower Thresholds BGP EnhancementsBGP Peer and Peer Template Enhancements Enable and Disable BackoffDisplaying Information about Routes from a Peer Displaying Routes Learned from a Specific BGP PeerDisplaying the Number of Routes from a Peer Software Version 105 Add bgp peerAdd bgp peertemplate Disable bgp backoffSet bgp backoff Enable bgp backoffSoftware Version 107 BACkoffSet bgp peer Software Version 109 Set bgp peertemplateBGP Enhancements Release Note Show bgp backoffMem Upper Threshold Value 95% Mem Upper Notify Mem Lower Threshold Value 90% Mem Lower NotifyRoutes learned Show bgp peerShow bgp route MLD Packet Formats MLD and MLD Snooping EnhancementsIcmp type for MLDv2 Reports MLD and MLD Snooping EnhancementsChange of Maximum Query Response Interval for MLD Snooping Group Membership DisplaySoftware Version 113 Show mldsnooping More consistent outputSet ipv6 mld Enable ipv6 mld interfaceShow mldsnooping Show ipv6 mldSoftware Version 115 V2 Draft CompatibleMLD and MLD Snooping EnhancementsRelease Note Previous example output from the show mldsnooping commandCreate classifier Extension to Range of Classifier fields for x900 SwitchesSet classifier Show classifierCreate classifier Extension to Range of Classifier fields for x900 SwitchesSoftware Version 119 Set classifier Software Version 121 Show classifierIcmp code TCP FlagsIcmp type Igmp type 0x17 V2LEAVEVlan1234 Classifier Rules 2222 MAC Address Aa-bb-cc-dd-ee-ff TypeFormat Protocol 1234567890 Layer 3 Byte Offset Value MaskParameter option in brackets if available Igmp TypeTCP Flags One of URG, ACK, RST, SYN, or FINSoftware Version 125 QoS EnhancementsPort Groups Storm protection Create qos trafficclass Set qos policySet qos trafficclass Show qos trafficclassCreate qos policy Add qos portgroup portWith the enable switch port command Default portdisableCreate qos portgroup Protection is enabledCreate qos trafficclass Storm protection is inactiveWith the enable switch port command, or Is matching STORMTimeoutEnable switch port vlan command STORMRateDelete qos portgroup port POrt Port to delete from this port group Default no defaultDestroy qos portgroup Specific port that consistsSoftware Version 133 Reset qos portgroup countersSet qos policy Uses Kbps. If you specify Mbps or Gbps, the rate Set qos portgroupSoftware Version 135 Parameter Description Set qos trafficclassIs disabled by storm protection With the enable switch port or enable switchShow qos policy QoS Enhancements Release Note Parameter DescriptionShow qos port Rate 1kbps Window 100ms Timeout NonePorts Assigned to Port Groups Assigned to 213-24 Storm Protection StatusPort Group Trunk Group None Show qos portgroupQoS EnhancementsRelease Note Show qos portgroup counters Parameters in output of the show qos portgroup commandSoftware Version 139 Integer from 1 to140 Storm Protection Show qos trafficclassNumber of bytes that conforms with band with class Configuring the Server Configuring Secure CopyConfiguring the Client Secure Copy SCPUse the show ssh session command to see current sessions Configuring UsersManaging Secure Copy Sessions Software Version 143Loading Files to the Switch Loading using Secure CopyUploading from the Switch Uploading using Secure CopyLoading Files from a Remote Machine Software Version 145Load Uploading Files from a Remote MachineSet loader Show loaderDisable ssh server Disable ssh debugDelete ssh session Software Version 147Whether the SSH server supports SCP connections Enable ssh debugEnable ssh server Software Version 149 LoadSet loader Copy is the default method for loading and uploadingDefault tftp Software Version 151 Set ssh clientShow loader Set ssh server192.168.1.1 AliceShow ssh SSH Server Enabled SCP ServiceSoftware Version 153 DebugShow ssh counter Reset loader commandSoftware Version 155 Show ssh sessionParameter Meaning WriteFileFailed FailureParameter Meaning Secure Shell Session Secure Copy SCP Release NoteCharacters long UploadSoftware Version 157 Show ssl counters SSL Counter EnhancementSSL Counter Enhancement Show ssl countersBadSessionIdLen Software Version 159Session ID longer than 32 bytes Client Counters for the SSL client BadSessionIdLenFirewall Licencing Firewall EnhancementsDisabling SIP ALG Call ID Translation Firewall EnhancementsDisplaying SIP ALG Session Details Set firewall sipalg New commandFirewall Policy Rules Expansion Software Version 161Displaying a Subset of Policy Rules Reset firewall sipalg counterSet firewall sipalg Show firewall policyShow firewall policy Show firewallIp or callid commands Valid with the ip or summary commandsShow firewall sipalg CALLIdService Parameters in output of the show firewall sipalg commandWithin the private network protected by the firewall Active SIP SessionsFirewall Enhancements Release Note Router or switch. The router or switch only translates IPGbl IP Seen on the public side of the firewallSince start up or reset Past sessions Start up or reset Current sessions Audio sessions createdShow firewall sipalg counter Current SIP sessionsThem Total number of SIP messages received that the SIP ALGSoftware Version 169 Enhancements to IPsec/VPNResponding to IPsec Packets from an Unknown Tunnel Modifying the Message Retransmission Delay Retrying Isakmp Phase 1 and 2 Negotiations New retryikeattempts parameter VPN Tunnel LicencingNew retryIkeAttemptsPh1 and retryIkeAttemptsPh2 New usePolIkeRetryGood and usePolIkeRetryFailedSoftware Version 173 Create ipsec policyMsgtimeout value Default incrementalCreate isakmp policy Msgbackoff parameterRETRYIKEattempts After the first 16 attempts, a five minute delayAttempted over new Isakmp SAs Occurs between attemptsSet ipsec policy Software Version 177 Set isakmp policyParameter Meaning VPNs Show ipsecVPNs Maximum Current Peak Software Version 179 Show ipsec policyRespond Bad SPI Respond Bad SPIInBadSpiResponse Show ipsec policy counterInBadSpiResponse To true and packets processed by that policy have anRetryIkeAttemptsPh1 RetryIkeAttemptsPh2 Show isakmp countersSoftware Version 181 UsePolIkeRetryGood UsePolIkeRetryFailed Software Version 183 Show isakmp exchangeMessage Back-off Incremental Same NoneShow isakmp policy Iskamp policy commandMessage Back-off None Show isakmp saSoftware Version 185 Snmp MIBs Snmp MIBsShdsl Line MIB Usage Logging Snmp operationSnmp request not processed due to excessive memory Snmp Trap not sent due to excessive memory usage Traps on Ospf state changesSoftware Version 189 Trap on Vrrp topology changesTraps on Mstp state and topology changes VLAN-based port state changes Trap on Login FailuresRestart Log Software Version 191 Trap on Memory LevelsShow buffer New Buffer level 0 fieldShow buffer New parameters in output of the show buffer commandBuffer level 1500 Parameter Meaning Buffer level nCDP over WAN Interfaces Disable lldp cdp ppptemplate Disable lldp cdp interfaceEnable lldp cdp debug CDP over WAN InterfacesEnable lldp cdp ppptemplate Enable lldp cdp interfaceEnables debugging of PPP events Software Version 195Show lldp cdp PPP Templates Enabled PPP Templates DisabledShow lldp cdp interface Ppp0 Ppp1Software Version 197 Permanent Assignments on AR400 Series RoutersPage Chapter Introduction to Ethernet Protection Switching Ring EpsrEpsr Instances and Domains Introduction to Ethernet Protection Switching Ring EpsrControl Vlan Ethernet Protection Switching Ring EpsrData Vlan Master NodeTransit Node Unsolicited Fault Detection Fault Detection and RecoveryMaster Node Polling Fault Detection Fault Recovery Procedure Restoring Normal Operation Epsr Single Domain, Single Ring Network Configuring Epsr# For Transit Nodes 1, 2 Example script for a 4 node ring networkSingle Ring, Dual Domain Network # Node 1 Master node for RingA Transit Node for RingB Example script for a Single Ring, Two Domain Network NodeExample script for a Single Ring, Two Domain Network Nodes 2 # Node 3 Transit node for RingA Master Node for RingB Epsr and Spanning Tree Operation # For Transit Node # For Transit Nodes 2 Command ReferenceAdd epsr datavlan Add epsr datavlanCreate epsr Ethernet Protection Switching Ring Epsr Create epsrSeconds 32767s. Only configured for the master node Only configured for the master nodeDefault 1s FAilovertime Default 2s RIngflaptimeHyphen character -. The epsr-name cannot be ALL Delete epsr datavlanUnique name for the VLAN. This can be from 1 to Vlan-name cannot be a number or ALLDestroy epsr Destroy epsrEthernet Protection Switching Ring Epsr Disable epsr Disable epsrEpsr instance to be disabled String, 1 to 15 characters long. Valid characters areDisable epsr debug Disable epsr debugEpsr instance to be enabled Enable epsrEthernet Protection Switching Ring Epsr Enable epsr Enable epsr debug Enable epsr debugEpsr instance whose debugging is to be enabled OUTputPurge epsr Ethernet Protection Switching Ring Epsr Purge epsrSet epsr Set epsrSet epsr port Ethernet Protection Switching Ring Epsr Set epsr portEpsr to be set for the port VLANs within the ring domainEpsr instance whose details are displayed Show epsrShow epsr Ethernet Protection Switching Ring Epsr Show epsr Second Port Disabled. This parameter is only shown for a transit nodeShown for a transit node Second Port StatusShow epsr counter Ethernet Protection Switching Ring Epsr Show epsr counterCOUnter Epsr instancesRelated Commands show epsr Show epsr debug Show epsr debug