|
|
Table Of Contents
Configuring the Management Interface and Security
About Management Interface and Security
How to Configure the Management Ports
Configuring the Management Ports
How to Enter Management Interface Configuration Mode
About Management Interface Configuration Mode
How to Configure the Management Port Physical Parameters
How to Set the IP Address and Subnet Mask of the Management Interface
How to Configure the Management Interface Speed and Duplex Parameters
How to Specify the Active Management Port
How to Configure Management Interface Redundancy
About Management Port Redundancy
How to Configure the Management Ports for Redundancy
How to Configure the Fail-Over Mode
How to Configure Management Interface Security
About Management Interface Security
How to Configure the IP Fragment Filter
How to Configure the Permitted and Not-permitted IP Address Monitor
How to Monitor Management Interface IP Filtering
How to Configure the Available Interfaces
How to Configure TACACS+ Authentication, Authorization, and Accounting
How to Configure Access Control Lists (ACLs)
How to Configure the Telnet Interface
How to Configure the SSH Server
How to Configure and Manage the SNMP Interface
Information About the SNMP Interface
How to Configure SNMP Community Strings
How to Configure SNMP Notifications
Verifying that the Password has been Successfully Changed
How to Configure the IP Routing Table
How to Configure the IP Address of the Management Interface
How to Configure Time Clocks and Time Zone
About Time Clocks and Time Zone
How to Display the System Time
How to Display the Calendar Time
How to Remove the Current Time Zone Setting
How to Configure Daylight Saving Time
How to Enable the SNTP Multicast Client
How to Disable the SNTP Multicast Client
How to Enable the SNTP Unicast Client
How to Disable the SNTP Unicast Client
How to Define the SNTP Unicast Update Interval
How to Display SNTP Information
How to Configure Domain Name Server (DNS) Settings
How to Add a Host to the Host Table
How to Display Current DNS Settings
How to Configure the Management Port Physical Parameters
How to Configure the Management Interface Speed and Duplex Parameters
How to Monitor the Management Interface
Configuring the Management Interface and Security
This module describes how to configure the physical management interfaces (ports) as well as the various management interface applications, such as SNMP, SSH, and TACACS+. It also explains how to configure users, passwords, IP configuration, clock and time zone, and domain name settings.
•
About Management Interface and Security
•
•
•
•
•
•
•
•
•
•
About Management Interface and Security
The SCE platform is equipped with two RJ-45 management (MNG) ports. These ports provide access from a remote management console to the SCE platform via a LAN.
The two management ports support management interface redundancy, providing the possibility for a backup management link.
In addition to the Layer 1 security of a backup management link, the Service Control platform provides a further management interface security feature; an IP filter that monitors for various types of TCP/IP attacks. This filter can be configured with thresholds rates both for defining an attack and defining the end of an attack.
Note
Perform the following tasks to configure the management interface and management interface security:
•
–
–
–
•
–
–
How to Configure the Management Ports
•
Configuring the Management Ports
Perform the following tasks to configure the management ports:
•
•
–
–
•
–
•
To configure the system with management interface redundancy, see How to Configure Management Interface Redundancy Configuring the Management Ports for Redundancy.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Step 1
Step 2
Step 3
How to Enter Management Interface Configuration Mode
interface Mng
•
About Management Interface Configuration Mode
When entering Management Interface Configuration Mode, you must indicate the number of the management port to be configured:
•
•
The following Management Interface commands are applied only to the port specified when entering Management Interface Configuration Mode. Therefore, each port must be configured separately:
•
•
The following Management Interface commands are applied to both management ports, regardless of which port had been specified when entering Management Interface Configuration Mode. Therefore, both ports are configured with one command:
•
•
SUMMARY STEPS
1.
configureand press Enter.2.
interface Mng {0/1|0/2}and press Enter.DETAILED STEPS
Step 1
configureand press Enter.Enables Global Configuration mode.
The command prompt changes to SCE(config)#.
Step 2
interface Mng {0/1|0/2}and press Enter.Enables Management Interface Configuration mode.
The command prompt changes to SCE(config if)#
How to Configure the Management Port Physical Parameters
This interface has a transmission rate of 10 or 100 Mbps and is used for management operations and for transmitting RDRs, which are the output of traffic analysis and management operations.
•
•
•
How to Set the IP Address and Subnet Mask of the Management Interface
•
•
•
Setting the IP Address and Subnet Mask of the Management Interface
The user must define the IP address of the management interface.
When both management ports are connected, providing a redundant management port, this IP address always acts as a virtual IP address for the currently active management port, regardless of which port is the active port.
Options
The following options are available:
•
If both management ports are connected, so that a backup management link is available, this IP address will be act as a virtual IP address for the currently active management port, regardless of which physical port is currently active.
•
Changing the IP address of the management interface via telnet will result in loss of the telnet connection and inability to reconnect with the interface.
Step 1
ip addressip-address subnet-maskand press Enter.The command might fail if there is a routing table entry that is not part of the new subnet defined by the new IP address and subnet mask.
Note
Note
Setting the IP Address and Subnet Mask of the Management Interface: Example
The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.
SCE(config if)#ip address 10.1.1.1 255.255.0.0How to Configure the Management Interface Speed and Duplex Parameters
This section presents sample procedures that describe how to configure the speed and the duplex of the Management Interface.
Both these parameters must be configured separately for each port.
•
•
•
Interface State Relationship to Speed and Duplex
The following table summarizes the relationship between the interface state and speed and duplex.
How to Configure the Speed of the Management Interface
•
•
Options
The following options are available:
•
–
–
–
If the duplex parameter is configured to auto , changing the speed parameter has no effect (see ).
Step 1
speed10|100|autoand press Enter.Specify the desired speed option.
Configuring the Speed of the Management Interface: Example
The following example shows how to use this command to configure the Management port to 100 Mbps speed.
SCE(config if)#speed 100How to Configure the Duplex Operation of the Management Interface
•
•
Options
The following options are available:
•
–
–
–
If the speed parameter is configured to auto , changing the duplex parameter has no effect (see ).
Step 1
duplexauto|full|halfand press Enter.Specify the desired duplex option.
Configuring the Duplex Operation of the Management Interface: Example
The following example shows how to use this command to configure a management port to half duplex mode.
SCE(config if)#duplex halfHow to Specify the Active Management Port
•
•
•
Specifying the Active Management Port
This command explicitly specifies which management port is currently active. Its use varies slightly, depending on whether the management interface is configured as a redundant interface (auto fail-over enabled) or not (auto fail-over disabled).
•
•
Note
Options
The following options are available:
•
Step 1
Interface Mng {0/1 | 0/2} active-portand press Enter.Specify the desired MNG interface.
Specifying the Active Management Port: Example
The following example shows how to use this command to configure Mng port 2 as the currently active management port.
SCE# Interface Mng 0/2 active-portHow to Configure Management Interface Redundancy
•
•
•
About Management Port Redundancy
The SCE platform contains two RJ-45 management ports. The two management ports provide the possibility for a redundant management interface, thus ensuring management access to the SCE platform even if there is a failure in one of the management links. If a failure is detected in the active management link, the standby port automatically becomes the new active management port.
Note that both ports must be connected to the management console via a switch. In this way, the IP address of the MNG port is always the same, regardless of which physical port is currently active.
Important information:
•
•
•
–
–
•
•
•
•
How to Configure the Management Ports for Redundancy
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
Using the switch ensures that the IP address of the MNG port is always the same, regardless of which physical port is currently active
Step 2
See How to Configure the Fail-Over Mode.
Step 3
The same IP address will always be assigned to the active management port, regardless of which physical port is currently active.
See How to Set the IP Address and Subnet Mask of the Management Interface.
Step 4
See How to Configure the Management Interface Speed and Duplex Parameters.
How to Configure the Fail-Over Mode
•
•
•
•
Configuring the Fail-Over Mode
Use the following command to enable automatic fail-over. The automatic mode must be enabled to support management interface redundancy. This mode automatically switches to the backup management link when a failure is detected in the currently active management link.
This parameter can be configured when in management interface configuration mode for either management port, and is applied to both ports with one command.
Options
The following options are available:
•
–
How to Enable Automatic Fail-Over Mode
Step 1
auto-fail-overand press Enter.How to Disable Automatic Fail-Over Mode
Step 1
no auto-fail-overand press Enter.
How to Configure Management Interface Security
•
•
•
•
About Management Interface Security
Management security is defined as the capability of the SCE platform to cope with malicious management conditions that might lead to global service failure. Resiliency to attacks on the management port includes the following features:
•
•
•
There are two parallel security mechanisms:
•
This mechanism always functions and is not user-configurable.
•
–
–
How to Configure the IP Fragment Filter
•
•
•
Options
The following options are available:
•
–
How to Enable the IP Fragment Filter
Step 1
ip filter fragment enableand press Enter.How to Disable the IP Fragment Filter
Step 1
ip filter fragment disableand press Enter.How to Configure the Permitted and Not-permitted IP Address Monitor
Options
The following options are available:
•
If neither keyword is used, it is assumed that the configured limits apply to both permitted and not-permitted IP addresses.
•
–
•
–
•
–
Step 1
ip filter monitor {ip_permited|ip_not_permited} low_ratelow_ratehigh_rate high_rateburst burst sizeand press Enter.How to Monitor Management Interface IP Filtering
Monitoring Management Interface IP Filtering
Use this command to display the following information for management interface IP filtering.
•
•
•
•
Step 1
show ip filterand press Enter.
How to Configure the Available Interfaces
The system allows you to configure the Telnet and SNMP interfaces according to the manner in which you are planning to manage the SCE platform and the external components of the system.
•
•
•
•
How to Configure TACACS+ Authentication, Authorization, and Accounting
•
•
•
•
•
•
•
•
Information About TACACS+ Authentication, Authorization, and Accounting
•
•
•
TACACS+ Authentication, Authorization, and Accounting
TACACS+ is a security application that provides centralized authentication of users attempting to gain access to a network element. The implementation of TACACS+ protocol allows customers to configure one or more authentication servers for the SCE platform, providing a secure means of managing the SCE platform, as the authentication server will authenticate each user. This then centralizes the authentication database, making it easier for the customers to manage the SCE platform.
TACACS+ services are maintained in a database on a TACACS+ server running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network element are available.
The TACACS+ protocol provides authentication between the network element and the TACACS+ ACS, and it can also ensure confidentiality, if a key is configured, by encrypting all protocol exchanges between a network element and a TACACS+ server.
The TACACS+ protocol provides the following three features:
•
•
•
Login Authentication
The SCE platform uses the TACACS+ ASCII authentication message for CLI, Telnet and SSH access.
TACACS+ allows an arbitrary conversation to be held between the server and the user until the server receives enough information to authenticate the user. This is usually done by prompting for a username and password combination.
The login and password prompts may be provided by the TACACS+ server, or if the TACACS+ server does not provide the prompts, then the local prompts will be used.
The user log in information (user name and password) is transmitted to the TACACS+ server for authentication. If the TACACS+ server indicates that the user is not authenticated, the user will be re-prompted for the user name and password. The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the SCE platform user log and the telnet session is terminated (unless the user is connected to the console port.)
The SCE platform will eventually receive one of the following responses from the TACACS+ server:
•
•
•
•
If the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.
Accounting
The TACACS+ accounting supports the following functionality:
•
•
•
–
–
–
–
TACACS+ accounting is in addition to normal local accounting using the SCE platform dbg log.
Privilege Level Authorization
After a successful login the user is granted a default privilege level of 0, giving the user the ability to execute a limited number of commands. Changing privilege level is done by executing the "enable" command. This command initiates the privilege level authorization mechanism.
Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server does the following:
•
•
Once the user privilege level has been determined, the user is granted access to a specified set of commands according to the level granted.
As with login authentication, if the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.
General AAA Fallback and Recovery Mechanism
The SCE platform uses a fall-back mechanism to maintain service availability in case of an error.
The SCE platform uses a fall-back mechanism to maintain service availability in case of an error.
The AAA methods available are:
•
•
•
•
In the current implementation the order of the methods used isn't configurable but the customer can choose which of the methods are used. The current order is
•
•
•
•
Note
About Configuring TACACS+
The following is a summary of the procedure for configuring TACACS+. All steps are explained in detail in the remainder of this section.
1.
Configure the remote servers for the protocols. Keep in mind the following guidelines
–
–
–
–
1.
2.
–
–
–
3.
–
If the local database and TACACS+ are both configured, it is recommended to configure the same user names in both TACACS+ and the local database. This will allow the users to access the SCE platform in case of TACACS+ server failure.
Note
–
–
4.
–
–
5.
Use the " show running-config" command to view the configuration.
How to Configure the SCE Platform TACACS+ Client
•
•
•
•
•
Configuring the SCE Platform TACACS+ Client
The user must configure the remote servers for the TACACS+ protocol. Then the SCE platform TACACS+ client must be configured to work with the TACACS+ servers. The following information must be configured:
•
For each sever host, the following information can be configured:
–
–
–
–
•
If the default encryption key is not configured, a default of no key is assigned to any server for which a key is not explicitly configured.
•
If the default timeout interval is not configured, a default of five seconds is assigned to any server for which a timeout interval is not explicitly configured.
The procedures for configuring the SCE platform TACACS+ client are explained in the following sections:
•
•
•
•
How to Add a new TACACS+ Server Host
Use this command to define a new TACACS+ server host that is available to the SCE platform TACACS+ client.
The Service Control solution supports a maximum of three TACACS+ server hosts.
Options
The following options are available:
•
•
–
•
–
•
–
Step 1
TACACS-server hosthost-name[port portnumber] [timeout timeout-interval] [key key-string] and press Enter.How to Remove a TACACS+ Server Host
Options
The following options are available:
•
Step 1
no TACACS-server hosthost-nameand press Enter.How to Configure the Global Default Key
Use this command to define the global default key for the TACACS+ server hosts. This default key can be overridden for a specific TACACS+ server host by explicitly configuring a different key for that TACACS+ server host.
•
•
•
Options
The following options are available:
•
–
How to Define a Global Default Key
Step 1
TACACS-server keykey-stringand press Enter.How to Clear the Global Default Key
Step 1
no TACACS-server keyand press Enter.No global default key is defined. Each TACACS+ server host may still have a specific key defined. However, any server host that does not have a key explicitly defined (uses the global default key) is now configured to use no key.
How to Configure the Global Default Timeout
Use this command to define the global default timeout interval for the TACACS+ server hosts. This default timeout interval can be overridden for a specific TACACS+ server host by explicitly configuring a different timeout interval for that TACACS+ server host.
•
•
•
Options
The following options are available:
•
–
How to Define the Global Default Timeout
Step 1
TACACS-server timeouttimeout-intervaland press Enter.How to Clear the Global Default Timeout
Step 1
no TACACS-server timeoutand press Enter.No global default timeout interval is defined. Each TACACS+ server host may still have a specific timeout interval defined. However, any server host that does not have a timeout interval explicitly defined (uses the global default timeout interval) is now configured to a five second timeout interval.
How to Manage the User Database
TACACS+ maintains a local user database. Up to 100 users can be configured in this local database, which includes the following information for all users:
•
•
•
The procedures for managing the local user database are explained in the following sections:
•
•
•
How to Add a New User to the Local Database
Use these commands to add a new user to the local database. Up to 100 users may be defined.
•
•
•
•
•
Options
The password is defined with the username. There are several password options:
•
•
Use the passwordparameter.
•
Password may be defined by either of the following methods:
–
–
The following options are available:
•
•
–
–
•
The following keywords are available:
•
•
–
–
How to Add a User with a Clear Text Password
Step 1
usernamenamepassword passwordand press Enter.How to Add a User with No Password
Step 1
usernamenamenopassword and press Enter.How to Add a User with an MD5 Encrypted Password Entered in Clear Text
Step 1
usernamenamesecret 0 passwordand press Enter.How to Add a User with an MD5 Encrypted Password Entered as an MD5 Encrypted String
Step 1
usernamenamesecret 5 encrypted-secretand press Enter.How to Define the User Privilege Level
•
•
About the User Privilege Level
Privilege level authorization in the SCE platform is accomplished by the use of an " enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the " enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server authenticates the " enable" command password and verifies that the user has sufficient privileges the enter the requested privilege level.
Options
The following options are available:
•
•
–
–
–
Step 1
usernamenameprivilege leveland press Enter.How to Add a New User with Privilege Level and Password
Use these commands to define a new user, including password and privilege level, in a single command.
Note
•
•
•
Options
The following options are available:
•
•
–
–
–
•
–
–
•
The following keywords are available:
•
–
–
How to Add a User with a Privilege Level and a Clear Text Password
Step 1
usernamenameprivilege levelpassword passwordand press Enter.How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered in Clear Text
Step 1
usernamenameprivilege levelsecret 0 passwordand press Enter.How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered as an MD5 Encrypted String
Step 1
usernamenameprivilege levelsecret 5 encrypted-secretand press Enter.How to Delete a User
•
Options
The following options are available:
•
Step 1
no usernamenameand press Enter.How to Configure AAA Login Authentication
There are two features to be configured for login authentication:
•
•
The procedures for configuring login authentication are explained in the following sections:
•
•
Configuring Maximum Login Attempts
Use this command to set the maximum number of login attempts that will be permitted before the session is terminated.
•
Options
The following options are available:
•
This is relevant only for Telnet sessions. From the local console, the number of re-tries is unlimited.
–
Step 1
aaa authentication attempts loginnumber-of-attemptsand press Enter..How to Configure the Login Authentication Methods
You can configure "backup" login authentication methods to be used if failure of the primary login authentication method (see General AAA Fallback and Recovery Mechanism ).
Use this command to specify which login authentication methods are to be used, and in what order of preference.
•
•
•
Options
The following options are available:
•
–
–
–
–
How to Specify the Login Authentication Methods
Step 1
aaa authentication login defaultmethod1 [method2...] and press Enter.You may list a maximum of four methods; all four methods explained above. List them in the order of priority.
How to Delete the Login Authentication Methods List
Step 1
no aaa authentication login defaultand press Enter.If the login authentication methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.
How to Configure AAA Privilege Level Authorization Methods
•
•
•
Options
The following options are available:
•
–
–
–
–
How to Specify AAA Privilege Level Authorization Methods
Step 1
aaa authentication enable defaultmethod1 [method2...] and press Enter.You may list a maximum of four methods; all four methods explained above. List them in the order of priority.
How to Delete the AAA Privilege Level Authorization Methods List
Step 1
no aaa authentication enable defaultand press Enter.If the privilege level authorization methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.
How to Configure AAA Accounting
Use this command to enable or disable TACACS+ accounting.
•
•
•
About AAA Accounting
If TACACS+ accounting is enabled, the SCE platform sends an accounting message to the TACACS+ server after every command execution. The accounting message is logged in the TACACS+ server for the use of the network administrator.
By default, TACACS+ accounting is disabled.
Options
The following options are available:
•
How to Enable AAA Accounting
Step 1
aaa authentication accounting commandsleveldefault stop-start group TACACS+ and press Enter.The start-stop keyword (required) indicates that the accounting message is sent at the beginning and the end (if the command was successfully executed) of the execution of a CLI command.
How to Disable AAA Accounting
Step 1
aaa authentication accounting commandsleveldefault and press Enter.How to Monitor TACACS+ Servers
Use these commands to display statistics for the TACACS+ servers.
•
•
How to Display Statistics for TACACS+ Servers
Step 1
show TACACSand press Enter.How to Display Statistics, Keys and Timeouts for TACACS+ Servers
Step 1
show TACACS alland press Enter.Note that, although most show commands are accessible to viewer level users, the ' all ' option is available only at the admin level. Use the command ' enable 10' to access the admin level.
How to Monitor TACACS+ Users
Use this command to display the users in the local database, including passwords.
Step 1
show usersand press Enter.Note that, although most show commands are accessible to viewer level users, this command is available only at the admin level. Use the command ' enable 10' to access the admin level.
How to Configure Access Control Lists (ACLs)
•
•
About Access Control Lists
The SCE platform can be configured with Access Control Lists (ACLs), which are used to permit or deny incoming connections on any of the management interfaces. An access list is an ordered list of entries, each consisting of an IP address and an optional wildcard "mask" defining an IP address range, and a permit/deny field.
The order of the entries in the list is important. The default action of the first entry that matches the connection is used. If no entry in the Access List matches the connection, or if the Access List is empty, the default action is deny.
Configuration of system access is done in two stages:
1.
2.
Creating an access list is done entry by entry, from the first to the last.
When the system checks for an IP address on an access list, the system checks each line in the access list for the IP address, starting at the first entry and moving towards the last entry. The first match that is detected (that is, the IP address being checked is found within the IP address range defined by the entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry is found in the access list, access is denied.
You can create up to 99 access lists. Access lists can be associated with system access on the following levels:
•
•
It is possible to configure several management interfaces to the same access list, if this is the desired behavior of the SCE platform.
If no ACL is associated to a management interface or to the global IP level, access is permitted from all IP addresses.
Note
Options
The following options are available:
•
•
•
The following keywords are available:
•
•
How to Add Entries to an ACL
•
Step 1
configureand press Enter.Enables Global Configuration mode.
Step 2
•
access-listnumber permit|deny ip-addressand press Enter.•
access-listnumber permit|deny ip-address/maskand press Enter.When you add a new entry to an ACL, it is always added to the end of the list.
Adding Entries to an ACL: Example
The following example adds an entry to the access list number 1, that permits access only to IP addresses in the range of 10.1.1.0-10.1.1.255.
SCE(config)#access-list 1 permit 10.1.1.0 0.0.0.255How to Remove an ACL
Use this command to remove an ACL with all its entries.
Step 1
no access-listnumber, and press Enter.Removes the specified ACL with all its entries.
How to Define a Global ACL
A global ACL for permits or denies all traffic to the SCE platform.
Step 1
ip access-classnumber, and press Enter.Applies the specified ACL to all traffic attempting to access the SCE platform, rather than to a specific type of traffic, such as Telnet traffic.
How to Configure the Telnet Interface
•
•
•
About the Telnet Interface
This section discusses the Telnet interface of the SCE platform. A Telnet session is the most common way to connect to the SCE platform CLI interface.
You can set the following parameters for the Telnet interface:
•
•
•
The following commands are relevant to Telnet interface:
•
•
•
•
•
•
•
How to Prevent Telnet Access
Use this command to disable access by Telnet altogether.
Step 1
no service telnetd, and press Enter.Current Telnet sessions are not disconnected, but no new Telnet sessions are allowed.
How to Assign an ACL to the Telnet Interface
•
Step 1
line vty 0, and press Enter.Enables Line Configuration mode.
Step 2
access-classacl-numberin.acl-number is the ID number of an existing access list.
Assigning an ACL to the Telnet Interface: Example
The following example shows how to assign ACL #1 to the Telnet interface.
SCE#configure SCE(config)#line vty 0 SCE(config-line)#access-class 1 inHow to Configure the Telnet Timeout
The SCE platform supports timeout of inactive Telnet sessions.
•
Options
The following options are available:
•
–
Step 1
timeouttimeout, and press Enter.How to Configure the SSH Server
•
•
•
Information About the SSH Server
The SSH Server
A shortcoming of the standard telnet protocol is that it transfers password and data over the net unencrypted, thus compromising security. Where security is a concern, using a Secure Shell (SSH) server rather than telnet is recommended.
An SSH server is similar to a telnet server, but it uses cryptographic techniques that allow it to communicate with any SSH client over an insecure network in a manner which ensures the privacy of the communication. CLI commands are executed over SSH in exactly the same manner as over telnet.
The SSH server supports both the SSH-1 and SSH-2 protocols.
An Access Control List (ACL) can be configured for SSH as for any other management protocol, limiting SSH access to a specific set of IP addresses (see How to Configure Access Control Lists (ACLs) ).
Key Management
Each SSH server should define a set of keys (DSA2, RSA2 and RSA1) to be used when communicating with various clients. The key sets are pairs of public and private keys. The server publishes the public key while keeping the private key in non-volatile memory, never transmitting it to SSH clients. Note that the keys are kept on the tffs0 file system, which means that a person with knowledge of the `enable' password can access both the private and public keys. The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the SCE platform, but it does not provide protection against a user with knowledge of the `enable' password.
Key management is performed by the user via a special CLI command. A set of keys must be generated at least once before enabling the SSH server.
Size of the encryption key is always 2048 bits.
How to Manage the SSH Server
Use these commands to manage the SSH server. These commands are described in the following sections:
•
•
•
•
•
•
How to Generate a Set of SSH Keys
Remember that you must generate a set of SSH keys before you enable the SSH server.
Step 1
ip ssh key generateand press Enter.Generates a new SSH key set and immediately saves it to non-volatile memory. (Key set is not part of the configuration file). Key size is always 2048 bits.
How to Enable the SSH Server
Step 1
ip sshand press Enter.How to Disable the SSH Server
Step 1
no ip sshand press Enter.How to Assign an ACL to the SSH Server
Step 1
ip ssh access-classacl-numberand press Enter.Assigns the specified ACL to the SSH server, so that access the SSH server is limited to the IP addresses defined in the ACL.
How to Remove the ACL Assignment from the SSH Server
Step 1
no ip ssh access-classand press Enter.Removes the ACL assignment from the SSH server, so that any IP address may now access the SSH server.
How to Delete the Existing SSH Keys
Step 1
ip ssh key removeand press Enter.Removes the existing SSH key set from non-volatile memory.
If the SSH server is currently enabled, it will continue to run, since it only reads the keys from non-volatile memory when it is started. However, if the startup-configuration specifies that the SSH server is enabled, the SCE platform will not be able to start the SSH server on startup if the keys have been deleted. To avoid this situation, after executing this command, always do one of the following before the SCE platform is restarted (using reload):
•
•
How to Monitor the Status of the SSH Server
Use this command to monitor the status of the SSH sever, including current SSH sessions.
Step 1
show ip sshand press Enter.This is a User Exec command. Make sure that you are in User Exec command mode by exiting any other modes.
Enabling the SNMP Interface
Use this command to enable the SNMP interface. For more information on configuring and managing the SNMP parameters, including hosts, communities, contact, location, and trap destination hosts, see How to Configure and Manage the SNMP Interface.
•
•
How to Enable the SNMP Interface
•
Options
The following options are available:
•
Step 1
snmp-server communitycommunity-stringand press Enter.You must define at least one community string to allow SNMP access. For complete information on community strings see How to Configure SNMP Community Strings.
How to Disable the SNMP Interface
Step 1
no snmp-serverand press Enter.
How to Configure and Manage the SNMP Interface
•
•
•
Information About the SNMP Interface
This section explains how to configure the SNMP agent parameters. It also provides a brief overview of SNMP notifications and the supported MIBs, and explains the order in which the MIB must be loaded.
The SNMP Interface
The SCE platform operating system includes a Simple Network Management Protocol (SNMP) agent that supports the following:
•
•
•
SNMP Protocol
SNMP (Simple Network Management Protocol) is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
SCE platform supports the original SNMP protocol (also known as SNMPv1), and a newer version called Community-based SNMPv2 (also known as SNMPv2C).
•
•
SCE platform implementation of SNMP supports all MIB II variables, as described in RFC 1213, and defines the SNMP traps using the guidelines described in RFC 1215.
The SNMPv1 and SNMPv2C specifications define the following basic operations that are supported by SCE platform:
Security Considerations
By default, the SNMP agent is disabled for both read and write operations. When enabled, SNMP is supported over the management port only (in-band management is not supported).
In addition, the SCE platform supports the option to configure community of managers for read-write accessibility or for read-only accessibility. Furthermore, an ACL (Access List) may be associated with a community to allow SNMP management to a restricted set of managers IP addresses.
Information About CLI
•
•
•
CLI
The SCE platform supports the CLI commands that control the operation of the SNMP agent. All the SNMP commands are available in Admin authorization level. The SNMP agent is disabled by default and any SNMP configuration command enables the SNMP agent (except where there is an explicit disable command).
CLI Commands for Configuring SNMP
Following is a list of CLI commands available for configuring SNMP. These are Global Configuration mode commands.
•
•
•
•
•
•
•
CLI Commands for Monitoring SNMP
Following is a list of CLI commands available for monitoring SNMP. These are Viewer mode commands, and are available when the SNMP agent is enabled:
•
•
•
•
•
•
•
•
Information About MIBs
•
•
•
MIBs
MIBs (Management Information Bases) are databases of objects that can be monitored by a network management system (NMS). SNMP uses standardized MIB formats that allow any SNMP tools to monitor any device defined by a MIB.
The SCE platform supports the following MIBs:
•
–
–
•
Pcube enterprise MIB (pcube) can be divided into different kinds of MIBs:
–
The SE MIB and the Dispatcher MIB are two examples of OS MIBs.
–
Currently, there is one application MIB - Engage MIB.
–
Currently there is one common MIB - configuration copy MIB.
Since the acquisition of P-cube, Inc by Cisco Systems, Inc , the existing proprietary MIBs have undergone a process of updating to make them conform to Cisco standards. Note that all Pcube MIBs since SCOS version 3.0.3 are compiled using SMICNG and are in conformation with Cisco standards and styling.
Note
MIB Data Objects
The data objects that make up the MIB may be identified in two ways:
•
OIDs are written in dotted format such as: 1.3.6.1.4.1.5655.4.1.10.1
•
For instance: "ifTable" stands for the OID of the MIB-II interface table.
Information About MIB-II
•
•
MIB-II
SCE platform fully supports MIB-II (RFC1213), including the following groups
•
•
•
•
IF-MIB
The MIB-II standard has been extended by several different MIBs. The SCOS supports the IF-MIB, defined in RFC-2233.
The IF-MIB defines the following four tables:
These are the details of specific objects in this MIB:
Information About ENTITY-MIB
ENTITY-MIB
The Entity-MIB contains five groups of MIB objects:
•
•
•
•
•
The SCOS implements only the physical and the general groups of the Entity-MIB, since the other groups are not relevant to the SCE platform.
entityPhysical group
The entityPhysical group describes the physical entities managed by a single agent. It contains a single table, the entPhysicalTable , that identifies physical system components.
These are the details of specific objects in the entPhysicalTable , as implemented in SCOS:
entityGeneral group
The entityGeneral group contains general information relating to the other object groups. The entGeneral group contains a single scalar object.
These are the details of specific object in the entityGeneral group, as implemented in SCOS:
entLastChangeTime
sysUpTime. This reflects the fact that the entries in the Entity-MIB do not change in the SCE platform after their creation at boot time.
Information About pcube Enterprise MIB
pcube Enterprise MIB
The SCE proprietary pcube MIB enables external management systems to retrieve general information regarding the SCE platform operating status and resources utilization, extract real time measurements of bandwidth utilization and network statistics, and receive notifications of critical events and alarms.
Note
Note
The pcube Enterprise MIB splits into four main groups:
•
•
•
•
The pcube enterprise tree structure is defined in a MIB file named pcube.mib .
Refer to Appendix B, "Proprietary MIB Reference"for a complete description of the pcube enterprise MIB.
The figure below illustrates the pcube Enterprise MIB structure. Conventions used in the diagram:
•
•
Figure 5-1
•
•
•
–
•
•
–
–
Loading the MIB Files
The Service Control proprietary MIB uses definitions that are defined in other MIBs, such as pcube MIB ( pcube.mib ), and the SNMPv2.mib . Therefore, the order in which the MIBs are loaded is important. To avoid errors, the MIBs must be loaded in the proper order.
1.
2.
3.
4.
Note
Configuration via SNMP
SCE platform supports a limited set of variables that may be configured via SNMP (read-write variables). Setting a variable via SNMP (as via the CLI) takes effect immediately and affects only the running-configuration. To make this configuration stored for next reboots (startup-configuration) the user must specify it explicitly via CLI or via SNMP using the Cisco enterprise MIB objects (see ).
It should be noted also that the SCE platform takes the approach of a single configuration database with multiple interfaces that may change this database. Therefore, executing the copy running-config startup-config command via CLI or SNMP makes permanent all the changes made by either SNMP or CLI.
How to Configure SNMP Community Strings
•
•
•
•
Configuring SNMP Community Strings
To enable SNMP management, you must configure SNMP community strings to define the relationship between the SNMP manager and the agent.
After receiving an SNMP request, the SNMP agent compares the community string in the request to the community strings that are configured for the agent. The requests are valid under the following circumstances:
•
•
How to Define a Community String
•
•
Options
The following options are available:
•
•
If no ACL is specified, all IP addresses can access the agent using the defined community string. For more information about ACLs, see How to Configure Access Control Lists (ACLs)
The following keywords are available:
•
•
Step 1
snmp-server communitycommunity-stringro|rw acl-numberand press Enter.Repeat the command as necessary to define all community strings.
Defining a Community String: Example
This example shows how to configure a community string called "mycommunity" with read-only rights and access list number "1".
Since read-only isthe default, it does not need to be defined explicitly.
SCE(config)#snmp-server community mycommunity 1How to Remove a Community String
•
Step 1
no snmp-server communitycommunity-stringand press Enter.Removing a Community String: Example
The following example shows how to remove a community string called "mycommunity".
SCE(config)#no snmp-server community mycommunityHow to Display the Configured Community Strings
•
Step 1
show snmp-server communitycommunity-stringand press Enter.Displaying the Configured Community Strings: Example
The following example shows how to display the configured SNMP communities.
SCE>show snmp community Community: public, Access Authorization: RO, Access List Index: 1 SCE>How to Configure SNMP Notifications
Use these commands to configure:
•
•
About SNMP Notifications
Notifications are unsolicited messages that are generated by the SNMP agent that resides inside the SCE platform when an event occurs. When the Network Management System receives the notification message, it can take suitable actions, such as logging the occurrence or ignoring the signal.
By default, the SCE platform is not configured to send any SNMP notifications. You must define the Network Management System to which the SCE platform should send notifications. (See the table below, Configurable Notifications, for a list of configurable notifications). Whenever one of the events that trigger notifications occurs in the SCE platform, an SNMP notification is sent from the SCE platform to the list of IP addresses that you define.
SCE platform supports two general categories of notifications:
•
•
After a host or hosts are configured to receive notifications, by default, the SCE platform sends to the host or hosts all the notifications supported by the SCE platform except for the AuthenticationFailure notification. The SCE platform provides the option to enable or disable the sending of this notification, as well as some of the SCE enterprise notifications, explicitly.
SCE platform can be configured to generate either SNMPv1 style or SNMPv2c style notifications. By default, the SCE platforms sends SNMPv1 notifications.
Following are some sample procedures illustrating how to do the following:
•
•
•
•
•
How to Define SNMP Hosts
Use this command to define the hosts that will receive notifications from the SCE platform.
•
•
•
Options
The following options are available:
•
•
•
–
How to Configure the SCE Platform to Send Notifications to a Host (NMS)
•
Step 1
snmp-server hostip-address community-stringand press Enter.If the version is not specified, SNMPv1 is assumed.
Only one host can be specified per command. To define multiple hosts, execute one command for each host.
Configuring the SCE Platform to Send Notifications to Multiple Hosts: Example
The following example shows how to configure the SCE platform to send SNMPv1 notifications to several hosts.
SCE(config)#snmp-server host 10.10.10.10 mycommunity SCE(config)#snmp-server host 20.20.20.20 mycommunity SCE(config)#snmp-server host 30.30.30.30 mycommunity SCE(config)#snmp-server host 40.40.40.40 mycommunityHow to Configure the SCE Platform to Stop Sending Notifications to a Host
•
Step 1
no snmp-server hostip-address and press Enter.Configuring the SCE Platform to Stop Sending Notifications to a Host: Example
The following example shows how to remove the host with the IP Address: "192.168.0.83".
SCE(config)#no snmp-server host 192.168.0.83How to Configure SNMP Traps
Use this command to configure the notifications that will be sent to the defined host.
•
•
•
•
•
Options
The following options are available:
•
By default, snmp traps are disabled.
snmp trap name — optional parameter that specifies a specific snmp trap that should be enabled or disabled.
Currently the only accepted value for this parameter is Authentication .
•
By default, enterprise traps are enabled.
•
Values: attack, chassis, link-bypass, logger, operational-status, port-operational-status, pull-request-failure, RDR-formatter, session, SNTP, subscriber, system-reset, telnet, vas-traffic-forwarding
Use these parameters as follows:
•
•
•
How to Enable the SNMP Server to Send Authentication Failure Notifications
Step 1
snmp-server enable traps snmp authenticationand press Enter.How to Enable the SNMP Server to Send All Enterprise Notifications
Step 1
snmp-server enable traps enterpriseand press Enter.How to Enable the SNMP Server to Send a specific Enterprise Notification
DETAILED STEPS
Step 1
snmp-server enable traps enterprise[attack|chassis|link-bypass|logger|operational-status|port-operational-status|pull-request-failure|RDR-formatter|session| SNTP|subscriber|system-reset|telnet|vas-traffic-forwarding]and press Enter.Specify the desired enterprise trap type.
Enabling the SNMP Server to Send a Specific Enterprise Notification: Example
The following example shows how to configure the SNMP server to send the logger enterprise notification only.
SCE(config)#snmp-server enable traps enterprise loggerHow to Restore All Notifications to the Default Status
Step 1
default snmp-server enable trapsand press Enter.Resets all notifications supported by the SCE platform to their default status.
How to Manage Passwords
About Passwords
Cisco CLI passwords are an access-level authorization setting, not individual user passwords. All Admin users, for example, log in with the same password. This means that the system does not identify you as an individual, but as a user with certain privileges.
Passwords are needed for all authorization levels to prevent unauthorized users from accessing the SCE platform. It is highly recommended that you change the default password upon initial installation, and that you change the passwords periodically to secure the system.
Note
When a telnet user logs on, he sees only a Password: prompt, no logo is displayed. This provides extra security by not revealing the system identity to users that do not know the password.
Password guidelines:
•
•
•
•
•
Users with Admin or higher authorization level can view the configured passwords using the show running-config or the show startup-configcommands. Therefore, if you want passwords to remain completely confidential, you must activate the encryption feature, described in How to Enable Password Encryption.
Changing Your Password
•
How to Change Your Password
Use the enable passwordcommand to change the password. Note that if the password has been changed, the default password will no longer be accepted.
Options
The following options are available:
•
The authorization levels are:
–
–
–
–
•
Step 1
enable password levellevel passwordand press Enter.The Network Administrator should record passwords in a secure location.
Verifying that the Password has been Successfully Changed
Step 1
This is important so that if the verification fails, you would still have admin level authorization to re-enter the password.
Step 2
enableleveland press Enter.Specify the level for which you have just changed the password.
Step 3
If your new password has been entered successfully, then the appropriate prompt appears.
If you enter an incorrect password, the password prompt will appear again.
Step 4
The encryption feature will encrypt the passwords in the platform configuration files.
Password Encryption
•
•
About Password Encryption
Once the encryption feature is activated, passwords entered into the system are encrypted to the startup configuration file the next time the configuration is saved. When encryption feature is turned off, passwords previously encrypted to the startup configuration file are not deciphered.
By default, the password encryption feature is disabled.
How to Enable Password Encryption
Step 1
service password encryptionand press Enter.How to Disable Password Encryption
Step 1
no service password encryptionand press Enter.This does not remove the encryption from the configuration file. You must save to the startup configuration file if you want the password to be stored un-encrypted on the startup configuration file.
Password Recovery
Use the following procedures if it becomes necessary to recover the enablepasswords for the SCE platform. Be sure to use the appropriate procedure depending on the version of SCOS you are using:
•
•
How to Recover the Passwords: SCOS versions before 2.5.5
The procedure used for recovering the passwords depends on whether or not there are user-configured parameters that need to be saved.
•
•
How to Recover the Passwords: Reverting to Default the Configuration
For SCE platforms running a SCOS version before 2.5.5, you can recover the passwords by simply removing the config.txt file and then rebooting.
Note
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
rm "/tffs0/system/config.txt"and press Enter.6.
rebootand press Enter.DETAILED STEPS
Step 1
Step 2
Step 3
Connects to the SCE platform.
Step 4
rm "/tffs0/system/config.txt"and press Enter.Deletes the configuration file, which contains the unknown passwords.
Step 5
rebootand press Enter.Reboot the system to restore the default configuration, including default passwords.
Note
How to Recover the Passwords: Saving the Current Configuration
Simply deleting the config.txt file, while quick and easy to do, resets the configuration of the SCE platform to factory defaults, replacing all current user configuration. Use this procedure, which saves the configuration file, to recover the passwords without losing the current configuration.
Note
SUMMARY STEPS
1.
2.
3.
cd systemand press Enter.4.
rename "config.txt" "config2.txt"and press Enter.5.
rebootand press Enter.6.
7.
copy /system/config2.txt ftp://<user>:<ftp_password>@ip_address/<path>/config2.txt and press Enter.8.
9.
rename /system/config2.txt /system/config.txtand press Enter.10.
reloadand press Enter.DETAILED STEPS
Step 1
Step 2
Connects to the SCE platform.
Step 3
cd systemand press Enter.Navigates to the system directory.
Step 4
rename "config.txt" "config2.txt"and press Enter.Renames the configuration file so that it will not be lost when the system is rebooted.
Step 5
rebootand press Enter.Reboots the system to reset passwords. The default configuration is restored, in which all passwords are Cisco . This will provide access to the system.
(The IP address configuration remains as it was last configured.)
Step 6
Use the default password (Cisco).
Step 7
copy /system/config2.txt ftp://<user>:<ftp_password>@ip_address/<path>/config2.txt and press Enter.Copies the file /system/config2.txt to the workstation using the SCE platform FTP client.
Step 8
If passwords are not encrypted, you will be able to see the passwords, and can simply take note of them.
If passwords are encrypted, do the following
a.
b.
c.
copy ftp://<user>:<ftp_password>@ip_address/<path>/config2.txt /system/config2.txt and press Enter.Copies the file from the workstation back to the SCE platform disk space using the SCE platform FTP client.
Step 9
rename /system/config2.txt /system/config.txtand press Enter.Renames the configuration file on the SCE platform back to the original name config.txt .
Step 10
reloadand press Enter.Reboots the SCE platform to restore the saved user configuration
•
•
To block unauthorized users from connecting to the SCE platform using the default password, a new password should be configured immediately for all levels for which such a password is required. The configuration should be saved (use the CLI command copy running-config startup-config) to make the new passwords permanent.
How to Recover the Passwords: SCOS versions 2.5.5 or later
In SCOS versions 2.5.5 or later, a specific command is available to restore the default passwords. However, it is important to note that this default password configuration is only temporary. New passwords should be configured and saved immediately both for security and also so that the unknown passwords will not be restored in case of system reboot.
Note
SUMMARY STEPS
1.
2.
3.
PSWD_ResetAlland press Enter.DETAILED STEPS
Step 1
Step 2
Connects to the SCE platform.
Step 3
PSWD_ResetAlland press Enter.Resets the enablepasswords.
The following message will appear:
All 'enable' passwords have been reset.The SCOS is now using the default passwords for all levels. Note that this is a temporary state that is not preserved after a reboot. Rebooting the SCE platform without changing and saving the passwords will restore the unknown passwords.
n order to block unauthorized users from connecting to the SCE platform using the default password, a new password should be configured immediately for all levels for which such a password is required. The configuration should be saved (use the CLI command copy running-config startup-config) to make the new passwords permanent.
IP Configuration
•
•
How to Configure the IP Routing Table
•
•
•
About the IP Routing Table
For handling IP packets on the out-of-band MNG port, the SCE platform maintains a static routing table. When a packet is sent, the system checks the routing table for proper routing, and forwards the packet accordingly. In cases where the SCE platform cannot determine where to route a packet, it sends the packet to the default gateway.
SCE platform supports the configuration of the default gateway as the default next hop router, as well as the configuration of the routing table to provide different next hop routers for different subnets (for maximum configuration of 10 subnets).
The following sections illustrate how to use CLI commands to configure various parameters.
The following commands are relevant to IP routing tables:
•
•
•
•
•
•
•
How to Configure the Default Gateway
•
•
Options
The following option is available:
•
Step 1
ip default-gatewayip-address, and press Enter.Enables privileged EXEC mode.
•
Configuring the Default Gateway: Example
The following example shows how to set the default gateway IP of the SCE platform to 10.1.1.1.
SCE(config)#ip default-gateway 10.1.1.1How to Add an Entry to the IP Routing Table
•
•
Options
The following options are available:
•
•
•
Must be within the MNG interface subnet.
Step 1
ip routeprefixmasknext-hop, and press Enter.Adds the specified IP routing entry to the routing table.
How to Add an Entry to the IP Routing Table: Example
The following example shows how to set the router 10.1.1.250 as the next hop to subnet 10.2.0.0.
SCE(config)#ip route 10.2.0.0 255.255.0.0 10.1.1.250How to Display the IP Routing Table
•
•
How to Display the Entire IP Routing Table
•
Step 1
show ip routeand press Enter.Displays the entire routing table and the destination of last resort (default-gateway)
Displaying the Entire IP Routing Table: Example
This example shows how to display the routing table.
SCE#show ip route gateway of last resort is 10.1.1.1 | prefix | mask | next hop | |-----------------|------------------|-----------------| | 10.2.0.0 | 255.255.0.0 | 10.1.1.250 | | 10.3.0.0 | 255.255.0.0 | 10.1.1.253 | | 198.0.0.0 | 255.0.0.0 | 10.1.1.251 | | 10.1.60.0 | 255.255.255.0 | 10.1.1.5 |How to Display the IP Routing Table for a Specified Subnet
•
•
Options
The following options are available:
•
•
Step 1
show ip routeprefixmaskand press Enter.Displays the routing table for the specified subnet (prefix/mask).
Displaying the IP Routing Table for a Specified Subnet: Example
This example shows how to display the routing table for a specified subnet.
SCE#show ip route 10.1.60.0 255.255.255.0 | prefix | mask | next hop | |-----------------|-----------------|-----------------| | 10.1.60.0 | 255.255.255.0 | 10.1.1.5 | SCEnumberIP Advertising
•
•
About IP Advertising
IP advertising is the act of periodically sending ping requests to a configured address at configured intervals. This maintains the SCE platform IP/MAC addresses in the memory of adaptive network elements, such as switches, even during a long period of inactivity.
The following commands are relevant to IP advertising:
•
•
•
•
•
•
•
•
How to Configure IP Advertising
To configure IP advertising, you must first enable IP advertising. You may then specify a destination address to which the ping request is to be sent and/or the frequency of the ping requests (interval). If no destination or interval is explicitly configured, the default values are assumed.
•
•
•
•
•
Options
The following options are available in the IP advertising commands:
•
default interval = 300 seconds
•
default destination = 127.0.0.1
How to Enable IP Advertising
Step 1
ip advertising, and press Enter.Enables IP advertising.
How to Configure the IP Advertising Destination
Step 1
ip advertising destinationdestination, and press Enter.Configures the destination for the IP advertising pings.
How to Configure the IP Advertising Interval
Step 1
ip advertising intervalinterval , and press Enter.Configures the frequency of the IP advertising pings.
Configuring IP Advertising: Example
The following example shows how to configure IP advertising, specifying 10.1.1.1 as the destination and an interval of 240 seconds.
SCE(config)#ip advertising destination 10.1.1.1 interval 240How to Display the Current IP Advertising Configuration
Step 1
show ip advertisingand press Enter.Displays the status of IP advertising (enabled or disabled), the configured destination, and the configured interval
How to Configure the IP Address of the Management Interface
•
•
•
About the Management Interface IP Address
The user must define the IP address of the management interface. When both management ports are connected, providing a redundant management port, this IP address always acts as a virtual IP address for the currently active management port, regardless of which port is the active port.
Note
Note
Options
The following options are available:
•
•
SUMMARY STEPS
1.
2.
ip addressip-addresssubnet-maskand press Enter.DETAILED STEPS
Step 1
Establishes contact with the SCE platform that is not dependent on the configured IP address.
Step 2
ip addressip-addresssubnet-maskand press Enter.Configures a new IP address for the management interface
The command might fail if there is a routing table entry that is not part of the new subnet defined by the new IP address and subnet mask..
Configuring the IP Address of the Management Interface: Example
The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.
SCE(config if)#ip address 10.1.1.1 255.255.0.0How to Configure Time Clocks and Time Zone
•
•
•
•
•
About Time Clocks and Time Zone
The SCE platform has three types of time settings, which can be configured: the clock, the calendar, and the time zone. It is important to synchronize the clock and calendar to the local time, and to set the time zone properly. The SCE platform does not track Daylight Saving Time automatically, so you must update the time zone when the time changes bi-annually.
The SCE platform has the following two time sources:
•
•
It does not matter which clock you set first, as long as you use the clock and calendar read commands to ensure they are synchronized.
The time zone settings are important because they allow the system to communicate properly with other systems in other time zones. The system is configured based on Coordinated Universal Time (UTC), which is standard in the industry for coordination with other manufacturers' hardware and software. For example, Pacific Standard Time would be written as PST-10, meaning that the name of the time zone is PST, which is 10 hours behind Universal Time.
When setting and showing the time, the time is always typed or displayed according to the local time zone configured.
How to Display the System Time
•
Step 1
show clockand press Enter.Displaying the System Time: Example
The following example shows the current system clock.
SCE#show clock 12:50:03 UTC MON November 13 2001 SCEnumberHow to Display the Calendar Time
•
Step 1
show calendarand press Enter.Displaying the Calendar Time: Example
The following example shows the current system calendar.
SCE#show calendar 12:50:03 UTC MON May 11 2007 SCE#How to Set the System Clock
•
•
Options
The following option is available:
•
hh:mm:ss day month year
Step 1
clock settime-date, and press Enter.Sets the system clock to the specified time and date.
Setting the System Clock: Example
The following example shows how to set the clock to 20 minutes past 10 AM, May 13, 2007, updates the calendar and then displays the time.
SCE#clock set 10:20:00 13 may 2007 SCE#clock update-calendar SCE#show clock 10:21:10 UTC THU May 13 2007How to Set the Calendar
The calendar is a system clock that continues functioning even when the system shuts down.
•
•
Options
The following option is available:
•
hh:mm:ss day month year
SUMMARY STEPS
1.
calendar settime-date, and press Enter.2.
clock read-calendar, and press Enter.DETAILED STEPS
Step 1
calendar settime-date, and press Enter.Sets the system calendar to the specified time and date.
The time specified in this command is relative to the configured time zone.
Step 2
clock read-calendar, and press Enter.Synchronizes the system clock with the calendar time you just set .
Setting the Calendar: Example
The following example shows that the calendar is set to 10:20 AM, May 13, 2007. The clock is then synchronized with the calendar setting.
SCE#calendar set 10:20:00 13 may 20017 SCE#clock read-calendar SCE#show calendar 10:21:06 UTC THU May 13 2007How to Set the Time Zone
•
•
Options
The following options are available:
•
default = GMT
•
default = 0
•
default = 0
Step 1
clock timezonezonehoursminutes, and press Enter.Sets the timezone to the specified timezone name with the configured offset in hours and minutes.
Setting the Time Zone: Example
The following example shows how to set the time zone to Pacific Standard Time with an offset of 10 hours behind UTC.
SCE(config)#clock timezone PST -10 SCE(config)#How to Remove the Current Time Zone Setting
Step 1
o clock timezoneand press Enter.Removes the timezone configuration and resets the timezone to the default value (UTC).
How to Configure Daylight Saving Time
The SCE platform can be configured to automatically switch to daylight saving time on a specified date, and also to switch back to standard time. In addition, the time zone code can be configured to vary with daylight saving time if required. (For instance, in the eastern United States, standard time is designated EST, and daylight saving time is designated EDT).
•
•
•
•
•
Options
The transition times into and out of daylight saving time may be configured in one of two ways, depending on how the dates for the beginning and end of daylight saving time are determined for the particular location:
•
•
The day on which the transition takes place may be defined in several ways:
•
•
•
The following options are available:
•
•
•
•
•
•
•
Default = 60 minutes
Guidelines
General guidelines for configuring daylight saving time transitions:
•
•
•
•
–
–
•
•
–
–
•
–
–
How to Define Recurring Daylight Saving Time Transitions
Step 1
clock summer-timezonerecurring [week1 day1 month1 time1 week2 day2 month2 time2[ offset]] and press Enter.Configures daylight saving time to start and stop on the specified days every year.
Defining Recurring Daylight Saving Time Transitions: Example
The following example shows how to configure recurring daylight saving time for a time zone designated "DST" as follows:
•
•
•
SCE(config)# clock summer-time DST recurring last Sunday March 00:00 4 Saturday November 23:59How to Define Non-Recurring Daylight Saving Time Transitions
Step 1
clock summer-timezone[ date1 month1 year1 time1 date2 month2 year2 time2[ offset]] and press Enter.Enables privileged EXEC mode.
Defining Non-Recurring Daylight Saving Time Transitions: Example
The following example shows how to configure non-recurring daylight saving time for a time zone designated "DST" as follows:
•
•
•
SCE(config)# clock summer-time DST April 16 2004 00:00 October 23 2004 23:59How to Cancel the Daylight Saving Time Configuration
Step 1
no clock summer-timeand press Enter.Removes all daylight saving configuration.
How to Display the Current Daylight Saving Time Configuration
Step 1
show timezoneand press Enter.Displays the current time zone and daylight saving time configuration.
How to Configure SNTP
•
•
•
•
•
•
About SNTP
The Simple Network Timing Protocol (SNTP) is a simple solution to the problem of synchronizing the clocks in the various elements of the network. SNTP provides access to a time source via the network. The system clock and calendar are then set in accordance with this external source.
There are two options for the SNTP client. These functions are independent, and the system employ either one or both.
•
•
Note
The following commands are relevant to SNTP configuration:
•
•
•
•
•
How to Enable the SNTP Multicast Client
Step 1
sntp broadcast client, and press Enter.Enables the SNTP multicast client. It will accept time updates from any broadcast server.
How to Disable the SNTP Multicast Client
Step 1
no sntp broadcast client, and press Enter.Disables the SNTP multicast client. It will not accept any broadcast time updates.
How to Enable the SNTP Unicast Client
•
•
Options
The following option is available:
•
Step 1
sntp serverip-address, and press EnterDefines the SNTP unicast server so that SNTP client is able to query that server.
Enabling SNTP Unicast Client: Example
The following example shows how to enable an SNTP server at IP address 128.182.58.100.
SCE(config)# sntp server 128.182.58.100How to Disable the SNTP Unicast Client
•
•
How to Disable the SNTP Unicast Client and Remove All Servers
Step 1
no sntp server all, and press Enter.Removes all SNTP unicast servers, preventing unicast SNTP query.
How to Remove One SNTP Server
Options
The following option is available:
•
Step 1
no sntp serverip-address,and press EnterRemoves the specified SNTP unicast server .
How to Define the SNTP Unicast Update Interval
•
•
Options
The following option is available:
•
default interval = 900 seconds
Step 1
sntp update-intervalinterval, and press Enter.Enables privileged EXEC mode.
•
Defining the SNTP Unicast Update Interval: Example
The following example shows how to set the SNTP update interval for 100 seconds.
SCE(config)# sntp update-interval 100How to Display SNTP Information
•
Step 1
show sntp, and press Enter.Displays the configuration of both the SNTP unicast client and the SNTP multicast client.
Displaying SNTP Information: Example
This example illustrates how to use this command.
SCE# show sntp SNTP broadcast client: disabled last update time: not available SNTP unicast client: enabled SNTP unicast server: 128.182.58.100 last update time: Feb 10 2002, 14:06:41 update interval: 100 secondsHow to Configure Domain Name Server (DNS) Settings
•
•
•
About Domain Name Servers
When a name of a host is given as a parameter to a CLI command that expects a host name or an IP address, the system translates the name to an IP address according to the following:
1.
2.
3.
4.
The following commands are relevant to DNS settings:
•
•
•
•
•
How to Configure DNS Lookup
How to Enable DNS Lookup
Step 1
ip domain-lookupand press Enter.Enables DNS lookup.
How to Disable DNS Lookup
Step 1
no ip domain-lookupand press Enter.How to Configure Name Servers
•
•
•
•
Options
The following options are available:
•
How to Define Domain Name Servers
Use this command to specify the address of one or more name servers to use for name and address resolution.
•
Step 1
ip name-serverserver-address1 [server-address2 [server-address3]], and press Enter.Defines the servers at the specified addresses as domain name servers.
Defining Domain Name Servers: Example
The following example shows how to configure the two name server (DNS) IP addresses.
SCE(config)#ip name-server 10.1.1.60 10.1.1.61How to Remove a Domain Name Server
Step 1
no ip name-serverserver-address1 [server-address2 [server-address3]], and press Enter.Removes the specified server from the DNS list.
Removing a Domain Name Server: Example
The following example shows how to remove name server (DNS) IP addresses.
SCE(config)#no ip name-server 10.1.1.60 10.1.1.61How to Remove All Domain Name Servers
Step 1
no ip name-server, and press Enter.Removes all configured DNS servers.
How to Add a Host to the Host Table
•
•
Options
The following options are available:
•
•
Step 1
ip hosthostname ip-address, and press Enter.Adds the specified host to the host table.
Adding Hosts to Removing them from the Host Table: Examples
The following example shows how to add a host to the host table.
SCE(config)#ip host PC85 10.1.1.61The following example shows how to remove a hostname together with all its IP mappings.
SCE(config)#no ip host PC85How to Display Current DNS Settings
Step 1
show hosts, and press Enter.Displays current DNS settings.
Displaying Current DNS Settings: Example
The following example shows how to display current DNS information.
SCE#show hosts Default domain is Cisco.com Name/address lookup uses domain service Name servers are 10.1.1.60, 10.1.1.61 Host Address ---- ------- PC85 10.1.1.61 SCEnumberHow to Configure the Management Port Physical Parameters
This interface has a transmission rate of 10 or 100 Mbps and is used for management operations and for transmitting RDRs, which are the output of traffic analysis and management operations.
The procedures for configuring this interface are explained in the following sections.
•
•
How to Configure the Management Interface Speed and Duplex Parameters
This section presents sample procedures that describe how to configure the speed and the duplex of the Management Interface.
Both these parameters must be configured separately for each port.
•
•
How to Configure the Duplex Operation of the Management Interface
•
•
Options
The following options are available:
•
–
–
–
If the speed parameter is configured to auto , changing the duplex parameter has no effect (see ).
Step 1
duplexauto|full|half and press Enter.Configures the duplex operation of the currently selected management interface.
Configuring the Duplex Operation of the Management Interface: Example
The following example shows how to use this command to configure both management ports to half duplex mode.
SCE#config SCE(config)#interface mng 0/1 SCE(config if)#duplex half SCE(config if)#exit SCE(config)#interface mng 0/2 SCE(config if)#duplex halfHow to Configure the Speed of the Management Interface
•
•
Options
The following options are available:
•
–
–
–
If the duplex parameter is configured to auto , changing the speed parameter has no effect (see ).
Step 1
speed10|100|autoand press Enter.Configures the speed of the currently selected management interface.
Configuring the Speed of the Management Interface: Example
The following example shows how to use this command to configure both management ports to The following example shows how to use this command to configure both management ports to half duplex mode..
SCE#config SCE(config)#interface mng 0/1 SCE(config if)#speed 100 SCE(config if)#exit SCE(config)#interface mng 0/2 SCE(config if)#speed 100How to Monitor the Management Interface
Use this command to display the following information for the specified management interface. Speed and duplex parameters are specific to the selected interface (port), while other parameters apply to both ports and are displayed by a command to either interface.
•
•
•
•
Step 1
show interface Mng {01 | 0/2}[auto-fail-over|duplex|ip address|speed]and press Enter.Displays the specified management interface configuration.
•
•
Posted: Wed May 30 08:52:37 PDT 2007
All contents are Copyright © 1992--2007 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
