Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis AT-8900, RAPIER I Show ipsec, VPNs Maximum Current Peak, Parameter Meaning VPNs

Models: AT-9900 AT-8700XL AT-9800 AT-8600 RAPIER I AT-8800 AT-8900 X900-48FE

1 232

Download 232 pages 5.78 Kb

Page 178

178	Enhancements to IPsec/VPN			Release Note

		Parameter	Description

		RETRYIKEattempts	The number of consecutive attempts ISAKMP makes to establish a
			connection. This parameter should only be used for permanent VPNs.
			If an ISAKMP exchange fails, then ISAKMP will attempt the key
			exchange again. If a phase 2 exchange fails, the exchange is
			attempted over new ISAKMP SAs.
			Default: 0

			0	No retry attempts occur.

			1..16	The specified number of retry attempts occur.

			CONTinuous	Retry attempts occur continuously until either the
				connection is established, or 24 hours has passed.
				After the first 16 attempts, a five minute delay
				occurs between attempts.

show ipsec

SHow IPSec

Figure 55: Example output from the show ipsec command

IPSEC Module Configuration
Module Status	ENABLED
IPsec over UDP
Status	OPEN
Listen Port	2746
VPNs
Maximum	1
Current	0
Peak	0

Table 46: New parameters in output of the show ipsec command

Parameter	Meaning

VPNs	Information about Virtual Private Network (VPN) tunnels.

Maximum	The maximum number of concurrent VPN tunnels permitted. Displays
	only if VPN tunnels on your router or switch are limited by licencing.
	You can increase this number with a special feature licence—contact
	your authorised distributor or reseller.

Current	The number of VPN tunnels currently active.

Peak	The highest number of VPN tunnels active at any one time since the
	router or switch started.

Software Version 2.8.1 C613-10477-00 REV B

Image 178

Allied Telesis AT-8900, RAPIER I, X900-48FE, AT-8700XL, AT-9900 Show ipsec, VPNs Maximum Current Peak, Parameter Meaning VPNs

Contents

Software Version Release NoteRelease Note Software Version Introduction IntroductionProduct series Models Upgrading to Software Version Backwards Compatibility Issue when UpgradingProduct name Release file GUI resource file CLI help file Overview of New Features Overview of New FeaturesQuickly Software Version AR400 AR7x5 AR750S Rapier AT-8800 AT-8600 AT-9800 AT-8900 X900-48FE AT-9900AR400 AR7x5 AR750S Rapier AT-8800 Snmp MIBs Restart LogClearing System Parameters Command ChangesSystem Enhancements Extended Monitoring of CPU UtilisationReset cpu utilisation Disable cpu extendedEnable cpu extended Activate cpu extendedEnable cpu extended Command Reference UpdatesDisable cpu extended Activate cpu extendedSet system location Reset cpu utilisationSet system contact Set system nameExample output from the show cpu extended command Show cpuParameter Meaning Parts of a Command Command Line Interface CLI EnhancementsMore flexibility in Separating Parameters and Values Command Show command history Additional Shortcuts when EditingCreate config Command Line Interface CLI Enhancements Create configParameter Description Set command assignmentoperator Show command history Example output from the show command history commandFile System Enhancement Add fileCreate file File System EnhancementShow file permanentredirect Reset file permanentredirectFile size Default 204 800 bytes Software Version Parameter DescriptionExample output from the show file permanentredirect command File System Enhancement Release NoteSwitching Enhancements Ordering Hardware Filters in 48-Port SwitchesSet switch hwfilter mode New command Switching EnhancementsCommandChange Show switch hwfilter New mode parameter in outputPortDisable Limiting Rapid MAC MovementSet switch port Create switch trunkEnable switch port vlan Set switch thrashlimitSet switch hwrouteupdate Route Update Queue LengthNew command Securing a Single Vlan through Switch Filters Removing a Description from a Switch PortChanged description parameter Configuring vlansecure Show switch debug Change of Debug Command SyntaxEthernet Protection Switching Ring Epsr New DEV option in outputCreate switch trunk Disable switch port vlan Disable switch debugDisable switch filter vlansecure Debugging occurs on operations related to the switch chipEnable switch filter vlansecure Enable switch debugEnable switch port vlan Set lacp Set switch hwfilter mode Set switch hwrouteupdateSet switch port Set switch thrashlimit Set switch trunkAddress learn thrash timeout ... second Example output from the show lacp commandAddress learn thrash action ..... Learn Disable Show lacpShow switch Switching Enhancements Whether the debugging option for the router or switch is Show switch debugARL, DMA, DEV, PHY, or None New parameter in output of the show switch filter command Show switch filterShow switch hwfilter VlanSecureMeaning Show switch portNew parameters in output of the show switch port command ModeThrashaction is set to none PPPoE Access Concentrator Add ppp acserviceSet ppp acservice Delete ppp acservicePPPoE Access Concentrator Eth0 New parameter in output of the show ppp pppoe commandShow ppp pppoe InterfaceDisable mstp port Disable mstp portEnable mstp port Enable mstp portShow stp port STP EnhancementShow stp port New Port field in outputSet asyn Asynchronous Port EnhancementMaking Asynchronous Ports Respond More Quickly Show asynSet asyn Show asynAsynchronous Port Enhancement Release Note Ten timer value 100Ten timer value Which characters are bundledIgmp Proxy on x900 Series Switches Internet Group Management Protocol Igmp EnhancementsMulticast group GroupDownstream interfaces have members Downstream interfaceSet ip interface Igmp filtering extended to all Igmp message typesAdd ip interface Set ip igmp interfaceSet igmp filter Internet Group Management Protocol Igmp EnhancementsAdd igmp filter Show igmp filterMonitoring reception of Igmp general query messages Add igmp filter MSGType=QUEryREPortLEAVeAdd ip interface Set igmp filterSet ip igmp interface Set ip interface Passed Show igmp filterLeaves Is attached to Recd Attached toShow ip igmp Upstream General Query Reception Timeout .... NoneNew parameters in the output of the show ip igmp command An Snmp trap are generatedExpanded number of Eth interfaces per physical interface Expanded IP TroubleshootingInternet Protocol IP Enhancements IP Route Preference OptionsIPv4 Filter Expansion Assigning the Filter TypeEnhancements to Display of UDP Connections over IPv4 Waiting for a Response to an ARP RequestAdding Static ARP Entries with Multicast MAC Addresses Set ip arpwaittimeoutNew Arp wait timeout field Show ipEnable ip macdisparity Disable ip macdisparityNew IP/MAC address disparity parameter Add ip filter Syntax Traffic filterDisable ip macdisparity Reset ip counter Enable ip macdisparitySet ip arpwaittimeout Set ip filter Set ip route preferenceWith multicast MAC addresses. One of Enabled or Arp wait timeout SecsModified parameters on output of the show ip command Show ipShow ip cache Internet Protocol IP Enhancements Release NoteShow ip counter When the entry is usedCount Number of times the entry was found Show ip filter Show ip udpGeneration/reception of logs using the Secure Router Log UDP on the router or switchTime synchronisation using the Network Time Protocol Generation/reception of logs using the Net Manage protocolDisplay of UDP Connections over IPv6 Show ipv6 udp New commandIPv6 Enhancements IPv6 Tunnel ExpansionShow ipv6 udp L2TP Enhancements L2TP EnhancementsHandling PPP Link Negotiation Failures Resetting General L2TP CountersProxyauth=offon Disable l2tp debug Add l2tp ipEnable l2tp debug Reset l2tp counter Show l2tp tunnel Proxy AuthenticationShow l2tp ip DecodeShow l2tp tunnel call Syntax SHow L2TP TUNnel CALL=1..65535Nssa Translator Role Ospf Interface PasswordOpen Shortest Path First Enhancements Add ospf interfaceSet ospf area Add ospf areaShow ospf area Redistributing External Routes Interaction with global Ospf parametersOspf backward compatibility Add ospf redistribute Disable ospf debugEnable ospf debug Delete ospf redistributeAdd ospf area NSSAStability=1..3600 NSSATranslator=CANdidateALWaysAdd ospf interface Add ospf redistributeEnable ospf debug Disable ospf debugDelete ospf redistribute Set ospf BGPImport=ONOFFTrueFalseYESNOSet ospf area Set ospf interfaceSet ospf redistribute Role Show ospf areaStability Interval State Show ospf redistribute Software Version 101Upper and Lower Thresholds BGP EnhancementsBGP Backoff Lower Threshold BGP EnhancementsEnable and Disable Backoff BGP Peer and Peer Template EnhancementsDisplaying the Number of Routes from a Peer Displaying Routes Learned from a Specific BGP PeerDisplaying Information about Routes from a Peer Add bgp peer Software Version 105Disable bgp backoff Add bgp peertemplateSoftware Version 107 Enable bgp backoffSet bgp backoff BACkoffSet bgp peer Set bgp peertemplate Software Version 109Mem Upper Threshold Value 95% Mem Upper Notify Show bgp backoffBGP Enhancements Release Note Mem Lower Threshold Value 90% Mem Lower NotifyShow bgp route Show bgp peerRoutes learned Icmp type for MLDv2 Reports MLD and MLD Snooping EnhancementsMLD Packet Formats MLD and MLD Snooping EnhancementsSoftware Version 113 MLD Snooping Group Membership DisplayChange of Maximum Query Response Interval for Show mldsnooping More consistent outputEnable ipv6 mld interface Set ipv6 mldSoftware Version 115 Show ipv6 mldShow mldsnooping V2 Draft CompatiblePrevious example output from the show mldsnooping command MLD and MLD Snooping EnhancementsRelease NoteSet classifier Extension to Range of Classifier fields for x900 SwitchesCreate classifier Show classifierExtension to Range of Classifier fields for x900 Switches Create classifierSoftware Version 119 Set classifier Show classifier Software Version 121Icmp type TCP FlagsIcmp code Igmp type 0x17 V2LEAVEFormat Classifier Rules 2222 MAC Address Aa-bb-cc-dd-ee-ff TypeVlan1234 Protocol 1234567890 Layer 3 Byte Offset Value MaskTCP Flags Igmp TypeParameter option in brackets if available One of URG, ACK, RST, SYN, or FINPort Groups QoS EnhancementsSoftware Version 125 Storm protection Set qos trafficclass Set qos policyCreate qos trafficclass Show qos trafficclassAdd qos portgroup port Create qos policyDefault portdisable With the enable switch port commandCreate qos trafficclass Protection is enabledCreate qos portgroup Storm protection is inactiveEnable switch port vlan command Is matching STORMTimeoutWith the enable switch port command, or STORMRateDestroy qos portgroup POrt Port to delete from this port group Default no defaultDelete qos portgroup port Specific port that consistsSet qos policy Reset qos portgroup countersSoftware Version 133 Set qos portgroup Uses Kbps. If you specify Mbps or Gbps, the rateSet qos trafficclass Software Version 135 Parameter DescriptionShow qos policy With the enable switch port or enable switchIs disabled by storm protection QoS Enhancements Release Note Parameter DescriptionPorts Assigned to Port Groups Assigned to 213-24 Rate 1kbps Window 100ms Timeout NoneShow qos port Storm Protection StatusQoS EnhancementsRelease Note Show qos portgroupPort Group Trunk Group None Software Version 139 Parameters in output of the show qos portgroup commandShow qos portgroup counters Integer from 1 to140 Number of bytes that conforms with band with class Show qos trafficclassStorm Protection Configuring the Client Configuring Secure CopyConfiguring the Server Secure Copy SCPManaging Secure Copy Sessions Configuring UsersUse the show ssh session command to see current sessions Software Version 143Loading using Secure Copy Loading Files to the SwitchLoading Files from a Remote Machine Uploading using Secure CopyUploading from the Switch Software Version 145Set loader Uploading Files from a Remote MachineLoad Show loaderDelete ssh session Disable ssh debugDisable ssh server Software Version 147Enable ssh server Enable ssh debugWhether the SSH server supports SCP connections Load Software Version 149Default tftp Copy is the default method for loading and uploadingSet loader Set ssh client Software Version 151192.168.1.1 Set ssh serverShow loader AliceSoftware Version 153 SSH Server Enabled SCP ServiceShow ssh DebugReset loader command Show ssh counterParameter Meaning WriteFileFailed Show ssh sessionSoftware Version 155 FailureSecure Copy SCP Release Note Parameter Meaning Secure Shell SessionSoftware Version 157 UploadCharacters long SSL Counter Enhancement SSL Counter EnhancementShow ssl counters Show ssl countersSession ID longer than 32 bytes Software Version 159BadSessionIdLen Client Counters for the SSL client BadSessionIdLenDisabling SIP ALG Call ID Translation Firewall EnhancementsFirewall Licencing Firewall EnhancementsFirewall Policy Rules Expansion Set firewall sipalg New commandDisplaying SIP ALG Session Details Software Version 161Set firewall sipalg Reset firewall sipalg counterDisplaying a Subset of Policy Rules Show firewall policyShow firewall Show firewall policyShow firewall sipalg Valid with the ip or summary commandsIp or callid commands CALLIdWithin the private network protected by the firewall Parameters in output of the show firewall sipalg commandService Active SIP SessionsGbl IP Router or switch. The router or switch only translates IPFirewall Enhancements Release Note Seen on the public side of the firewallShow firewall sipalg counter Start up or reset Current sessions Audio sessions createdSince start up or reset Past sessions Current SIP sessionsTotal number of SIP messages received that the SIP ALG ThemResponding to IPsec Packets from an Unknown Tunnel Enhancements to IPsec/VPNSoftware Version 169 Modifying the Message Retransmission Delay Retrying Isakmp Phase 1 and 2 Negotiations New retryIkeAttemptsPh1 and retryIkeAttemptsPh2 VPN Tunnel LicencingNew retryikeattempts parameter New usePolIkeRetryGood and usePolIkeRetryFailedCreate ipsec policy Software Version 173Create isakmp policy Default incrementalMsgtimeout value Msgbackoff parameterAttempted over new Isakmp SAs After the first 16 attempts, a five minute delayRETRYIKEattempts Occurs between attemptsSet ipsec policy Set isakmp policy Software Version 177VPNs Maximum Current Peak Show ipsecParameter Meaning VPNs Respond Bad SPI Show ipsec policySoftware Version 179 Respond Bad SPIInBadSpiResponse Show ipsec policy counterInBadSpiResponse To true and packets processed by that policy have anSoftware Version 181 Show isakmp countersRetryIkeAttemptsPh1 RetryIkeAttemptsPh2 UsePolIkeRetryGood UsePolIkeRetryFailed Message Back-off Incremental Show isakmp exchangeSoftware Version 183 Same NoneIskamp policy command Show isakmp policySoftware Version 185 Show isakmp saMessage Back-off None Shdsl Line MIB Snmp MIBsSnmp MIBs Snmp request not processed due to excessive memory Logging Snmp operationUsage Traps on Ospf state changes Snmp Trap not sent due to excessive memory usageTraps on Mstp state and topology changes Trap on Vrrp topology changesSoftware Version 189 Restart Log Trap on Login FailuresVLAN-based port state changes Show buffer Trap on Memory LevelsSoftware Version 191 New Buffer level 0 fieldBuffer level 1500 New parameters in output of the show buffer commandShow buffer Parameter Meaning Buffer level nCDP over WAN Interfaces Enable lldp cdp debug Disable lldp cdp interfaceDisable lldp cdp ppptemplate CDP over WAN InterfacesEnables debugging of PPP events Enable lldp cdp interfaceEnable lldp cdp ppptemplate Software Version 195Show lldp cdp interface PPP Templates Enabled PPP Templates DisabledShow lldp cdp Ppp0 Ppp1Permanent Assignments on AR400 Series Routers Software Version 197Page Introduction to Ethernet Protection Switching Ring Epsr ChapterIntroduction to Ethernet Protection Switching Ring Epsr Epsr Instances and DomainsData Vlan Ethernet Protection Switching Ring EpsrControl Vlan Master NodeMaster Node Polling Fault Detection Fault Detection and RecoveryTransit Node Unsolicited Fault Detection Fault Recovery Procedure Restoring Normal Operation Configuring Epsr Epsr Single Domain, Single Ring NetworkExample script for a 4 node ring network # For Transit Nodes 1, 2Single Ring, Dual Domain Network Example script for a Single Ring, Two Domain Network Node # Node 1 Master node for RingA Transit Node for RingBExample script for a Single Ring, Two Domain Network Nodes 2 # Node 3 Transit node for RingA Master Node for RingB Epsr and Spanning Tree Operation # For Transit Node Command Reference # For Transit Nodes 2Add epsr datavlan Add epsr datavlanEthernet Protection Switching Ring Epsr Create epsr Create epsrDefault 1s FAilovertime Only configured for the master nodeSeconds 32767s. Only configured for the master node Default 2s RIngflaptimeUnique name for the VLAN. This can be from 1 to Delete epsr datavlanHyphen character -. The epsr-name cannot be ALL Vlan-name cannot be a number or ALLDestroy epsr Destroy epsrEpsr instance to be disabled Disable epsrEthernet Protection Switching Ring Epsr Disable epsr String, 1 to 15 characters long. Valid characters areDisable epsr debug Disable epsr debugEthernet Protection Switching Ring Epsr Enable epsr Enable epsrEpsr instance to be enabled Epsr instance whose debugging is to be enabled Enable epsr debugEnable epsr debug OUTputEthernet Protection Switching Ring Epsr Purge epsr Purge epsrSet epsr Set epsrEpsr to be set for the port Ethernet Protection Switching Ring Epsr Set epsr portSet epsr port VLANs within the ring domainShow epsr Show epsrEpsr instance whose details are displayed Ethernet Protection Switching Ring Epsr Show epsr Shown for a transit node Disabled. This parameter is only shown for a transit nodeSecond Port Second Port StatusCOUnter Ethernet Protection Switching Ring Epsr Show epsr counterShow epsr counter Epsr instancesRelated Commands show epsr Show epsr debug Show epsr debug