Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis RAPIER I, X900-48FE, AT-8900, AT-8700XL, AT-9900 manual Set ipsec policy, RESPondbadspi

Models: AT-9900 AT-8700XL AT-9800 AT-8600 RAPIER I AT-8800 AT-8900 X900-48FE

1 232

Download 232 pages 5.78 Kb

Page 176

176

Enhancements to IPsec/VPN

Release Note

set ipsec policy

Syntax SET IPSec POLIcy=name [ACtion={DEnyIPSecPErmit}] [BUNDlespecification=bundlespecification-id] [DFBit={SEtCOpyCLear}] [GROup={012}] [ICmptype={listNDall}] [IPROUtetemplate=template-name] [IPVersion={46}] [ISAkmppolicy=isakmp-policy-name] [LADdress={ANyipv4add[-ipv4add] ipv6add[/prefix-length]ipv6add-ipv6add}] [LMAsk=ipv4add] [LNAme={ANysystem-name}] [LPort={ANyOPaqueport}] [PEERaddress={ipv4addipv6addANyDYNAMIC}] [PKTDebuglength=1..1500] [POSition=1..100] [RADdress={ANyipv4add[-ipv4add] ipv6add[/prefix-length]ipv6add-ipv6add}] [RESPondbadspi={TrueFalse}] [RMASK=ipv4add] [RNAme={ANysystem-name}] [RPort={ANyportOPaque}] [SASElectorfrompkt={ALLLADdressLPortNONERADdress RPortTRAnsportprotocol}] [SRCInterface=interface] [TRAnsportprotocol={ANyEGpESpGReICmpOPaqueOSpf RSvpTCpUDpprotocol}] [UDPHeartbeat={TrueFalse}] [UDPPort=port] [UDPTunnel={TrueFalse}] [USEPFSKey={TrueFalse}]

Parameter	Description

RESPondbadspi	Whether the router or switch sends a notification to the peer when
	an IPsec packet is received with an unknown SPI value. This
	establishes an ISAKMP SA to the sending peer. An initial contact
	notification message is then sent, which tells the peer to delete SAs
	associated with the router or switch.
	This command is only valid when the action parameter is set to
	ipsec, the keymanagement parameter is set to isakmp, and the
	peeraddress parameter is set to an IPv4 address. Messages will only
	be sent if the ISAKMP policy for this peer has the mode parameter
	set to main and the sendnotify parameter set to true.
	Default: false

	False	A notification is not sent.

	True	A notification is sent.

Software Version 2.8.1 C613-10477-00 REV B

Image 176

Allied Telesis RAPIER I, X900-48FE, AT-8900, AT-8700XL, AT-9900, AT-8600, AT-9800, AT-8800 manual Set ipsec policy, RESPondbadspi

Contents

Software Version Release Note Release Note Software Version Product series Models IntroductionIntroduction Product name Release file GUI resource file CLI help file Backwards Compatibility Issue when UpgradingUpgrading to Software Version Quickly Overview of New FeaturesOverview of New Features Software Version AR400 AR7x5 AR750S Rapier AT-8800 AT-8600 AT-9800 AT-8900 X900-48FE AT-9900 AR400 AR7x5 AR750S Rapier AT-8800 Snmp MIBs Restart Log Command Changes System EnhancementsClearing System Parameters Extended Monitoring of CPU Utilisation Disable cpu extended Enable cpu extendedReset cpu utilisation Activate cpu extended Command Reference Updates Disable cpu extendedEnable cpu extended Activate cpu extended Reset cpu utilisation Set system contactSet system location Set system name Example output from the show cpu extended command Show cpu Parameter Meaning More flexibility in Separating Parameters and Values Command Line Interface CLI EnhancementsParts of a Command Command Create config Additional Shortcuts when EditingShow command history Parameter Description Create configCommand Line Interface CLI Enhancements Set command assignmentoperator Show command history Example output from the show command history command File System Enhancement Add file Create file File System Enhancement Reset file permanentredirect File size Default 204 800 bytesShow file permanentredirect Software Version Parameter Description Example output from the show file permanentredirect command File System Enhancement Release Note Switching Enhancements Ordering Hardware Filters in 48-Port Switches Switching Enhancements CommandChangeSet switch hwfilter mode New command Show switch hwfilter New mode parameter in output PortDisable Limiting Rapid MAC Movement Create switch trunk Enable switch port vlanSet switch port Set switch thrashlimit New command Route Update Queue LengthSet switch hwrouteupdate Changed description parameter Removing a Description from a Switch PortSecuring a Single Vlan through Switch Filters Configuring vlansecure Change of Debug Command Syntax Ethernet Protection Switching Ring EpsrShow switch debug New DEV option in output Create switch trunk Disable switch debug Disable switch filter vlansecureDisable switch port vlan Debugging occurs on operations related to the switch chip Enable switch port vlan Enable switch debugEnable switch filter vlansecure Set lacp Set switch hwfilter mode Set switch hwrouteupdate Set switch port Set switch thrashlimit Set switch trunk Example output from the show lacp command Address learn thrash action ..... Learn DisableAddress learn thrash timeout ... second Show lacp Show switch Switching Enhancements ARL, DMA, DEV, PHY, or None Show switch debugWhether the debugging option for the router or switch is Show switch filter Show switch hwfilterNew parameter in output of the show switch filter command VlanSecure Show switch port New parameters in output of the show switch port commandMeaning Mode Thrashaction is set to none PPPoE Access Concentrator Add ppp acservice PPPoE Access Concentrator Delete ppp acserviceSet ppp acservice New parameter in output of the show ppp pppoe command Show ppp pppoeEth0 Interface Disable mstp port Enable mstp portDisable mstp port Enable mstp port STP Enhancement Show stp portShow stp port New Port field in output Asynchronous Port Enhancement Making Asynchronous Ports Respond More QuicklySet asyn Show asyn Set asyn Show asyn Ten timer value 100 Ten timer valueAsynchronous Port Enhancement Release Note Which characters are bundled Igmp Proxy on x900 Series Switches Internet Group Management Protocol Igmp Enhancements Group Downstream interfaces have membersMulticast group Downstream interface Igmp filtering extended to all Igmp message types Add ip interfaceSet ip interface Set ip igmp interface Internet Group Management Protocol Igmp Enhancements Add igmp filterSet igmp filter Show igmp filter Monitoring reception of Igmp general query messages Add igmp filter MSGType=QUEryREPortLEAVe Add ip interface Set igmp filter Set ip igmp interface Set ip interface Show igmp filter Leaves Is attached to RecdPassed Attached to Upstream General Query Reception Timeout .... None New parameters in the output of the show ip igmp commandShow ip igmp An Snmp trap are generated Expanded IP Troubleshooting Internet Protocol IP EnhancementsExpanded number of Eth interfaces per physical interface IP Route Preference Options IPv4 Filter Expansion Assigning the Filter Type Enhancements to Display of UDP Connections over IPv4 Waiting for a Response to an ARP Request Set ip arpwaittimeout New Arp wait timeout fieldAdding Static ARP Entries with Multicast MAC Addresses Show ip New IP/MAC address disparity parameter Disable ip macdisparityEnable ip macdisparity Add ip filter Syntax Traffic filter Disable ip macdisparity Set ip arpwaittimeout Enable ip macdisparityReset ip counter Set ip filter Set ip route preference Arp wait timeout Secs Modified parameters on output of the show ip commandWith multicast MAC addresses. One of Enabled or Show ip Show ip cache Internet Protocol IP Enhancements Release Note Count Number of times the entry was found When the entry is usedShow ip counter Show ip filter Show ip udp UDP on the router or switch Time synchronisation using the Network Time ProtocolGeneration/reception of logs using the Secure Router Log Generation/reception of logs using the Net Manage protocol Show ipv6 udp New command IPv6 EnhancementsDisplay of UDP Connections over IPv6 IPv6 Tunnel Expansion Show ipv6 udp L2TP Enhancements L2TP Enhancements Proxyauth=offon Resetting General L2TP CountersHandling PPP Link Negotiation Failures Disable l2tp debug Add l2tp ip Enable l2tp debug Reset l2tp counter Proxy Authentication Show l2tp ipShow l2tp tunnel Decode Show l2tp tunnel call Syntax SHow L2TP TUNnel CALL=1..65535 Ospf Interface Password Open Shortest Path First EnhancementsNssa Translator Role Add ospf interface Show ospf area Add ospf areaSet ospf area Redistributing External Routes Interaction with global Ospf parameters Ospf backward compatibility Disable ospf debug Enable ospf debugAdd ospf redistribute Delete ospf redistribute Add ospf area NSSAStability=1..3600 NSSATranslator=CANdidateALWays Add ospf interface Add ospf redistribute Delete ospf redistribute Disable ospf debugEnable ospf debug Set ospf BGPImport=ONOFFTrueFalseYESNO Set ospf area Set ospf interface Set ospf redistribute Stability Interval State Show ospf areaRole Show ospf redistribute Software Version 101 BGP Enhancements BGP Backoff Lower ThresholdUpper and Lower Thresholds BGP Enhancements Enable and Disable Backoff BGP Peer and Peer Template Enhancements Displaying Information about Routes from a Peer Displaying Routes Learned from a Specific BGP PeerDisplaying the Number of Routes from a Peer Add bgp peer Software Version 105 Disable bgp backoff Add bgp peertemplate Enable bgp backoff Set bgp backoffSoftware Version 107 BACkoff Set bgp peer Set bgp peertemplate Software Version 109 Show bgp backoff BGP Enhancements Release NoteMem Upper Threshold Value 95% Mem Upper Notify Mem Lower Threshold Value 90% Mem Lower Notify Routes learned Show bgp peerShow bgp route MLD and MLD Snooping Enhancements MLD Packet FormatsIcmp type for MLDv2 Reports MLD and MLD Snooping Enhancements MLD Snooping Group Membership Display Change of Maximum Query Response Interval forSoftware Version 113 Show mldsnooping More consistent output Enable ipv6 mld interface Set ipv6 mld Show ipv6 mld Show mldsnoopingSoftware Version 115 V2 Draft Compatible Previous example output from the show mldsnooping command MLD and MLD Snooping EnhancementsRelease Note Extension to Range of Classifier fields for x900 Switches Create classifierSet classifier Show classifier Extension to Range of Classifier fields for x900 Switches Create classifier Software Version 119 Set classifier Show classifier Software Version 121 TCP Flags Icmp codeIcmp type Igmp type 0x17 V2LEAVE Classifier Rules 2222 MAC Address Aa-bb-cc-dd-ee-ff Type Vlan1234Format Protocol 1234567890 Layer 3 Byte Offset Value Mask Igmp Type Parameter option in brackets if availableTCP Flags One of URG, ACK, RST, SYN, or FIN Software Version 125 QoS EnhancementsPort Groups Storm protection Set qos policy Create qos trafficclassSet qos trafficclass Show qos trafficclass Add qos portgroup port Create qos policy Default portdisable With the enable switch port command Protection is enabled Create qos portgroupCreate qos trafficclass Storm protection is inactive Is matching STORMTimeout With the enable switch port command, orEnable switch port vlan command STORMRate POrt Port to delete from this port group Default no default Delete qos portgroup portDestroy qos portgroup Specific port that consists Software Version 133 Reset qos portgroup countersSet qos policy Set qos portgroup Uses Kbps. If you specify Mbps or Gbps, the rate Set qos trafficclass Software Version 135 Parameter Description With the enable switch port or enable switch Is disabled by storm protectionShow qos policy QoS Enhancements Release Note Parameter Description Rate 1kbps Window 100ms Timeout None Show qos portPorts Assigned to Port Groups Assigned to 213-24 Storm Protection Status Port Group Trunk Group None Show qos portgroupQoS EnhancementsRelease Note Parameters in output of the show qos portgroup command Show qos portgroup countersSoftware Version 139 Integer from 1 to 140 Storm Protection Show qos trafficclassNumber of bytes that conforms with band with class Configuring Secure Copy Configuring the ServerConfiguring the Client Secure Copy SCP Configuring Users Use the show ssh session command to see current sessionsManaging Secure Copy Sessions Software Version 143 Loading using Secure Copy Loading Files to the Switch Uploading using Secure Copy Uploading from the SwitchLoading Files from a Remote Machine Software Version 145 Uploading Files from a Remote Machine LoadSet loader Show loader Disable ssh debug Disable ssh serverDelete ssh session Software Version 147 Whether the SSH server supports SCP connections Enable ssh debugEnable ssh server Load Software Version 149 Set loader Copy is the default method for loading and uploadingDefault tftp Set ssh client Software Version 151 Set ssh server Show loader192.168.1.1 Alice SSH Server Enabled SCP Service Show sshSoftware Version 153 Debug Reset loader command Show ssh counter Show ssh session Software Version 155Parameter Meaning WriteFileFailed Failure Secure Copy SCP Release Note Parameter Meaning Secure Shell Session Characters long UploadSoftware Version 157 SSL Counter Enhancement Show ssl countersSSL Counter Enhancement Show ssl counters Software Version 159 BadSessionIdLenSession ID longer than 32 bytes Client Counters for the SSL client BadSessionIdLen Firewall Enhancements Firewall LicencingDisabling SIP ALG Call ID Translation Firewall Enhancements Set firewall sipalg New command Displaying SIP ALG Session DetailsFirewall Policy Rules Expansion Software Version 161 Reset firewall sipalg counter Displaying a Subset of Policy RulesSet firewall sipalg Show firewall policy Show firewall Show firewall policy Valid with the ip or summary commands Ip or callid commandsShow firewall sipalg CALLId Parameters in output of the show firewall sipalg command ServiceWithin the private network protected by the firewall Active SIP Sessions Router or switch. The router or switch only translates IP Firewall Enhancements Release NoteGbl IP Seen on the public side of the firewall Start up or reset Current sessions Audio sessions created Since start up or reset Past sessionsShow firewall sipalg counter Current SIP sessions Total number of SIP messages received that the SIP ALG Them Software Version 169 Enhancements to IPsec/VPNResponding to IPsec Packets from an Unknown Tunnel Modifying the Message Retransmission Delay Retrying Isakmp Phase 1 and 2 Negotiations VPN Tunnel Licencing New retryikeattempts parameterNew retryIkeAttemptsPh1 and retryIkeAttemptsPh2 New usePolIkeRetryGood and usePolIkeRetryFailed Create ipsec policy Software Version 173 Default incremental Msgtimeout valueCreate isakmp policy Msgbackoff parameter After the first 16 attempts, a five minute delay RETRYIKEattemptsAttempted over new Isakmp SAs Occurs between attempts Set ipsec policy Set isakmp policy Software Version 177 Parameter Meaning VPNs Show ipsecVPNs Maximum Current Peak Show ipsec policy Software Version 179Respond Bad SPI Respond Bad SPI Show ipsec policy counter InBadSpiResponseInBadSpiResponse To true and packets processed by that policy have an RetryIkeAttemptsPh1 RetryIkeAttemptsPh2 Show isakmp countersSoftware Version 181 UsePolIkeRetryGood UsePolIkeRetryFailed Show isakmp exchange Software Version 183Message Back-off Incremental Same None Iskamp policy command Show isakmp policy Message Back-off None Show isakmp saSoftware Version 185 Snmp MIBs Snmp MIBsShdsl Line MIB Usage Logging Snmp operationSnmp request not processed due to excessive memory Traps on Ospf state changes Snmp Trap not sent due to excessive memory usage Software Version 189 Trap on Vrrp topology changesTraps on Mstp state and topology changes VLAN-based port state changes Trap on Login FailuresRestart Log Trap on Memory Levels Software Version 191Show buffer New Buffer level 0 field New parameters in output of the show buffer command Show bufferBuffer level 1500 Parameter Meaning Buffer level n CDP over WAN Interfaces Disable lldp cdp interface Disable lldp cdp ppptemplateEnable lldp cdp debug CDP over WAN Interfaces Enable lldp cdp interface Enable lldp cdp ppptemplateEnables debugging of PPP events Software Version 195 PPP Templates Enabled PPP Templates Disabled Show lldp cdpShow lldp cdp interface Ppp0 Ppp1 Permanent Assignments on AR400 Series Routers Software Version 197Page Introduction to Ethernet Protection Switching Ring Epsr Chapter Introduction to Ethernet Protection Switching Ring Epsr Epsr Instances and Domains Ethernet Protection Switching Ring Epsr Control VlanData Vlan Master Node Transit Node Unsolicited Fault Detection Fault Detection and RecoveryMaster Node Polling Fault Detection Fault Recovery Procedure Restoring Normal Operation Configuring Epsr Epsr Single Domain, Single Ring Network Example script for a 4 node ring network # For Transit Nodes 1, 2 Single Ring, Dual Domain Network Example script for a Single Ring, Two Domain Network Node # Node 1 Master node for RingA Transit Node for RingB Example script for a Single Ring, Two Domain Network Nodes 2 # Node 3 Transit node for RingA Master Node for RingB Epsr and Spanning Tree Operation # For Transit Node Command Reference # For Transit Nodes 2 Add epsr datavlan Add epsr datavlan Ethernet Protection Switching Ring Epsr Create epsr Create epsr Only configured for the master node Seconds 32767s. Only configured for the master nodeDefault 1s FAilovertime Default 2s RIngflaptime Delete epsr datavlan Hyphen character -. The epsr-name cannot be ALLUnique name for the VLAN. This can be from 1 to Vlan-name cannot be a number or ALL Destroy epsr Destroy epsr Disable epsr Ethernet Protection Switching Ring Epsr Disable epsrEpsr instance to be disabled String, 1 to 15 characters long. Valid characters are Disable epsr debug Disable epsr debug Epsr instance to be enabled Enable epsrEthernet Protection Switching Ring Epsr Enable epsr Enable epsr debug Enable epsr debugEpsr instance whose debugging is to be enabled OUTput Ethernet Protection Switching Ring Epsr Purge epsr Purge epsr Set epsr Set epsr Ethernet Protection Switching Ring Epsr Set epsr port Set epsr portEpsr to be set for the port VLANs within the ring domain Epsr instance whose details are displayed Show epsrShow epsr Ethernet Protection Switching Ring Epsr Show epsr Disabled. This parameter is only shown for a transit node Second PortShown for a transit node Second Port Status Ethernet Protection Switching Ring Epsr Show epsr counter Show epsr counterCOUnter Epsr instances Related Commands show epsr Show epsr debug Show epsr debug