SCE Software Configuration Guide

Cisco Service Center Release	Part Number	Publication Date
Release 3.0.5	OL-7827-05	November, 2006

Cisco Service Center Release	Part Number	Publication Date
Release 3.0.3	OL-7827-04	May, 2006

Cisco Service Center Release	Part Number	Publication Date
Release 3.0	OL-7827-03	December, 2005

Cisco Service Center Release	Part Number	Publication Date
Release 2.5.7	OL-7827-02	May, 2005

Chapter	Title	Description
Chapter 1	Overview	Overview of SCE platform management.
Chapter 2	Command Line Interface	Detailed explanation of how to use the Cisco SCE Command-line Interface.
Chapter 3	Operations	Explanation of how to manage configurations, install applications and upgrade the system software.
Chapter 4	Utilities	Explanation of the setup wizard and the user log, as well as of file operations.
Chapter 5	Configuring the Management Interface and Security	Explanation of how to configure the various management options: Telnet, SSH, and SNMP. Also how to configure the system time,Domain Name Settings, management IP address, and passwords.
Chapter 6	Configuring the Line Interface	Explanation of how to configure tunneling, TOS marking, and traffic rules.
Chapter 7	Configuring the Connection	Explanation of how to configure the connection mode, link mode, and failure behaviors.
Chapter 8	Configuring the RDR Formatter	Explanation of how to configure the RDR Formatter so that RDRs are sent to the proper destinations.
Chapter 9	Managing Subscribers	Explanation of how to import and export subscriber information and how to monitor subscribers.
Chapter 10	Redundancy and Fail-Over	Explanation of how to configure and manage a redundant system. This chapter applies only to the SCE 2000 platform.
Chapter 11	Identifying And Preventing Distributed-Denial-Of-Service Attacks	Explanation of how to configure attack filtering.
Chapter 12	Value Added Services (VAS) Traffic Forwarding	Explanation of Value Added Services (VAS) and how to configure VAS traffic forwarding.
Chapter 13	MPLS/VPN Support	Explanation of MPLS/VPN support, and how to configure and monitor MPLS/VPN subscribers and support.
Chapter 14	Managing the SCMP	Explanation of Service Control Management Protocol (SCMP), which is a protocol that integrates the SCE platform and the ISG (Intelligent Service Gateway) functionality of the Cisco routers. It also explains how to configure and manage SCMP, SCMP peer devices and the RADIUS client.
Appendix A	Monitoring SCE Platform Utilization	Explanation of how to monitor SCE platforms that are installed in real traffic.
Appendix B	Proprietary MIB Reference	Definition of the proprietary Service Control Enterprise MIB.

Convention	Description
boldface font	Commands and keywords are in boldface.
italic font	Arguments for which you supply values are in italics.
[ ]	Elements in square brackets are optional.
{x \| y \| z}	Alternative keywords are grouped in braces and separated by vertical bars.
[x \| y \| z]	Optional alternative keywords are grouped in brackets and separated by vertical bars.
string	A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
`screen` font	Terminal sessions and information that the system displays are in `screen` font.
`boldface screen` font	Information you must enter is in `boldface screen` font.
`italic screen` font	Arguments for which you supply values are in `italic screen` font.
< >	Nonprinting characters, such as passwords, are in angle brackets.
[ ]	Default responses to system prompts are in square brackets.
!, #	An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Command	Purpose
abbreviated-command-entry?	Obtain a list of commands that begin with a particular character string. (Do not leave a space between the command and question mark.)
abbreviated-command-entry<Tab>	Complete a partial command name.
?	List all commands available for a particular command mode.
command ?	List the keywords associated with the specified command. Leave a space between the command and question mark.
command keyword ?	List the arguments associated with the specified keyword. Leave a space between the keyword and question mark.

Mode	Description	Level	Prompt indication
User Exec	Initial mode with very limited functionality.	User	SCE>
Viewer	Monitoring (show commands).	Viewer	SCE>
Privileged Exec	General administration; file system manipulations and control of basic parameters that do not change the configuration of the SCE platform.	Admin	SCE#
Global Configuration	Configuration of general system parameters, such as DNS, host name, and time zone.	Admin	SCE`(config)#`
Management Interface Configuration	Configuration of management interface parameters, such as the Ethernet interface properties and selection of the active port.	Admin	SCE`(config if)#`
Interface Configuration	Configuration of specific system interface parameters, such as the Line Card, and the Ethernet interfaces.	Admin	SCE`(config if)#`
Line Configuration	Configuration of Telnet lines, such as an access-list.	Admin	SCE`(config-line)#`

Level	Description	Value	Prompt
User	Password required. This level enables basic operational functionality.	0	>
Viewer	Password required. This level enables monitoring functionality. All show commands are available to the Viewer authorization level, with the exception of those that display password information.	5	>
Admin	Password required. For use by general administrators, the Admin authorization level enables configuration and management of the SCE platform.	10	#
Root	Password required. For use by technical field engineers, the Root authorization level enables configuration of all advanced settings, such as debug and disaster recovery. The Root level is used by technical engineers only and is not documented in this manual.	15	#>

This prompt...	Indicates this...
>	indicates User and Viewer levels
#	indicates Admin level
#>	indicates Root level

This command hierarchy...	Is indicated as...
User Exec	`SCE>`
Privileged Exec	`SCE#`
Global Configuration	`SCE(config)#`
Interface Configuration	`SCE(config if)#`
Line Configuration	`SCE(config-line)#`

Arrow	Shortcut	Description
Up arrow	Ctrl-P	Moves cursor to the previous command with the same prefix.
Down arrow	Ctrl-N	Moves cursor to the next command with the same prefix as original.
	Ctrl-L Ctrl-R	Re-display the current command line.

Description	Shortcut Key
Navigational shortcuts
Move cursor one character to the right.	CTRL-F /->
Move cursor one character to the left.	CTRL-B /<-
Move cursor one word to the right (forward).	ESC-F
Move cursor one word to the left (backward.	ESC-B
Move cursor to the start of the line.	CTRL-A
Move cursor to the end of the line.	CTRL-E
Editing shortcuts
Delete the character where the cursor is located.	CTRL-D
Delete from the cursor position to the end of the word.	ESC-d
Delete the character before the current location of the cursor.	Backspace
Delete the character before the current location of the cursor.	CTRL-H
Deletes from the cursor position to the end of the line	CTRL-K
Deletes all characters from the cursor to the beginning of the line	CTRL-U
Deletes all characters from the cursor to the beginning of the line. (Same functionality as CTRL-U.)	CTRL-X
Delete the word to the left of the cursor.	CTRL-W
Recall the last item deleted.	CTRL-Y
Completes the word when there is only one possible completion.	<Tab>
Completes the word when there is only one possible completion. (Same functionality as <Tab>.)	CTRL-I

SCE platform Operational Status	Description	Status LED State
Booting	Initial state after reset	Orange
Operational	SCE platform becomes operational after completing the following process: Boot is completed Power self-tests are completed without failure Platform configuration is applied	Flashing green
Warning	SCE platform is fully operational (as above) but one of the following occurred: Link on one of the line ports is down Management port link is down Temperature raised above threshold Voltage not in required range Fans problem Power supply problem Insufficient space on the disk Note: If the condition that caused the SCE platform to be in Warning state is resolved (for example, link is up) the SCE platform reverts to Operational state.	Flashing orange
Failure	System is in Failure state after Boot due to one of the following conditions: Power on test failure Three abnormal reboots in less than 20 minutes Platform configured to enter Failure mode consequent to failure-induced reboot (this is configurable using CLI command) Note: Depending on the cause of failure, the management interface and the platform configuration may or may not be active/available.	Red

Parameter	Definition
IP address	IP address of the SCE Platform.
subnet mask	Subnet mask of the SCE Platform.
default gateway	Default gateway.
hostname	Character string used to identify the SCE Platform. Maximum length is 20 characters.
admin password	Admin level password. Character string from 4-100 characters beginning with an alpha character.
root password	Root level password. Character string from 4-100 characters beginning with an alpha character.
password encryption status	Enable or disable password encryption?
Time Settings
time zone name and offset	Standard time zone abbreviation and minutes offset from UTC.
local time and date	Current local time and date. Use the format: 00:00:00 1 January 2002
SNTP Configuration
broadcast client status	Set the status of the SNTP broadcast client. If enabled, the SCE will synchronize its local time with updates received from SNTP broadcast servers.
unicast query interval	Interval in seconds between unicast requests for update (64 – 1024)
unicast server IP address	IP address of the SNTP unicast server.
DNS Configuration
DNS lookup status	Enable or disable IP DNS-based hostname translation.
default domain name	Default domain name to be used for completing unqualified host names
IP address	IP address of domain name server. ( maximum of 3 servers)
RDR Formatter Destination Configuration
IP address	IP address of the RDR-formatter destination
TCP port number	TCP port number of the RDR-formatter destination
Access Control Lists
Access Control List number	How many ACLs will be necessary? What IP addresses will be permitted/denied access for each management interface? You may want ACLs for the following: Any IP access Telnet access SNMP GET access SNMP SET access
list entries (maximum 20 per list)	IP address, and whether permitted or denied access.
IP access ACL	ID number of the ACL controlling IP access.
telnet ACL	ID number of the ACL controlling telnet access.
SNMP Configuration
SNMP agent status	Enable or disable SNMP management.
GET community names	Community strings to allow GET access and associated ACLs (maximum 20).
SET community names	Community strings to allow SET access and associated ACLs (maximum 20).
trap managers (maximum 20)	Trap manager IP address, community string, and SNMP version.
Authentication Failure trap status	Sets the status of the Authentication Failure traps.
enterprise traps status	Sets the status of the enterprise traps.
system administrator	Name of the system administrator.
Topology Configuration (Both Platforms)
connection mode	Is the SCE Platform installed in bump-in-the-wire topology (inline) or out of line using splitter or switch (receive-only)?
Admin status of the SCE Platform after abnormal boot	After a reboot due to a failure, should the SCE Platform remain in a Failure status or move to operational status provided no other problem was detected?
Topology Configuration (SCE 1000)
link bypass mode on operational status	When the SCE 1000 is operational, should it bypass traffic or not?
redundant SCE 1000 platform?	Is there a redundant SCE 1000 installed as a backup?
link bypass mode on non-operational status	When the SCE 1000 is not operational, should it bypass traffic or cut it off?
Topology Configuration (SCE 2000)
type of deployment	Is this a cascade topology, with two SCE Platforms connected via the cascade ports? Or is this a single platform topology?
physically connected link (cascade topology only)	In a cascade deployment this parameter sets the index for the link that this SCE 2000 is deployed on. The options for the SCE 2000 are link-0 or link-1. In a single-SCE 2000 Platform deployment this parameter is not relevant since one SCE 2000 is deployed on both links. In this case the link connected to port1-port2 is by default link-0 and the link connected to port3-port4 is by default link-1.
priority (cascade topology only)	If this is a cascaded topology, is this SCE 2000 the primary or secondary SCE 2000?
on-failure behavior (inline connection mode only)	If this SCE 2000 is deployed inline, should the failure behavior be bypass or cutoff of the link?

Chapter 5. Configuring the Management Interface and Security

The SCE platform is equipped with two RJ-45 management (MNG)ports. These ports provide access from a remote management console to the SCE platform via a LAN.

The two management ports support management interface redundancy, providing the possibility for a backup management link.

In addition to the Layer 1 security of a backup management link, the Service Control platform provides a further management interface security feature; an IP filter that monitors for various types of TCP/IP attacks. This filter can be configured with thresholds rates both for defining an attack and defining the end of an attack.

Note

The addition of the second management port is reflected in all objects related to it in the SNMP interface.

Perform the following tasks to configure the management interface and management interface security:

Configure the management port:
- Physical parameters
- Specify active port (if not redundant installation)
- Redundancy (if redundant installation)
Configure management interface security
- Enable IP fragment filtering
- Configure the permitted and not-permitted IP address monitor

Configuring the Management Ports

Perform the following tasks to configure the management ports:

Configure the IP address and subnet mask (only one IP address for the management interface, not one IP address per port).
Configure physical parameters:
- Duplex
- Speed
Configure redundant management interface behavior (optional):
- Fail-over mode
If fail-over mode is disabled, specify the active port (optional).

To configure the management interface, complete the following steps:

Cable the desired management port, connecting it to the remote management console via the LAN.
Disable the automatic fail-over mode. (See Configuring the Fail-Over Mode.)
Configure the management port physical parameters. (See Configuring the Management Port Physical Parameters.)

To configure the system with management interface redundancy, see Configuring the Management Ports for Redundancy.

Entering Management Interface Configuration Mode

When entering Management Interface Configuration Mode, you must indicate the number of the management port to be configured:

0/1 — Mng port 1
0/2 — Mng port 2

The following Management Interface commands are applied only to the port specified when entering Management Interface Configuration Mode. Therefore, each port must be configured separately:

speed
duplex

The following Management Interface commands are applied to both management ports, regardless of which port had been specified when entering Management Interface Configuration Mode. Therefore, both ports are configured with one command:

ip address
auto-fail-over

To enter Global Configuration Mode, type configure and press Enter.
The SCE(config)# prompt appears.
Type interface Mng {0/1|0/2} and press Enter.
The SCE(config if)# prompt appears.

Configuring the Management Port Physical Parameters

This interface has a transmission rate of 10 or 100 Mbps and is used for management operations and for transmitting RDRs, which are the output of traffic analysis and management operations.

The procedures for configuring this interface are explained in the following sections:

Setting the IP Address and Subnet Mask of the Management Interface.
Configuring the Speed of the Management Interface
Configuring the Duplex Operation of the Management Interface.
Specifying the Active Management Port: only if both of the following conditions are present:
- Fail-over mode is disabled (no automatic switch to the backup port).
- Active port = Mng Port 2 (Mng port 1 is the default and therefore does not need to be explicitly specified).

Setting the IP Address and Subnet Mask of the Management Interface

The user must define the IP address of the management interface.

When both management ports are connected, providing a redundant management port, this IP address always acts as a virtual IP address for the currently active management port, regardless of which port is the active port.

The following options are available:

IP address — The IP address of the management interface.
If both management ports are connected, so that a backup management link is available, this IP address will be act as a virtual IP address for the currently active management port, regardless of which physical port is currently active.
subnet mask — subnet mask of the management interface.

Warning

Changing the IP address of the management interface via telnet will result in loss of the telnet connection and inability to reconnect with the interface.

To set the IP address and subnet mask of the Management Interface, use the following command:

From the SCE(config if)# prompt, type ip address ip-address subnet-mask and press Enter.
The command might fail if there is a routing table entry that is not part of the new subnet, defined by the new IP address and subnet mask.

Example:

The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.

SCE(config if)#ip address 10.1.1.1 255.255.0.0

`Configuring the Management Interface Speed and Duplex Parameters`

This section presents sample procedures that describe how to configure the speed and the duplex of the Management Interface.

Both these parameters must be configured separately for each port.

`Configuring the Speed of the Management Interface`

The following options are available:

speed — speed in Mbps of the currently selected management port (0/1 or 0/2):
- 10
- 100
- auto (default) — auto-negotiation (do not force speed on the link)

If the duplex parameter is configured to auto, changing the speed parameter has no effect (see Interface State Relationship to Speed and Duplex).

To configure the speed of the specified management port, use the following command:
From the SCE(config if)# prompt, type speed 10|100|auto and press Enter.

`Example:`

The following example shows how to use this command to configure the Management port to 100 Mbps speed.

SCE(config if)#speed 100

`Configuring the Duplex Operation of the Management Interface`

The following options are available:

duplex — duplex operation of the currently selected management port (0/1 or 0/2):
- full
- half
- auto (default) — auto-negotiation (do not force duplex on the link)

If the speed parameter is configured to auto, changing the duplex parameter has no effect (see Interface State Relationship to Speed and Duplex).

To configure the duplex operation of the specified management port, use the following command:
From the SCE(config if)# prompt, type duplex auto|full|half and press Enter.
Configures the duplex operation of the currently selected management interface to either auto, half duplex, or full duplex.

`Example:`

The following example shows how to use this command to configure a management port to half duplex mode.

SCE(config if)#duplex half

Table 5.1. Interface State Relationship to Speed and Duplex 

Speed 
Duplex 
Actual FEI state

Auto 
Auto 
Auto negotiation

Auto 
Full 
Auto negotiation

Auto 
Half 
Auto negotiation

10 
Auto 
Auto-negotiation (duplex only)

10 
Full 
10 Mbps and Full duplex

10 
Half 
10 Mbps and half duplex

100 
Auto 
Auto-negotiation (speed only)

100 
Full 
100 Mbps and full duplex

100 
Half 
100 Mbps and half duplex

Speed	Duplex	Actual FEI state
Auto	Auto	Auto negotiation
Auto	Full	Auto negotiation
Auto	Half	Auto negotiation
10	Auto	Auto-negotiation (duplex only)
10	Full	10 Mbps and Full duplex
10	Half	10 Mbps and half duplex
100	Auto	Auto-negotiation (speed only)
100	Full	100 Mbps and full duplex
100	Half	100 Mbps and half duplex

`Specifying the Active Management Port`

This command explicitly specifies which management port is currently active. Its use varies slightly, depending on whether the management interface is configured as a redundant interface (auto fail-over enabled) or not (auto fail-over disabled)

auto fail-over enabled (automatic mode) — the specified port becomes the currently active port, in effect forcing a fail-over action even if a failure has not occurred.
auto fail-over disabled (manual mode) — the specified port should correspond to the cabled Mng port, which is the only functional port and therefore must be and remain the active management port

`Note`

This command is a Privileged Exec command, unlike the other commands in this section, which are Mng Interface Configuration commands. If in Mng interface configuration mode, you must exit to the privileged exec mode and see the SCE# prompt displayed

The following options are available:

slot-number/interface-number — The interface number (0/1 or 0/2) of the management port that is specified as the active port.

To specify the active management port, use the following command:
From the SCE# prompt, type Interface Mng {0/1 | 0/2} active-port and press Enter.

`Example:`

The following example shows how to use this command to configure Mng port 2 as the currently active management port.

SCE# Interface Mng 0/2 active-port

`Configuring the Management Ports for Redundancy`

The SCE platform contains two RJ-45 management ports. The two management ports provide the possibility for a redundant management interface, thus ensuring management access to the SCE platform even if there is a failure in one of the management links. If a failure is detected in the active management link, the standby port automatically becomes the new active management port.

Note that both ports must be connected to the management console via a switch. In this way, the IP address of the MNG port is always the same, regardless of which physical port is currently active.

Important information:

Only one port is active at any time.
The same virtual IP address and MAC address are assigned to both ports.
Default —
- Port 1 = active
- Port 2 = standby
The standby port sends no packets to the network and packets from the network are discarded.
When a problem in the active port is encountered, the standby port automatically becomes the new active port.
Link problem, with switch to standby MNG port, is declared after the link is down for 300 msec.
Service does not revert to the default active port if/when that link recovers. The currently active MNG port remains active until link failure causes a switch to the other MNG port.

To configure the system with management interface redundancy, complete the following steps:
Cable both management ports (Mng 1 and Mng 2), connecting them both to the remote management console via the LAN and via a switch.
Configure the automatic fail-over mode. (See Configuring the Fail-Over Mode.)
Configure the IP address for the management interface. The same IP address will always be assigned to the active management port, regardless of which physical port is currently active. (See Setting the IP Address and Subnet Mask of the Management Interface.)
Configure the speed and duplex for both management ports. (See Configuring Management Interface Speed and Duplex Parameters.)

`Configuring the Fail-Over Mode`

Use the following command to enable automatic fail-over. The automatic mode must be enabled to support management interface redundancy. This mode automatically switches to the backup management link when a failure is detected in the currently active management link.

This parameter can be configured when in management interface configuration mode for either management port, and is applied to both ports with one command.

The following options are available:

auto/ no auto — Enable or disable automatic fail-over switching mode
- Default — auto (automatic mode)

To enable automatic fail-over mode, use the following command:
From the SCE(config if)# prompt, type auto-fail-over and press Enter.

When the automatic fail-over mode is disabled, by default Mng port 1 is the active port. If Mng port 2 will be the active port, it must be explicitly configured as such (see Specifying the Active Management Port.)

To disable automatic fail-over mode:
From the SCE(config if)# prompt, type no auto-fail-over and press Enter.

`Management Interface Security`

Management security is defined as the capability of the SCE platform to cope with malicious management conditions that might lead to global service failure. Resiliency to attacks on the management port includes the following features:

The SCE platform remains stable during flooding attack.
The number of TCP/IP stack control protocol vulnerabilities is minimized.
The availability of reporting capabilities on attacks on the management port.

There are two parallel security mechanisms:

Automatic security mechanism — monitors the TCP/IP stack rate at 200 msec intervals and throttles the rate from the device if necessary.
This mechanism always functions and is not user-configurable
User-configurable security mechanism — accomplished via two IP filters at user-configurable intervals:
- IP fragment filter — Drops all IP fragment packets
- IP filter monitor — Measures the rate of accepted and dropped packets for both permitted and not-permitted IP addresses.

`Configuring Management Port Security`

The procedure for configuring management port security is explained in the following sections:

`Enabling the IP Fragment Filter`

Use this command to enable the filtering out of IP fragments.

The following options are available:

enable/disable — Enable or disable IP fragment filtering
- Default — disable

To enable IP fragment filtering, use the following command:
From the SCE(config)# prompt, type ip filter fragment enable and press Enter.

To disable IP fragment filtering, use the following command:
From the SCE(config)# prompt, type ip filter fragment disable and press Enter.

`Configuring the Permitted and Not-permitted IP Address Monitor`

Use this command to configure the limits for permitted and not-permitted IP address transmission rates.

The following options are available:

ip permitted/ip not-permitted — Specifies whether the configured limits apply to permitted or not-permitted IP addresses.
If neither keyword is used, it is assumed that the configured limits apply to both permitted and not-permitted IP addresses.
low rate — lower threshold; the rate in Mbps that indicates the attack is no longer present
- Default — 20
high rate — upper threshold; the rate in Mbps that indicates the presence of an attack
- Default — 20
burst size — duration of the interval in seconds that the high and low rates must be detected in order for the threshold rate to be considered to have been reached
- Default — 10

To configure the permitted and not-permitted IP address monitor limits, use the following command:
From the SCE(config)# prompt, type ip filter monitor {ip_permited | ip_not_permited} low_rate low_rate high_rate high_rate burst burst size and press Enter.

`Monitoring Management Interface IP Filtering`

Use this command to display the following information for management interface IP filtering.

IP fragment filter enabled or disabled
configured attack threshold (permitted and not-permitted IP addresses)
configured end of attack threshold (permitted and not-permitted IP addresses)
burst size in seconds (permitted and not-permitted IP addresses)

To display information relating to the management interface, use the following command:
From the SCE# prompt, type show ip filter and press Enter.

`Configuring the Available Interfaces`

The system allows you to configure the Telnet and SNMP interfaces according to the manner in which you are planning to manage the SCE platform and the external components of the system.

`TACACS+ Authentication, Authorization, and Accounting`

TACACS+ is a security application that provides centralized authentication of users attempting to gain access to a network element. The implementation of TACACS+ protocol allows customers to configure one or more authentication servers for the SCE platform, providing a secure means of managing the SCE platform, as the authentication server will authenticate each user. This then centralizes the authentication database, making it easier for the customers to manage the SCE platform.

TACACS+ services are maintained in a database on a TACACS+ server running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network element are available.

The TACACS+ protocol provides authentication between the network element and the TACACS+ ACS, and it can also ensure confidentiality, if a key is configured, by encrypting all protocol exchanges between a network element and a TACACS+ server.

The following is a summary of the procedure for configuring TACACS+. All steps are explained in detail in the remainder of this section.

To configure TACACS+ authentication, authorization, and accounting, complete the following steps:
Configure the remote TACACS+ servers.
Configure the remote servers for the protocols, Keep in mind the following guidelines:
Configure the encryption key that the server and client will use
The maximal user privilege level and enable password (password used when executing the enable command) should be provided.
The configuration should always include the root user, giving it the privilege level of 15.
Viewer (privilege level 5) and superuser (privilege level 10) user IDs should be established at this time also.
For complete details on server configuration, refer to the appropriate configuration guide for the particular TACACS+ server that you will be using.
Configure the SCE client to work with TACACS+ server:
hostname of the server
port number
shared encryption key (the configured encryption key must match the encryption key configured on the server in order for the client and server to communicate.)
(Optional) Configure the local database, if used.
add new users
If the local database and TACACS+ are both configured, it is recommended to configure the same user names in both TACACS+ and the local database. This will allow the users to access the SCE platform in case of TACACS+ server failure.
Note
Note
If TACACS+ is used as the login method, the TACACS+ username is used automatically in the enable command. Therefore, it is important to configure the same usernames in both TACACS+ and the local database so that the enable command can recognize this username.
specify the password
define the privilege level
Configure the authentication methods on the SCE platform.
login authentication methods
privilege level authorization methods
Review the configuration.
Use the "show running-config" command to view the configuration.

The TACACS+ protocol provides the following three features:

Login authentication
Privilege level authorization
Accounting

`Login Authentication`

The SCE platform uses the TACACS+ ASCII authentication message for CLI, Telnet and SSH access.

TACACS+ allows an arbitrary conversation to be held between the server and the user until the server receives enough information to authenticate the user. This is usually done by prompting for a username and password combination.

The login and password prompts may be provided by the TACACS+ server, or if the TACACS+ server does not provide the prompts, then the local prompts will be used.

The user log on information (user name and password) is transmitted to the TACACS+ server for authentication. If the TACACS+ server indicates that the user is not authenticated, the user will be re-prompted for the user name and password. The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the SCE platform user log and the telnet session is terminated (unless the user is connected to the console port.)

The SCE platform will eventually receive one of the following responses from the TACACS+ server:

ACCEPT – The user is authenticated and service may begin.
REJECT – The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ server.
ERROR – An error occurred at some time during authentication. This can be either at the server or in the network connection between the server and the SCE platform. If an ERROR response is received, the SCE platform will try to use an alternative method\server for authenticating the user.
CONTINUE – The user is prompted for additional authentication information.

If the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.

`Accounting`

The TACACS+ accounting supports the following functionality:

Each executed command (the command must be a valid one) will be logged using the TACACS+ accounting mechanism (including login and exit commands).
The command is logged both before and after it is successfully executed.
Each accounting message contains the following:
- User name
- Current time
- Action performed
- Command privilege level

TACACS+ accounting is in addition to normal local accounting using the SCE platform dbg log.

`Privilege Level Authorization`

After a successful login the user is granted a default privilege level of 0, giving the user the ability to execute a limited number of commands. Changing privilege level is done by executing the "enable" command. This command initiates the privilege level authorization mechanism.

Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server does the following:

Authenticates the "enable" command password
Verifies that the user has sufficient privileges to enter the requested privilege level.

Once the user privilege level has been determined, the user is granted access to a specified set of commands according to the level granted.

As with login authentication, if the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.

`General AAA Fallback and Recovery Mechanism`

The SCE platform uses a fall-back mechanism in order to maintain service availability in case of an error.

The AAA mechanism in the SCE platform contains several AAA methods that are used to back each other up. The customer may choose the AAA methods that are used and the order in which they are used.

The AAA methods available are:

TACACS+ – AAA is performed by the use of a TACACS+ server, allows authentication, authorization and accounting.
Local – AAA is performed by the use of a local database, allows authentication and authorization.
Enable – AAA is performed by the use of user configured passwords, allows authentication and authorization.
None – no authentication\authorization\accounting is performed.

In the current implementation the order of the methods used isn't configurable but the customer can choose which of the methods are used. The current order is

TACACS+
Local
Enable
None

`Note`

Important: If the server goes to AAA fault, the SCE platform will not be accessible until one of the AAA methods is restored. In order to prevent this, it is advisable to use the "none" method as the last AAA method.

If the SCE platform becomes un-accessible, the shell function "AAA_MethodsReset" will allow the user to delete the current AAA method settings and set the AAA method used to "Enable".

`Configuring the SCE Platform TACACS+ Client`

The user must configure the remote servers for the TACACS+ protocol. Then the SCE platform TACACS+ client must be configured to work with the TACACS+ servers. The following information must be configured:

TACACS+ server hosts definition — a maximum of three servers is supported.
For each sever host, the following information can be configured:
- hostname (required)
- port
- encryption key
- timeout interval
Default encryption key (optional) — A global default encryption key may be defined. This key is defined as the key for any server host for which a key is not explicitly configured when the server host is defined.
If the default encryption key is not configured, a default of no key is assigned to any server for which a key is not explicitly configured.
Default timeout interval (optional) — A global default timeout interval may be defined. This timeout interval is defined as the timeout interval for any server host for which a timeout interval is not explicitly configured when the server host is defined.
If the default timeout interval is not configured, a default of five seconds is assigned to any server for which a timeout interval is not explicitly configured.

The procedures for configuring the SCE platform TACACS+ client are explained in the following sections:

`Adding a new TACACS+ Server Host`

Use this command to define a new TACACS+ server host that is available to the SCE platform TACACS+ client.

The Service Control solution supports a maximum of three TACACS+ server hosts.

The following options are available:

host-name — name of the server
port # — TACACS+ port number
- Default = 49
timeout interval — time in seconds that the server waits for a reply from the server host before timing out
- Default = 5 seconds or user-configured global default timeout interval (see Configuring the Global Default Timeout.)
key-string — encryption key that the server and client will use when communicating with each other. Make sure that the specified key is actually configured on the TACACS+ server host.
- Default = no key or user-configured global default key (see Configuring the Global Default Key)

To add a new TACACS+ server host, use the following command:
From the SCE(config)# prompt, type tacacs-server host host-name [port port#] [timeout timeout-interval] [key key-string] and press Enter.

`Removing a TACACS+ Server Host`

Use this command to delete a TACACS+ server host from the system.

The following options are available:

host-name — name of the server to be deleted

To delete a TACACS+ server host, use the following command:
From the SCE(config)# prompt, type no tacacs-server host host-name and press Enter.

`Configuring the Global Default Key`

Use this command to define the global default key for the TACACS+ server hosts. This default key can be overridden for a specific TACACS+ server host by explicitly configuring a different key for that TACACS+ server host.

The following options are available:

key-string — default encryption key that all TACACS servers and clients will use when communicating with each other. Make sure that the specified key is actually configured on the TACACS+ server hosts.
- Default = no encryption

To define the global default key, use the following command:
From the SCE(config)# prompt, type tacacs-server key key-string and press Enter.

To clear the global default key, use the following command:
From the SCE(config)# prompt, type no tacacs-server key and press Enter.
No global default key is defined. Each TACACS+ server host may still have a specific key defined. However, any server host that does not have a key explicitly defined (uses the global default key) is now configured to use no key.

`Configuring the Global Default Timeout`

Use this command to define the global default timeout interval for the TACACS+ server hosts. This default timeout interval can be overridden for a specific TACACS+ server host by explicitly configuring a different timeout interval for that TACACS+ server host.

The following options are available:

timeout interval — default time in seconds that the server waits for a reply from the server host before timing out.
- Default = 5 seconds

To define the global default timeout interval, use the following command:
From the SCE(config)# prompt, type tacacs-server timeout timeout-interval and press Enter.

To clear the global default timeout interval, use the following command:
From the SCE(config)# prompt, type no tacacs-server timeout and press Enter.
No global default timeout interval is defined. Each TACACS+ server host may still have a specific timeout interval defined. However, any server host that does not have a timeout interval explicitly defined (uses the global default timeout interval) is now configured to a five second timeout interval.

`Managing the User Database`

TACACS+ maintains a local user database. Up to 100 users can be configured in this local database, which includes the following information for all users:

Username
Password — may configured as encrypted or unencrypted
Privilege level

The procedures for managing the local user database are explained in the following sections:

`Adding a User`

Use these commands to add a new user to the local database. Up to 100 users may be defined.

The password is defined with the username. There are several password options:

No password — use the nopassword keyword.
Password — Password is saved in clear text format in the local list.
Use the password parameter.
Encrypted password — Password is saved in encrypted (MD5) form in the local list. Use the secret keyword.
Password may be defined by either of the following methods:
- Specify a clear text password, which is saved in MD5 encrypted form
- Specify an MD5 encryption string, which is saved as the user MD5-encrypted secret password

The following options are available:

name — name of the user to be added
password — a clear text password. May be saved in the local list in either of two formats:
- as clear text
- in MD5 encrypted form if the secret keyword is used
encrypted-secret — an MD5 encryption string password

The following keywords are available:

nopassword — There is no password associated with this user
secret — the password is saved in MD5 encrypted form. Use with either of the following keywords to indicate the format of the password as entered in the command:
- 0 — use with the password option to specify a clear text password that will be saved in MD5 encrypted form
- 5 = use with the encrypted-secret option to specify an MD5 encryption string that will be saved as the user MD5-encrypted secret password

To add a new user to the local database with a clear text password, use the following command:
From the SCE(config)# prompt, type username name password password and press Enter.

To add a new user to the local database with no password, use the following command:
From the SCE(config)# prompt, type username name nopassword and press Enter.

To add a new user to the local database with an MD5 encrypted password entered in clear text, use the following command:
From the SCE(config)# prompt, type username name secret 0 password and press Enter.

To add a new user to the local database with an MD5 encrypted password entered as an MD5 encryption string, use the following command:
From the SCE(config)# prompt, type username name secret 5 encrypted-secret and press Enter.

`Defining the User Privilege Level`

Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server authenticates the "enable" command password and verifies that the user has sufficient privileges the enter the requested privilege level.

Use this command to set the privilege level of the specified user.

The following options are available:

name — name of the user whose privilege level is set
level — the privilege level permitted to the specified user. These levels correspond to the CLI authorization levels, which are entered via the enable command:
- 0 — User
- 10 — Admin
- 15 (default) — Root

To set the privilege level for the specified user, use the following command:
From the SCE(config)# prompt, type username name privilege level and press Enter.

`Adding a User with Privilege Level and Password`

Use these commands to define a new user, including password and privilege level, in a single command.

`Note`

In the config files (running config and startup config), this command will appear as two separate commands..

The following options are available:

name — name of the user to be added
password — a clear text password. May be saved in the local list in either of two formats:
- as clear text
- in MD5 encrypted form if the secret keyword is used
encrypted-secret — an MD5 encryption string password
level — the privilege level permitted to the specified user. These levels correspond to the CLI authorization levels, which are entered via the enable command:
- 0 — User
- 10 — Admin
- 15 (default) — Root

The following keywords are available:

secret — the password is saved in MD5 encrypted form. Use with either of the following keywords to indicate the format of the password as entered in the command:
- 0 — use with the password option to specify a clear text password that will be saved in MD5 encrypted form
- 5 = use with the encrypted-secret option to specify an MD5 encryption string that will be saved as the user MD5-encrypted secret password

To add a new user to the local database, specifying the privilege level and a clear text password, use the following command:
From the SCE(config)# prompt, type username name privilege level password password and press Enter.

To add a new user to the local database, specifying the privilege level and an MD5 encrypted password entered in clear text, use the following command:
From the SCE(config)# prompt, type username name privilege level secret 0 password and press Enter.

To add a new user to the local database, specifying the privilege level and an MD5 encrypted password entered as an MD5 encryption string, use the following command:
From the SCE(config)# prompt, type username name privilege level secret 5 encrypted-secret and press Enter.

`Deleting a User`

Use these commands to delete a specified user from the local database.

The following options are available:

name — name of the user to be deleted

To delete a user from the local database, use the following command:
From the SCE(config)# prompt, type no username name and press Enter.

`Configuring AAA Login Authentication`

There are two features to be configured for login authentication:

Maximum number of permitted Telnet login attempts
The authentication methods used at login (see General AAA Fallback and Recovery Mechanism.)

The procedures for configuring login authentication are explained in the following sections:

`Configuring Maximum Login Attempts`

Use this command to set the maximum number of login attempts that will be permitted before the session is terminated. This is relevant only for Telnet sessions. From the local console, the number of re-tries is unlimited.

The following options are available:

number-of-attempts — The maximum number of login attempts that will be permitted before the telnet session is terminated
- Default = three

To configure the maximum number of permitted login attempts, use the following command:
From the SCE(config)# prompt, type aaa authentication attempts login number-of-attempts and press Enter.

`Configuring the Login Authentication Methods`

You can configure "backup" login authentication methods to be used in the event of failure of the primary login authentication method (see General AAA Fallback and Recovery Mechanism).

Use this command to specify which login authentication methods are to be used, and in what order of preference.

The following options are available:

method — the login authentication methods to be used. You may specify up to four different methods, in the order in which they are to be used.
- group tacacs+ — Use TACACS+ authentication.
- local — Use the local username database for authentication.
- enable (default) — Use the "enable" password for authentication
- none — Use no authentication.

To configure login authentication methods, use the following command:
From the SCE(config)# prompt, type aaa authentication login default method1 [method2...] and press Enter.
You may list a maximum of four methods; all four methods explained above. List them in the order of priority.

To delete the login authentication methods list, use the following command:
From the SCE(config)# prompt, type no aaa authentication login default and press Enter.

If the login authentication methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.

`Configuring AAA Privilege Level Authorization Methods`

As with login authentication, you can configure "backup" privilege level authorization methods to be used in the event of failure of the primary privilege level authorization method (see General AAA Fallback and Recovery Mechanism).

Use this command to specify which privilege level authorization methods are to be used, and in what order of preference.,

The following options are available:

method — the privilege level authorization methods to be used. You may specify up to four different methods, in the order in which they are to be used.
- group tacacs+ — Use TACACS+ authentication.
- local — Use the local username database for authentication.
- enable (default) — Use the "enable" password for authentication
- none — Use no authentication.

To configure privilege level authorization methods, use the following command:
From the SCE(config)# prompt, type aaa authentication enable default method1 [method2...] and press Enter.
You may list a maximum of four methods; all four methods explained above. List them in the order of priority.

To delete the privilege level authorization methods list, use the following command:
From the SCE(config)# prompt, type no aaa authentication enable default and press Enter.

If the privilege level authorization methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.

`Enabling AAA Accounting`

If TACACS+ accounting is enabled, the SCE platform sends an accounting message to the TACACS+ server after every command execution. The accounting message is logged in the TACACS+ server for the use of the network administrator.

Use this command to enable or disable TACACS+ accounting.

By default, TACACS+ accounting is disabled.

The following options are available:

level — The privilege level for which to enable the TACACS+ accounting

To enable TACACS+ accounting for a specified privilege level, use the following command:
From the SCE(config)# prompt, type aaa authentication accounting commands level default stop-start group tacacs+ and press Enter.

The start-stop keyword (required) indicates that the accounting message is sent at the beginning and the end (if the command was successfully executed) of the execution of a CLI command.

To disable TACACS+ accounting for a specified privilege level, use the following command:
From the SCE(config)# prompt, type no aaa authentication accounting commands level default and press Enter.

`Monitoring TACACS+ Servers`

Use these commands to display statistics for the TACACS+ servers.

Note that, although most show commands are accessible to viewer level users, the 'all' option is available only at the admin level. Use the command 'enable 10' to access the admin level.

To display statistics for all TACACS+ servers, use the following command:
From the SCE# prompt, type show tacacs and press Enter.

To display statistics, including keys and timeouts, for all TACACS+ servers, use the following command:
From the SCE# prompt, type show tacacs all and press Enter.

`Monitoring TACACS+ Users`

Use this command to display the users in the local database, including passwords.

Note that, although most show commands are accessible to viewer level users, this command is available only at the admin level. Use the command 'enable 10' to access the admin level.

To display the users in the local database, use the following command:
From the SCE# prompt, type show users and press Enter.

`Configuring Access Control Lists (ACLs)`

The SCE platform can be configured with Access Control Lists (ACLs), which are used to permit or deny incoming connections on any of the management interfaces. An access list is an ordered list of entries, each consisting of an IP address and an optional wildcard “mask” defining an IP address range, and a permit/deny field.

The order of the entries in the list is important. The default action of the first entry that matches the connection is used. If no entry in the Access List matches the connection, or if the Access List is empty, the default action is deny.

Configuration of system access is done in two stages:
Creating an access list. (See Adding Entries to an Access List).
Associating the access list with a management interface. (See Defining the Global Access List and Associating an Access List to Telnet Interface.)

Creating an access list is done entry by entry, from the first to the last.

When the system checks for an IP address on an access list, the system checks each line in the access list for the IP address, starting at the first entry and moving towards the last entry. The first match that is detected (that is, the IP address being checked is found within the IP address range defined by the entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry is found in the access list, access is denied.

You can create up to 99 access lists. Access lists can be associated with system access on the following levels:

Global (IP) level. If a global list is defined using the ip access-class command, when a request comes in, the SCE platform first checks if there is permission for access from that IP address. If not, the SCE does not respond to the request. Configuring the SCE platform to deny a certain IP address would preclude the option of communicating with that address using any IP-based protocol including Telnet, FTP, ICMP and SNMP. The basic IP interface is low-level, blocking the IP packets before they reach the interfaces.
Interface level. Access to each management interface (Telnet, SNMP, etc.) can be restricted to an access list. Interface-level lists are, by definition, a subset of the Global list defined. If access is denied at the global level, the IP will not be allowed to access using one of the interfaces. Once an access list is associated with a specific management interface, that interface checks the access list to find out if there is permission for a specific external IP address trying to access the management interface.

It is possible to configure several management interfaces to the same access list, if this is the desired behavior of the SCE platform.

If no ACL is associated to a management interface or to the global IP level, access is permitted from all IP addresses.

`Note`

The SCE Platform will respond to ping commands only from IP addresses that are allowed access. Ping from a non-authorized address will not receive a response from the SCE unit, as ping uses ICMP protocol

The following commands are relevant to access lists:

access-list
access-class number in
ip access-class
no access-list
no ip access-class
show ip access-classAdding Entries to an Access List
To add an address to an access list allowing access to a particular address, complete the following steps:
To enter the Global Configuration Mode, type configure and press Enter. 
The SCE(config)# prompt appears.
To configure one IP address type:
access-list number permit x.x.x.x and press Enter where x.x.x.x is the IP address. 
To configure more than one IP address type:
access-list number permit x.x.x.x y.y.y.y and press Enter.
This command configures a range of addresses in the format x.x.x.x y.y.y.y where x.x.x.x specifies the prefix bits common to all IP addresses in the range, and y.y.y.y is a wildcard-bits mask specifying the bits that are ignored. In this notation, ‘0’ means bits to ignore.
Example:
The following example adds an entry to the access list number 1, that permits access only to IP addresses in the range of 10.1.1.0–10.1.1.255. 
SCE(config)#access-list 1 permit 10.1.1.0 0.0.0.255

You can also add addresses from which you deny service, by using the deny rather than the permit switch. You can create up to 99 different address lists, which can be associated with access to the interfaces.

When you add a new entry to an ACL, it is always added to the end of the Access-List.

`Removing an Access List`

To remove an Access List (with all its entries), use the following command:
From the SCE(config)# prompt, type no access-list number permit/deny, and press Enter. 
The Access List and all of its entries are removed.

`Defining the Global Access List`

To define an Access List as the global list for permitting or denying all traffic to the SCE platform, use the following command:
From the SCE(config)# prompt, type ip access-class number, and press Enter.

`Telnet Interface`

This section discusses the Telnet interface of the SCE platform. A Telnet session is the most common way to connect to the SCE CLI interface.

You can set the following parameters for the Telnet interface:

Enable/disable the interface
Associate an access list to permit or deny incoming connections. (Access lists)
Timeout for Telnet sessions, that is, if there is no activity on the session, how long the SCE platform waits before automatically cutting off the Telnet connection.

The following commands are relevant to Telnet interface:

access-class number in
line vty
[no] access list
[no] service telnetd
[no] timeout
show line vty access-class in
show line vty timeoutPreventing Telnet Access
You can disable access by Telnet altogether.
To disable Telnet access, use the following command:
From the SCE(config)# prompt, type no service telnetd.
Telnet service is no longer allowed on the SCE platform. Current Telnet sessions are not disconnected, but no new Telnet sessions are allowed.
Associating an Access List to Telnet Interface
To restrict the SCE platform management via Telnet to a specific access list, complete the following steps:
From the SCE(config)# prompt, enter the Line Configuration mode by typing line vty 0.
Type access-class access-list-number in (where access-list-number is an index of an existing access list). 
The following example associates the access list  number 1 to the Telnet interface.
SCE#configure
SCE (config)#line vty 0
SCE(config-line)#access-class 1 in
Type exit and press Enter.
This returns you to Global Configuration Mode.
Telnet Timeout
The SCE platform supports timeout of inactive Telnet sessions. The default timeout is 30 minutes.
To configure the timeout for a telnet session when the line is idle, use the following command:
From the SCE(config-line)# prompt, type timeout time, where time is the time in minutes.

SSH Server

A shortcoming of the standard telnet protocol is that it transfers password and data over the net unencrypted, thus compromising security. Where security is a concern, using a Secure Shell (SSH) server rather than telnet is recommended.

An SSH server is similar to a telnet server, but it uses cryptographic techniques that allow it to communicate with any SSH client over an insecure network in a manner which ensures the privacy of the communication. CLI commands are executed over SSH in exactly the same manner as over telnet.

The SSH server supports both the SSH-1 and SSH-2 protocols.

An Access Control List (ACL) can be configured for SSH as for any other management protocol, limiting SSH access to a specific set of IP addresses (see Configuring Access Control Lists).

Key Management

Each SSH server should define a set of keys (DSA2, RSA2 and RSA1) to be used when communicating with various clients. The key sets are pairs of public and private keys. The server publishes the public key while keeping the private key in non-volatile memory, never transmitting it to SSH clients. Note that the keys are kept on the tffs0 file system, which means that a person with knowledge of the ‘enable’ password can access both the private and public keys. The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the SCE platform, but it does not provide protection against a user with knowledge of the ‘enable’ password.

Key management is performed by the user via a special CLI command. A set of keys must be generated at least once before enabling the SSH server.

Size of the encryption key is always 2048 bits.

Managing the SSH Server

Use these commands to manage the SSH server. These commands do the following:

Generate an SSH key set
Enable/disable the SSH server
Assign/remove an ACL to the SSH server
Delete existing SSH keys

Remember that you must generate a set of SSH keys before you enable the SSH server.

To generate a set of SSH keys, use the following command:

From the SCE(config)# prompt, type ip ssh key generate and press Enter.
A new SSH key set is generated and immediately saved to non-volatile memory. (Key set is not part of the configuration file). Key size is always 2048 bits.

To enable the SSH server, use the following command:

From the SCE(config)# prompt, type ip ssh and press Enter.

To disable the SSH server, use the following command:

From the SCE(config)# prompt, type no ip ssh and press Enter.

To assign an ACL to the SSH server, use the following command:

From the SCE(config)# prompt, type ip ssh access-class access-list number and press Enter.
The specified ACL is assigned to the SSH server, so that access the SSH server is limited to the IP addresses defined in the ACL.

To remove the ACL assignment from the SSH server, use the following command:

From the SCE(config)# prompt, type no ip ssh access-class and press Enter.
The ACL assignment is removed from the SSH server, so that any IP address may now access the SSH server.

To delete the existing SSH keys, use the following command:

From the SCE(config)# prompt, type ip ssh key remove and press Enter.
The existing SSH key set is removed from non-volatile memory.
If the SSH server is currently enabled, it will continue to run, since it only reads the keys from non-volatile memory when it is started. However, if the startup-configuration specifies that the SSH server is enabled, the SCE platform will not be able to start the SSH server on startup if the keys have been deleted. To avoid this situation, after executing this command, always do one of the following before the SCE platform is restarted (using reload):
- Generate a new set of keys.
- Disable the SSH server and save the configuration.

Monitoring the Status of the SSH Server

Use this command to monitor the status of the SSH sever, including current SSH sessions.

This command is a Privileged Exec command. Make sure that you are in Privileged Exec command mode by exiting any other modes, and that the SCE# prompt appears in the command line.

To display the SSH server status, use the following command:

From the SCE# prompt, type show ip ssh and press Enter.

SNMP Interface

To enable the SNMP interface, use the snmp-server command. You can also configure any of the SNMP parameters (hosts, communities, contact, location, and trap destination host). When you enable the SNMP agent, these four parameters are filled in with their most recent values before the agent was disabled. To disable the SNMP interface, use the no snmp-server command.

This section guides you through enabling and disabling the SNMP interface. Complete information on SNMP is found in SNMP Configuration and Management.

The following commands are relevant to enabling and disabling the SNMP interface:

[no] snmp-server
[no] snmp-server community
[no] snmp-server contact
[no] snmp-server host
[no] snmp-server location

Enabling SNMP

To enable SNMP by setting a community string, complete the following commands:

To enter the Global Configuration Mode, at the SCE# prompt, type configure and press Enter.
The SCE(config)# prompt appears.
Type snmp-server community community-string, where the community string is a security string that identifies a community of managers that are able to access the SNMP server.
You must define at least one community string in order to allow SNMP access. For complete information on community strings see Configuring SNMP Community Strings.

Disabling SNMP

To disable SNMP access, use the following command:

From the SCE(config)# prompt, type no snmp-server.

Request Type	Description	Remarks
Set Request	Writes new data to one or more of the objects managed by an agent.	Set operations immediately affect the SCE platform running-config but do not affect the startup config.
Get Request	Requests the value of one or more of the objects managed by an agent.
Get Next Request	Requests the Object Identifier(s) and value(s) of the next object(s) managed by an agent.
Get Response	Contains the data returned by an agent.
Trap	Sends an unsolicited notification from an agent to a manager, indicating that an event or error has occurred on the agent system	SCE platform may be configured to send either SNMPv1 or SNMPv2 style traps.
Get Bulk Request	Retrieves large amounts of object information in a single Request / response transaction. GetBulk behaves as if many iterations of GetNext request/responses were issued, except that they are all performed in a single request/response.	This is newly defined SNMPv2c message.

Protocol	Supported handling	Mode name
L2TP	Ignore tunnel	IP-tunnel L2TP skip
Don't ignore tunnel – classify by external IP	No IP-Tunnel
VLAN	Ignore tunnel	VLAN symmetric skip
Ignore tunnel – asymmetric	VLAN a-symmetric skip
VLAN tag as subscriber	VLAN symmetric classify
MPLS	Ignore tunnel (inject unlabeled)	MPLS Traffic-engineering skip
Ignore tunneled (inject labeled)	MPLS VPN skip
MPLS L3 VPN as subscriber	MPLS VPN auto-learn

The Subscriber	Subscriber Characteristics
DSL residential subscriber	DSL residential user	IP address The list of IP addresses is allocated by a Radius server
Cable residential subscriber	Cable residential user	IP address The list of IP addresses of the CPEs is allocated dynamically by a DHCP server
Owner of a 3G-phone that is subscribed to data services	3G-phone owner	The MS-ISDN, which is dynamically allocated by a Radius server.
A corporate/enterprise customer of the service provider	The corporate/enterprise and the traffic it produces	The set of NAT-ed IP addresses, which are allocated statically
A CMTS	The CMTS and the broadband traffic of the Cable Modem users that connect to the Internet through the CMTS	A range of IP addresses A group of VLAN tags
A VPN	MPLS/VPN subscriber	All traffic of that VPN customer, which is aggregated into a single VPN subscriber
SCMP subscriber	SCMP subscriber	IP address or range Manager-Id of the SCMP peer device and Subscriber ID including the GUID. Each subscriber is assigned a Manager-Id based on the management entity that created the subscriber. The possible managers are the SM, CLI and an SCMP peer device.

`Chapter 12. Value Added Services (VAS) Traffic Forwarding`

`VAS Traffic Forwarding Overview`

With every new SCA BB release, the classification and control of new services is supported. The VAS integration capability enables classification and control of services not currently supported by SCA BB. The concept behind this capability enables the solution to use an external “expert system” for classification and control of the service traffic. Using this capability, the service provider can choose to forward selected flows to an external, third-party solution for per-subscriber value-added functionality. Possible use cases for this functionality would be intrusion detection and content-filtering. These value added services are provided on top of the services and functions of the SCA BB solution.

The VAS feature enables the user to divert a specified part of the traffic streams to an individual VAS server or appliance, or a cluster of them. The diversion is based on the subscriber package, flow type and the availability of the VAS servers. This capability also delivers a load balancing function for even distribution of the load on the various VAS servers.

The solution provides support for multiple VAS service types using different VAS Server Groups. Several servers of the same type can be deployed to increase the total capacity and resiliency.

The SCE platform performs subscriber load sharing between the active servers of the same Server Group. It is able to identify the active servers among the defined servers through a dedicated Health Check mechanism.

There is also a VAS over 10G solution, which is a special case of the Cisco Multi-Gigabit Service Control Platform (MGSCP) solution, supporting only one external 10G link and using a Cisco 6500/7600 Series router as a dispatcher to distribute the external 10G link and as the switch towards the VAS servers.

`VAS Service Goals`

The VAS traffic forwarding functionality allows the Service Control solution to meet a number of important service goals:

Allows service providers to provide a range of Value Added Services to their subscribers, thus increasing customer satisfaction.
Allows the SCE platform to forward part of the traffic to third party devices that can provide additional, complementary services.
The SCE platform, due to its strong classification capabilities, forwards only the part of the traffic that should get the additional service:
- Based on subscriber awareness
- Based on the policy that was configured
Allows the Service Control solution to include Value Added Servers that cannot be deployed inline for various reasons (for example, cannot support throughput or are not carrier grade for inline insertion).
Provides easy interoperability and flexibility for setting different services.
Since the VAS feature emulates a regular IP network for the third party devices, no special support is required on their part.

`How VAS Traffic Forwarding Works`

Subscribers are provisioned to the VAS services as part of the normal provisioning process of new subscribers to SCA BB.

When VAS traffic forwarding is enabled, in addition to all its basic functions, the SCA BB application classifies each flow as either a VAS flow or as a standard flow (non-VAS flow).

Flows that were classified to a VAS service get the usual SCA BB service, as well as being forwarded to the VAS servers for additional service.

Logically, “VAS engine” is upstream of “SCA engine”, meaning upstream traffic is first processed by the SCA BB application, downstream is first processed by the VAS server.

Routing the traffic to the VAS servers is done by using VLAN tags.

Figure 12.1. Value Added Services Solution Overview


Important information:
A single SCE platform can support up to eight VAS servers.
A maximum of 512 SCE platforms can be connected. 
The same VAS server may be used by more than one SCE platform.
The VAS traffic forwarding feature is supported on the SCE 2000 4xGBE platform only.
The following sections provide a more detailed description of the following aspects of VAS traffic forwarding:
VLAN tags for VAS traffic forwarding
VAS data flow
Load balancing
VAS Traffic Forwarding and SCA BB
When VAS traffic forwarding is enabled, in addition to all its basic functions, the SCA BB application classifies each flow as either a VAS flow or as a standard flow (non-VAS flow). This classification is made on the first packet of the flow (e.g. TCP SYN packet). The classification must be performed on the very first packet since the classification is used to select the routing of the packet to a VAS server or to the subscriber/network.
VAS traffic forwarding rules are configured through the SCA-BB console. These rules map certain traffic to the VAS Server Groups. When a flow is classified as a VAS flow, the VAS Server Group for this flow is selected. If the group includes more than one VAS server, traffic will be forwarded in such a way that the subscriber load is shared between the servers on the same group.
The mapping of traffic portions to VAS Server Groups is done through the standard SCA GUI, this definition is given per package
VLAN Tags for VAS Traffic Forwarding
The traffic is routed between the SCE platform and the VAS servers by VLANs. There is a unique VLAN tag for each SCE platform/VAS server combination. 
Before being forwarded to the VAS servers, the SCE platform adds the VLAN tag to the original traffic. When the traffic returns to the SCE platform, the SCE platform removes the VLAN tag it previously added, and then forwards the traffic on its original link. 
The VLAN tag to be used for each VAS server is configured by the user. To preserve consistency of the traffic flow, the VAS solution requires the user to configure a unique VLAN tag for each SCE platform/VAS server combination. 
The VLAN tag format is shown in the figure below.
The VLAN tag has twelve bits, divided as follows:
The lower three bits identify the VAS server.
The higher nine bits identify the SCE platform.
For example:
0x20 = 100 000 = SCE #4, VAS #0
0x21 = 100 001 = SCE #4, VAS #1
0x58 = 1101 000 = SCE #13, VAS #0
Observe the following for the nine bits that identify the SCE platform:
These nine bits must be the same for all VAS servers attached to a specific SCE platform.
These nine bits must be different for VAS servers attached to different SCE platforms.
Examples of valid VLAN tag ranges for an SCE platform:
0x20, 0x21 – 0x27, but not 0x33
0x58,0x59 – 0x5F, but not 0x26
The SCE platform enforces that the VLAN tags configured by the user keep this format, meaning that the lower three bits match the VAS server number for which the VLAN tag is configured and that the higher nine bits match the higher nine bits previously configured for other VAS servers on this SCE platform. However, the SCE platform is not aware of the configuration of other SCE platforms, and therefore it is the responsibility of the user to configure a unique nine bits (SCE id) for each SCE platform.
Note that the use of VLAN tags is an integral part of the VAS solution, and therefore requires the VAS device to be able to work in 802.1q trunk while preserving the VLAN information.
Service Flow
The mapping of traffic portions to VAS Server Groups is done through the standard SCA GUI, this definition is given per package. 
The SCE platform classifies a flow to a VAS Server Group based on the subscriber package and the TCP/UDP ports of the flow. It then selects one server within this group to handle the flow.
The SCE platform performs load sharing between multiple VAS servers belonging to the same Server Group; the balance is based on subscriber load. In other words, the SCE platform ensures that the subscribers are evenly distributed between the VAS servers in the same group. Note that the mapping of subscriber to a VAS server (per group) is kept even when servers are added or removed from the group either due to configuration changes or changes in the operational status of the servers in the group. The mapping will change only if the same server changes its status.
The following paragraphs explain in more details when and how the mapping is changed.
Data Flow
In a deployment using VAS traffic forwarding, there are two types of data flows:
Non-VAS flow 
VAS flow 
The following figure depicts the two types of data flows running through a single SCE platform and a single VAS server. 
Ports are illustrated as two uni-directional half ports, RX (on the left side) and the TX (on the right side).
The SCE platform has four ports.
The VAS server has two ports.
For the sake of illustration, the SCE platform traffic flow direction is left to right while the VAS traffic flow is right to left. The arrow below the name of the element indicates the traffic flow direction.
The Ethernet switches are omitted.
Each line represents a flow
Thick line is a non-VAS flow
Thin line is a VAS flow
Black line indicates part of a flow that does not have VLAN tag
Red line indicates part of a flow that has a VLAN tag
This figure illustrates the data flow from the subscriber to the network. Data flow from the network to the subscriber works in exactly the same way, but is received on the network port (N) and transmitted on the subscriber port (S).
Figure 12.2. VAS Data Flow

Non-VAS Data Flow
The flow steps for a non-VAS flow are:
A subscriber packet is received at the SCE platform port 1 (S).
The SCE platform classifies the flow as non-VAS flow.
The packet is sent to the network on port 2 (N).
VAS Data Flow
VAS data flow is slightly more complex than the basic data flow. It is received and transmitted in the same manner as the basic non-VAS SCE platform flow, but before it is transmitted to its original destination, it flows through the VAS server.
The flow steps are:
A subscriber packet is received at the SCE platform port 1 (S).
The SCE platform classifies the flow as VAS flow.
The SCE platform adds a VLAN tag to the packet. The VLAN tag is used by the Ethernet switch to route the packet to the proper VAS server.
Note that at this point the packet has a VLAN tag, which is indicated by the red line.
The packet is sent to the VAS subscriber port from SCE platform port 4 (N). 
The VAS server processes the packets and either drops the packet or sends it back to the SCE platform; from the VAS network port to the SCE platform subscribers port 3 (S).
Note that the VAS server passes the VLAN tag transparently. This is important to enable the Ethernet switch (not shown) to route the packet back to the proper SCE platform.
The SCE platform receives the packet on port 3 (S), drops the VLAN tag, and passes the packet towards the network through port 2 (N).
Load Balancing
VAS servers can be grouped logically according to their service type. Consider, for example, a system that requires both FTP caching and virus filtering. A single VAS server for each service might not have enough capacity. Let us say that the system requires five VAS servers, three to provide FTP caching, and two to provide virus filtering. Defining two VAS Server Groups, FTP caching and virus filtering, permits load sharing across the servers for each Server Group.
The VAS Server Group to which the flow should be attached is determined by the package of the subscriber. The selection of a specific VAS server from the VAS servers within this group is based on the current load on each VAS server. The system tries to create an equal subscriber load for all the VAS servers belonging to the same group.
In some cases, a VAS server may be used by more than one SCE platform. Remember that the SCE platform performs load balancing only on the traffic that it sends to the VAS server; it is not aware how much of a load the VAS server may be bearing from a different SCE platform. It is the responsibility of the user to allocate available VAS servers to the SCE platforms in a way that ensures proper total load on each VAS server. 
Load Balancing and Subscribers
The system balances the usage of the VAS servers within a VAS Server Group, trying to create an equal subscriber load for all the VAS servers in one VAS Server Group. The load balancing is subscriber based, meaning that the subscribers are evenly distributed between the servers.
VAS load sharing is subscriber-based rather than bandwidth-based in order to ensure that all the traffic of the subscriber gets to the same server so the server can make subscriber based decisions. 
The SCE platform uses the same VAS server for all the traffic of a subscriber (per server group) even if there is a change in the number of active servers in the group. Traffic from a subscriber is assigned to a new server only if the current server becomes inactive. This will only apply on new flows. Flows that were already mapped to a server before it became active will remain attached to it.
The mapping of subscriber to VAS servers not is saved across logouts or SCE platform reload.
Load Balancing and Subscriber Mode
Since the load balancing is subscribers based, this solution will not work properly in subscriberless mode, as the entire traffic load would be carried only by one VAS server per group.
Note
Use anonymous mode rather than subscriberless mode with VAS traffic forwarding.
In Pull mode, the first flow of the subscriber behaves as configured in the anonymous template. If no anonymous template is configured, such first flows will be processed as defined by the default template. Therefore, the default template should provide a proper package, so these flows will get VAS service.

`VAS Redundancy`

The services provided by the VAS servers should be highly available. The failure of a single VAS server should not degrade the total system performance and availability. This requirement must be considered when determining the number of VAS servers necessary for each VAS service.

There are two mechanisms by which the system guarantees the performance and availability of the VAS services:

Load sharing — The SCE platform distributes the subscribers between all the active VAS servers within a server group
Monitoring — The SCE platform monitors connectivity with the VAS servers and handles server failure according to the applied configuration.

In addition to failure of an individual VAS server, a complete VAS Server Group is considered to be failed if a defined minimum number of servers are not active.

`VAS Server Failure`

The system monitors the health of a VAS server by periodically checking the connectivity between the SCE platform and the VAS server. When the SCE platform fails to establish or maintain a connection to the server within a configurable window of time, the state of the server is considered to be Down.

The implications of such state are:

New logged-in subscribers will be distributed between the other active servers in the group.
Subscribers that are mapped to this server will be mapped to a new server if they initiate a new flow.
The Server Group may move to a Failure state if this failure caused the number of active servers in the group go below the minimum configured.

If the connectivity to the server resumes, the state of the server is changed to Up. The server returns to the list of active servers and will continue to serve subscribers that were mapped to it before the failure and have not yet been mapped to a new server during the failure time, as well as new subscribers.

`VAS Server Group Failure`

For each VAS Server Group, the user can configure the following:

The minimum number of active servers necessary.
The action to take in case the actual number of active servers goes below this number.

Note that if the minimum number equals the total number of configured servers, it means there is no redundancy and failure of one server will cause the failure of the whole server group.

When the SCE platform detects that the number of active servers within a group is below the configured minimum, it changes the state of the group to Failure. The configured action-on-failure will then be applied to all new flows mapped for that VAS Server Group (existing flows will not be affected.)

There are two possible actions when the VAS Server Group has failed:

Block — all new flows assigned to the failed VAS Server Group will be blocked by the SCE platform.
Pass — all new flows assigned to the failed VAS Server Group will be considered as regular non-VAS flows, and will be processed without VAS service (that is, they will get SCA BB service but not VAS service).

When the number of active servers is above the minimum and the state of the group is changed to Active again, the configured action-on-failure is no longer applied to new flows. However, to maintain the coherency of the network, flows that were Blocked or Passed are not affected by the change in the state of the Server Group.

`Ethernet Switch Failure`

The Ethernet switches are a single point of failure in the VAS topology. A complete failure of an Ethernet switch causes all the VAS services to be declared as failed and the configured action (on-failure) will be taken for all new VAS flows.

`Disabling a VAS Server`

A VAS server can be disabled for maintenance via the CLI.

No errors are reported on a disabled VAS server. However, if disabling the server reduces the number of active servers to below the minimum number configured for the group, it will bring down the VAS Server Group since a disabled VAS server is equal to a VAS server in a Down state.

Health check is not performed on disabled VAS servers.

`VAS Status and VAS Health Check`

In order to manage the VAS redundancy, the SCE platform needs to know the state of each VAS server. The SCE platform performs periodic health checks for all the configured VAS servers. These checks are the basis for VAS redundancy control; they enable the SCE platform to identify and react to VAS server failure, and to check the connectivity of the SCE platform-VAS server before enabling the server to handle traffic.

The health check is performed over the VAS link, the link that connects the SCE platform with the VAS servers. It validates the traffic flow between the SCE platform and the VAS server in both directions through special health check packets generated by the SCE platform.

The health check mechanism does not require special interaction with the VAS device, since the VAS server does not need to answer the health check packets, only to pass them as they are back to the SCE platform. As long as the packets are received by the SCE platform, the VAS server is considered to be alive. Failing to receive the packets back from the VAS server within a pre-defined time window is considered by the SCE platform as a failure of the VAS server and the server status is changed to Down.

Important information about the health check packets:

They are carried over UDP flows
Their source and destination IP addresses are configurable by the user
IP addresses should be:
- Unique to the SCE platform
- Addresses that will not be used by the network traffic (such as private IPs)

The SCE platform uses default UDP ports between 63140 and 63155, unless the user has configured different ports for the health check.

The SCE platform adds its own layer 7 data on top of the UDP transport layer. This data is used by the SCE platform to validate the correctness of the packet upon retrieval.

The health check is performed under the following conditions:

VAS mode is enabled
VAS server is enabled
Health Check for the VAS server is enabled
Server has VLAN tag
Pseudo IPs are configured for the GBE interfaces

If the check is enabled, but any one of the conditions is not met, the server state will be Down (the same as if the server did not pass the health check).

In order to check the connectivity with the VAS server before enabling it to handle traffic, the server should not be assigned to any group.

The health check procedure does not require a special interface with the VAS server, the health check traffic goes through the same network channels as any other VAS traffic. However, there are two assumptions the VAS servers should fulfill:

The VAS server does not drop traffic unless it is specifically configured to do so. Therefore, if the VAS server-SCE platform connectivity is operative, the health check packets should reach the SCE platform safely.
Alternatively, it should be able to configure the VAS server to pass traffic on specific ports (the health check ports).
In case of a failure, the VAS server should drop, not bypass, the traffic (cut the link), so that the SCE platform will be able to identify the failure.

`VAS Server States`

When determining whether a VAS server is active, the system considers the following two parameters:

Admin mode as configured by the user — Enabled or disabled
VAS server state as reported by the health check

A VAS server may be in either of the following states:

UP — The server is UP if:
- Health check disabled ¾ if the server is enabled, has a VLAN tag, and belongs to a group.
- Health check enabled - if the server passes the health check
DOWN — The server is Down if the above conditions are not met.

A server is considered to be Active when its admin mode is Enable and its state is Up.

`VAS Traffic Forwarding Topologies`

The following sections describe the following VAS traffic forwarding topologies:

Single SCE platform, many VAS servers
Many SCE platforms, many VAS servers
VAS over 10G, which is a special case of Cisco Multi-Gigabit Service Control Platform (MGSCP) solution, supporting only one external 10G link and using a Cisco 6500/7600 Series router as a dispatcher to distribute the external 10G link and as the switch towards the VAS servers.

`Note`

A topology in which a VAS server is directly connected to the SCE platform is not supported. If a topology of a single SCE platform connected to a single VAS server is desired, a switch should still be used between the SCE platform and the VAS server.

`Single SCE Platform, Multiple VAS Servers`

In this topology, a single SCE platform is forwarding VAS traffic to one or more VAS servers through two Ethernet switches.

The two Ethernet switches are necessary in order to avoid a situation in which a single MAC address has two ports or a single VLAN tag has two destinations. Each Ethernet switch should be configured to trunk mode with MAC learning disabled.

Figure 12.3. VAS Topology: Single SCE Platform, Multiple VAS Servers


Data Flow
The data flow is: 
A subscriber packet is received at port #1 (Subscriber). 
The SCE platform opens a flow and classifies the flow as either a non-VAS (blue) flow or as a VAS flow (red). 
If the flow is non-VAS (blue), the SCE platform passes the packet to the network. The VAS server is not involved in this case.
If the flow is a VAS flow (red), the SCE platform selects the VAS server to which the packet should be sent, adds the server VLAN tag to the packet and transmits the packet on port #4 (Network).
The packet is routed by the Ethernet switch to the VAS server according to its VLAN tag (the port towards the VAS server should be the only port with this VLAN tag allowed).
The VAS server processes the packet and either drops or forwards it without changing the VLAN tag.
The packet is forwarded by the Ethernet switch to the SCE platform according to its VLAN tag (the port towards the SCE platform should be the only port with this VLAN tag allowed).
The SCE platform receives the packet on port #3 (Subscriber), strips the VLAN tag and forwards the packet to the network via port #2 (Network).

`Multiple SCE Platforms, Multiple VAS Servers`

In this topology, multiple SCE platforms are connected to multiple VAS servers. Note that at least one VAS server receives traffic from more than one SCE platform; if the VAS servers are each in an exclusive relationship to a particular SCE platform, it would simply be several single SCE platform/multiple VAS server topologies grouped together.

In the following figure, the top SCE platform forwards traffic to VAS servers 1 and 2, while the bottom SCE platform forwards to VAS servers 2 and 3. A unique VLAN tag must designate each SCE-platform-to-VAS-server path. This topology is illustrated with two SCE platforms, but a maximum of 512 SCE platforms is supported (limited by the VLAN tag size).

The two Ethernet switches route the traffic to the VAS servers. The routing is VLAN based. The Ethernet switch should be configured to trunk mode with learning disabled.

The data flow is the same as that for the previous topology.

Note that SCE platform redundancy on the cascade ports is not supported in this topology.

Figure 12.4. VAS Topology: Multiple SCE Platforms, Multiple VAS Servers

`SNMP Support for VAS`

SCOS 3.0 adds the following items to the “PCUBE-SE-MIB” proprietary MIB:

SCE-MIB object: vasTrafficForwardingGrp
SCE-MIB Object type: vasServersTable - provides information on each VAS server operational status.
SNMP Trap: vasServerOperationalStatusChangeTrap - signifies that the agent entity has detected a change in the operational status of a VAS server.

`VAS Traffic Forwarding Configuration`

There are three broad aspects to VAS traffic forwarding configuration in the SCE platform:

Configuring global VAS traffic forwarding options, such as enabling or disabling VAS traffic forwarding, or specifying the VAS traffic link.
Configuring a VAS server, such as enabling or disabling a specific VAS server, or enabling or disabling the VAS health check for a specified VAS server.
Configuring a VAS server group, such as adding or removing a specific VAS server, configuring the minimum number of active servers per group, or configuring VAS server group failure behavior.

`Note`

Additional VAS traffic forwarding configuration and monitoring options are available from the SCAS BB Console. See Managing VAS Traffic Forwarding Settings in the Cisco Service Control Application for Broadband User Guide.

Configure the SCE platform ¾ define the servers and the server groups, configure Pseudo IP for the GBE interfaces, and enable VAS mode.
Verify the state of the individual VAS servers as well as that of the VAS Server Groups to make sure all are Up (see Monitoring VAS Traffic Forwarding).
Configure which traffic goes to which Server Group through the SCA BB console (see Configuring VAS Traffic Forwarding from the SCA BB Console).

`Configuring VAS Traffic Forwarding from the SCA BB Console`

Configuration of the VAS Traffic Forwarding solution is distributed between the SCA BB console and the SCE platform CLI:

SCE platform CLI configuration:
- Physical VAS server parameters — VLAN tag, Admin status and health check parameters
- VAS server groups parameters — the VAS servers that belong to the group and the action to take if the group enters a failure state
SCA BB console configuration — the traffic forwarding rules, meaning which portion of the subscriber traffic should be forwarded to the VAS servers.
This configuration is defined per package so different subscribers can receive different VAS service, based on the package they bought.

`Configuring VAS Traffic Forwarding`

There are two global VAS traffic forwarding options:

Enable or disable VAS traffic forwarding
Configure the link number on which to transmit VAS traffic (necessary only if the VAS servers are connected on link 0, rather than link 1, which is the default VAS traffic link))

`Enabling VAS Traffic Forwarding`

By default, VAS traffic forwarding is disabled. If VAS traffic forwarding is required, the user must enable it.

For instructions on how to disable VAS traffic forwarding, see Disabling VAS Traffic Forwarding.

There are certain other SCE platform features that are incompatible with VAS traffic forwarding. Before enabling VAS traffic forwarding, it is the responsibility of the user to make sure that no incompatible features or modes are configured.

The features and modes listed below cannot coexist with VAS mode:

Line-card connection modes — receive-only, receive-only-cascade, inline-cascade
Link mode other than forwarding
All link encapsulation protocols, including VLAN, MPLS, L2TP
Enhanced open flow mode

The following options are available:

Enable/disable — Enable or disable VAS traffic forwarding
- Default — Disable

To enable VAS traffic forwarding, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding and press Enter.

`Disabling VAS Traffic Forwarding`

Disabling the VAS Traffic Forwarding feature in runtime must be done with special care. There are two points to consider:

You cannot disable VAS mode in the SCE platform while the applied SCA BB policy instructs the SCE platform to forward traffic to the VAS servers.
Therefore, you must dismiss all VAS Traffic forwarding rules in the applied SCA BB policy before disabling the VAS traffic forwarding in the SCE platform.
After the SCA BB has been reconfigured, there may still be some open flows that have already been forwarded to the VAS servers. If the VAS feature is stopped while there are still such flows open, their packets coming back from the VAS servers may be routed to their original destination with the VLAN tag of the VAS server on it.
Therefore, it is also highly recommended to shutdown the line card before you disable the VAS traffic forwarding in the SCE platform to avoid inconsistency with flows that were already forwarded to the VAS servers.

To disable VAS traffic forwarding, complete the following steps
From the SCAS BB console, remove all the VAS table associations to packages and apply the changed policy.
Shutdown the line card:
Execute the CLI command shutdown from the LineCard Interface Configuration mode.
Disable VAS traffic forwarding:
Execute the CLI command no VAS-traffic-forwarding from the LineCard Interface Configuration mode.
Re-enable the line card:
Execute the CLI command ‘no shutdown’ from the LineCard Interface Configuration mode.

`Configuring the VAS Traffic Link`

By default, the VAS traffic is transmitted on Link 1. If the VAS servers are connected on Link 0, you must configure the VAS traffic link to Link 0.

To configure the link for VAS over 10G, see Configuring the VAS Traffic Link (VAS over 10G).

`Note`

The VAS traffic link should be in Forwarding mode.

The following option is available:

VAS traffic-link {link-0|link-1} — The link number on which to transmit VAS traffic
- Default — Link 1

To select the link for VAS traffic, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding traffic-link {link-0|link-1} and press Enter.

To revert to the default VAS traffic link, use the following command:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding traffic-link and press Enter.

`Configuring a VAS Server`

The user must define the VAS servers. Each VAS server has the following parameters:

Admin-mode — Enabled or disabled.
Health Check mode — Enabled or Disabled
Health Check ports
VLAN tag

Use the following commands to perform these operations for individual VAS servers:

Enable a specified VAS server
Disable a specified VAS server
Define the VLAN tag for a specified VAS server
Enable or disable the Health Check for a VAS server
Define the source and destination ports to use for the Health Check.
Delete all properties for a specified VAS server. The server returns to the default state, which is enabled. However, it is not operational since it does not have VLAN.

Note that a VAS server is not operational until the VLAN tag is defined, even if the server itself is enabled.

`Enabling a VAS Server`

Use this command to enable a VAS server.

To enable a VAS server, use the following command (note that the server is not operational until a VLAN tag has also been defined):
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-id <number> enable and press Enter.

To disable a specified VAS server, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-id <number> disable and press Enter.

To restore all VAS server properties to default, use the following command:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding VAS server-id <number> and press Enter.

`Assigning a VLAN ID to a VAS Server`

Use this command to assign the VLAN ID to a specified VAS server.

The following options are available:

<VLAN-id> — The VLAN tag to use for the specified VAS server
The VLAN tag can be redefined as necessary.
- Default — No VLAN.

Note the following important points:

The VAS server is not operational until the VLAN tag is defined.
Disabling the server does not remove the VLAN tag number configured to the server.
The no form of the command (same as the default form of the command), removes the previously configured VLAN tag (no VLAN is the default configuration).

To configure the VLAN tag number for a specified VAS server, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-id <number> VLAN <VLAN-id> and press Enter.

To remove the VLAN tag number for a specified VAS server, use either of the following commands:
From the SCE(config if)# prompt, type either of the following commands and press Enter:
no VAS-traffic-forwarding VAS server-id <number> VLAN 
default VAS-traffic-forwarding VAS server-id <number> VLAN

`Configuring the Health Check`

Use these commands to enable and disable the Health Check, and to define the ports it should use.

By default, the VAS server health check is enabled, however the user may disable it.

Note that the health check will be activated only if all the following conditions are true. If the health check is enabled, the server state will be Down if one or more conditions are not met:

VAS Traffic Forwarding mode is enabled
Pseudo IPs are configured for the SCE platform GBE ports on the VAS traffic link
VAS server is enabled
Server has a VLAN tag
Health check for the server is enabled

To configure VAS server health check for VAS over 10G, see also Configuring Health Check for VAS over 10G.

If the health check of the server is disabled, its operational status depends on the following (requirements for Up state are in parentheses):

admin status (enable)
VLAN tag configuration (VLAN tag defined)
group mapping (assigned to group)

The following options are available:

VAS server-id <number> — The ID number of the VAS server for which to enable or disable the health check
Enable/disable — Enable or disable VAS server health check
- Default — Enable
UPD ports — Specify the UDP ports to be used for the health check:
- source <port number> — health check source port number
- destination <port number> — health check destination port number
- Default — <63140,63141> used for server #0 through <63154,63155> used for server #7.

To disable VAS server health check, use the following command:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding VAS server-id <number> health-check and press Enter.

To define the UDP ports to be used for the health check, use the following command
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-id <number> health-check UDP ports source <port number> destination <port number> and press Enter.

To remove the UDP port configuration, use the following commands
From the SCE(config if)# prompt, type either of the following commands and press Enter:
no VAS-traffic-forwarding VAS server-id <number> health-check UDP ports
default VAS-traffic-forwarding VAS server-id <number> health-check UDP ports

`Configuring Pseudo IP Addresses for the Health Check Packets`

Use this command to configure source and destination pseudo IP address for the health check packets. This command allows you to specify a unique IP address to be used by the health check packets.

This is a ROOT level command and is available under the GBE configuration interface mode. The interfaces that should be configured are those interfaces which connect the SCE platform with the VAS servers (by default interfaces GBE 0/3 and GBE 0/4).

The SCE platform uses the pseudo IP as follows:

Pseudo IP configured for the subscriber side interface:
- source IP address for health check packets going in the Upstream direction
- destination IP address for health check packets going in the Downstream direction
Pseudo IP configured for the network side interface:
- source IP address for health check packets going in the Downstream direction
- destination IP address for health check packets going in the Upstream direction

`Note`

This command is a ROOT level command in the Gigabit Interface Configuration mode.

The following options are available:

ip address — IP address to be used (any IP address as long as it is not possible to be found in the network traffic, such as a private IP)
- Default — no IP address
subnet mask — Defines the range of IP addresses that can be used by the SCE platform. Note that the SCE platform is not required to reside in this subnet.
- Default — 255.255.255.255 (The subnet mask can be set to 255.255.255.255, as the health check mechanism requires only one IP address per interface.)

To define the pseudo IP address to be used for the health check, use the following command:
From the SCE(config if)# prompt, type pseudo-ip ip-address [subnet mask] and press Enter.

To delete the pseudo IP address, use the following command:
From the SCE(config if)# prompt, type no pseudo-ip ip-address [subnet mask] and press Enter.

`Configuring a VAS Server Group`

The user may define up to eight VAS server groups. Each VAS server group has the following parameters:

Server Group ID
A list of VAS servers attached to this group.
Failure detection — minimum number of active servers required for this group so it will be considered to be Active. If the number of active servers goes below this minimum, the group will be in Failure state.
Failure action — action performed on all new data flows that should be mapped to this Server Group while it is in Failure state.
Options:
- block
- pass

Use the following commands to perform these operations for a VAS server group:

Add or remove a VAS server to or from a specified group.
Configure the minimum number of active servers for a specified group.
Configure failure behavior for a specified group.

`Adding and Removing Servers`

Use these commands to add and remove servers to or from a specified VAS server group.

The following options are available:

group-number — The ID number of the VAS server group
id-number — The ID number of the VAS server

To add a VAS server to a specified VAS server group, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-group group-number server-id id-number and press Enter.

To remove a VAS server from a specified VAS server group, use the following command:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding VAS server-group group-number server-id id-number and press Enter.

To remove all VAS servers from a specified VAS server group and set all group parameters to their default value, use the following command:
From the SCE(config if)# prompt, type no VAS server-group group-number and press Enter.

`Configuring VAS Server Group Failure Parameters`

Use the following commands to configure these failure parameters for the specified VAS server group:

Minimum number of active servers — If the number of active servers in the server group goes below this number, the group will be in Failure state
Failure action — The action to be applied to all new flows mapped to this server group while it is Failure state:
- Block — all new flows assigned to the failed VAS server group will be blocked by the SCE platform.
- Pass — all new flows assigned to the failed VAS server group will be considered as regular non-VAS flows, and will be processed without VAS service.

The following options are available:

VAS server-group <number> — The ID number of the VAS server group
minimum-active-servers <number> — The minimum number of active servers required for the specified server group
- Default — 1
failure action — Which of the following actions will be applied to all new flows for the specified server group:
- block
- pass (default)

To configure the minimum number of active servers for a specified VAS server group, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-group <number> failure minimum-active-servers <number> and press Enter.

To reset the minimum number of active servers for a specified VAS server group to the default value, use the following command:
From the SCE(config if)# prompt, type default VAS-traffic-forwarding VAS server-group <number> failure minimum-active-servers <number> and press Enter.

To configure the failure action (either block or pass) for a specified VAS server group, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding VAS server-group <number> failure action {block | pass} and press Enter.

To configure the failure action to the default value (pass) for a specified VAS server group, use the following command:
From the SCE(config if)# prompt, type default VAS-traffic-forwarding VAS server-group <number> failure action and press Enter.

`Monitoring VAS Traffic Forwarding`

Use these commands to display the following information for VAS configuration and operational status summary.

Global VAS status summary — VAS mode, the traffic link used
VAS Server Groups information summary — operational status, number of configured servers, number of current active servers.

This information may be displayed for a specific server group or all server groups

VAS servers information summary — operational status, Health Check operational status, number of subscribers attached to this server.

This information may be displayed for a specific server or all servers

Bandwidth per VAS server and VAS direction (to VAS / from VAS)
VAS health check counters

Sample outputs are included.

`Note`

All the following CLI commands are viewer commands. If in line interface configuration mode, you must exit to the privileged exec mode and see the SCE# prompt displayed

To display global VAS status and configuration, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding and press Enter.
Sample output:
VAS traffic forwarding is enabled
VAS traffic link configured: Link-1   actual: Link-1

To display operational and configuration information for a specific VAS Server Group, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-group <number> and press Enter.
Sample output:
VAS server group 0:
State: Failure  configured servers: 0   active servers: 0
minimum active servers required for Active state: 1   failure action: Pass

To display operational and configuration information for all VAS Server Groups, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-group all and press Enter.

To display operational and configuration information for a specific VAS server, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-id <number> and press Enter.
Sample output:
VAS server 0:
Configured mode: enable   actual mode: enable   VLAN:  520  server group:    3
State: UP
Health Check configured mode: enable  status: running
Health Check source port: 63140  destination port: 63141
Number of subscribers:       0

To display operational and configuration information for all VAS servers, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-id all and press Enter.

To display the VAS servers used by a specified subscriber per VAS Server Group, use the following command:
From the SCE# prompt, type show interface linecard 0 subscriber  name <subscriber-name> VAS-servers and press Enter.

To display health check counters for a specific server, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-id <number> counters health-check and press Enter.
Sample output
Health Checks statistics for VAS server '0'    Upstream      Downstream
------------------------------------------------------------------------
Flow Index '0'
-----------------
Total packets sent                         :       31028  :       31027 :
Total packets received                     :       31028  :       31027 :
Good packets received                      :       31028  :       31027 :
Error packets received                     :           0  :           0 :
Not handled packets                        :           0  :           0 :
Average roundtrip (in millisecond)         :           0  :           0 :
Error packets details                      :              :             :
---------------------                      :              :             :
Reordered packets                          :           0  :           0 :
Bad Length packets                         :           0  :           0 :
IP Checksum error packets                  :           0  :           0 :
L4 Checksum error packets                  :           0  :           0 :
L7 Checksum error packets                  :           0  :           0 :
Bad VLAN tag packets                       :           0  :           0 :
Bad Device ID packets                      :           0  :           0 :
Bad Server ID packets                      :           0  :           0 :

To display health check counters for all servers, use the following command:
From the SCE# prompt, type show interface linecard 0 VAS-traffic-forwarding VAS server-id all counters health-check and press Enter.

To clear health check counters for a specific server, use the following command:
From the SCE# prompt, type clear interface linecard 0 VAS-traffic-forwarding VAS server-id <number> counters health-check and press Enter.

To clear health check counters for all servers, use the following command:
From the SCE# prompt, type clear interface linecard 0 VAS-traffic-forwarding VAS server-id all counters health-check and press Enter.

To display bandwidth per VAS server and VAS direction, use the following command:
From the SCE# prompt, type show interface linecard 0 counters VAS-traffic-bandwidth and press Enter.

Note that the bandwidth presented in this command is measured at the Transmit queues, therefore the first table in the following output sample presents the bandwidth of traffic transmitted towards the VAS servers and the second table presents the bandwidth of traffic transmitted out of the SCE platform after being handled by the VAS servers. Note that the counting is based on L2 bytes.

Sample output

Traffic sent to VAS processing TxBW [Kbps] (bytes are counted from Layer 2):
       Port 1 Port 2 Port 3 Port 4
 -------- -------- -------- --------
VAS server id 0: 0 0 0 0
VAS server id 1: 0 0 0 0
VAS server id 2: 0 0 0 0
VAS server id 3: 0 0 0 0
VAS server id 4: 0 0 0 0
VAS server id 5: 0 0 0 0
VAS server id 6: 0 0 0 0
VAS server id 7: 0 0 0 0

Traffic after VAS processing TxBW [Kbps] (bytes are counted from Layer 2):
        Port 1 Port 2 Port 3 Port 4
 -------- -------- -------- --------
VAS server id 0: 0 0 0 0
VAS server id 1: 0 0 0 0
VAS server id 2: 0 0 0 0
VAS server id 3: 0 0 0 0
VAS server id 4: 0 0 0 0
VAS server id 5: 0 0 0 0
VAS server id 6: 0 0 0 0
VAS server id 7: 0 0 0 0

`Interactions Between VAS Traffic Forwarding and Other SCE Platform Features`

`Incompatible SCE Platform Features`

There are certain SCE platform features that are incompatible with VAS traffic forwarding. Before enabling VAS traffic forwarding, it is the responsibility of the user to make sure that no incompatible features or modes are configured.

The features and modes listed below cannot coexist with VAS mode are:

Line-card connection modes — receive-only, receive-only-cascade, inline-cascade
Link mode other than forwarding
All link encapsulation protocols, including VLAN, MPLS, L2TP

`VAS Traffic Forwarding and DDoS Processing`

VAS traffic forwarding has the following minor effects on the DDoS mechanisms.

`Specific IP DDoS Attack Detection`

The specific IP DDoS mechanism uses software counters. The second pass VAS packets do not reach the software, so they are not counted twice.

Network side packetsare handled by the attack-detector in the first pass,when they open a flow, so they also are not counted twice.

`Specific IP Attack filter`

The behavior depends on the action configured.

ReportOnly - VAS is not affected.
Block - flow is blocked, no VAS service to give.
Bypass – Traffic will be bypassed and NO SCA BB or VAS services are given.

`VAS Traffic Forwarding and Bandwidth management`

The complexity of the VAS traffic forwarding results in the modification of some SCE platform bandwidth management capabilities when using this feature:

VAS flows are not subject to global bandwidth control.
The number of global controllers available to regular flows has been decreased from 64 to 48.

Certain changes are required in the configuration of the global controllers in order to support these two restrictions.

`Global Controllers and VAS flows`

When VAS traffic forwarding is enabled, the global controllers function slightly differently.

Only 48 global controllers are available to the user.
Global controllers 49-63 are used to count VAS traffic.
The reserved global controllers cannot be configured.
On VAS flows, the flow does not get its global controller from the traffic controller to which it belongs. Rather, its global controller is set according to VAS rules.

`VAS over 10G`

A specific configuration of VAS traffic forwarding is VAS over 10G using a Cisco 6500/7600 Series router as a dispatcher. The VAS over 10G topology is a specific application of the Cisco Multi-Gigabit Service Control Platform (MGSCP) solution in which only one external 10G link is supported. The 7600 distributes the external 10G link and also functions as the switch for the VAS servers.

VAS functionality is supported over a dual 10G topology only. This topology provides a solution with no single point of failure.

In this topology, there are two external 10G links, each one connected to a separate 7600 platform and VAS server array. Only one set of VAS servers is used at a time, serving the VAS traffic of both 10G links. The other set of VAS servers is reserved for failover in case of either a switch failure or VAS server failure.

The following figure illustrates the VAS over 10G topology.

Figure 12.5. VAS over 10G Topology


Data Flow in VAS over 10G Topology
Data flow in the VAS solution over 10G topology depends on the appropriate use of VLAN tags to route the packets through the system, from the 7600/6500 to the SCE platform, to the appropriate VAS server, back to the SCE platform and then back to the network through the 7600/6500.
The following figure illustrates the flow of VAS data in the VAS solution over 10G topology. Note that the path between the SCE platform and the VAS servers has the same VLAN tag for all SCE platforms in the same EtherChannel.
Figure 12.6. VAS Data Flow in VAS over 10G Topology

VAS flows enter the SCE platform without a VLAN tag, and are then transmitted from the SCE platform with the VLAN tag of the VAS server. They must return from the VAS server to the SCE platform with this tag, which is then stripped off.
In the solution using the 7600/6500, VLAN tags are also used to identify the external link. Note that this is not the same VLAN tag used for the VAS servers. This VLAN tag must be defined as native in the trunk ports towards the SCE platforms, so that the external traffic arrives at the SCE platform without a VLAN tag. 
In this description of the VAS data flow, note the following important points:
This section describes the data flow of packets originating at the subscriber side of the 10G link and sent towards the network. The network to subscriber flow exactly mirrors this flow.
The description does not elaborate on the internal path inside the 7600/6500 device. It is intended to present the path between the SCE platform, the 7600/6500, and the VAS servers, and describe how the VLAN tag changes along that path.
Although the figures show only one SCE platform, in actuality the VAS over 10G topology would usually consist of multiple SCE platforms on multiple ECs. In such a topology, the ports towards the VAS servers must be trunk ports, which allow the presence of multiple VLAN tags, since there will be a unique VLAN tag for each EC. (As noted previously, all SCE platforms on one EC must use the same VLAN tag per VAS server).
The data flow is presented in two parts:
To the VAS servers 
From the VAS servers
The figures assume that the VAS link is link 1.
VAS Data Flow: To the VAS Server
Figure 12.7. VAS Data Flow: To the VAS Server

The following is the sequence of steps in the VAS data flow from the subscriber side to the VAS server:
A subscriber packet is received at the 7600/6500 external 10G link.
The packet is marked with VLAN 100 at the access port and is sent towards the EtherChannel (EC) configured with VLAN 100.
The EC selects port 1 of the SCE platform based on the subscriber side IP, and the VLAN tag is stripped off (100 is the native VLAN tag in the 7600/6500 trunk port).
The SCE platform classifies the flow as VAS flow and tags it with the VAS server VLAN tag 505.
The packet is sent to the VAS server from SCE platform port 2 (N) towards the 7600/6500 with VLAN tag 505.
The packet is received on the 7600/6500 trunk port and is sent to the access port configured with VLAN 505, which is the port connected to the VAS server subscriber side.
The packet has no VLAN tag when it arrives at the VAS server.
VAS Data Flow: From the VAS Server
Figure 12.8. VAS Data Flow: From the VAS Server

The following is the sequence of steps in the VAS data flow from the VAS server out to the network:
The VAS server processes the packet and sends it to the SCE platform from the VAS network port. Note that as the VAS server received the packet with no VLAN tag, it also transmits it with no VLAN tag.
The packet is received on the 7600/6500 access port, is assigned VLAN tag 525, and is sent towards the EC configured with VLAN 525. 
At the trunk port, the VLAN tag 525 is translated to VLAN tag 505. The packet is sent towards port 1 of the SCE platform based on the subscriber side IP.
SCE platform gets the packet on port 1 (S) and forwards it towards the network through port 2 (N) 
The SCE platform forwards the packet with NO VLAN tag.
The packet is received on the 7600/6500 trunk port, gets the native VLAN 101 and sent towards the access port configured with VLAN 101.
The packet is sent towards the network with no VLAN tag.
Failover Support
The SCE monitors the health of the connection to each VAS server on the active VAS link; failure of either the 7600/6500 or the VAS server will cause the server health check to fail. The failure of one or more server groups causes the VAS traffic to be forwarded to the redundant 7600/6500/VAS servers system.
How failover works:
The VAS link (the link on which to send the VAS traffic) is dynamically selected. In failover, the SCE platform switches to its backup subscriber and network ports, so that the VAS traffic is forwarded to the redundant set of VAS devices, as illustrated in the following figure.
Figure 12.9. VAS over 10G Failover

The VAS link does not revert automatically. It will be switched again only if required due to a VAS server group failure on this link. 
The system always checks only one set of the VAS servers; those on the active VAS link.
There is a user-configurable parameter that controls the link-switch rate if there has not been a successful health check on the current VAS link. The default value of this parameter is less than the failure detection time. It is recommended to configure a larger value.
Once there is a successful health check on the VAS link, the link switches immediately upon failure (see Configuring the Minimum Time between Link Switches). 
In the VAS over 10G topology, a failure may occur at any of the following three points:
Failure of an SCE platform
SCE platform failure is detected and handled by the 7600/6500 device. In such case, the EtherChannel will balance the traffic load between the other active SCE platforms.
SCA BB and VAS service through the other SCE platforms continues uninterrupted with no change in the VAS link.
Failure of a 7600/6500
The 10G link that goes through the failed 7600/6500 device is lost completely, however SCA BB and VAS services on the 10G link that goes through the second 7600/6500 device continue uninterrupted.
In case of failure of the 7600/6500 that is connected to the active set of VAS servers, all the VAS traffic of the other 10G link is forwarded to the standby set of VAS servers
Failure of a VAS server group
Failure of a VAS server group on the active VAS traffic link is detected by the VAS health check. Failure of any VAS server group triggers the switch of the entire link to the standby VAS servers. A server group failure is declared when the number of active VAS servers drops below the parameter “minimum active VAS servers in a group” (see Configuring VAS Server Group Failure Parameters).
Both links preserve SCA BB and VAS services. However, during the transition period, the replacing VAS servers will see VAS flows in the middle and the VAS service may be temporarily damaged. 
Health Check in VAS over 10G Topology
In the VAS over 10G topology, special attention must be paid to the selected IP addresses of the health check flows. A flow initiated by an SCE platform may not always be hashed correctly by the EtherChannel. Therefore, a health check packet can be sent out from one SCE platform, go through the 7600/6500 towards the VAS server, then be sent back from the VAS server through the 7600/6500 but hashed by the EtherChannel to a SCE platform different than the originator SCE platform. 
To prevent this from happening, the SCE platform opens eight flows per VAS server. This ensures that at least one of the flows will be mapped to the correct SCE platform; the other SCE platforms disregard health check packets not initiated by them.
Configuring VAS over 10G
When configuring VAS over 10G, the following changes must be made to the configuration process:
Configuration of the VAS traffic link is different (see Configuring the VAS Traffic Link (VAS over 10G))
You must configure a range of IP addresses as the source IP addresses for the health check (see Configuring the Health Check IP Address).
The health check must be specifically enabled to be compatible with the 10G topology (see Enabling the Health Check for VAS over 10G Topology).
Note
The VLAN tags and configuration of the two sets of VAS servers must be identical.
Note
Additional VAS traffic forwarding configuration and monitoring options are available from the SCAS BB Console. See Managing VAS Traffic Forwarding Settings in the Cisco Service Control Application for Broadband User Guide.
Configuring the 7600/6500 for VAS over 10G
This section explains some important points to keep in mind when configuring the 7600/6500 as part of the VAS over 10G solution. For complete information on how to configure the 7600/6500, please refer to the appropriate Cisco documentation.
Please refer to the following guidelines when configuring the 7600/6500 as part of the VAS over 10G solution:
The 7600/6500 device traffic distribution is based on the EtherChannel dispatching function. Specifically it is required that:
External traffic coming from the subscriber side of the 7600/6500 device must be hashed by the EtherChannel according to the source IP
External traffic coming from the network side must be hashed according to the destination IP.
This requirement insures that the same SCE platform handles all the traffic of a subscriber. Since the hashing metric is configurable per line card, the external 10G link subscriber and network ports must be on different line cards. The VAS servers should be connected to the 7600/6500 following this convention as well:
Connect the VAS server subscriber leg to the same line card as the network 10G port, or to a line card that is configured with per destination IP dispatching function.
Connect the VAS server network leg to the same line card as the subscriber 10G port, or to a line card that is configured with per source IP dispatching function.
In order for the native VLAN configuration to be effective, disable the "vlan dot1q tag native" configuration on the 7600/6500.
Introduce the VLAN tags of the VAS servers and the external subscriber and Network ports by running the "vlan XXX" configuration command on the 7600/6500 device.
Configuring the VAS Traffic Link Auto-Select Parameters (VAS over 10G)
To enable switching the VAS traffic automatically upon a failover situation, the following options must be configured for VAS over 10G:
Set the VAS traffic link to auto-select, so that the system can switch between the links in case of 7600/6500/VAS servers failure.
Specify the minimum time allowed between two consecutive link switches before any health check has succeeded.
Specify the link on which to transmit VAS traffic initially after changing the configuration to ‘auto-select’ (in runtime or after reload) or the current VAS traffic link if ‘auto-select’ is already configured.
Note
All commands in this section are Interface LineCard Configuration commands
Setting the VAS Traffic Link to Auto-Select
By default, the VAS traffic is transmitted on Link 1. However, for VAS over 10G, the VAS link should be set to auto-select, so that the system can switch to the backup link when necessary.
The following option is available:
VAS traffic-link {link-0|link-1|auto-select} — The link number on which to transmit VAS traffic
For VAS over 10G, specify auto-select.
To configure the link for VAS over 10G, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding traffic-link auto-select and press Enter.
To revert the link to the default VAS configuration, use the following command:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding traffic-link and press Enter.
Configuring the Minimum Time between Link Switches
You can configure the minimum time allowed between two consecutive link switches. This parameter applies only after a link switch and before any health check has succeeded.
Note that the system assumes the servers are UP while the health check initializes (initialization occurs as a result of every change in the configuration related to the health check or after a link switch, and it lasts until the first health check success or failure). This means that even if the servers are actually DOWN or not even connected, it is assumed that they are UP and user traffic is forwarded to them. Once the health check fails, the servers are declared to be Down, and user traffic is no longer forwarded to them.
In VAS over 10G topology, the default delay between two consecutive link switches (30 seconds) is less than the time it takes for the health check to fail. This means that once a VAS server group fails, the SCE platform switches immediately to the second link. 
In cases where there is at least one failed VAS server group on both links, the SCE platform will flip continuously between the links, and as described above, most of this time the state of the servers will be UP.
To avoid the constant flip between the links in such a case, it is recommended to configure a link-switch-delay time greater than 3 minutes.
It is also recommended to monitor the SNMP traps conveying messages on changes in server status.
The following option is available:
switch-time — The time in seconds to hold between two consecutive link switches on initial health check state.
Default = 30 seconds
To configure the delay between two consecutive link switches, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding traffic-link auto-select link-switch-delay <switch-time> and press Enter.
To revert to the default delay between two consecutive link switches, use either of the following commands:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding traffic-link auto-select link-switch-delay and press Enter.
From the SCE(config if)# prompt, type default VAS-traffic-forwarding traffic-link auto-select link-switch-delay and press Enter.
Setting the Active VAS Link
Use this command to set the active VAS link, the link on which to transmit VAS traffic after a system reload and when working in auto-select mode.
When executed, this command triggers an immediate link switch if the currently active VAS traffic link used is different from the one specified in the command.
The following option is available:
initial-selection {link-0|link-1} — The link number to be set as the active VAS link.
Default = link-1.
To set the active VAS link, use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding traffic-link auto-select initial-selection {link-0 | link-1} and press Enter.
To set the active VAS link to the default values, use either of the following commands:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding traffic-link auto-select initial-selection and press Enter.
From the SCE(config if)# prompt, type default VAS-traffic-forwarding traffic-link auto-select initial-selection and press Enter.
Configuring Health Check for VAS over 10G
When configuring the health check for VAS over 10G, you must perform the following steps:
Configure the health check source and destination IP addresses
Enable health check compatibility for VAS over 10G
Note
All commands in this section are Interface LineCard Configuration commands.
Configuring the Health Check IP Address
Use this command to configure the IP addresses to be used for the VAS health check flows. Any traffic to the configured IP address will be handled as belonging to health check flows; it will not be processed as usual traffic and will be dropped by the SCE platform.
There are three important rules to follow when configuring the IP addresses of the VAS health check. Improper configuration will cause the health check to fail and may cause health check traffic to be forwarded outside of the 7600/6500. 
It is required to configure a range of IP addresses (at least eight IP addresses) for the source IP. This will insure that at least one out of the eight flows will be hashed correctly to the SCE platform. If no range is configured and the VAS over 10G mode (MGSCP) is selected, the health check will fail to run.
The configured IP addresses must be unique to the SCE platforms and should not exist in the network. Any traffic to the configured IP addresses other than VAS health check traffic will be regarded as fault traffic and be dropped by the SCE platform.
All the SCE platforms under the same EtherChannel must have the same IP address configuration. Using the same IP addresses allows the SCE platform to correctly identify health check flows coming from other SCE platforms (as a result of the EtherChannel hashing) and drop these flows before they are transmitted out of the SCE platform.
Note
This command is permitted only when the linecard has been shutdown or no application is assigned.
The following options are available:
ip-address — Specify the IP addresses to be used for the health check:
source <source-ip> — health check source IP address
The source-ip must include a range indication (A.B.C.D/E or A.B.C.D:0xMASK, where A,B,C,D are numbers between [0,255] and E is in the range [0,32]. MASK is the IP mask in 8 hexadecimal characters.)
destination <dest-ip> — health check destination IP address
The configured IP addresses should not be in use in the network.
The same IP address should be used by all the SCE platforms under the same EtherChannel.
Use the no form to remove the configured IP addresses.
To define the IP addresses to be used for the health check, use the following command
From the SCE(config if)# prompt, type VAS-traffic-forwarding health-check ip-address source <source-ip> destination <dest-ip> and press Enter.
To remove the IP address configuration, use the following commands
From the SCE(config if)# prompt, type either of the following commands and press Enter:
no VAS-traffic-forwarding health-check ip-address
default VAS-traffic-forwarding health-check ip-address
Enabling the Health Check for VAS over 10G Topology
Use this command to configure the health check to adjust to VAS over 10G (MGSCP) conditions (see Health Check in VAS over 10G Topology). 
The keyword MGSCP is specified to enable health check compatibility because VAS over 10G is a special case of a MGSCP (Multi-Gigabit Service Control Platform) system.
By default, VAS over 10G compatibility is disabled.
To enable health check compatibility for VAS over 10G (MGSCP), use the following command:
From the SCE(config if)# prompt, type VAS-traffic-forwarding health-check topology MGSCP and press Enter.
To disable health check compatibility for VAS over 10G (MGSCP), use either of the following commands:
From the SCE(config if)# prompt, type no VAS-traffic-forwarding health-check topology MGSCP and press Enter.
From the SCE(config if)# prompt, type default VAS-traffic-forwarding health-check topology MGSCP and press Enter.
VAS Over 10G Sample Configuration
Following is a sample illustrating the steps in configuring the VAS over 10G solution.
Enter the LineCard Interface configuration mode:
SCE(config)#interface LineCard 0
Set VAS health-check to MGSCP mode:
SCE(config if)#VAS-traffic-forwarding health-check topology MGSCP
Set VAS health-check source IP address to the range 192.168.100.0/24 and destination to 192.168.101.0:
SCE(config if)#VAS-traffic-forwarding health-check ip-address source 192.168.100.0:0xffffff00 destination 192.168.101.0
Set VAS traffic link to auto-select so in case of a failure in any of the VAS servers group, the VAS traffic link will be automatically switched:
SCE(config if)#VAS-traffic-forwarding traffic-link auto-select
Configure the link switch delay to 4 minutes. The delay will be applied only if there was no successful health check on the current link:
SCE(config if)#VAS-traffic-forwarding traffic-link auto-select link-switch-delay 240.
Set link-0 to be used as the initial VAS traffic link in auto-select mode:
SCE(config if)#VAS-traffic-forwarding traffic-link auto-select initial-selection link-0
Assign VAS servers 0-3 to VLAN 600-603 respectively
SCE(config if)#VAS-traffic-forwarding VAS server-id 0 VLAN 600
SCE(config if)#VAS-traffic-forwarding VAS server-id 1 VLAN 601
SCE(config if)#VAS-traffic-forwarding VAS server-id 2 VLAN 602
SCE(config if)#VAS-traffic-forwarding VAS server-id 3 VLAN 603
Map VAS servers 0-1 and 2-3 to server groups 0 and 1 respectively, allowing server redundancy within each group:
SCE(config if)#VAS-traffic-forwarding VAS server-group 0 server-id 0
SCE(config if)#VAS-traffic-forwarding VAS server-group 0 server-id 1
SCE(config if)#VAS-traffic-forwarding VAS server-group 1 server-id 2
SCE(config if)#VAS-traffic-forwarding VAS server-group 1 server-id 3
The SCE platform is now set to forward VAS traffic:
SCE(config if)#VAS-traffic-forwarding

Term or Acronym	Definition
PE (Provider Edge router)	A router at the edge of the service provider network. The PE routers are the ones that connect to the customers, and maintain the VPNs.
P (Provider router)	A router in the core of the service provider network. P routers only forward MPLS packets, regardless of VPNs.
VPN (Virtual Private Network)	In the Service Control context, a VPN is the part of the VPN that resides in a specific site. This is the subscriber of the solution.
BGP LEG	A software module that resides on the SM server and generates BGP-related login events. The BGP LEG communicates with the BGP routers (PEs) and passes the relevant updates to the SM software, which generates login events to the SCE platform for the updated VPN subscribers.
Upstream	Traffic coming from the PE router and going into the P router
Downstream	Traffic coming from the P router and going into the PE router
RD (Route Distinguisher)	Used to uniquely identify the same network/mask from different VRFs (such as, 10.0.0.0/8 from VPN A and 10.0.0.0/8 from VPN B)
RT (Route Target)	Used by the routing protocols to control import and export policies, to build arbitrary VPN topologies for customers
VRF (Virtual Routing and Forwarding instance)	Mechanism used to build per-interface routing tables. Each PE has a number of VRFs, one for each site it connects to. This is how the private IPs remain unique.

Operation	Description
--set	Add/update a subscriber. If the mapping exists, replaces the existing mapping, unless the additive-mapping option is used.
--remove-all-mappings	Removes all the mappings of specified subscriber.
--remove-mappings	Removes specified mapping of specified subscriber.

Operation	Description
--additive-mapping	Adds the specified mappings to the existing ones (instead of replacing the existing mappings when this option is not used). Used with the set operation.

`Appendix B. Proprietary MIB Reference`

This appendix describes the pcube proprietary MIB supported by the SCE platform. A MIB (Management Information Base) is a database of objects that can be monitored by a network management system (NMS). The SCE platform supports both the standard MIB-II and a proprietary Service Control Enterprise MIB. This proprietary pcube MIB enables the external management system to perform configuration, performance, troubleshooting and alerting operations specific to the SCE platform, and therefore not provided by the standard MIB.

`Note`

Information and proprietary MIB files supported by the SCOS can be downloaded from: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml under the Cisco Service Routing Products section.

`pcube Enterprise MIB`

The pcube Enterprise MIB splits into into four main groups:

Products
Modules
Management
Workgroup

The pcube enterprise tree structure is defined in a MIB file named PCUBE-SMI.my.

`Note`

The following object identifier represents the pcube Enterprise MIB:

1.3.6.1.4.1.5655, or iso.org.dod.internet.private.enterprise.pcube.

The figure below illustrates the pcube Service Control Enterprise MIB structure.

Conventions used in the diagram:

Dotted arrows surrounding a unit or units indicate that the component is described in the MIB file specified below the line.
A shadowed box indicates that the component is described in its own MIB file.

Figure B.1. Cisco Service Control MIB Structure


The pcubeProducts subtree
The pcubeProducts subtree contains the OIDs of Cisco Service Control products. These OIDs are used only to describe the Cisco Service Control platforms, not as roots for other OIDs.
This subtree does not contain online data, just global definitions.
The pcubeProductsMIB is defined the following MIB file :
PCUBE-PRODUCTS-MIB.my 
The pcubeModules subtree
The pcubeModules subtree provides a root object identifier under which MIB modules can be defined. 
This subtree does not contain online data, just global definitions.
The pcubeMgmt subtree
The pcubeMgmt subtree is the root for pcube MIBs that are relevant to multiple products.
The pcubeWorkgroups subtree
The pcubeWorkgroups subtree contains the actual MIBs for Cisco Service Control devices and sub-devices. This is where the SCE platform, the dispatcher, and also the SCA BB application, hook their actual OIDs and notifications. This means that the branches in this subtree are defined in multiple MIB files.
The pcubeConfigCopyMib subtree
The pcubeConfigCopy MIB is a subset of the Cisco Config-Copy-MIB ported to the pcube enterprise subtree. It supports only local copying of running config to startup config.
The pcubeConfigCopyMIB is defined the following MIB file :
PCUBE-CONFIG-COPY-MIB.my
The config copy MIB is intended for use by all pcube products, and is therefore placed under the pcubeMgmt subtree.
The pcubeSE MIB
The pcubeSE MIB comprises two branches: 
pcubeSeEvents: Contains the OIDs used for sending enterprise-specific notifications. 
pcubeSEObjs : Contains the OIDs that belong to the SCE platform, divided into groups according to functionality.
Application MIB Integration
The pcubeSeMIB described above contains information about the SCE platform. Information regarding the SML application running on the SCE platform is available through the following two interfaces:
application and subscriber groups of the pcubeSeMIB
pcubeEngageMIB 
Application and Subscriber groups
These groups allow the operator to view information exposed by the application. In essence, these groups contain tables that allow access to viewables and tuneables defined in the installed SML application. This mechanism is general, and does not require specific adjustments of the SCOS platform for an application. Any installed application can define variables that would then automatically be accessible through the application or subscriber groups.
The Application Group
The application group contains information about the application itself. It also contains two tables:
appPropertiesTable: 
Contains a list of properties of the application. These properties are SML viewables and tuneables that are defined in global scope. Each property has a name and a type (both are strings).
This table is updated when the application is installed, and has read-only access. It is therefore managed by the agent (the SCOS).
appPropertiesValueTable:
Contains information about the application properties that appear in the appPropertiesTable, described above. For each such property, a value is available in one or more formats, as appropriate:
String
Integer
64-bit Integer.
This table is a read-write table, which uses the row-status mechanism. With this mechanism it is possible for a management station to add rows to an SNMP table in an pseudo-atomic way. The RowStatus type is defined in SNMPv2-SMI. 
This table is cleared when an application is unloaded, or when the system resets. The manager may add rows to the table after the system starts, with properties taken from the appPropertiesTable, and then it is possible to poll these variables for their values. It is the manager’s responsibility to read the value in the correct format (according to the “type” field in the appPropertiesTable).
Note that the values cannot be changed through SNMP. Tuneables and Viewables are the same in this respect, they can only be viewed.
Note as well that all the properties in the application group are global properties.
The Subscriber Group
The subscribers group contains global statistics about the subscribers. It also contains two tables, which work in a mechanism very similar to that of the application properties tables described above:
subscribersPropertiesTable: 
Contains a list of “subscriber properties” that the installed application has defined. These properties are SML viewables and tuneables that are defined in subscriber scope. Each property has a name  and a type (both are strings).
This table is updated when the application is installed, and has read-only access. It is therefore it is managed by the agent (the SCOS).
subscribersPropertiesValueTable:
Like the appPropertiesValueTable, this table also uses the RowStatus mechanism to allow addition and removal of rows by the manager. Once a row is created in the subscriberValueTable, it is possible to poll the value of the property for the requested subscriber. The values are given in three formats (string, integer, and 64-bit integer, it being the responsibility of the manager to read the appropriate field, according to the type of the property)
In order to retrieve the value of a subscriber property, the manager must supply the following:
The name of the property (taken from the subscriberPropertyTable) 
The name of the subscriber for which this value should be polled (the name of the subscriber should be known to the manager, it is not available through SNMP). 
Note that the values of the properties are read-only for viewables and tuneables alike.
This table is also used by the pcubeEngageMIB.
The Engage MIB (pcubeEngageMIB)
The application group of the pcubeSeMIB allows the manager to retrieve information about the application. However, due to its generality, it requires quite a bit of intelligence from the management station. The pcubeEngageMIB is an application-specific MIB that supplies information relevant only to the SCA BB (Engage) application.
All information that the application may want to publish is stored in viewables and tuneables. However, there is currently no automatic way for the application to declare that a certain OID should reflect a certain application variable. For this reason, the Engage application MIB is actually implemented by the SCOS.
The Engage subscriber tables rely on the SCOS subscriber value tables described above. Since there is no table that contains a list of the subscribers in the system, the only subscribers referred to in the Engage  tables are the ones that appear in the SCOS subscribersPropertiesValueTable. The spvIndex is used to index the subscribers in the pcubeEngageMIB as well.
Using this Reference
This reference describes all existing MIB objects. For each object, the following information is presented:
IDENTIFIERS	MIB descriptor name and OID
DESCRIPTION	Description of the object, including format and legal values, if applicable.
ACCESS	Access control associated with the object:
	Read only (RO)
	Read/Write (RW)
SYNTAX	The general format of the object.

`pcubeModules (1.3.6.1.4.1.5655.2)`

pcubeModules provides a root object identifier from which module identity values may be assigned.

`Modules:`

PCUBE-SE-MIB: pcubeSeMIB (1.3.6.1.4.1.5655.2.3)
CISCO-SCAS-BB-MIB: pcubeEngageMIB (1.3.6.1.4.1.5655.2.4) (See the "SCA BB Proprietary MIB Reference" chapter in the Cisco SCA BB Reference Guide for a description of the CISCO-SCAS-BB-MIB.)

`pcubeSeMIB (1.3.6.1.4.1.5655.2.3)`

Main SNMP MIB for the Cisco SCE products such as SCE 2000 and SCE 1000. This MIB provides configuration and runtime status for chassis, control modules, and line modules on the SCOS systems.

`pcubeSeMIB Object Groups (1.3.6.1.4.1.5655.2.3.1.1)`

Following is a list of the pcubeSeMIB object groups. Each object group consists of a number of related objects. All individual objects are listed and described in the pcubeWorkgroup section.

`pcubeSystemGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.1}`
`pcubeChassisGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.2}`
`pcubeModuleGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.3}`
`pcubeLinkGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.4}`
`pcubeDiskGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.5}`
`pcubeRdrFormatterGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.6}`
`pcubeLoggerGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.7}`
`pcubeSubscribersGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.8}`
`pcubeTrafficProcessorGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.9}`
`pcubePortGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.10}`
`pcubeTxQueuesGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.11}`
`pcubeGlobalControllersGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.12}`
`pcubeApplicationGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.13}`
`pcubeTrafficCountersGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.14}`
`pcubeAttackGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.15}`
`pcubeVasTrafficForwardingGroup`	`{1.3.6.1.4.1.5655.2.3.1.1.16}`
`pcubeMplsVpnAutoLearnGroup`	`(1.3.6.1.4.1.5655.2.3.1.1.17)`
`pcubeTrapObjectsGroup`	`(1.3.6.1.4.1.5655.2.3.1.1.18)`

`System Group: pcubeSystemGroup (1.3.6.1.4.1.5655.2.3.1.1.1)`

The System group provides data on the system-wide functionality of the SCE platform.

`Objects:`

1: sysOperationalStatus (1.3.6.1.4.1.5655.4.1.1.1)

2: sysFailureRecovery (1.3.6.1.4.1.5655.4.1.1.2)

3: sysVersion (1.3.6.1.4.1.5655.4.1.1.3)

`Chassis Group: pcubeChassisGroup (1.3.6.1.4.1.5655.2.3.1.1.2)`

The Chassis group defines and identifies the chassis, as well as environmental alarms related to the chassis.

`Objects:`

1: pchassisSysType (1.3.6.1.4.1.5655.4.1.2.1)

2: pchassisPowerSupplyAlarm (1.3.6.1.4.1.5655.4.1.2.2)

3: pchassisFansAlarm (1.3.6.1.4.1.5655.4.1.2.3)

4: pchassisTempAlarm (1.3.6.1.4.1.5655.4.1.2.4)

5: pchassisVoltageAlarm (1.3.6.1.4.1.5655.4.1.2.5)

6: pchassisNumSlots (1.3.6.1.4.1.5655.4.1.2.6)

7: pchassisSlotConfig (1.3.6.1.4.1.5655.4.1.2.7)

8: pchassisPsuType (1.3.6.1.4.1.5655.4.1.2.8)

9: pchassisLineFeedAlarm (1.3.6.1.4.1.5655.4.1.2.9)

`Module Group: pcubeModuleGroup (1.3.6.1.4.1.5655.2.3.1.1.3)`

The Module group identifies and defines the modules, or cards, in the SCE platform.

`Objects:`

1: pmoduleIndex (1.3.6.1.4.1.5655.4.1.3.1.1.1)

2: pmoduleType (1.3.6.1.4.1.5655.4.1.3.1.1.2)

3: pmoduleNumTrafficProcessors (1.3.6.1.4.1.5655.4.1.3.1.1.3)

4: pmoduleSlotNum (1.3.6.1.4.1.5655.4.1.3.1.1.4)

5: pmoduleHwVersion (1.3.6.1.4.1.5655.4.1.3.1.1.5)

6: pmoduleNumPorts (1.3.6.1.4.1.5655.4.1.3.1.1.6)

7: pmoduleNumLinks (1.3.6.1.4.1.5655.4.1.3.1.1.7)

8: pmoduleConnectionMode (1.3.6.1.4.1.5655.4.1.3.1.1.8)

9: pmoduleSerialNumber (1.3.6.1.4.1.5655.4.1.3.1.1.9)

10: pmoduleUpStreamAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.10)

11: pmoduleUpStreamLastAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.11)

12: pmoduleDownStreamAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.12)

13: pmoduleDownStreamLastAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.13)

14: pmoduleAttackObjectsClearTime (1.3.6.1.4.1.5655.4.1.3.1.1.14)

15: pmoduleAdminStatus (1.3.6.1.4.1.5655.4.1.3.1.1.15)

16: pmoduleOperStatus (1.3.6.1.4.1.5655.4.1.3.1.1.16)

`Link Group: pcubeLinkGroup (1.3.6.1.4.1.5655.2.3.1.1.4)`

The Link group defines and identifies the link. It provides information regarding the mode of operation of the link defined for each status of the platform.

`Objects:`

1: linkModuleIndex (1.3.6.1.4.1.5655.4.1.4.1.1.1)

2: linkIndex (1.3.6.1.4.1.5655.4.1.4.1.1.2)

3: linkAdminModeOnActive (1.3.6.1.4.1.5655.4.1.4.1.1.3)

4: linkAdminModeOnFailure (1.3.6.1.4.1.5655.4.1.4.1.1.4)

5: linkOperMode (1.3.6.1.4.1.5655.4.1.4.1.1.5)

6: linkStatusReflectionEnable (1.3.6.1.4.1.5655.4.1.4.1.1.6)

7: linkSubscriberSidePortIndex (1.3.6.1.4.1.5655.4.1.4.1.1.7)

8: linkNetworkSidePortIndex (1.3.6.1.4.1.5655.4.1.4.1.1.8)

`Disk Group: pcubeDiskGroup (1.3.6.1.4.1.5655.2.3.1.1.5)`

The Disk group provides data regarding the space utilization on the disk.

`Objects:`

1: diskNumUsedBytes (1.3.6.1.4.1.5655.4.1.5.1)

2: diskNumFreeBytes (1.3.6.1.4.1.5655.4.1.5.2)

`RDR Formatter Group: pcubeRdrFormatterGroup (1.3.6.1.4.1.5655.2.3.1.1.6)`

The RDR Formatter provides information regarding RDR Formatter destinations (Collection Managers), as well as RDR statistics.

`Objects:`

1: rdrFormatterEnable (1.3.6.1.4.1.5655.4.1.6.1)

2: rdrFormatterDestIPAddr (1.3.6.1.4.1.5655.4.1.6.2.1.1)

3: rdrFormatterDestPort (1.3.6.1.4.1.5655.4.1.6.2.1.2)

4: rdrFormatterDestPriority (1.3.6.1.4.1.5655.4.1.6.2.1.3)

5: rdrFormatterDestStatus (1.3.6.1.4.1.5655.4.1.6.2.1.4)

6: rdrFormatterDestConnectionStatus (1.3.6.1.4.1.5655.4.1.6.2.1.5)

7: rdrFormatterDestNumReportsSent (1.3.6.1.4.1.5655.4.1.6.2.1.6)

8: rdrFormatterDestNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.2.1.7)

9: rdrFormatterDestReportRate (1.3.6.1.4.1.5655.4.1.6.2.1.8)

10: rdrFormatterDestReportRatePeak (1.3.6.1.4.1.5655.4.1.6.2.1.9)

11: rdrFormatterDestReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.2.1.10)

12: rdrFormatterNumReportsSent (1.3.6.1.4.1.5655.4.1.6.3)

13: rdrFormatterNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.4)

14: rdrFormatterClearCountersTime (1.3.6.1.4.1.5655.4.1.6.5)

15: rdrFormatterReportRate (1.3.6.1.4.1.5655.4.1.6.6)

16: rdrFormatterReportRatePeak (1.3.6.1.4.1.5655.4.1.6.7)

17: rdrFormatterReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.8)

18: rdrFormatterProtocol (1.3.6.1.4.1.5655.4.1.6.9)

19: rdrFormatterForwardingMode (1.3.6.1.4.1.5655.4.1.6.10)

20: rdrFormatterCategoryIndex (1.3.6.1.4.1.5655.4.1.6.11.1.1)

21: rdrFormatterCategoryName (1.3.6.1.4.1.5655.4.1.6.11.1.2)

22: rdrFormatterCategoryNumReportsSent (1.3.6.1.4.1.5655.4.1.6.11.1.3)

23: rdrFormatterCategoryNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.11.1.4)

24: rdrFormatterCategoryReportRate (1.3.6.1.4.1.5655.4.1.6.11.1.5)

25: rdrFormatterCategoryReportRatePeak (1.3.6.1.4.1.5655.4.1.6.11.1.6)

26: rdrFormatterCategoryReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.11.1.7)

27: rdrFormatterCategoryNumReportsQueued (1.3.6.1.4.1.5655.4.1.6.11.1.8)

28: rdrFormatterCategoryDestPriority (1.3.6.1.4.1.5655.4.1.6.12.1.1)

29: rdrFormatterCategoryDestStatus (1.3.6.1.4.1.5655.4.1.6.12.1.2)

`Logger Group: pcubeLoggerGroup (1.3.6.1.4.1.5655.2.3.1.1.7)`

The Logger group is responsible for logging the system synchronous and asynchronous events.

`Objects:`

1: loggerUserLogEnable (1.3.6.1.4.1.5655.4.1.7.1)

2: loggerUserLogNumInfo (1.3.6.1.4.1.5655.4.1.7.2)

3: loggerUserLogNumWarning (1.3.6.1.4.1.5655.4.1.7.3)

4: loggerUserLogNumError (1.3.6.1.4.1.5655.4.1.7.4)

5: loggerUserLogNumFatal (1.3.6.1.4.1.5655.4.1.7.5)

6: loggerUserLogClearCountersTime (1.3.6.1.4.1.5655.4.1.7.6)

`Subscribers Group: pcubeSubscribersGroup (1.3.6.1.4.1.5655.2.3.1.1.8)`

The Subscribers group provides statistics concerning the number of subscribers and subscriber mappings. It also provides data on the subscriber properties and the value of those properties for a specified subscriber.

`Objects:`

1: subscribersNumIntroduced (1.3.6.1.4.1.5655.4.1.8.1.1.1)

2: subscribersNumFree (1.3.6.1.4.1.5655.4.1.8.1.1.2)

3: subscribersNumIpAddrMappings (1.3.6.1.4.1.5655.4.1.8.1.1.3)

4: subscribersNumIpAddrMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.4)

5: subscribersNumIpRangeMappings (1.3.6.1.4.1.5655.4.1.8.1.1.5)

6: subscribersNumIpRangeMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.6)

7: subscribersNumVlanMappings (1.3.6.1.4.1.5655.4.1.8.1.1.7)

8: subscribersNumVlanMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.8)

9: subscribersNumActive (1.3.6.1.4.1.5655.4.1.8.1.1.9)

10: subscribersNumActivePeak (1.3.6.1.4.1.5655.4.1.8.1.1.10)

11: subscribersNumActivePeakTime (1.3.6.1.4.1.5655.4.1.8.1.1.11)

12: subscribersNumUpdates (1.3.6.1.4.1.5655.4.1.8.1.1.12)

13: subscribersCountersClearTime (1.3.6.1.4.1.5655.4.1.8.1.1.13)

14: subscribersNumTpIpRangeMappings (1.3.6.1.4.1.5655.4.1.8.1.1.14)

15: subscribersNumTpIpRangeMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.15)

16: subscribersNumAnonymous (1.3.6.1.4.1.5655.4.1.8.1.1.16)

17: subscribersNumWithSessions (1.3.6.1.4.1.5655.4.1.8.1.1.17)

18: spIndex (1.3.6.1.4.1.5655.4.1.8.2.1.1)

19: spName (1.3.6.1.4.1.5655.4.1.8.2.1.2)

20: spType (1.3.6.1.4.1.5655.4.1.8.2.1.3)

21: spvSubName (1.3.6.1.4.1.5655.4.1.8.3.1.2)

22: spvPropertyName (1.3.6.1.4.1.5655.4.1.8.3.1.3)

23: spvRowStatus (1.3.6.1.4.1.5655.4.1.8.3.1.4)

24: spvPropertyStringValue (1.3.6.1.4.1.5655.4.1.8.3.1.5)

25: spvPropertyUintValue (1.3.6.1.4.1.5655.4.1.8.3.1.6)

26: spvPropertyCounter64Value (1.3.6.1.4.1.5655.4.1.8.3.1.7)

`Traffic Processor Group: pcubeTrafficProcessorGroup (1.3.6.1.4.1.5655.2.3.1.1.9)`

The Traffic Processor group provides statistics regarding the traffic flow handled by each traffic processor.

`Objects:`

1: tpModuleIndex (1.3.6.1.4.1.5655.4.1.9.1.1.1)

2: tpIndex (1.3.6.1.4.1.5655.4.1.9.1.1.2)

3: tpTotalNumHandledPackets (1.3.6.1.4.1.5655.4.1.9.1.1.3)

4: tpTotalNumHandledFlows (1.3.6.1.4.1.5655.4.1.9.1.1.4)

5: tpNumActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.5)

6: tpNumActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.6)

7: tpNumActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.7)

8: tpNumTcpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.8)

9: TpNumTcpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.9)

10: tpNumTcpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.10)

11: tpNumUdpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.11)

12: tpNumUdpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.12)

13: tpNumUdpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.13)

14: tpNumNonTcpUdpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.14)

15: tpNumNonTcpUdpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.15)

16: tpNumNonTcpUdpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.16)

17: tpTotalNumBlockedPackets (1.3.6.1.4.1.5655.4.1.9.1.1.17)

18: tpTotalNumBlockedFlows (1.3.6.1.4.1.5655.4.1.9.1.1.18)

19: tpTotalNumDiscardedPacketsDueToBwLimit (1.3.6.1.4.1.5655.4.1.9.1.1.19)

20: tpTotalNumWredDiscardedPackets (1.3.6.1.4.1.5655.4.1.9.1.1.20)

21: tpTotalNumFragments (1.3.6.1.4.1.5655.4.1.9.1.1.21)

22: tpTotalNumNonIpPackets (1.3.6.1.4.1.5655.4.1.9.1.1.22)

23: tpTotalNumIpCrcErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.23)

24: tpTotalNumIpLengthErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.24)

25: tpTotalNumIpBroadcastPackets (1.3.6.1.4.1.5655.4.1.9.1.1.25)

26: tpTotalNumTtlErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.26)

27: tpTotalNumTcpUdpCrcErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.27)

28: tpClearCountersTime (1.3.6.1.4.1.5655.4.1.9.1.1.28)

29: tpHandledPacketsRate (1.3.6.1.4.1.5655.4.1.9.1.1.29)

30: tpHandledPacketsRatePeak (1.3.6.1.4.1.5655.4.1.9.1.1.30)

31: tpHandledPacketsRatePeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.31)

32: tpHandledFlowsRate (1.3.6.1.4.1.5655.4.1.9.1.1.32)

33: tpHandledFlowsRatePeak (1.3.6.1.4.1.5655.4.1.9.1.1.33)

34: tpHandledFlowsRatePeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.34)

35: tpCpuUtilization (1.3.6.1.4.1.5655.4.1.9.1.1.35)

36: tpCpuUtilizationPeak (1.3.6.1.4.1.5655.4.1.9.1.1.36)

37: tpCpuUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.37)

38: tpFlowsCapacityUtilization (1.3.6.1.4.1.5655.4.1.9.1.1.38)

39: tpFlowsCapacityUtilizationPeak (1.3.6.1.4.1.5655.4.1.9.1.1.39)

40: tpFlowsCapacityUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.40)

41: tpServiceLoss (1.3.6.1.4.1.5655.4.1.9.1.1.41)

`Port Group: pcubePortGroup (1.3.6.1.4.1.5655.2.3.1.1.10)`

The Port group provides data regarding the port, such as its type and speed.

`Objects:`

1: pportModuleIndex (1.3.6.1.4.1.5655.4.1.10.1.1.1)

2: pportIndex (1.3.6.1.4.1.5655.4.1.10.1.1.2)

3: pportType (1.3.6.1.4.1.5655.4.1.10.1.1.3)

4: pportNumTxQueues (1.3.6.1.4.1.5655.4.1.10.1.1.4)

5: pportIfIndex (1.3.6.1.4.1.5655.4.1.10.1.1.5)

6: pportAdminSpeed (1.3.6.1.4.1.5655.4.1.10.1.1.6)

7: pportAdminDuplex (1.3.6.1.4.1.5655.4.1.10.1.1.7)

8: pportOperDuplex (1.3.6.1.4.1.5655.4.1.10.1.1.8)

9: pportLinkIndex (1.3.6.1.4.1.5655.4.1.10.1.1.9)

10: pportOperStatus (1.3.6.1.4.1.5655.4.1.10.1.1.10)

`Transmit Queues Group: pcubeTxQueuesGroup (1.3.6.1.4.1.5655.2.3.1.1.11)`

The Transmit Queues group provides data regarding the transmit queue counters.

`Objects:`

1: txQueuesModuleIndex (1.3.6.1.4.1.5655.4.1.11.1.1.1)

2: txQueuesPortIndex (1.3.6.1.4.1.5655.4.1.11.1.1.2)

3: txQueuesQueueIndex (1.3.6.1.4.1.5655.4.1.11.1.1.3)

4: txQueuesDescription (1.3.6.1.4.1.5655.4.1.11.1.1.4)

5: txQueuesBandwidth (1.3.6.1.4.1.5655.4.1.11.1.1.5)

6: txQueuesUtilization (1.3.6.1.4.1.5655.4.1.11.1.1.6)

7: txQueuesUtilizationPeak (1.3.6.1.4.1.5655.4.1.11.1.1.7)

8: txQueuesUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.11.1.1.8)

9: txQueuesClearCountersTime (1.3.6.1.4.1.5655.4.1.11.1.1.9)

10: txQueuesDroppedBytes (1.3.6.1.4.1.5655.4.1.11.1.1.10)

`Global Controllers Group: pcubeGlobalControllersGroup (1.3.6.1.4.1.5655.2.3.1.1.12)`

The Global Controllers group provides data regarding the Global Controllers configuration and counters.

`Objects:`

1: globalControllersModuleIndex (1.3.6.1.4.1.5655.4.1.12.1.1.1)

2: globalControllersPortIndex (1.3.6.1.4.1.5655.4.1.12.1.1.2)

3: globalControllersIndex (1.3.6.1.4.1.5655.4.1.12.1.1.3)

4: globalControllersDescription (1.3.6.1.4.1.5655.4.1.12.1.1.4)

5: globalControllersBandwidth (1.3.6.1.4.1.5655.4.1.12.1.1.5)

6: globalControllersUtilization (1.3.6.1.4.1.5655.4.1.12.1.1.6)

7: globalControllersUtilizationPeak (1.3.6.1.4.1.5655.4.1.12.1.1.7)

8: globalControllersUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.12.1.1.8)

9: globalControllersClearCountersTime (1.3.6.1.4.1.5655.4.1.12.1.1.9)

10: globalControllersDroppedBytes (1.3.6.1.4.1.5655.4.1.12.1.1.10)

`Application Group: pcubeApplicationGroup (1.3.6.1.4.1.5655.2.3.1.1.13)`

The Application group indicates which application is installed in the SCE platform, and what the properties of the application and values of those properties are.

`Objects:`

1: appName (1.3.6.1.4.1.5655.4.1.13.1.1.1)

2: appDescription (1.3.6.1.4.1.5655.4.1.13.1.1.2)

3: appVersion (1.3.6.1.4.1.5655.4.1.13.1.1.3)

4: apIndex (1.3.6.1.4.1.5655.4.1.13.2.1.1)

5: apName (1.3.6.1.4.1.5655.4.1.13.2.1.2)

6: apType (1.3.6.1.4.1.5655.4.1.13.2.1.3)

7: apvPropertyName (1.3.6.1.4.1.5655.4.1.13.3.1.2)

8: apvRowStatus (1.3.6.1.4.1.5655.4.1.13.3.1.3)

9: apvPropertyStringValue (1.3.6.1.4.1.5655.4.1.13.3.1.4)

10: apvPropertyUintValue (1.3.6.1.4.1.5655.4.1.13.3.1.5)

11: apvPropertyCounter64Value (1.3.6.1.4.1.5655.4.1.13.3.1.6)

`Traffic Counters Group: pcubeTrafficCountersGroup (1.3.6.1.4.1.5655.2.3.1.1.14)`

The Traffic Counters group provides information regarding the value of different the traffic counters.

`Objects:`

1: trafficCounterIndex (1.3.6.1.4.1.5655.4.1.14.1.1.1)

2: trafficCounterValue (1.3.6.1.4.1.5655.4.1.14.1.1.2)

3: trafficCounterName (1.3.6.1.4.1.5655.4.1.14.1.1.3)

4: trafficCounterType (1.3.6.1.4.1.5655.4.1.14.1.1.4)

`Attack Group: pcubeaAtackGroup (1.3.6.1.4.1.5655.2.3.1.1.15)`

The Attack group provides information regarding detected attacks, aggregated by attack type.

`Objects:`

1: attackTypeIndex (1.3.6.1.4.1.5655.4.1.15.1.1.1)

2: attackTypeName (1.3.6.1.4.1.5655.4.1.15.1.1.2)

3: attackTypeCurrentNumAttacks (1.3.6.1.4.1.5655.4.1.15.1.1.3)

4: attackTypeTotalNumAttacks (1.3.6.1.4.1.5655.4.1.15.1.1.4)

5: attackTypeTotalNumFlows (1.3.6.1.4.1.5655.4.1.15.1.1.5)

6: attackTypeTotalNumSeconds (1.3.6.1.4.1.5655.4.1.15.1.1.6)

`VAS Group: pcubeVasTrafficForwardingGroup (1.3.6.1.4.1.5655.2.3.1.1.16)`

The VAS group provides information regarding the status of the VAS servers.

`Objects:`

1: vasServerIndex (1.3.6.1.4.1.5655.4.1.16.1.1.1)

2: vasServerId (1.3.6.1.4.1.5655.4.1.16.1.1.2)

3: vasServerAdminStatus (1.3.6.1.4.1.5655.4.1.16.1.1.3)

4: vasServerOperStatus (1.3.6.1.4.1.5655.4.1.16.1.1.4)

`MPLS/VPN Group: pcubeMplsVpnAutoLearnGroup (1.3.6.1.4.1.5655.2.3.1.1.17)`

The MPLS/VPN Group provides data regarding MPLS/VPN auto-learning.

`Objects:`

1: mplsVpnMaxHWMappings (1.3.6.1.4.1.5655.4.1.17.1.1.1)

2: mplsVpnCurrentHWMappings (1.3.6.1.4.1.5655.4.1.17.1.1.2)

`Traps Group: pcubeTrapObjectsGroup (1.3.6.1.4.1.5655.2.3.1.1.18)`

The traps group includes strings used for notifications.

`Objects:`

1: pcubeSeEventGenericString1

2: pcubeSeEventGenericString2

3: pullRequestNumber

`pcubeCompliances (1.3.6.1.4.1.5655.2.3.1.2)`

Module compliance is a compliance statement defined in this MIB module that defines which groups must be implemented.

`pcubeCompliance module-compliances (1.3.6.1.4.1.5655.2.3.1.2.1)`

A compliance statement defined in this MIB module, for SCE platform SNMP agents.

`Module Name:`

pcubeSeMIB

`Mandatory Groups`

1: pcubeSystemGroup

2: pcubeChassisGroup

3: pcubeModuleGroup

4: pcubeLinkGroup

5: pcubeDiskGroup

6: pcubeRdrFormatterGroup

7: pcubeLoggerGroup

8: pcubeSubscribersGroup

9: pcubeTrafficProcessorGroup

10: pcubePortGroup

11: pcubeTxQueuesGroup

12: pcubeGlobalControllersGroup

13: pcubeApplicationGroup

14: pcubeTrafficCountersGroup

15: pcubeAttackGroup

16: pcubeVasTrafficForwardingGroup

17: pcubeMplsVpnAutoLearnGroup

18: pcubeTrapObjectsGroup

`pcubeWorkgroup (1.3.6.1.4.1.5655.4)`

pcubeWorkgroup is the main subtree for objects and events of the Cisco SCE platform products.

`Notification Types`

Following is a list of the SCE platform notification types

`operationalStatusOperationalTrap`	{`1.3.6.1.4.1.5655.4.0.1`}
`operationalStatusWarningTrap`	`{1.3.6.1.4.1.5655.4.0.2}`
`operationalStatusFailureTrap`	`{1.3.6.1.4.1.5655.4.0.3}`
`systemResetTrap`	`{1.3.6.1.4.1.5655.4.0.4}`
`chassisTempAlarmOnTrap`	`{1.3.6.1.4.1.5655.4.0.5}`
`chassisTempAlarmOffTrap`	`{1.3.6.1.4.1.5655.4.0.6}`
`chassisVoltageAlarmOnTrap`	`{1.3.6.1.4.1.5655.4.0.7}`
`chassisFansAlarmOnTrap`	`{1.3.6.1.4.1.5655.4.0.8}`
`chassisPowerSupplyAlarmOnTrap`	`{1.3.6.1.4.1.5655.4.0.9}`
`rdrActiveConnectionTrap`	`{1.3.6.1.4.1.5655.4.0.10}`
`rdrNoActiveConnectionTrap`	`{1.3.6.1.4.1.5655.4.0.11}`
`rdrConnectionUpTrap`	`{1.3.6.1.4.1.5655.4.0.12}`
`rdrConnectionDownTrap`	`{1.3.6.1.4.1.5655.4.0.13}`
`loggerUserLogIsFullTrap`	`{1.3.6.1.4.1.5655.4.0.18}`
`sntpClockDriftWarnTrap`	`{1.3.6.1.4.1.5655.4.0.19}`
`linkModeBypassTrap`	`{1.3.6.1.4.1.5655.4.0.20}`
`linkModeForwardingTrap`	`{1.3.6.1.4.1.5655.4.0.21}`
`linkModeCutoffTrap`	`{1.3.6.1.4.1.5655.4.0.22}`
`moduleAttackFilterActivatedTrap`	`{1.3.6.1.4.1.5655.4.0.25}`
`moduleAttackFilterDeactivatedTrap`	`{1.3.6.1.4.1.5655.4.0.26}`
`moduleEmAgentGenericTrap`	`{1.3.6.1.4.1.5655.4.0.27}`
`linkModeSniffingTrap`	`{1.3.6.1.4.1.5655.4.0.28}`
`moduleRedundancyReadyTrap`	`{1.3.6.1.4.1.5655.4.0.29}`
`moduleRedundantConfigurationMismatchTrap`	`{1.3.6.1.4.1.5655.4.0.30}`
`moduleLostRedundancyTrap`	`{1.3.6.1.4.1.5655.4.0.31}`
`moduleSmConnectionDownTrap`	`{1.3.6.1.4.1.5655.4.0.32}`
`moduleSmConnectionUpTrap`	`{1.3.6.1.4.1.5655.4.0.33}`
`moduleOperStatusChangeTrap`	`{1.3.6.1.4.1.5655.4.0.34}`
`portOperStatusChangeTrap`	`{1.3.6.1.4.1.5655.4.0.35}`
`chassisLineFeedAlarmOnTrap`	`{1.3.6.1.4.1.5655.4.0.36}`
`rdrFormatterCategoryDiscardingReportsTrap`	`{1.3.6.1.4.1.5655.4.0.37}`
`rdrFormatterCategoryStoppedDiscardingReportsTrap`	`{1.3.6.1.4.1.5655.4.0.38}`
`sessionStartedTrap`	`{1.3.6.1.4.1.5655.4.0.39}`
`sessionEndedTrap`	`{1.3.6.1.4.1.5655.4.0.40}`
`sessionDeniedAccessTrap`	`{1.3.6.1.4.1.5655.4.0.41}`
`sessionBadLoginTrap`	`{1.3.6.1.4.1.5655.4.0.42}`
`illegalSubscriberMappingTrap`	`{1.3.6.1.4.1.5655.4.0.43}`
`loggerLineAttackLogFullTrap`	`{1.3.6.1.4.1.5655.4.0.44}`
`vasServerOperationStatusChangeTrap`	`{1.3.6.1.4.1.5655.4.0.45}`
`pullRequestNumber`	`{1.3.6.1.4.1.5655.4.0.46}`
`pullRequestRetryFailedTrap`	`{1.3.6.1.4.1.5655.4.0.47}`
`mplsVpnTotalHWMappingsThresholdExceededTrap`	`{1.3.6.1.4.1.5655.4.0.48`}

`operationalStatusOperationalTrap (1.3.6.1.4.1.5655.4.0.1)`

The system operational state of the SCE platform has changed to Operational (3).

`operationalStatusWarningTrap (1.3.6.1.4.1.5655.4.0.2)`

The system operational state of the SCE platform has changed to Warning (4).

`operationalStatusFailureTrap (1.3.6.1.4.1.5655.4.0.3)`

The system operational state of the SCE platform has changed to Failure (5).”

`systemResetTrap (1.3.6.1.4.1.5655.4.0.4)`

The agent entity is about to reset itself either per user request or due to a fatal event.

`chassisTempAlarmOnTrap (1.3.6.1.4.1.5655.4.0.5)`

The chassisTempAlarm object in this MIB has transitioned to the On (3) state, indicating that the temperature is too high.

`chassisTempAlarmOffTrap (1.3.6.1.4.1.5655.4.0.6)`

The chassisTempAlarm object in this MIB has transitioned to the Off (2) state, indicating that the temperature level is back to normal.

`chassisVoltageAlarmOnTrap (1.3.6.1.4.1.5655.4.0.7)`

The chassisVoltageAlarm object in this MIB has transitioned to the On (3) state, indicating that the voltage level is is out of safe bounds.

`chassisFansAlarmOnTrap (1.3.6.1.4.1.5655.4.0.8)`

The chassisFansAlarm object in this MIB has transitioned to the On (3) state, indicating fan malfunction.

`chassisPowerSupplyAlarmOnTrap (1.3.6.1.4.1.5655.4.0.9)`

The chassisPowerSupplyAlarm object in this MIB has transitioned to the On (3) state, indicating power supply malfunction.

`rdrActiveConnectionTrap (1.3.6.1.4.1.5655.4.0.10)`

One of the RDR-formatter connections has become the active connection.

`rdrNoActiveConnectionTrap (1.3.6.1.4.1.5655.4.0.11)`

There is no active connection between the RDR-formatter and any Collection Manager.

`rdrConnectionUpTrap (1.3.6.1.4.1.5655.4.0.12)`

The rdrFormatterDestConnectionStatus object in this MIB has transitioned to Up (2), indicating that one of the RDR-formatter connections was established.

`rdrConnectionDownTrap (1.3.6.1.4.1.5655.4.0.13)`

The rdrFormatterDestConnectionStatus object in this MIB has transitioned to Down (3), indicating that one of the RDR-formatter connections was disconnected.

`loggerUserLogIsFullTrap (1.3.6.1.4.1.5655.4.0.18)`

The User log file is full. The agent entity then rolls to the next file.

`sntpClockDriftWarnTrap (1.3.6.1.4.1.5655.4.0.19)`

The SNTP agent has not received an SNTP time update for a long period, which may result in a time drift of the agent entity’s clock.

`linkModeBypassTrap (1.3.6.1.4.1.5655.4.0.20)`

The link mode has changed to bypass.

`linkModeForwardingTrap (1.3.6.1.4.1.5655.4.0.21)`

The link mode has changed to forwarding.

`linkModeCutoffTrap (1.3.6.1.4.1.5655.4.0.22)`

The link mode has changed to cutoff.

`moduleAttackFilterActivatedTrap (1.3.6.1.4.1.5655.4.0.25)`

The attack filter module has detected an attack and activated a filter. The type of attack-filter that was activated is returned in pcubeSeEventGenericString1.

Following are several examples of pcubeSeEventGenericString1 for various scenarios:

Attack detected automatically (the number of open flows or ddos-suspected flows has exceeded the maximum configured for the attack detector):
- Source of the attack is detected (at the subscriber side, IP address = 10.1.4.134, attacking the network side using UDP., number of open flows = 10000, configured action is ‘report’):
  Attack detected: Attack from IP address10.1.4.134, from subscriber side, protocol UDP. 10000 concurrent open flows detected, 57 concurrent Ddos-suspected flows detected. Action is: Report.
- Target of the attack is detected (at the network side, IP address = 10.1.4.135, being attacked from the subscriber side using ICMP, number of ddos-suspected flows = 500, configured action is ‘block’):
  Attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol ICMP. 745 concurrent open flows detected, 500 concurrent Ddos-suspected flows detected. Action is: Block.
Forced filtering using the ‘force-filter’ command:
- Action is ‘block’, attack-direction is attack-source, side is subscriber, IP address = 10.1.1.1, and protocol is TCP:
  Attack filter: Forced block of flows from IP address 10.1.1.1, from subscriber side, protocol TCP. Attack forced using a force-filter command.
- When the action is ‘report’, attack-direction is attack-destination, side is subscriber, IP address = 10.1.1.1, and protocol is Other:
  Attack filter: Forced report toIP address 10.1.1.1, from network side, protocol Other. Attack forced using a force-filter command.

`moduleAttackFilterDeactivatedTrap (1.3.6.1.4.1.5655.4.0.26)`

The attack filter module has removed a filter that was previously activated.

Attack filter type — in pcubeSeEventGenericString1 (refer to corresponding moduleAttackFilterActivatedTrap)
Reason for deactivating the filter — in pcubeSeEventGenericString2

Following are several examples of pcubeSeEventGenericString1 for various scenarios:

Attack end detected automatically (the number of open flows or ddos-suspected flows drops below the minimum value configured for the attack detector):
End-of-attack detected — Attack on IP address 10.1.4.135, from subscriber side, protocol UDP. Action is: Report. Duration 20 seconds, attack comprised of 11736 flows.
End-of-attack detected — Attack from IP address 10.1.4.134, from subscriber side, protocol ICMP. Action is: Block. Duration 10 seconds, attack comprised of 2093 flows.
Attack end forced by a ‘dont-filter’, or a previous ‘force-filter’ command is removed:
Attack filter — Forced to end block of flows from IP address 10.1.1.1, from subscriber side, protocol TCP. Attack end forced using a 'no force-filter' or a 'dont-filter' command. Duration 6 seconds, 1flows blocked.
Attack filter — Forced to end report to IP address 10.1.1.1, from network side, protocol Other. Attack end forced using a 'no force-filter' or a 'dont-filter' command. Duration 13 seconds, attack comprised of 1 flows.

`moduleEmAgentGenericTrap (1.3.6.1.4.1.5655.4.0.27)`

A generic trap used by the Cisco management agent.

Trap name — in pcubeSeEventGenericString1 (refer to corresponding moduleAttackFilterActivatedTrap)
Relevant parameter — in pcubeSeEventGenericString2

`linkModeSniffingTrap (1.3.6.1.4.1.5655.4.0.28)`

The agent entity has detected that the linkOperMode object in this MIB has changed to sniffing(5).

`moduleRedundancyReadyTrap (1.3.6.1.4.1.5655.4.0.29)`

The module was able to connect and synch with a redundant entity, and is now ready to handle fail-over if needed.

`moduleRedundantConfigurationMismatchTrap (1.3.6.1.4.1.5655.4.0.30)`

The module was not able to synch with a redundant entity, due to an incompatibility in essential configuration parameters between the module and the redundant entity.

`moduleLostRedundancyTrap (1.3.6.1.4.1.5655.4.0.31)`

The module has lost the ability to perform the fail-over procedure.

`moduleSmConnectionDownTrap (1.3.6.1.4.1.5655.4.0.32)`

The virtual connection to the SM (Subscriber Manager) is broken.

`moduleSmConnectionUpTrap (1.3.6.1.4.1.5655.4.0.33)`

The virtual connection to the SM is up and working.

`moduleOperStatusChangeTrap (1.3.6.1.4.1.5655.4.0.34)`

The value of moduleOperStatus has changed.

`portOperStatusChangeTrap (1.3.6.1.4.1.5655.4.0.35)`

The value of the portOperStatus object of the portIndex has changed, indicating that the link was either forced down or the force down was released.

`chassisLineFeedAlarmOnTrap (1.3.6.1.4.1.5655.4.0.36)`

The agent entity has detected that the chassisLineFeed object in this MIB has changed to the on (3) state.

`rdrFormatterCategoryDiscardingReportsTrap (1.3.6.1.4.1.5655.4.0.37)`

The agent entity has detected that reports sent to this category are being discarded.

The rdrFormatterCategoryNumReportsDiscarded object in this MIB counts the number of discarded reports.

`rdrFormatterCategoryStoppedDiscardingReportsTrap (1.3.6.1.4.1.5655.4.0.38)`

The agent entity has detected that reports sent to this category are no longer being discarded.

The rdrFormatterCategoryNumReportsDiscarded object in this MIB counts the number of discarded reports.

`sessionStartedTrap (1.3.6.1.4.1.5655.4.0.39)`

The agent entity has accepted a new session. The pcubeSeEventGenericString1 contains the session type (telnet/SSH) and client IP address.

`sessionEndedTrap (1.3.6.1.4.1.5655.4.0.40)`

The agent entity has detected the end of a session. The pcubeSeEventGenericString1 contains the session type (telnet/SSH) and client IP address.

`sessionDeniedAccessTrap (1.3.6.1.4.1.5655.4.0.41)`

The agent entity has refused a session from unauthorized source. The pcubeSeEventGenericString1 contains the session type (telnet/SSH) and client IP address.

`sessionBadLoginTrap (1.3.6.1.4.1.5655.4.0.42)`

The agent entity has detected attempt to login with a wrong password. The pcubeSeEventGenericString1 contains the session type (telnet/SSH) and client IP address.

`illegalSubscriberMappingTrap (1.3.6.1.4.1.5655.4.0.43)`

The agent entity has detected that an external entity has attempted to create an illegal or inconsistent subscriber mapping.

pcubeSeEventGenericString1 contains a message describing the problem.

`loggerLineAttackLogFullTrap (1.3.6.1.4.1.5655.4.0.44)`

The agent entity has detected that the attack log is full and a new log file is opened.

`vasServerOperationalStatusChangeTrap (1.3.6.1.4.1.5655.4.0.45)`

The agent entity has detected a change in the operational status of a VAS server.

`pullRequestNumber (1.3.6.1.4.1.5655.4.0.46)`

The number of pull requests currently issued for the anonymous subscriber identified in the pullRequestRetryFailedTrap.

Always returns a value of 0.

`pullRequestRetryFailedTrap (1.3.6.1.4.1.5655.4.0.47)`

An unknown subscriber could not be identified after a certain number of pull requests, and is suspected to be an intruder.

pcubeSeEventGenericString1 contains subscriber ID.

`mplsVpnTotalHWMappingsThresholdExceededTrap (1.3.6.1.4.1.5655.4.0.48)`

The value of mplsVpnCurrentHWMappings exceeds the allowed threshold.

`pcubeSe Objects`

The pcubeSe objects provide configuration and runtime status for the SCE platform.

`sysOperationalStatus (1.3.6.1.4.1.5655.4.1.1.1)`

Indicates the operational status of the system.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (boot) — the system is in boot process

3 (operational) — the system is operational

4 (warning) — the system is in Warning status

5 (failure) — the system is in Failure status

}

`sysFailureRecovery (1.3.6.1.4.1.5655.4.1.1.2)`

Indicates the behavior of the system after abnormal boot.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (operational) — the system should enter Operational mode after abnormal boot

3 (non-operational) — the system should enter Failure mode after abnormal boot

}

`sysVersion (1.3.6.1.4.1.5655.4.1.1.3)`

The system version.

Access RO

`Syntax`

DisplayString

`pchassisSysType (1.3.6.1.4.1.5655.4.1.2.1)`

The chassis system type.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (SE1000) — SCE 1000 platform

3 (SE100) — SCE 100 platform

4 (SE2000) — SCE 2000 platform

}

`pchassisPowerSupplyAlarm (1.3.6.1.4.1.5655.4.1.2.2)`

Indicates whether the power supply to the chassis is normal. If the alarm is ‘on’, it means that one or more of the power supplies is not functional

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (off) — the power supply to the chassis is normal

3 (on) — the power supply to the chassis is not normal, and probably one or more of the power supplies is not functional.

}

`pchassisFansAlarm (1.3.6.1.4.1.5655.4.1.2.3)`

Indicates whether all the fans on the chassis are functional.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (off) — all fans are functional

3 (on) — one or more fans is not functional.

}

`pchassisTempAlarm (1.3.6.1.4.1.5655.4.1.2.4)`

Indicates the chassis temperature alarm status.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (off) — temperature is within acceptable range

3 (on) — temperature is too high.

}

`pchassisVoltageAlarm (1.3.6.1.4.1.5655.4.1.2.5)`

Indicates the chassis internal voltage alarm status. If the alarm is ‘on’, it indicates that the voltage level of one or more unit in the chassis is not in the normal range.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (off) — voltage level is within normal range

3 (on) — voltage level is out of the acceptable bounds.

}

`pchassisNumSlots (1.3.6.1.4.1.5655.4.1.2.6)`

Indicates the number of slots in the chassis available for plug-in modules, including both currently occupied and empty slots.

Access RO

`Syntax`

INTEGER (0..255)

`pchassisSlotConfig (1.3.6.1.4.1.5655.4.1.2.7)`

An indication of which slots in the chassis are occupied.

This is an integer value with bits set to indicate configured modules. It is expressed as the function:

Sum of f(x) as x goes from 1 to the number of slots, where:

no module inserted — f(x) = 0
module inserted — f(x) = exp(2, x-1)

Access RO

`Syntax`

INTEGER (0..65535)

`pchassisPsuType (1.3.6.1.4.1.5655.4.1.2.8)`

Indicates the type of the power supplies.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (AC) — AC power supply

3 (DC) — DC power supply

}

`pchassisLineFeedAlarm (1.3.6.1.4.1.5655.4.1.2.9)`

Indicates whether the line feed to the chassis is connected and whether it is supplying power to the power supply unit.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (OFF) — The line feed to the chassis is connected and has power

3 (ON) — The line feed to the chassis is not normal. One or both of the line feeds may not be connected properly or have no power.

}

`pmoduleTable (1.3.6.1.4.1.5655.4.1.3.1)`

A list of module entries containing information defining the modules in the chassis.

The number of entries is the number of modules in the chassis.

Access not-accessible

`Syntax`

Sequence of pmoduleEntry

`pmoduleEntry (1.3.6.1.4.1.5655.4.1.3.1.1)`

Entry containing a number of parameters defining the physical characteristics of one module in the chassis.

Access not-accessible

`Index`

{pmoduleIndex}

`Syntax`

SEQUENCE {

pmoduleIndex

pmoduleType

pmoduleNumTrafficProcessors

pmoduleSlotNum

pmoduleHwVersion

pmoduleNumPorts

pmoduleNumLinks

pmoduleConnectionMode

pmoduleSerialNumber

pmoduleUpStreamAttackFilteringTime

pmoduleUpStreamLastAttackFilteringTime

pmoduleDownStreamAttackFilteringTime

pmoduleDownStreamLastAttackFilteringTime

pmoduleAttackObjectsClearTime

pmoduleAdminStatus

pmoduleOperStatus

}

`pmoduleIndex (1.3.6.1.4.1.5655.4.1.3.1.1.1)`

An ID number identifying the module. A unique value for each module within the chassis.

Access RO

`Syntax`

INTEGER (1..255)

`pmoduleType (1.3.6.1.4.1.5655.4.1.3.1.1.2)`

The type of module.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (gbe2Module) — 2 port Gigabit Ethernet line interface, 2 Fast Ethernet 10/100 management interfaces

3 (fe2Module) — 2 port Fast Ethernet line interface, 1 Fast Ethernet 10/100 management interface

4 (gbe4Module) — 4 port Gigabit Ethernet line interface, 2 Fast Ethernet 10/100 management interfaces

5 (fe4Module) — 4 port Fast Ethernet line interface, 2 Fast Ethernet 10/100 management interfaces

6 (oc12-4Module) — 4 port OC12 line interface, 2 Fast Ethernet 10/100 management interfaces

7 (fe8Module) — 8 port Fast Ethernet line interface, 2 Fast Ethernet 10/100 management interfaces

}

`pmoduleNumTrafficProcessors (1.3.6.1.4.1.5655.4.1.3.1.1.3)`

The number of traffic processors supported by the module.

Access RO

`Syntax`

INTEGER (0..255)

`pmoduleSlotNum (1.3.6.1.4.1.5655.4.1.3.1.1.4)`

The number of the slot in the chassis in which the module is installed.

Valid entries are from 1 to the value of pchassisNumSlots.

Access RO

`Syntax`

INTEGER (1..255)

`pmoduleHwVersion (1.3.6.1.4.1.5655.4.1.3.1.1.5)`

The hardware version of the module.

Access RO

`Syntax`

DisplayString

`pmoduleNumPorts (1.3.6.1.4.1.5655.4.1.3.1.1.6)`

The number of ports supported by the module.

Access RO

`Syntax`

INTEGER (0..255)

`pmoduleNumLinks (1.3.6.1.4.1.5655.4.1.3.1.1.7)`

The number of links carrying inband traffic that are supported by the module. The link is uniquely defined by the two ports that are at its endpoints.

Access RO

`Syntax`

INTEGER (0..255)

`pmoduleConnectionMode (1.3.6.1.4.1.5655.4.1.3.1.1.8)`

Indicates the connection mode of the module.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (inline) — SCE is both receiving and transmitting traffic on the line ports.

3 (receive-only) — SCE can only receive packets from the line ports. This mode is suitable for external splitting topology.

4 (inline-cascade) — SCE is both receiving and transmitting traffic on the line ports and the cascade ports.

5 (receive-only-cascade) — SCE can only receive packets from the line and the cascade ports. This mode is suitable for external splitting topology

`pmoduleSerialNumber (1.3.6.1.4.1.5655.4.1.3.1.1.9)`

The serial number of the module.

Access RO

`Syntax`

DisplayString

`pmoduleUpStreamAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.10)`

The accumulated time (in hundredths of a second) during which attack up-stream traffic was filtered.

Access RO

`Syntax`

TimeTicks

`pmoduleUpStreamLastAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.11)`

The time (in hundredths of a second) since the previous attack filtered in the up-stream traffic.

Access RO

`Syntax`

TimeTicks

`pmoduleDownStreamAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.12)`

The accumulated time (in hundredths of a second) during which attack down-stream traffic was filtered.

Access RO

`Syntax`

TimeTicks

`pmoduleDownStreamLastAttackFilteringTime (1.3.6.1.4.1.5655.4.1.3.1.1.13)`

The time (in hundredths of a second) since the previous attack filtered in the down-stream traffic.

Access RO

`Syntax`

TimeTicks

`pmoduleAttackObjectsClearTime (1.3.6.1.4.1.5655.4.1.3.1.1.14)`

The time (in hundredths of a second) since the attack objects were cleared. Writing a 0 to this object causes the counters to be cleared.

Access RO

`Syntax`

TimeTicks

`pmoduleAdminStatus (1.3.6.1.4.1.5655.4.1.3.1.1.15)`

Indicates whether the module is configured to handle traffic on startup or reboot (active), to be the hot standby.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (primary) — Handle traffic on startup.

3 (secondary) — Fail-over module on startup.

}

`pmoduleOperStatus (1.3.6.1.4.1.5655.4.1.3.1.1.16)`

Indicates whether the module is currently handling (active), or is on standby.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (active) — Currently is handling traffic.

3 (standby) — Currently is the fail-over module.

}

`linkTable (1.3.6.1.4.1.5655.4.1.4.1)`

A list of link entries containing information regarding the configuration and status of the links that pass through the SCE platform and carry in-band traffic.

The number of entries is determined by the number of modules in the chassis and the number of links on each module.

Access not-accessible

`Syntax`

Sequence of linkEntry

`linkEntry (1.3.6.1.4.1.5655.4.1.4.1.1)`

Entry containing information about the Link.

Access not-accessible

`Index`

{linkModuleIndex, linkIndex}

`Syntax`

SEQUENCE {

linkModuleIndex

linkIndex

linkAdminModeOnActive

linkAdminModeOnFailure

linkOperMode

linkStatusReflectionEnable

linkSubscriberSidePortIndex

linkNetworkSidePortIndex

}

`linkModuleIndex (1.3.6.1.4.1.5655.4.1.4.1.1.1)`

An index value (pmoduleIndex) that uniquely identifies the module where this link is located.

Access RO

`Syntax`

INTEGER (1..255)

`linkIndex (1.3.6.1.4.1.5655.4.1.4.1.1.2)`

An index value that uniquely identifies the link within the specified module.

Valid entries are 1 to the value of pmoduleNumLinks for this module.

Access RO

`Syntax`

INTEGER (1..255)

`linkAdminModeOnActive (1.3.6.1.4.1.5655.4.1.4.1.1.3)`

The desired mode of the link when the operating status of the module is active and it is not in boot or failure.

Possible values (LinkModeType):

Bypass — the traffic is forwarded from one port to the other using an internal splitter.
Forwarding — the traffic is forwarded by the internal hardware and software modules of the SCE platform.

Access RO

`Syntax`

LinkModeType

`linkAdminModeOnFailure (1.3.6.1.4.1.5655.4.1.4.1.1.4)`

The desired mode of the link when the system status is failure.

Possible values (LinkModeType):

Bypass — the traffic is forwarded from one port to the other using an internal splitter.
Cutoff — all traffic is dropped by the SCE.

Access RO

`Syntax`

LinkModeType

`linkOperMode (1.3.6.1.4.1.5655.4.1.4.1.1.5)`

The current operational mode of the link.

Possible values (LinkModeType):

Bypass — the traffic is forwarded from one port to the other using an internal splitter with no processing taking place.
Forwarding — the traffic is forwarded by the internal hardware and software modules of the SCE.
Sniffing — the traffic is forwarded in the same manner as in Bypass mode, however it passes through and is analysed by the internal software and hardware modules of the SCE platform.

Access RO

`Syntax`

LinkModeType

`linkStatusReflectionEnable (1.3.6.1.4.1.5655.4.1.4.1.1.6)`

Indicates whether failure of the physical link on one interface should trigger the failure of the link on the other interface on the module.

Access RO

`Syntax`

INTEGER {

1 (enabled)

2 (disabled)

}

`linkSubscriberSidePortIndex (1.3.6.1.4.1.5655.4.1.4.1.1.7)`

An index value that uniquely identifies this link with the related port that is connected to the subscriber side.

Access RO

`Syntax`

INTEGER (0..255)

`linkNetworkSidePortIndex (1.3.6.1.4.1.5655.4.1.4.1.1.8)`

An index value that uniquely identifies this link with the related port that is connected to the network side.

Access RO

`Syntax`

INTEGER (0..255)

`diskNumUsedBytes (1.3.6.1.4.1.5655.4.1.5.1)`

The number of used bytes on the disk.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`diskNumFreeBytes (1.3.6.1.4.1.5655.4.1.5.2)`

The number of free bytes on the disk.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterEnable (1.3.6.1.4.1.5655.4.1.6.1)`

Indicates whether the RDR-formatter is enabled or disabled.

When the RDR-formatter is enabled, it sends the reports it gets from the traffic processors to the Collection Manager as defined in the rdrFormatterDestTable.

Access RO

`Syntax`

INTEGER {

1 (enabled)

2 (disabled)

}

`rdrFormatterDestTable (1.3.6.1.4.1.5655.4.1.6.2)`

This table lists the addresses of Collection Managers.

If the RDR-formatter is enabled, the destination with the highest priority to which a TCP connection can be established is designated as the active connection, and would receive the reports generated by the traffic processors.

The table may contain a maximum of three entries.

Access not-accessible

`Syntax`

Sequence of rdrFormatterDestEntry

`rdrFormatterDestEntry (1.3.6.1.4.1.5655.4.1.6.2.1)`

Entry defining one RDR destination.

Access not-accessible

`Index`

{rdrFormatterDestIPAddr, rdrFormatterDestPort}

`Syntax`

SEQUENCE {

rdrFormatterDestIPAddr

rdrFormatterDestPort

rdrFormatterDestPriority

rdrFormatterDestStatus

rdrFormatterDestConnectionStatus

rdrFormatterDestNumReportsSent

rdrFormatterDestNumReportsDiscarded

rdrFormatterDestReportRate

rdrFormatterDestReportRatePeak

rdrFormatterDestReportRatePeakTime

}

`rdrFormatterDestIPAddr (1.3.6.1.4.1.5655.4.1.6.2.1.1)`

The IP address of a Collection Manager.

Access RO

`Syntax`

IP Address

`rdrFormatterDestPort (1.3.6.1.4.1.5655.4.1.6.2.1.2)`

The TCP port on which the Collection Manager listens and the to which the RDR-Formatter should connect.

Access RO

`Syntax`

INTEGER (1...65535)

`rdrFormatterDestPriority (1.3.6.1.4.1.5655.4.1.6.2.1.3)`

The priority given to the Collection Manager. The active Collection Manager is the Collection Manager with the highest priority whose TCP connection is up.

Access RO

`Syntax`

INTEGER (1...100)

`rdrFormatterDestStatus (1.3.6.1.4.1.5655.4.1.6.2.1.4)`

Indicates whether this destination is the active one.

In redundancy and simple-load-balancing modes there can be only one ‘active’ destination, which is the one to which the reports are sent. In multicast mode all destinations receive the active mode.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (active) — this destination is where the reports are sent

3 (standby) — this destination is a backup

}

`rdrFormatterDestConnectionStatus (1.3.6.1.4.1.5655.4.1.6.2.1.5)`

The status of TCP connection to this destination.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (up) — the TCP connection to this destination is up

3 (down) — the TCP connection to this destination is down

}

`rdrFormatterDestNumReportsSent (1.3.6.1.4.1.5655.4.1.6.2.1.6)`

The number of reports sent by the RDR-formatter to this destination.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterDestNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.2.1.7)`

The number of reports dropped by the RDR-formatter at this destination.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterDestReportRate (1.3.6.1.4.1.5655.4.1.6.2.1.8)`

The current rate (in reports per second) of sending reports to this destination.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterDestReportRatePeak (1.3.6.1.4.1.5655.4.1.6.2.1.9)`

The maximum rate of sending reports to this destination.

`Access RO`

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterDestReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.2.1.10)`

The time (in hundredths of a second) since the rdrFormatterDestReportRatePeak value occurred.

Access RO

`Syntax`

TimeTicks

`rdrFormatterNumReportsSent (1.3.6.1.4.1.5655.4.1.6.3)`

The number of reports sent by the RDR-formatter.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.4)`

The number of reports dropped by the RDR-formatter.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterClearCountersTime (1.3.6.1.4.1.5655.4.1.6.5)`

The time (in hundredths of a second) since the RDR-formatter counters were last cleared. Writing a 0 to this object causes the RDR-formatter counters to be cleared.

Access RW

`Syntax`

TimeTicks

`rdrFormatterReportRate (1.3.6.1.4.1.5655.4.1.6.6)`

The current rate (in reports per second) of sending reports to all destinations.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterReportRatePeak (1.3.6.1.4.1.5655.4.1.6.7)`

The maximum rate of sending reports to all destinations.

`Access RO`

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.8)`

The time (in hundredths of a second) since the rdrFormatterReportRatePeak value occurred.

Access RO

`Syntax`

TimeTicks

`rdrFormatterProtocol (1.3.6.1.4.1.5655.4.1.6.9)`

The RDR protocol currently in use.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (RDRv1) — RDR protocol version 1

3 (RDRv2) — RDR protocol version 2

}

`rdrFormatterForwardingMode (1.3.6.1.4.1.5655.4.1.6.10)`

The manner in which the RDR formatter sends the reports to the destinations.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (redundancy) — all RDRs are sent to the primary (active) destination, and all other destinations are in standby

3 (simpleLoadBalancing) — each successive RDR is sent to a different destination, one destination after the other, in a round robin manner

4 (multicast) — all RDRs are sent to all destinations

}

`rdrFormatterCategoryTable (1.3.6.1.4.1.5655.4.1.6.11)`

This table describes the different categories of RDRs and supplies some statistical information about the RDRs sent to these categories

Access not-accessible

`Syntax`

Sequence of rdrFormatterCategoryEntry

`rdrFormatterCategoryEntry (1.3.6.1.4.1.5655.4.1.6.11.1)`

Entry containing information about the RDR formatter categories.

Access not-accessible

`Index`

{rdrFormatterCategoryIndex}

`Syntax`

SEQUENCE {

rdrFormatterCategoryIndex

rdrFormatterCategoryName

rdrFormatterCategoryNumReportsSent

rdrFormatterCategoryNumReportsDiscarded

rdrFormatterCategoryReportRate

rdrFormatterCategoryReportRatePeak

rdrFormatterCategoryReportRatePeakTime

rdrFormatterCategoryNumReportsQueued

}

`rdrFormatterCategoryIndex (1.3.6.1.4.1.5655.4.1.6.11.1.1)`

The RDR formatter category number.

Access RO

`Syntax`

INTEGER (1..4)

`rdrFormatterCategoryName (1.3.6.1.4.1.5655.4.1.6.11.1.2)`

The name of the category.

Access RO

`Syntax`

DisplayString

`rdrFormatterCategoryNumReportsSent (1.3.6.1.4.1.5655.4.1.6.11.1.3)`

The number of reports sent by the RDR-formatter to this category.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterCategoryNumReportsDiscarded (1.3.6.1.4.1.5655.4.1.6.11.1.4)`

The number of reports dropped by the RDR formatter for this category.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterCategoryReportRate (1.3.6.1.4.1.5655.4.1.6.11.1.5)`

The rate of the reports (in reports per second) currently sent to this category.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterCategoryReportRatePeak (1.3.6.1.4.1.5655.4.1.6.11.1.6)`

The maximum report rate sent to this category.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterCategoryReportRatePeakTime (1.3.6.1.4.1.5655.4.1.6.11.1.7)`

The time (in hundredths of a second) since the rdrFormatterCategoryReportRatePeak value occurred.

Access RO

`Syntax`

TimeTicks

`rdrFormatterCategoryNumReportsQueued (1.3.6.1.4.1.5655.4.1.6.11.1.8)`

The number of pending reports in this category.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`rdrFormatterCategoryDestTable (1.3.6.1.4.1.5655.4.1.6.12)`

This table describes the partition of the RDR destinations between the different categories and the priority and status of each destination in each category

Access not-accessible

`Syntax`

Sequence of rdrFormatterCategoryDestEntry

`rdrFormatterCategoryDestEntry (1.3.6.1.4.1.5655.4.1.6.12.1)`

A destination table entry.

Access not-accessible

`Index`

{rdrFormatterCategoryIndex, rdrFormatterDestIPAddr, rdrFormatterDestPort}

`Syntax`

SEQUENCE {

rdrFormatterCategoryDestPriority

rdrFormatterCategoryDestStatus

}

`rdrFormatterCategoryDestPriority (1.3.6.1.4.1.5655.4.1.6.12.1.1)`

The priority assigned to the Collection Manager for this category.

The active Collection Manager is the Collection Manager with the highest priority and a TCP connection that is up.

Access RO

`Syntax`

INTEGER (1...100)

`rdrFormatterCategoryDestStatus (1.3.6.1.4.1.5655.4.1.6.12.1.2)`

Indicates whether the destination is currently active or standby.

In redundancy and in simple Load Balancing rdrFormatterForwardingMode there can be only one active destination, which is where the reports are currently being sent. In multicast mode, all destinations will be assigned the active(2) status

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (active) — this is the destination to which reports are currently being sent

3 (standby) — this destination is a backup

}

`loggerUserLogEnable (1.3.6.1.4.1.5655.4.1.7.1)`

Indicates whether the logging of user information is enabled or disabled.

Access RO

`Syntax`

INTEGER {

1 (enabled)

2 (disabled)

}

`loggerUserLogNumInfo (1.3.6.1.4.1.5655.4.1.7.2)`

The number of Info messages logged into the user log file since last reboot or last time the counter was cleared

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`loggerUserLogNumWarning (1.3.6.1.4.1.5655.4.1.7.3)`

The number of Warning messages logged into the user log file since last reboot or last time the counter was cleared.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`loggerUserLogNumError (1.3.6.1.4.1.5655.4.1.7.4)`

The number of Error messages logged into the user log file since last reboot or last time the counter was cleared.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`loggerUserLogNumFatal (1.3.6.1.4.1.5655.4.1.7.5)`

The number of Fatal messages logged into the user log file since last reboot or last time the counter was cleared

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`loggerUserLogClearCountersTime (1.3.6.1.4.1.5655.4.1.7.6)`

The time (in hundredths of a second) since user log counters were last cleared.

Writing a 0 to this object causes the user log counters to be cleared.

Access RW

`Syntax`

TimeTicks

`subscribersInfoTable (1.3.6.1.4.1.5655.4.1.8.1)`

Data regarding subscriber management operations performed.

Access not-accessible

`Syntax`

Sequence of subscribersInfoEntry

`subscribersInfoEntry (1.3.6.1.4.1.5655.4.1.8.1.1)`

Entry describing the subscriber management operations performed on a certain module.

Access not-accessible

`Index`

{pmoduleIndex}

`Syntax`

SEQUENCE {

subscribersNumIntroduced

subscribersNumFree

subscribersNumIpAddrMappings

subscribersNumIpAddrMappingsFree

subscribersNumIpRangeMappings

subscribersNumIpRangeMappingsFree

subscribersNumVlanMappings

subscribersNumVlanMappingsFree

subscribersNumActive

subscribersNumActivePeak

subscribersNumActivePeakTime

subscribersNumUpdates

subscribersCountersClearTime

subscriberssubscribersNumTpIpRangeMappingssubscribersNumTpIpRangeMappingsFreeCountersClearTime
subscribersNumAnonymous
subscribersNumWithSessions
}

`subscribersNumIntroduced (1.3.6.1.4.1.5655.4.1.8.1.1.1)`

The current number of subscribers introduced to the SCE. These subscribers may or may not have IP address or VLAN mappings. Subscribers who do not have mappings of any kind cannot be associated with traffic, and will be served by the SCE according to the default settings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumFree (1.3.6.1.4.1.5655.4.1.8.1.1.2)`

The number of subscribers that may be introduced in addition to the currently introduced subscribers.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumIpAddrMappings (1.3.6.1.4.1.5655.4.1.8.1.1.3)`

The current number of IP address to subscriber mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumIpAddrMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.4)`

The number of free IP address to subscriber mappings that are available for defining new mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumIpRangeMappings (1.3.6.1.4.1.5655.4.1.8.1.1.5)`

The current number of IP-range to subscriber mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumIpRangeMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.6)`

The number of free IP range to subscriber mappings that are available for defining new mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumVlanMappings (1.3.6.1.4.1.5655.4.1.8.1.1.7)`

The current number of VLAN to subscriber mappings

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumVlanMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.8)`

The number of free VLAN to subscriber mappings that are available for defining new mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumActive (1.3.6.1.4.1.5655.4.1.8.1.1.9)`

The current number of active subscribers. These subscribers necessarily have IP address or VLAN mappings that define the traffic to be served according to the subscriber service agreement.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumActivePeak (1.3.6.1.4.1.5655.4.1.8.1.1.10)`

The peak value of subscribersNumActive since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumActivePeakTime (1.3.6.1.4.1.5655.4.1.8.1.1.11)`

The time (in hundredths of a second) since the subscribersNumActivePeak value occurred.

Access RO

`Syntax`

TimeTicks

`subscribersNumUpdates (1.3.6.1.4.1.5655.4.1.8.1.1.12)`

The accumulated number of subscribers database updates received by the SCE.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersCountersClearTime (1.3.6.1.4.1.5655.4.1.8.1.1.13)`

The time (in hundredths of a second) since the subscribers counters were cleared.

Writing a 0 to this object causes the counters to be cleared.

Access RW

`Syntax`

TimeTicks

`subscribersNumTpIpRangeMappings (1.3.6.1.4.1.5655.4.1.8.1.1.14)`

The current number of IP range to Traffic Processormappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumTpIpRangeMappingsFree (1.3.6.1.4.1.5655.4.1.8.1.1.15)`

The current number of IP range to Traffic Processormappings that are available for defining new mappings.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumAnonymous (1.3.6.1.4.1.5655.4.1.8.1.1.16)`

The current number of anonymous subscribers.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersNumWithSessions (1.3.6.1.4.1.5655.4.1.8.1.1.17)`

The current number of subscribers with open sessions.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`subscribersPropertiesTable (1.3.6.1.4.1.5655.4.1.8.2)`

List of all subscriber properties. This table is updated each time an application is loaded on the SCE platform.

Access not-accessible

`Syntax`

Sequence of subscribersPropertiesEntry

`subscribersPropertiesEntry (1.3.6.1.4.1.5655.4.1.8.2.1)`

Entry describing subscriber properties of the application relevant for a certain module.

Access not-accessible

`Index`

{pmoduleIndex, spIndex}

`Syntax`

SEQUENCE {

spIndex

spName

spType

}

`spIndex (1.3.6.1.4.1.5655.4.1.8.2.1.1)`

An index value that uniquely identifies the subscriber property.

Access RO

`Syntax`

INTEGER (1..255)

`spName (1.3.6.1.4.1.5655.4.1.8.2.1.2)`

Name of the subscriber property.

Access RO

`Syntax`

DisplayString

`spType (1.3.6.1.4.1.5655.4.1.8.2.1.3)`

Property type in respect to: variable type (integer, boolean, string etc), number of elements (scalar or array), and restrictions, if any.

Access RO

`Syntax`

DisplayString

`subscriberPropertiesValuesTable (1.3.6.1.4.1.5655.4.1.8.3)`

The subscriber properties value table is used to provide values for the subscriber properties for a specific subscriber introduced into the SCE platform.

An entry must be created by setting the entry spvRowStatus object with CreateAndGo (4) before setting the name of the subscriber and the property requested. The property requested must be one of the properties from the subscribersPropertiesTable. To remove an entry set the spvRowStatus object with Destroy (6).

To poll the subscriber property, either of these objects should be polled:

spvPropertyStringValue
spvPropertyUnitValue

The table is cleared when the application is unloaded.

Access not-accessible

`Syntax`

Sequence of subscribersPropertiesValueEntry

`subscriberPropertiesValueEntry (1.3.6.1.4.1.5655.4.1.8.3.1)`

Entry providing information on the value of one of the specified subscriber properties.

Access not-accessible

`Index`

{pmoduleIndex, spvIndex}

`Syntax`

SEQUENCE {

SpvIndex

spvSubName

spvPropertyName

spvRowStatus

spvPropertyStringValue

spvPropertyUintValue

spvPropertyCounter64Value

}

`spvIndex (1.3.6.1.4.1.5655.4.1.8.3.1.1)`

cccAn index value that uniquely identifies the entry.

Access RO

`Syntax`

INTEGER (1.. 1024)

`spvSubName (1.3.6.1.4.1.5655.4.1.8.3.1.2)`

A name that uniquely identifies the subscriber.

Access RC

`Syntax`

DisplayString (Size 1...40)

`spvPropertyName (1.3.6.1.4.1.5655.4.1.8.3.1.3)`

A name that uniquely identifies the subscriber property.

Array-type properties may be accessed one element at a time in C-like format. (For example: x[1], or y[1][2])

Access RC

`Syntax`

DisplayString (Size 1...128)

`spvRowStatus (1.3.6.1.4.1.5655.4.1.8.3.1.4)`

Controls creation of a table entry. Only setting CreateAndGo (4) and Destroy (6) will change the status of the entry.

Access RC

`Syntax`

RowStatus

`spvPropertyStringValue (1.3.6.1.4.1.5655.4.1.8.3.1.5)`

The value of the subscriber property in display string format.

Access RO

`Syntax`

DisplayString (SIZE 0...128)

`spvPropertyUintValue (1.3.6.1.4.1.5655.4.1.8.3.1.6)`

The value of the subscriber property in Uint format.

If the property cannot be cast to Uint format, getting this object returns zero.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`spvPropertyCounter64Value (1.3.6.1.4.1.5655.4.1.8.3.1.7)`

The value of the subscriber property in Counter64 format.

If the property cannot be cast to Counter64 format, getting this object returns zero.

Access RO

`Syntax`

Counter64

`tpInfoTable (1.3.6.1.4.1.5655.4.1.9.1)`

The Traffic Processor Info table consists of data regarding traffic handled by the traffic processors, classified by packets and flows.

Access not-accessible

`Syntax`

Sequence of tpInfoEntry

`tpInfoEntry (1.3.6.1.4.1.5655.4.1.9.1.1)`

Entry containing information from the traffic processors.

Access not-accessible

`Index`

{tpModuleIndex, tpIndex}

`Syntax`

SEQUENCE {

tpModuleIndex

tpIndex

tpTotalNumHandledPackets

tpTotalNumHandledFlows

tpNumActiveFlows

tpNumActiveFlowsPeak

tpNumActiveFlowsPeakTime

tpNumTcpActiveFlows

tpNumTcpActiveFlowsPeak

tpNumTcpActiveFlowsPeakTime

tpNumUdpActiveFlows

tpNumUdpActiveFlowsPeak

tpNumUdpActiveFlowsPeakTime

tpNumNonTcpUdpActiveFlows

tpNumNonTcpUdpActiveFlowsPeak

tpNumNonTcpUdpActiveFlowsPeakTime

tpTotalNumBlockedPackets

tpTotalNumBlockedFlows

tpTotalNumDiscardedPacketsDueToBwLimit

tpTotalNumWredDiscardedPackets

tpTotalNumFragments

tpTotalNumNonIpPackets

tpTotalNumIpCrcErrPackets

tpTotalNumIpLengthErrPackets

tpTotalNumIpBroadcastPackets

tpTotalNumTtlErrPackets

tpTotalNumTcpUdpCrcErrPackets

tpClearCountersTime

tpHandledPacketsRate

tpHandledPacketsRatePeak

tpHandledPacketsRatePeakTime

tpHandledFlowsRate

tpHandledFlowsRatePeak

tpHandledFlowsRatePeakTime

tpCpuUtilization

tpCpuUtilizationPeak

tpCpuUtilizationPeakTime

tpFlowsCapacityUtilization

tpFlowsCapacityUtilizationPeak

tpFlowsCapacityUtilizationPeakTime

tpServiceLoss

}

`tpModuleIndex (1.3.6.1.4.1.5655.4.1.9.1.1.1)`

An index value (pmoduleIndex) that uniquely identifies the module in which this traffic processor is located.

Access RO

`Syntax`

INTEGER (1...255)

`tpIndex (1.3.6.1.4.1.5655.4.1.9.1.1.2)`

An index value that uniquely identifies the traffic processor within the specified module. The value is determined by the location of the traffic processor on the module.

Valid entries are 1 to the value of pmoduleNumTrafficProcessors for the specified module.

Access RO

`Syntax`

INTEGER (1...255)

`tpTotalNumHandledPackets (1.3.6.1.4.1.5655.4.1.9.1.1.3)`

The accumulated number of packets handled by this traffic processor since last reboot or last time this counter was cleared.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumHandledFlows (1.3.6.1.4.1.5655.4.1.9.1.1.4)`

The accumulated number of flows handled by this traffic processor since last reboot or last time this counter was cleared.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.5)`

The number of flows currently being handled by this traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.6)`

The peak value of tpNumActiveFlows since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.7)`

The time (in hundredths of a second) since the tpNumActiveFlowsPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpNumTcpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.8)`

The number of TCP flows currently being handled by this traffic processor

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`TpNumTcpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.9)`

The peak value of tpNumTcpActiveFlows since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumTcpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.10)`

The time (in hundredths of a second) since the tpNumTcpActiveFlowsPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpNumUdpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.11)`

The number of UDP flows currently being handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumUdpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.12)`

The peak value of tpNumUdpActiveFlows since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumUdpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.13)`

The time (in hundredths of a second) since the tpNumUdpActiveFlowsPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpNumNonTcpUdpActiveFlows (1.3.6.1.4.1.5655.4.1.9.1.1.14)`

The number of non TCP/UDP flows currently being handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumNonTcpUdpActiveFlowsPeak (1.3.6.1.4.1.5655.4.1.9.1.1.15)`

The peak value of tpNumNonTcpUdpActiveFlows since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpNumNonTcpUdpActiveFlowsPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.16)`

The time (in hundredths of a second) since the tpNumNonTcpUdpActiveFlowsPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpTotalNumBlockedPackets (1.3.6.1.4.1.5655.4.1.9.1.1.17)`

The accumulated number of packets discarded by the traffic processor according to application blocking rules.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumBlockedFlows (1.3.6.1.4.1.5655.4.1.9.1.1.18)`

The accumulated number of flows discarded by the traffic processor according to application blocking rules.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumDiscardedPacketsDueToBwLimit (1.3.6.1.4.1.5655.4.1.9.1.1.19)`

The accumulated number of packets discarded by the traffic processor due to subscriber bandwidth limitations.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumWredDiscardedPackets (1.3.6.1.4.1.5655.4.1.9.1.1.20)`

The accumulated number of packets discarded by the traffic processor due to congestion in the queues.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumFragments (1.3.6.1.4.1.5655.4.1.9.1.1.21)`

The accumulated number of fragmented packets handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumNonIpPackets (1.3.6.1.4.1.5655.4.1.9.1.1.22)`

The accumulated number of non IP packets handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumIpCrcErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.23)`

The accumulated number of packets with IP CRC error handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumIpLengthErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.24)`

The accumulated number of packets with IP length error handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumIpBroadcastPackets (1.3.6.1.4.1.5655.4.1.9.1.1.25)`

The accumulated number of IP broadcast packets handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumTtlErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.26)`

The accumulated number of packets with TTL error handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpTotalNumTcpUdpCrcErrPackets (1.3.6.1.4.1.5655.4.1.9.1.1.27)`

The accumulated number of TCP/UDP packets with CRC error handled by the traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpClearCountersTime (1.3.6.1.4.1.5655.4.1.9.1.1.28)`

The time (in hundredths of a second) since the traffic processor statistics counters were last cleared. Writing a 0 to this object causes the RDR-formatter counters to be cleared.

Access RW

`Syntax`

TimeTicks

`tpHandledPacketsRate (1.3.6.1.4.1.5655.4.1.9.1.1.29)`

The rate in packets per second of the packets handled by this traffic processor..

Access RO

`Syntax`

Unsigned32 (0... 4294967295)

`tpHandledPacketsRatePeak (1.3.6.1.4.1.5655.4.1.9.1.1.30)`

The peak value of tpHandledPacketsRate since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpHandledPacketsRatePeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.31)`

the time (in hundredths of a second) since the tpHandledPacketsRatePeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpHandledFlowsRate (1.3.6.1.4.1.5655.4.1.9.1.1.32)`

The rate in flows start per second of the flows handled by this traffic processor.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpHandledFlowsRatePeak (1.3.6.1.4.1.5655.4.1.9.1.1.33)`

The peak value of tpHandledFlowsRate since the last time it was cleared or the system started.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`tpHandledFlowsRatePeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.34)`

the time (in hundredths of a second) since the tpHandledFlowsRatePeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpCpuUtilization (1.3.6.1.4.1.5655.4.1.9.1.1.35)`

The current percentage of CPU utilization

Access RO

`Syntax`

INTEGER (1..100)

`tpCpuUtilizationPeak (1.3.6.1.4.1.5655.4.1.9.1.1.36)`

The peak value of tpCpuUtilization since the last time it was cleared or the system started.

Access RO

`Syntax`

INTEGER (1..100)

`tpCpuUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.37)`

The time (in hundredths of a second) since the pCpuUtilizationPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpFlowsCapacityUtilization (1.3.6.1.4.1.5655.4.1.9.1.1.38)`

The percentage of flows capacity utilization.

Access RO

`Syntax`

INTEGER (1..100)

`tpFlowsCapacityUtilizationPeak (1.3.6.1.4.1.5655.4.1.9.1.1.39)`

The peak value of tpFlowsCapacityUtilization since the last time it was cleared or the system started.

Access RO

`Syntax`

INTEGER (1..100)

`tpFlowsCapacityUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.9.1.1.40)`

The time (in hundredths of a second) since the tpFlowsCapacityUtilizationPeak value occurred.

Access RO

`Syntax`

TimeTicks

`tpServiceLoss (1.3.6.1.4.1.5655.4.1.9.1.1.41)`

The relative amount of service loss in this traffic processor, in units of 0.001%, since last reboot or last time this counter was cleared.

Access RO

`Syntax`

INTEGER (1..100000)

`pportTable (1.3.6.1.4.1.5655.4.1.10.1)`

A list of port entries.

The number of entries is determined by the number of modules in the chassis and the number of ports on each module.

Access not-accessible

`Syntax`

Sequence of pportEntry

`pportEntry (1.3.6.1.4.1.5655.4.1.10.1.1)`

Entry containing information for a specified port on a module.

Access not-accessible

`Index`

{pportModuleIndex, pportIndex}

`Syntax`

SEQUENCE {

pportModuleIndex

pportIndex

pportType

pportNumTxQueues

pportIfIndex

pportAdminSpeed

pportAdminDuplex

pportOperDuplex

pportLinkIndex

pportOperStatus

}

`pportModuleIndex (1.3.6.1.4.1.5655.4.1.10.1.1.1)`

An index value (pmoduleIndex) that uniquely identifies the module where the port is located.

Access RO

`Syntax`

INTEGER (1..255)

`pportIndex (1.3.6.1.4.1.5655.4.1.10.1.1.2)`

An index value that uniquely identifies the port within the specified module. The value is determined by the location of the port on the module.

Valid entries are 1 to the value of pmoduleNumPorts for this module.

Access RO

`Syntax`

INTEGER (1..255)

`pportType (1.3.6.1.4.1.5655.4.1.10.1.1.3)`

The type of physical layer medium dependent interface on the port.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

11 (e100BaseTX) — UTP Fast Ethernet (Cat 5)

28 (e1000BaseSX) — Short Wave fiber Giga Ethernet

}

`pportNumTxQueues (1.3.6.1.4.1.5655.4.1.10.1.1.4)`

The number of transmit queues supported by this port.

Access RO

`Syntax`

INTEGER (1..255)

`pportIfIndex (1.3.6.1.4.1.5655.4.1.10.1.1.5)`

The value of the instance of the ifIndex object, defined in MIB-II, for this port.

Access RO

`Syntax`

INTEGER (1..255)

`pportAdminSpeed (1.3.6.1.4.1.5655.4.1.10.1.1.6)`

The desired speed of the port. The current operational speed of the port can be determined from ifSpeed.

Access RO

`Syntax`

INTEGER {

1 (autoNegotiation) —

10000000 (s10000000) — 10 Mbps

100000000 (s100000000) — 100 Mbps

1000000000 (s1000000000) — 1 Gbps

}

`pportAdminDuplex (1.3.6.1.4.1.5655.4.1.10.1.1.7)`

The desired duplex of the port.

Access RO

`Syntax`

INTEGER {

1 (half)

2 (full)

4 (auto)

}

`pportOperDuplex (1.3.6.1.4.1.5655.4.1.10.1.1.8)`

Indicates whether the port is operating in half-duplex or full-duplex.

Access RO

`Syntax`

INTEGER {

1 (half)

2 (full)

}

`pportLinkIndex (1.3.6.1.4.1.5655.4.1.10.1.1.9)`

The linkIndex of the link to which this port belongs.

Value of 0 indicates that this port is not associated with any link.

Value of -1 indicates that this port is associated with multiple links.

Access RO

`Syntax`

INTEGER (-1..255)

`pportOperStatus (1.3.6.1.4.1.5655.4.1.10.1.1.10)`

The status of the port. If the port is down, the reason is indicated.

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (up) — the port is up

3 (reflectionForcingDown) — the port is currently forced down due to the link reflection mechanism

4 (redundancyForcingDown) — the port is currently forced down due to redundancy reasons

5 (otherDown) — the port is down due to other reasons

}

`txQueuesTable (1.3.6.1.4.1.5655.4.1.11.1)`

A list of information for each SCE platform transmit queue.

Access not-accessible

`Syntax`

Sequence of txQueuesEntry

`txQueuesEntry (1.3.6.1.4.1.5655.4.1.11.1.1)`

Entry containing information for a specified SCE transmit queue.

Access not-accessible

`Index`

{txQueuesModuleIndex, txQueuesPortIndex, txQueuesQueueIndex}

`Syntax`

SEQUENCE {

txQueuesModuleIndex

txQueuesPortIndex

txQueuesQueueIndex

txQueuesDescription

txQueuesBandwidth

txQueuesUtilization

txQueuesUtilizationPeak

txQueuesUtilizationPeakTime

txQueuesClearCountersTime

}

`txQueuesModuleIndex (1.3.6.1.4.1.5655.4.1.11.1.1.1)`

An index value (pmoduleIndex) that uniquely identifies the module where the queue is located.

Access RO

`Syntax`

INTEGER (1..255)

`txQueuesPortIndex (1.3.6.1.4.1.5655.4.1.11.1.1.2)`

An index value that uniquely identifies the port on which the queue is located.

Access RO

`Syntax`

INTEGER (1..255)

`txQueuesQueueIndex (1.3.6.1.4.1.5655.4.1.11.1.1.3)`

An index value that uniquely identifies the queue within the specified port. The value is determined by the location of the queue on the port.

Valid entries are 1 to the value of pportNumTxQueues for the specified port.

Access RO

`Syntax`

INTEGER (1..255)

`txQueuesDescription (1.3.6.1.4.1.5655.4.1.11.1.1.4)`

Description of the transmit queue.

Access RO

`Syntax`

DisplayString

`txQueuesBandwidth (1.3.6.1.4.1.5655.4.1.11.1.1.5)`

The bandwidth in kbps configured for this queue.

Access RO

`Syntax`

INTEGER (1...1000000)

`txQueuesUtilization (1.3.6.1.4.1.5655.4.1.11.1.1.6)`

The percentage of bandwidth utilization relative to the to the configured rate.

Access RO

`Syntax`

INTEGER (0...100)

`txQueuesUtilizationPeak (1.3.6.1.4.1.5655.4.1.11.1.1.7)`

The peak value of txQueuesUtilization since the last time it was cleared or the system started.

Access RO

`Syntax`

INTEGER (0...100)

`txQueuesUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.11.1.1.8)`

The time (in hundredths of a second) since the txQueuesUtilizationPeak value occurred.

Access RO

`Syntax`

TimeTicks

`txQueuesClearCountersTime (1.3.6.1.4.1.5655.4.1.11.1.1.9)`

The time (in hundredths of a second) since the transmit queues statistics counters were last cleared.

Writing a 0 to this object causes the transmit queues counters to be cleared.

Access RW

`Syntax`

TimeTicks

`txQueuesDroppedBytes (1.3.6.1.4.1.5655.4.1.11.1.1.10)`

Number of dropped bytes. Valid only if the system is configured to count dropped bytes per TX queue.

Access RO

`Syntax`

Counter64

`globalControllersTable (1.3.6.1.4.1.5655.4.1.12.1)`

A list of information for each global controller.

Access not-accessible

`Syntax`

Sequence of globalControllersEntry

`globalControllersEntry (1.3.6.1.4.1.5655.4.1.12.1.1)`

Entry containing information for a specified global controller.

Access not-accessible

`Index`

{globalControllersModuleIndex, globalControllersPortIndex, globalControllersIndex}

`Syntax`

SEQUENCE {

globalControllersModuleIndex

globalControllersPortIndex

globalControllersIndex

globalControllersDescription

globalControllersBandwidth

globalControllersUtilization

globalControllersUtilizationPeak

globalControllersUtilizationPeakTime

globalControllersClearCountersTime

globalControllersDroppedBytes

}

`globalControllersModuleIndex (1.3.6.1.4.1.5655.4.1.12.1.1.1)`

An index value (pmoduleIndex) that uniquely identifies the module where the Global Controller is located.

Access RO

`Syntax`

INTEGER (1..255)

`globalControllersPortIndex (1.3.6.1.4.1.5655.4.1.12.1.1.2)`

An index value that uniquely identifies the port on which the Global Controller is located.

Access RO

`Syntax`

INTEGER (1..255)

`globalControllersIndex (1.3.6.1.4.1.5655.4.1.12.1.1.3)`

An index value that uniquely identifies this Global Controller within the specified port.

Access RO

`Syntax`

INTEGER (1..255)

`globalControllersDescription (1.3.6.1.4.1.5655.4.1.12.1.1.4)`

Description of the Global Controller.

Access RO

`Syntax`

DisplayString

`globalControllersBandwidth (1.3.6.1.4.1.5655.4.1.12.1.1.5)`

The bandwidth in kbps configured for this Global Controller.

Access RO

`Syntax`

INTEGER (1...1000000)

`globalControllersUtilization (1.3.6.1.4.1.5655.4.1.12.1.1.6)`

The percentage of bandwidth utilization relative to the configured rate (globalControllersBandwidth).

Access RO

`Syntax`

INTEGER (0...100)

`globalControllersUtilizationPeak (1.3.6.1.4.1.5655.4.1.12.1.1.7)`

The peak value of bwLimitersUtilization since the last time it was cleared or the system started.

Access RO

`Syntax`

INTEGER (0...100)

`globalControllersUtilizationPeakTime (1.3.6.1.4.1.5655.4.1.12.1.1.8)`

The time (in hundredths of a second) since the globalControllersUtilizationPeak value occurred.

Access RO

`Syntax`

TimeTicks

`globalControllersClearCountersTime (1.3.6.1.4.1.5655.4.1.12.1.1.9)`

The time (in hundredths of a second) since the Global Controller statistics counters were last cleared.

Writing a 0 to this object causes the Global Controller counters to be cleared.

Access RW

`Syntax`

TimeTicks

`globalControllersDroppedBytes (1.3.6.1.4.1.5655.4.1.12.1.1.10)`

Number of dropped bytes. Valid only if the system is configured to count dropped bytes per global controller.

Access RO

`Syntax`

Counter64

`appInfoTable (1.3.6.1.4.1.5655.4.1.13.1)`

Information identifying the application that is currently installed in the SCE platform.

Access not-accessible

`Syntax`

Sequence of appInfoEntry

`appInfoEntry (1.3.6.1.4.1.5655.4.1.13.1.1)`

Entry containing identifying information for the application that is currently installed in the SCE platform.

Access not-accessible

`Index`

{moduleIndex}

`Syntax`

SEQUENCE {

appName

appDescription

appVersion

}

`appName (1.3.6.1.4.1.5655.4.1.13.1.1.1)`

Name of the application currently installed in the SCE platform. This object returns an empty string if no application is currently installed.

Access RO

`Syntax`

DisplayString

`appDescription (1.3.6.1.4.1.5655.4.1.13.1.1.2)`

Description of the application currently installed in the SCE platform.

Access RO

`Syntax`

DisplayString

`appVersion (1.3.6.1.4.1.5655.4.1.13.1.1.3)`

Version information for the application currently installed in the SCE platform.

Access RO

`Syntax`

DisplayString

`appPropertiesTable (1.3.6.1.4.1.5655.4.1.13.2)`

List of all properties available for the application. The table is cleared when the application is unloaded.

Access not-accessible

`Syntax`

Sequence of appPropertiesEntry

`appPropertiesEntry (1.3.6.1.4.1.5655.4.1.13.2.1)`

Entry describing one of the properties available for the application.

Access not-accessible

`Index`

{moduleIndex, apIndex}

`Syntax`

SEQUENCE {

apIndex

apName

apType

}

`apIndex (1.3.6.1.4.1.5655.4.1.13.2.1.1)`

An index value that uniquely identifies the property.

Access RO

`Syntax`

INTEGER (1..255)

`apName (1.3.6.1.4.1.5655.4.1.13.2.1.2)`

Name of the property.

Access RO

`Syntax`

DisplayString

`apType (1.3.6.1.4.1.5655.4.1.13.2.1.3)`

Property type in respect to: variable type (integer, boolean, string etc), number of elements (scalar or array), and restrictions, if any.

Access RO

`Syntax`

DisplayString

`appPropertiesValuesTable (1.3.6.1.4.1.5655.4.1.13.3)`

The applications properties value table is used to provide specific values for the applications properties.

An entry must be created by setting the entry apvRowStatus object with CreateAndGo (4) before setting the name of the property requested. The property requested must be one of the properties from the appPropertiesTable. To remove an entry set the apvRowStatus object with Destroy (6).

To poll the application property, any of these objects should be polled:

apvPropertyValue
apvPropertyUnitValue
apvPropertyCounter64 object.

The table is cleared when the application is unloaded.

Access not-accessible

`Syntax`

Sequence of appPropertiesValueEntry

`appPropertiesValueEntry (1.3.6.1.4.1.5655.4.1.13.3.1)`

Entry providing information on the value of one of the specified application properties.

Access not-accessible

`Index`

{moduleIndex, apvIndex}

`Syntax`

SEQUENCE {

apvIndex

apvPropertyName

apvRowStatus

apvPropertyStringValue

apvPropertyUintValue

apvPropertyCounter64Value

}

`apvIndex (1.3.6.1.4.1.5655.4.1.13.3.1.1)`

An index value that uniquely identifies the property.

Access RO

`Syntax`

INTEGER (1.. 1024)

`apvPropertyName (1.3.6.1.4.1.5655.4.1.13.3.1.2)`

A name that uniquely identifies the application property.

Array-type properties may be accessed one element at a time in C-like format. (For example: x[1], or y[1][2])

Access RC

`Syntax`

DisplayString

`apvRowStatus (1.3.6.1.4.1.5655.4.1.13.3.1.3)`

Controls creation of a table entry.

Access RC

`Syntax`

RowStatus

`apvPropertyStringValue (1.3.6.1.4.1.5655.4.1.13.3.1.4)`

The value of the application property in display string format.

Access RO

`Syntax`

DisplayString (SIZE 0...128)

`apvPropertyUintValue (1.3.6.1.4.1.5655.4.1.13.3.1.5)`

The value of the application property in Uint format.

If the property cannot be cast to Uint format, getting this object returns zero.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`apvPropertyCounter64Value (1.3.6.1.4.1.5655.4.1.13.3.1.6)`

The value of the application property in Counter64 format.

If the property cannot be cast to Counter64 format, getting this object returns zero.

Access RO

`Syntax`

Counter64

`trafficCountersTable (1.3.6.1.4.1.5655.4.1.14.1)`

A list of information for each traffic counter.

Access not-accessible

`Syntax`

Sequence of trafficCountersEntry

`trafficCountersEntry (1.3.6.1.4.1.5655.4.1.14.1.1)`

Entry containing information for a specified traffic counter.

Access not-accessible

`Index`

{trafficCounterIndex}

`Syntax`

SEQUENCE {

trafficCounterIndex

trafficCounterValue

trafficCounterName

trafficCounterType

}

`trafficCounterIndex (1.3.6.1.4.1.5655.4.1.14.1.1.1)`

An index value that uniquely identifies the counter.

Access RO

`Syntax`

INTEGER (1..255)

`trafficCounterValue (1.3.6.1.4.1.5655.4.1.14.1.1.2)`

The 64 bit counter value.

Access RO

`Syntax`

Counter64

`trafficCounterName (1.3.6.1.4.1.5655.4.1.14.1.1.3)`

The name of the counter.

Access RO

`Syntax`

DisplayString

`trafficCounterType (1.3.6.1.4.1.5655.4.1.14.1.1.4)`

Defines whether the traffic counters counts by packets (3) or by bytes (2).

Access RO

`Syntax`

INTEGER {

1 (other) — none of the following

2 (bytes) — counts by bytes

3 (packets) — counts by packets

}

`attackTypeTable (1.3.6.1.4.1.5655.4.1.15.1)`

A list of information for defined attack types.

Access not-accessible

`Syntax`

Sequence of AttackTypeEntry

`attackTypeEntry (1.3.6.1.4.1.5655.4.1.15.1.1)`

Entry containing information for a specified attack type.

Access not-accessible

`Index`

{pmoduleIndex, attackTypeIndex}

`Syntax`

SEQUENCE {

attackTypeIndex

attackTypeName

attackTypeCurrentNumAttacks

attackTypeTotalNumAttacks

attackTypeTotalNumFlows

attackTypeTotalNumSeconds

}

`attackTypeIndex (1.3.6.1.4.1.5655.4.1.15.1.1.1)`

An index value that uniquely identifies the attack type.

Access RO

`Syntax`

INTEGER (1..255)

`attackTypeName (1.3.6.1.4.1.5655.4.1.15.1.1.2)`

The name of the attack type.

Access RO

`Syntax`

DisplayString

`attackTypeCurrentNumAttacks (1.3.6.1.4.1.5655.4.1.15.1.1.3)`

The number of attacks currently detected of this type.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`attackTypeTotalNumAttacks (1.3.6.1.4.1.5655.4.1.15.1.1.4)`

The total number of attacks of this type detected since last clear.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`attackTypeTotalNumFlows (1.3.6.1.4.1.5655.4.1.15.1.1.5)`

The total number of flows in attacks of this type detected since last clear.

Access RO

`Syntax`

Counter64

`attackTypeTotalNumSeconds (1.3.6.1.4.1.5655.4.1.15.1.1.6)`

The total duration (in seconds) of attacks of this type detected since last clear.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`vasServersTable (1.3.6.1.4.1.5655.4.1.16.1)`

A list of information for the VAS servers.

Access not-accessible

`Syntax`

Sequence of VasServerEntry

`vasServerEntry (1.3.6.1.4.1.5655.4.1.16.1.1)`

Entry containing information for a specified VAS server.

Access not-accessible

`Index`

{vasServerIndex}

`Syntax`

SEQUENCE {

vasServerIndex

vasServerId

vasServerAdminStatus

vasServerOperStatus

}

`vasServerIndex (1.3.6.1.4.1.5655.4.1.16.1.1.1)`

An index value that uniquely identifies the VAS server.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`vasServerId (1.3.6.1.4.1.5655.4.1.16.1.1.2)`

The VAS server ID number in the system.

Access RO

`Syntax`

Unsigned32 (0...4294967295)

`vasServerAdminStatus (1.3.6.1.4.1.5655.4.1.16.1.1.3)`

The administrative status of the VAS server.

Access RO

`Syntax`

INTEGER {

1 (other)

2 (up)

3.(down)

}

`vasServerOperStatus (1.3.6.1.4.1.5655.4.1.16.1.1.4)`

The operational status of the VAS server.

Access RO

`Syntax`

INTEGER {

1 (other)

2 (up)

3.(down)

}

`mplsVpnSoftwareCountersTable (1.3.6.1.4.1.5655.4.1.17.1)`

A list of information on various system software counters related to MPLS/VPN auto-learning.

Access not-accessible

`Syntax`

Sequence of mplsVpnSoftwareCountersEntry

`mplsVpnSoftwareCountersEntry (1.3.6.1.4.1.5655.4.1.17.1.1)`

Entry containing information regarding MPLS/VPN auto-learning.

Access not-accessible

`Syntax`

SEQUENCE {

mplsVpnMaxHWMappings

mplsVpnCurrentHWMappings

}

`mplsVpnMaxHWMappings (1.3.6.1.4.1.5655.4.1.17.1.1.1)`

The maximum number of hardware mappings permitted.

Access RO

`Syntax`

INTEGER (1..1000000)

`mplsVpnCurrentHWMappings (1.3.6.1.4.1.5655.4.1.17.1.1.2)`

The current number of hardware mappings in the system.

Access RO

`Syntax`

INTEGER (1..1000000)

`Supported Standards`

The SCE platform supports the SNMP related standards listed in the following table.

Table B.1. Supported SNMP Standards

Document Name 
Description

RFC 1155: Structure and Identification of Management Information for TCP/IP-based Internets 
K. McCloghrie and M. T. Rose, (May 1990).
Contains MIB object definitions.
(Obsoletes RFC 1065)

RFC 1157: A Simple Network Management Protocol 
J. D. Case, M. Fedor, M. L. Schoffstall, and C. Davin, (May 1990).
 Defines SNMP.
(Obsoletes RFC 1098)

RFC 1212: Concise MIB Definitions 
K. McCloghrie (March 1991).
Defines a format for producing MIB modules

RFC 1213: Management Information Base Network Management of TCP/IP based internets: MIB-II 
K. McCloghrie and M. T. Rose, eds.,
(March 1991). 
Defines MIB-II. (Obsoletes RFC 1158)

RFC 1215: Convention for Defining Traps for Use with the SNMP 
M. T. Rose, ed. (March 1991).

RFC 1901: Introduction to Community-based SNMPv2 
SNMPv2 WG, J.Case, K. McCloghrie, M.T.Rose, S. Waldbusser, (January 1996).

Defines “Community-based SNMPv2.”
(Experimental. Obsoletes RFC 1441)

RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2) 
Obsoletes: 1448 (January 1996)

RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2) 
Obsoletes: 1449 (January 1996)

RFC 2233: The Interfaces Group MIB using SMIv2.
Obsoleted by RFC-2863: The Interfaces Group MIB 
Extensions for the ifTable.

STRING	When a String is expected, you can enter any set of characters or digits. If the string has a space as one of its characters, use double-quote (“) marks to enclose the string.
DECIMAL	Any decimal number. Positive number is assumed, for negative numbers use the “–” symbol.
HEX	A hexadecimal number; must start with either 0x or 0X.

iftable	An update to the MIB-II ifTable
ifxtable	An addition to the ifTable, intended for high capacity interfaces
ifStackTable	A table containing information about sublayers of interfaces
ifRcvAddressTable	A table meant for interfaces that support more than one receive address

ifindex	The numbering of the interfaces is such that the port(s) come first.
ifdescr	The same as the CLI name of the interface.
ifPhysAddress	For Management interfaces, this is the MAC address. For traffic interfaces, this is an all zeros address.
IfAdminStatus	Write operation to this object is not supported. This OK according to Ethernet MIB RFC2665 section 3.2.7
IfOutQLen	Always returns 0.
Under ifXTable: ifname	The same as ifDescr.
ifpromiscuousmode	Management interface – “false”. Traffic interfaces – “true”.
ifRcvAddressTable	Not implemented
iftesttable	Was deprecated by RFC-2233, and is therefore not implemented

entPhysicalIndex (1)	1 (SCE main board)
entPhysicalDescr (2)	The description corresponding to the Product ID, as it appears in the product catalog.
entPhysicalVendorType (3)	cevChassisSCE2000 = {cevChassis 511} (1.3.6.1.4.1.9.12.3.1.3.511) cevChassisSCE1000 = {cevChassis 512} (1.3.6.1.4.1.9.12.3.1.3.512)
entPhysicalContainedIn (4)	0 (not contained)
entPhysicalClass (5)	3 (chassis)
entPhysicalParentRelPos (6)	1
entPhysicalName (7	"Chassis"
entPhysicalHardwareRev (8)	Version ID, as identified in EPROM
entPhysicalFirmwareRev (9)	empty string
entPhysicalSoftwareRev (10)	Software version, as seen in "show version"
entPhysicalSerialNum (11)	Serial number, as identified in EPROM
entPhysicalMfgName (12)	"Cisco Systems, inc."
entPhysicalModelName (13)	Product ID, as identified in EPROM
entPhysicalAlias (14)	empty string
entPhysicalAssetID (15)	empty string
entPhysicalIsFRU (16)	2 (false)

Document Name	Description
RFC 1155: Structure and Identification of Management Information for TCP/IP-based Internets	K. McCloghrie and M. T. Rose, (May 1990). Contains MIB object definitions. (Obsoletes RFC 1065)
RFC 1157: A Simple Network Management Protocol	J. D. Case, M. Fedor, M. L. Schoffstall, and C. Davin, (May 1990). Defines SNMP. (Obsoletes RFC 1098)
RFC 1212: Concise MIB Definitions	K. McCloghrie (March 1991). Defines a format for producing MIB modules
RFC 1213: Management Information Base Network Management of TCP/IP based internets: MIB-II	K. McCloghrie and M. T. Rose, eds., (March 1991). Defines MIB-II. (Obsoletes RFC 1158)
RFC 1215: Convention for Defining Traps for Use with the SNMP	M. T. Rose, ed. (March 1991).
RFC 1901: Introduction to Community-based SNMPv2	SNMPv2 WG, J.Case, K. McCloghrie, M.T.Rose, S. Waldbusser, (January 1996). Defines “Community-based SNMPv2.” (Experimental. Obsoletes RFC 1441)
RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)	Obsoletes: 1448 (January 1996)
RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)	Obsoletes: 1449 (January 1996)
RFC 2233: The Interfaces Group MIB using SMIv2. Obsoleted by RFC-2863: The Interfaces Group MIB	Extensions for the ifTable.

SCE Software Configuration Guide

Preface

Document Revision History

Description of Changes

Description of Changes

Description of Changes

Description of Changes

Audience

Organization

Related Publications

Note

Conventions

Note

Caution

Warning

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Contacting TAC by Using the Cisco TAC Website

Contacting TAC by Telephone

Chapter 1. General Overview

The Cisco Service Control Concept

Service Control for Broadband Service Providers

Cisco Service Control Capabilities

The SCE Platform

Management and Collection

Network Management

Service Configuration Management

Subscriber Management

Data Collection

Chapter 2. Command-Line Interface

Getting Help

Authorization and Command Levels (Hierarchy)

Note

CLI Command Hierarchy

Note

Note

Example:

CLI Authorization Levels

Note

Example:

Prompt Indications

Example:

Exiting Modes

Example:

Navigating Between Configuration Modes

Entering and Exiting Global Configuration Mode

Interface Configuration Modes

Configuring the Physical Ports

Note

Entering Management Interface Configuration Mode

Entering LineCard Interface Configuration Mode

Entering Ethernet Line Interface Configuration Mode

Entering the Fast Ethernet Line Interface Configuration Mode

Example:

Entering the Gigabit Ethernet Line Interface Configuration Mode

Example:

Navigating between the Interface Configuration Modes

The "do" Command: Executing Commands Without Exiting

Example

CLI Help Features

Partial Help

Example:

Argument Help

Example:

Example:

The [no] Prefix

Navigational and Shortcut Features

Command History

Keyboard Shortcuts

Tab Completion

Example:

Example:

FTP User Name and Password

Example:

`CLI Help Features`

`Partial Help`

`Example:`

`Redirecting Command Output to a File`

`CLI Scripts`

`Chapter 3. Operations`

`Managing Configurations`

`Viewing Configuration`

`Example:`

`File-system Operations`

`Note`

`Working with Directories`