Manuals / Allied Telesis / Computer Equipment / Network Router

Allied Telesis RAPIER I, X900-48FE, AT-8900, AT-8700XL Show isakmp policy, Iskamp policy command

Models: AT-9900 AT-8700XL AT-9800 AT-8600 RAPIER I AT-8800 AT-8900 X900-48FE

1 232

Download 232 pages 5.78 Kb

Page 184

184

Enhancements to IPsec/VPN

Release Note

show isakmp policy

Syntax SHow ISAkmp POLicy[=name]

Figure 61: Modified example output from the show isakmp policy command for a specific policy.

.
.
.
Message Time Out	20
Message Back-off	Incremental
Exchange Delete Delay	30
Source Interface	-
VPN Client Policy File Name	-
Local ID	-
Remote ID	IPv4:192.68.1.2
DebugFlag	00000000
Retry IKE Attempts	0
Current IKE Retries	0
Required IKE Retry Phase	No Phases
SA Specification
Encryption Algorithm	DES - 56 bit
Hash Algorithm	SHA
Group Description	1
DH Private Exponent Bits	767
Heartbeat Mode	NONE
Group Type	MODP
Expiry Seconds	86400
Expiry Kilobytes	1000
NAT Traversal	TRUE

Table 52: Modified parameters in output of the show isakmp policy command for specific policy

Parameter	Meaning

Message Back-off	The back-off pattern used when ISAKMP messages are
	retransmitted. Either the back-off time between message
	retransmissions gets larger (Incremental), or remains the
	same (None).

Retry IKE Attempts	The number of consecutive times that IKE attempts to
	complete an exchange if exchange failures are occurring,
	either a number from 0 to 16, or “continuous”. The value
	is set using the retryikeattempts parameter in the set
	iskamp policy command.

Current IKE Retries	The number of times that IKE has attempted to complete an
	exchange and has been unsuccessful. This counter is for
	consecutive attempts and is reset once an exchange is
	successful. If the exchange is never successfully completed,
	the number reached remains on this counter.

Required IKE Retry Phases	The phase or phases of IKE negotiation that have failed, and
	need to be repeated, one of “No Phases”, “Phase 1”,
	“Phase 2”, or “Phases 1 & 2”. “No Phases” indicates that
	there are no outstanding IKE negotiations.

Software Version 2.8.1 C613-10477-00 REV B

Image 184

Allied Telesis RAPIER I, X900-48FE, AT-8900, AT-8700XL, AT-9900, AT-8600, AT-9800 Show isakmp policy, Iskamp policy command

Contents

Software Version Release NoteRelease Note Software Version Introduction IntroductionProduct series Models Upgrading to Software Version Backwards Compatibility Issue when UpgradingProduct name Release file GUI resource file CLI help file Overview of New Features Overview of New FeaturesQuickly Software Version AR400 AR7x5 AR750S Rapier AT-8800 AT-8600 AT-9800 AT-8900 X900-48FE AT-9900AR400 AR7x5 AR750S Rapier AT-8800 Snmp MIBs Restart LogCommand Changes System EnhancementsClearing System Parameters Extended Monitoring of CPU UtilisationDisable cpu extended Enable cpu extendedReset cpu utilisation Activate cpu extendedCommand Reference Updates Disable cpu extendedEnable cpu extended Activate cpu extendedReset cpu utilisation Set system contactSet system location Set system nameExample output from the show cpu extended command Show cpuParameter Meaning Parts of a Command Command Line Interface CLI EnhancementsMore flexibility in Separating Parameters and Values Command Show command history Additional Shortcuts when EditingCreate config Command Line Interface CLI Enhancements Create configParameter Description Set command assignmentoperator Show command history Example output from the show command history commandFile System Enhancement Add fileCreate file File System EnhancementReset file permanentredirect File size Default 204 800 bytesShow file permanentredirect Software Version Parameter DescriptionExample output from the show file permanentredirect command File System Enhancement Release NoteSwitching Enhancements Ordering Hardware Filters in 48-Port SwitchesSwitching Enhancements CommandChangeSet switch hwfilter mode New command Show switch hwfilter New mode parameter in outputPortDisable Limiting Rapid MAC MovementCreate switch trunk Enable switch port vlanSet switch port Set switch thrashlimitSet switch hwrouteupdate Route Update Queue LengthNew command Securing a Single Vlan through Switch Filters Removing a Description from a Switch PortChanged description parameter Configuring vlansecure Change of Debug Command Syntax Ethernet Protection Switching Ring EpsrShow switch debug New DEV option in outputCreate switch trunk Disable switch debug Disable switch filter vlansecureDisable switch port vlan Debugging occurs on operations related to the switch chipEnable switch filter vlansecure Enable switch debugEnable switch port vlan Set lacp Set switch hwfilter mode Set switch hwrouteupdateSet switch port Set switch thrashlimit Set switch trunkExample output from the show lacp command Address learn thrash action ..... Learn DisableAddress learn thrash timeout ... second Show lacpShow switch Switching Enhancements Whether the debugging option for the router or switch is Show switch debugARL, DMA, DEV, PHY, or None Show switch filter Show switch hwfilterNew parameter in output of the show switch filter command VlanSecureShow switch port New parameters in output of the show switch port commandMeaning ModeThrashaction is set to none PPPoE Access Concentrator Add ppp acserviceSet ppp acservice Delete ppp acservicePPPoE Access Concentrator New parameter in output of the show ppp pppoe command Show ppp pppoeEth0 InterfaceDisable mstp port Enable mstp portDisable mstp port Enable mstp portSTP Enhancement Show stp portShow stp port New Port field in outputAsynchronous Port Enhancement Making Asynchronous Ports Respond More QuicklySet asyn Show asynSet asyn Show asynTen timer value 100 Ten timer valueAsynchronous Port Enhancement Release Note Which characters are bundledIgmp Proxy on x900 Series Switches Internet Group Management Protocol Igmp EnhancementsGroup Downstream interfaces have membersMulticast group Downstream interfaceIgmp filtering extended to all Igmp message types Add ip interfaceSet ip interface Set ip igmp interfaceInternet Group Management Protocol Igmp Enhancements Add igmp filterSet igmp filter Show igmp filterMonitoring reception of Igmp general query messages Add igmp filter MSGType=QUEryREPortLEAVeAdd ip interface Set igmp filterSet ip igmp interface Set ip interface Show igmp filter Leaves Is attached to RecdPassed Attached toUpstream General Query Reception Timeout .... None New parameters in the output of the show ip igmp commandShow ip igmp An Snmp trap are generatedExpanded IP Troubleshooting Internet Protocol IP EnhancementsExpanded number of Eth interfaces per physical interface IP Route Preference OptionsIPv4 Filter Expansion Assigning the Filter TypeEnhancements to Display of UDP Connections over IPv4 Waiting for a Response to an ARP RequestSet ip arpwaittimeout New Arp wait timeout fieldAdding Static ARP Entries with Multicast MAC Addresses Show ipEnable ip macdisparity Disable ip macdisparityNew IP/MAC address disparity parameter Add ip filter Syntax Traffic filterDisable ip macdisparity Reset ip counter Enable ip macdisparitySet ip arpwaittimeout Set ip filter Set ip route preferenceArp wait timeout Secs Modified parameters on output of the show ip commandWith multicast MAC addresses. One of Enabled or Show ipShow ip cache Internet Protocol IP Enhancements Release NoteShow ip counter When the entry is usedCount Number of times the entry was found Show ip filter Show ip udpUDP on the router or switch Time synchronisation using the Network Time ProtocolGeneration/reception of logs using the Secure Router Log Generation/reception of logs using the Net Manage protocolShow ipv6 udp New command IPv6 EnhancementsDisplay of UDP Connections over IPv6 IPv6 Tunnel ExpansionShow ipv6 udp L2TP Enhancements L2TP EnhancementsHandling PPP Link Negotiation Failures Resetting General L2TP CountersProxyauth=offon Disable l2tp debug Add l2tp ipEnable l2tp debug Reset l2tp counter Proxy Authentication Show l2tp ipShow l2tp tunnel DecodeShow l2tp tunnel call Syntax SHow L2TP TUNnel CALL=1..65535Ospf Interface Password Open Shortest Path First EnhancementsNssa Translator Role Add ospf interfaceSet ospf area Add ospf areaShow ospf area Redistributing External Routes Interaction with global Ospf parametersOspf backward compatibility Disable ospf debug Enable ospf debugAdd ospf redistribute Delete ospf redistributeAdd ospf area NSSAStability=1..3600 NSSATranslator=CANdidateALWaysAdd ospf interface Add ospf redistributeEnable ospf debug Disable ospf debugDelete ospf redistribute Set ospf BGPImport=ONOFFTrueFalseYESNOSet ospf area Set ospf interfaceSet ospf redistribute Role Show ospf areaStability Interval State Show ospf redistribute Software Version 101BGP Enhancements BGP Backoff Lower ThresholdUpper and Lower Thresholds BGP EnhancementsEnable and Disable Backoff BGP Peer and Peer Template EnhancementsDisplaying the Number of Routes from a Peer Displaying Routes Learned from a Specific BGP PeerDisplaying Information about Routes from a Peer Add bgp peer Software Version 105Disable bgp backoff Add bgp peertemplateEnable bgp backoff Set bgp backoffSoftware Version 107 BACkoffSet bgp peer Set bgp peertemplate Software Version 109Show bgp backoff BGP Enhancements Release NoteMem Upper Threshold Value 95% Mem Upper Notify Mem Lower Threshold Value 90% Mem Lower NotifyShow bgp route Show bgp peerRoutes learned MLD and MLD Snooping Enhancements MLD Packet FormatsIcmp type for MLDv2 Reports MLD and MLD Snooping EnhancementsMLD Snooping Group Membership Display Change of Maximum Query Response Interval forSoftware Version 113 Show mldsnooping More consistent outputEnable ipv6 mld interface Set ipv6 mldShow ipv6 mld Show mldsnoopingSoftware Version 115 V2 Draft CompatiblePrevious example output from the show mldsnooping command MLD and MLD Snooping EnhancementsRelease NoteExtension to Range of Classifier fields for x900 Switches Create classifierSet classifier Show classifierExtension to Range of Classifier fields for x900 Switches Create classifierSoftware Version 119 Set classifier Show classifier Software Version 121TCP Flags Icmp codeIcmp type Igmp type 0x17 V2LEAVEClassifier Rules 2222 MAC Address Aa-bb-cc-dd-ee-ff Type Vlan1234Format Protocol 1234567890 Layer 3 Byte Offset Value MaskIgmp Type Parameter option in brackets if availableTCP Flags One of URG, ACK, RST, SYN, or FINPort Groups QoS EnhancementsSoftware Version 125 Storm protection Set qos policy Create qos trafficclassSet qos trafficclass Show qos trafficclassAdd qos portgroup port Create qos policyDefault portdisable With the enable switch port commandProtection is enabled Create qos portgroupCreate qos trafficclass Storm protection is inactiveIs matching STORMTimeout With the enable switch port command, orEnable switch port vlan command STORMRatePOrt Port to delete from this port group Default no default Delete qos portgroup portDestroy qos portgroup Specific port that consistsSet qos policy Reset qos portgroup countersSoftware Version 133 Set qos portgroup Uses Kbps. If you specify Mbps or Gbps, the rateSet qos trafficclass Software Version 135 Parameter DescriptionWith the enable switch port or enable switch Is disabled by storm protectionShow qos policy QoS Enhancements Release Note Parameter DescriptionRate 1kbps Window 100ms Timeout None Show qos portPorts Assigned to Port Groups Assigned to 213-24 Storm Protection StatusQoS EnhancementsRelease Note Show qos portgroupPort Group Trunk Group None Parameters in output of the show qos portgroup command Show qos portgroup countersSoftware Version 139 Integer from 1 to140 Number of bytes that conforms with band with class Show qos trafficclassStorm Protection Configuring Secure Copy Configuring the ServerConfiguring the Client Secure Copy SCPConfiguring Users Use the show ssh session command to see current sessionsManaging Secure Copy Sessions Software Version 143Loading using Secure Copy Loading Files to the SwitchUploading using Secure Copy Uploading from the SwitchLoading Files from a Remote Machine Software Version 145Uploading Files from a Remote Machine LoadSet loader Show loaderDisable ssh debug Disable ssh serverDelete ssh session Software Version 147Enable ssh server Enable ssh debugWhether the SSH server supports SCP connections Load Software Version 149Default tftp Copy is the default method for loading and uploadingSet loader Set ssh client Software Version 151Set ssh server Show loader192.168.1.1 AliceSSH Server Enabled SCP Service Show sshSoftware Version 153 DebugReset loader command Show ssh counterShow ssh session Software Version 155Parameter Meaning WriteFileFailed FailureSecure Copy SCP Release Note Parameter Meaning Secure Shell SessionSoftware Version 157 UploadCharacters long SSL Counter Enhancement Show ssl countersSSL Counter Enhancement Show ssl countersSoftware Version 159 BadSessionIdLenSession ID longer than 32 bytes Client Counters for the SSL client BadSessionIdLenFirewall Enhancements Firewall LicencingDisabling SIP ALG Call ID Translation Firewall EnhancementsSet firewall sipalg New command Displaying SIP ALG Session DetailsFirewall Policy Rules Expansion Software Version 161Reset firewall sipalg counter Displaying a Subset of Policy RulesSet firewall sipalg Show firewall policyShow firewall Show firewall policyValid with the ip or summary commands Ip or callid commandsShow firewall sipalg CALLIdParameters in output of the show firewall sipalg command ServiceWithin the private network protected by the firewall Active SIP SessionsRouter or switch. The router or switch only translates IP Firewall Enhancements Release NoteGbl IP Seen on the public side of the firewallStart up or reset Current sessions Audio sessions created Since start up or reset Past sessionsShow firewall sipalg counter Current SIP sessionsTotal number of SIP messages received that the SIP ALG ThemResponding to IPsec Packets from an Unknown Tunnel Enhancements to IPsec/VPNSoftware Version 169 Modifying the Message Retransmission Delay Retrying Isakmp Phase 1 and 2 Negotiations VPN Tunnel Licencing New retryikeattempts parameterNew retryIkeAttemptsPh1 and retryIkeAttemptsPh2 New usePolIkeRetryGood and usePolIkeRetryFailedCreate ipsec policy Software Version 173Default incremental Msgtimeout valueCreate isakmp policy Msgbackoff parameterAfter the first 16 attempts, a five minute delay RETRYIKEattemptsAttempted over new Isakmp SAs Occurs between attemptsSet ipsec policy Set isakmp policy Software Version 177VPNs Maximum Current Peak Show ipsecParameter Meaning VPNs Show ipsec policy Software Version 179Respond Bad SPI Respond Bad SPIShow ipsec policy counter InBadSpiResponseInBadSpiResponse To true and packets processed by that policy have anSoftware Version 181 Show isakmp countersRetryIkeAttemptsPh1 RetryIkeAttemptsPh2 UsePolIkeRetryGood UsePolIkeRetryFailed Show isakmp exchange Software Version 183Message Back-off Incremental Same NoneIskamp policy command Show isakmp policySoftware Version 185 Show isakmp saMessage Back-off None Shdsl Line MIB Snmp MIBsSnmp MIBs Snmp request not processed due to excessive memory Logging Snmp operationUsage Traps on Ospf state changes Snmp Trap not sent due to excessive memory usageTraps on Mstp state and topology changes Trap on Vrrp topology changesSoftware Version 189 Restart Log Trap on Login FailuresVLAN-based port state changes Trap on Memory Levels Software Version 191Show buffer New Buffer level 0 fieldNew parameters in output of the show buffer command Show bufferBuffer level 1500 Parameter Meaning Buffer level nCDP over WAN Interfaces Disable lldp cdp interface Disable lldp cdp ppptemplateEnable lldp cdp debug CDP over WAN InterfacesEnable lldp cdp interface Enable lldp cdp ppptemplateEnables debugging of PPP events Software Version 195PPP Templates Enabled PPP Templates Disabled Show lldp cdpShow lldp cdp interface Ppp0 Ppp1Permanent Assignments on AR400 Series Routers Software Version 197Page Introduction to Ethernet Protection Switching Ring Epsr ChapterIntroduction to Ethernet Protection Switching Ring Epsr Epsr Instances and DomainsEthernet Protection Switching Ring Epsr Control VlanData Vlan Master NodeMaster Node Polling Fault Detection Fault Detection and RecoveryTransit Node Unsolicited Fault Detection Fault Recovery Procedure Restoring Normal Operation Configuring Epsr Epsr Single Domain, Single Ring NetworkExample script for a 4 node ring network # For Transit Nodes 1, 2Single Ring, Dual Domain Network Example script for a Single Ring, Two Domain Network Node # Node 1 Master node for RingA Transit Node for RingBExample script for a Single Ring, Two Domain Network Nodes 2 # Node 3 Transit node for RingA Master Node for RingB Epsr and Spanning Tree Operation # For Transit Node Command Reference # For Transit Nodes 2Add epsr datavlan Add epsr datavlanEthernet Protection Switching Ring Epsr Create epsr Create epsrOnly configured for the master node Seconds 32767s. Only configured for the master nodeDefault 1s FAilovertime Default 2s RIngflaptimeDelete epsr datavlan Hyphen character -. The epsr-name cannot be ALLUnique name for the VLAN. This can be from 1 to Vlan-name cannot be a number or ALLDestroy epsr Destroy epsrDisable epsr Ethernet Protection Switching Ring Epsr Disable epsrEpsr instance to be disabled String, 1 to 15 characters long. Valid characters areDisable epsr debug Disable epsr debugEthernet Protection Switching Ring Epsr Enable epsr Enable epsrEpsr instance to be enabled Enable epsr debug Enable epsr debugEpsr instance whose debugging is to be enabled OUTputEthernet Protection Switching Ring Epsr Purge epsr Purge epsrSet epsr Set epsrEthernet Protection Switching Ring Epsr Set epsr port Set epsr portEpsr to be set for the port VLANs within the ring domainShow epsr Show epsrEpsr instance whose details are displayed Ethernet Protection Switching Ring Epsr Show epsr Disabled. This parameter is only shown for a transit node Second PortShown for a transit node Second Port StatusEthernet Protection Switching Ring Epsr Show epsr counter Show epsr counterCOUnter Epsr instancesRelated Commands show epsr Show epsr debug Show epsr debug