Cisco Systems 15310-CL, 15310-MA RADIUS Stand Alone Mode

15-7

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

78-18133-01

Chapter 15 Configuring Security for the ML-Series Card

RADIUS Stand Alone Mode

Configuring RADIUS Relay Mode

This feature is turned on with CTC or TL1. To enable RADIUS Relay Mode through CTC, go to the

card-level view of the ML-Series card, check the Enable RADIUS Relay box and click Apply. The user

must be logged in at the Superuser level to complete this task.

To enable it using TL1, refer to the Cisco ONS SONET TL1 Command Guide.

Caution Switching the ML-Series card into RADIUS relay mode erases any configuration in the Cisco IOS

configuration file related to AAA/RADIUS. The cleared AAA/RADIUS configuration is not restored to

the Cisco IOS configuration file when the ML-Series card is put back into stand alone mode.

Caution Do not use the Cisco IOS command copy running-config startup-config while the ML-Series card is in

relay mode. This command will save a Cisco IOS configuration file with RADIUS relay enabled. On a

reboot, the ML-Series card would come up in RADIUS relay mode, even when the Enable RADIUS

Relay box on the CTC is not checked. If this situation arises, the user should check the Enable RADIUS

Relay box and click Apply and then uncheck the Enable RADIUS Relay box and click Apply. Doing this

will set the ML-Series card in stand alone mode and clear RADIUS relay from the ML-Series card

configuration.

RADIUS Stand Alone Mode

In stand alone mode, RADIUS on the ML-Series card is configured with the Cisco IOS CLI in the same

general manner as RADIUS on a Cisco Catalyst switch.

This section describes how to enable and configure RADIUS in the stand a lone mode on the ML-Series

card. RADIUS in stand alone mode is facilitated through AAA and enabled through AAA commands.

Note For the remainder of the chapter, RADIUS refers to the Cisco IOS RADIUS available when the

ML-Series card is in stand alone mode. It does not refer to RADIUS relay mode.

Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS

Security Command Reference, Release 12.2.

These sections contain this configuration information:

• Understanding RADIUS, page 15-8

• RADIUS Stand Alone Mode, page 15-7

• Configuring RADIUS, page 15-8

• Displaying the RADIUS Configuration, page 15-20

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Revision History Document Objectives Audience Related Documentation Document Conventions iv v Page vii Page Obtaining Optical Networking Information Where to Find Safety and Warning Information Cisco Optical Networking Product Documentation CD-ROM Obtaining Documentation, Obtaining Support, and Security Guidelines Page 1 Overview of the ML-Series Card ML-Series Card Description ML-Series Feature List Page Key ML-Series Features Cisco IOS GFP-F Framing Link Aggregation (FEC and POS) RMON RPR SNMP TL1 CTC Operations on the ML-Series Card Displaying ML-Series POS Statistics in CTC Displaying ML-Series Ethernet Statistics in CTC Displaying ML-Series Ethernet Ports Provisioning Information on CTC Displaying ML-Series POS Ports Provisioning Information on CTC Displaying SONET Alarms Displaying J1 Path Trace Provisioning SONET Circuits Page Page Initial Configuration of the ML-Series Card Hardware Installation Cisco IOS on the ML-Series Card Opening a Cisco IOS Session Using CTC Telnetting to the Node IP Address and Slot Number Telnetting to a Management Port ML-Series IOS CLI Console Port RJ-11 to RJ-45 Console Cable Adapter Connecting a PC or Terminal to the Console Port Startup Configuration File Manually Creating a Startup Configuration File Through the Serial Console Port Passwords Configuring the Management Port Configuring the Hostname Loading a Cisco IOS Startup Configuration File Through CTC Database Restore of the Startup Configuration File Cisco IOS Command Modes Page Using the Command Modes Exit Getting Help Page Configuring Interfaces on the ML-Series Card General Interface Guidelines MAC Addresses Interface Port ID Basic Interface Configuration Basic Fast Ethernet and POS Interface Configuration Configuring the Fast Ethernet Interfaces Configuring the POS Interfaces Monitoring Operations on the Fast Ethernet Interfaces 4-7 Example 4-3 show controller Command Output 4-8 Example 4-4 show run interface Command Output Configuring POS on the ML-Series Card Understanding POS on the ML-Series Card Available Circuit Sizes and Combinations LCAS Support J1 Path Trace, and SONET Alarms Framing Mode, Encapsulation, Scrambling, MTU and CRC Support Configuring the POS Interface Configuring POS Interface Framing Mode Configuring POS Interface Encapsulation Type Under GFP-F Framing SONET Alarms Configuring SONET Alarms Configuring SONET Delay Triggers Monitoring and Verifying POS 5-9 Showing scrambling with the show interface pos [0 | 1] command (Example 5-2). Example 5-2 Showing Scrambling with the show interface pos [0 | 1] Command Page Configuring STP and RSTP on the ML-Series Card STP Features STP Overview Supported STP Instances Bridge Protocol Data Units Election of the Root Switch Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State Spanning-Tree Address Management STP and IEEE 802.1Q Trunks Spanning Tree and Redundant Connectivity Accelerated Aging to Retain Connectivity RSTP Features Supported RSTP Instances Port Roles and the Active Topology Rapid Convergence Synchronization of Port Roles Bridge Protocol Data Unit Format and Processing Processing Superior BPDU Information Processing Inferior BPDU Information Topology Changes Interoperability with IEEE 802.1D STP Configuring STP and RSTP Features Default STP and RSTP Configuration Disabling STP and RSTP Configuring the Root Switch Configuring the Port Priority Configuring the Path Cost Configuring the Switch Priority of a Bridge Group Configuring the Hello Time Configuring the Forwarding-Delay Time for a Bridge Group Configuring the Maximum-Aging Time for a Bridge Group Verifying and Monitoring STP and RSTP Status Page Page Configuring VLANs on the ML-Series Card Understanding VLANs Configuring IEEE 802.1Q VLAN Encapsulation IEEE 802.1Q VLAN Configuration 7-4 ML-Series ML-Series Router_A Router_B 7-5 Monitoring and Verifying VLAN Operation Example 7-2 Output for show vlans Command Page Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling on the ML-Series Card Understanding IEEE 802.1Q Tunneling Page Page Configuring IEEE 802.1Q Tunneling IEEE 802.1Q Tunneling and Compatibility with Other Features Configuring an IEEE 802.1Q Tunneling Port IEEE 802.1Q Example Understanding VLAN-Transparent and VLAN-Specific Services VLAN-Transparent and VLAN-Specific Services Configuration Example 8-8 Example 8-4 applies to ML-Series card B. Example 8-4 ML-Series Card B Configuration Example 8-5 applies to ML-Series card C. Example 8-5 ML-Series Card C Configuration Understanding Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Default Layer 2 Protocol Tunneling Configuration Layer 2 Protocol Tunneling Configuration Guidelines Configuring Layer 2 Tunneling on a Port Configuring Layer 2 Tunneling Per-VLAN Monitoring and Verifying Tunneling Status Configuring Link Aggregation on the ML-Series Understanding Link Aggregation Configuring Link Aggregation Configuring Fast EtherChannel EtherChannel Configuration Example Configuring POS Channel POS Channel Configuration Example Understanding Encapsulation over FEC or POS Channel Configuring Encapsulation over EtherChannel or POS Channel Encapsulation over EtherChannel Example 9-8 Example 9-6 ML_Series B Configuration Monitoring and Verifying EtherChannel and POS Load Balancing on the ML-Series cards Page Page Page Configuring IRB on the ML-Series Card Understanding Integrated Routing and Bridging Configuring IRB IRB Configuration Example 10-4 Example 10-1 Configuring ML_Series A Table 10-1 shows the privileged EXEC commands for monitoring and verifying IRB. Example 10-2 Configuring ML_Series B Monitoring and Verifying IRB Page Page Configuring Quality of Service on the ML-Series Understanding QoS Priority Mechanism in IP and Ethernet IP Precedence and Differentiated Services Code Point 11-3 Ethernet CoS ML-Series QoS Classification Policing Marking and Discarding with a Policer Queuing Scheduling Control Packets and L2 Tunneled Protocols Egress Priority Marking Ingress Priority Marking QinQ Implementation Flow Control Pause and QoS QoS on RPR Configuring QoS Creating a Traffic Class Creating a Traffic Policy Page Page Page Attaching a Traffic Policy to an Interface Configuring CoS-Based QoS Monitoring and Verifying QoS Configuration QoS Configuration Examples Traffic Classes Defined Example Traffic Policy Created Example class-map match-any and class-map match-all Commands Example match spr1 Interface Example 11-20 ML-Series VoIP Example Figure 11-7 ML-Series VoIP Example Example 11-9 ML-Series VoIP Commands ML-Series Policing Example ML-Series Router_A ML-Series CoS-Based QoS Example 11-22 Example 11-11 shows the code used to configure ML-Series Card A in Figure 11-9. Example 11-12 shows the code used to configure ML-Series Card B in Figure 11-9. Example 11-13 shows the code used to configure ML-Series Card C in Figure 11-9. Understanding Multicast QoS and Multicast Priority Queuing Default Multicast QoS Multicast Priority Queuing QoS Restrictions Configuring Multicast Priority Queuing QoS Page QoS not Configured on Egress ML-Series Egress Bandwidth Example Case 1: QoS with Priority and Bandwidth Configured Without Priority Multicast Case 2: QoS with Priority and Bandwidth Configured with Priority Multicast Understanding CoS-Based Packet Statistics Configuring CoS-Based Packet Statistics 11-30 Understanding IP SLA IP SLA on the ML-Series IP SLA Restrictions on the ML-Series Page Configuring the Switching Database Manager on the ML-Series Card Understanding the SDM Understanding SDM Regions Configuring SDM Configuring SDM Regions Configuring Access Control List Size in TCAM Monitoring and Verifying SDM Page Configuring Access Control Lists on the ML-Series Card Understanding ACLs ML-Series ACL Support IP ACLs Named IP ACLs User Guidelines Creating IP ACLs Creating Numbered Standard and Extended IP ACLs Creating Named Standard IP ACLs Creating Named Extended IP ACLs (Control Plane Only) Applying the ACL to an Interface Modifying ACL TCAM Size Page Configuring Resilient Packet Ring on the ML-Series Card Understanding RPR Role of SONET Circuits Packet Handling Operations Ring Wrapping RPR Framing Process 14-5 MAC Address and VLAN Support RPR QoS CTM and RPR Configuring RPR Connecting the ML-Series Cards with Point-to-Point STS Circuits Configuring CTC Circuits for RPR CTC Circuit Configuration Example for RPR Page Configuring RPR Characteristics and the SPR Interface on the ML-Series Card Page Assigning the ML-Series Card POS Ports to the SPR Interface Page Creating the Bridge Group and Assigning the Ethernet and SPR Interfaces 14-14 RPR Cisco IOS Configuration Example Example 14-1 SPR Station-ID 1 Configuration Example 14-2 SPR Station-ID 2 Configuration 14-15 Example 14-3 SPR Station-ID 3 Configuration Verifying Ethernet Connectivity Between RPR Ethernet Access Ports CRC Threshold Configuration and Detection 14-16 Monitoring and Verifying RPR Example 14-4 Example of show interface spr 1 Output Example 14-5 Example of show run interface spr 1 Output Add an ML-Series Card into an RPR Page Adding an ML-Series Card into an RPR To Page Delete an ML-Series Card from an RPR 14-22 To delete an ML-Series card from the RPR, you need to complete several general actions: to initiate the RPR wrap. deleted. Deleting an ML-Series Card from an RPR To Page Cisco Proprietary RPR KeepAlive Configuring Cisco Proprietary RPR KeepAlive Monitoring Cisco Propretary RPR KeepAlive Cisco Proprietary RPR Shortest Path Configuring Shortest Path and Topology Discovery Page Configuring Security for the ML-Series Card Understanding Security Disabling the Console Port on the ML-Series Card Secure Login on the ML-Series Card Secure Shell on the ML-Series Card Understanding SSH Configuring SSH Configuration Guidelines Setting Up the ML-Series Card to Run SSH Configuring the SSH Server Displaying the SSH Configuration and Status RADIUS on the ML-Series Card RADIUS Relay Mode Configuring RADIUS Relay Mode RADIUS Stand Alone Mode Understanding RADIUS Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring AAA Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring a nas-ip-address in the RADIUS Packet Configuring Settings for All RADIUS Servers Configuring the ML-Series Card to Use Vendor-Specific RADIUS Attributes Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication Displaying the RADIUS Configuration Configuring Bridging on the ML-Series Card Understanding Bridging Configuring Bridging 16-3 Figure 16-1 Bridging Example Displays classes of entries in the bridge forwarding database. interface-address Monitoring and Verifying Bridging pos 0pos 0 fast ethernet 0 ML_Series_A ML_Series_B Command Purpose Step 1 16-4 Command Purpose Example 16-3 shows examples of monitoring and verifying bridging. Example 16-3 Monitoring and Verifying Bridging Step 3 Step 4 CE-100T-8 Ethernet Operation CE-100T-8 Overview CE-100T-8 Ethernet Features Autonegotiation, Flow Control, and Frame Buffering Ethernet Link Integrity Support Enhanced State Model for Ethernet and SONET Ports IEEE 802.1Q CoS and IP ToS Queuing Page RMON and SNMP Support Statistics and Counters CE-100T-8 SONET Circuits and Features Available Circuit Sizes and Combinations Page CE-100T-8 STS/VT Allocation Tab CE-100T-8 VCAT Characteristics CE-100T-8 POS Encapsulation, Framing, and CRC CE-100T-8 Loopback, J1 Path Trace, and SONET Alarms Page A Command Reference for the ML-Series Card [no] clear counters [no] clock auto interface spr 1 [no] pos mode gfp [fcs-disabled] [no] pos pdi holdoff time [no] pos report alarm [non] pos trigger defects condition [no] pos trigger delay time [no] pos vcat defect {immediate | delayed} show controller pos interface-number [details] Page show interface pos interface-number A-15 show ons alarm Page show ons alarm defect {[eqpt | port [port-number] | sts [sts-number] | vcg [vcg-number] | vt]} A-18 Related Commands show controller pos show ons alarm failures show ons alarm failure {[eqpt | port [port-number] | sts [sts-number] | vcg [vcg-number] | vt]} Page spr-intf-id shared-packet-ring-number [no] spr load-balance { auto | port-based } spr station-id station-id-number spr wrap { immediate | delayed } B Unsupported CLI Commands for the ML-Series Unsupported Privileged Exec Commands Unsupported Global Configuration Commands Page Unsupported POS Interface Configuration Commands Unsupported FastEthernet Interface Configuration Commands Unsupported Port-Channel Interface Configuration Commands Unsupported BVI Interface Configuration Commands C Using Technical Support Gathering Information About Your Internetwork Getting the Data from Your ML-Series Card Providing Data to Your Technical Support Representative Page INDEX Numerics A B C Page D E F G H I J K L M N O P Q R S Page T U V W