Cisco ASR 5000 Series Administration Manual


StarOS release 21.4

ASR 5500 System Administration Guide, StarOS Release 21.4
First Published: 2017-11-22
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


Summary of Contents for Cisco ASR 5000 Series

  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3 Contents Preface: About this Guide Conventions Used Related Documentation MIOs and DPCs Contacting Customer Support Chapter 1: System Operation and Configuration System Management Overview Terminology Contexts...
  • Page 4 Contents Alphanumeric Strings Character Set Quoted Strings Chapter 2: Getting Started ASR 5500 Configuration Using the ASR 5500 Quick Setup Wizard The Quick Setup Wizard Using the CLI for Initial Configuration Configuring System Administrative Users Limiting the Number of Concurrent CLI Sessions Automatic Logout of CLI Sessions Configuring the System for Remote Access...
  • Page 5 Contents Chapter 3: System Settings Configuring a Second Management Interface Verifying and Saving Your Interface and Port Configuration Configuring System Timing Setting the System Clock and Time Zone Verifying and Saving Your Clock and Time Zone Configuration Configuring Network Time Protocol Support Configuring NTP Servers with Local Sources Using a Load Balancer...
  • Page 6 Contents Associating an SFTP root Directory with an Administrator Associating an SFTP root Directory with a Config Administrator Configuring TACACS+ for System Administrative Users Operation User Account Requirements TACACS+ User Account Requirements StarOS User Account Requirements Configuring TACACS+ AAA Services Configuring TACACS+ for Non-local VPN Authentication Verifying the TACACS+ Configuration Separating Authentication Methods...
  • Page 7 Contents Preferred Slot Auto-Switch Criteria Link Aggregation Control Minimum Links Redundancy Options Horizontal Link Aggregation with Two Ethernet Switches Non-Redundant (Active-Active) LAG Faster Data Plane Convergence Link Aggregation Status Configuring a Demux Card Overview MIO Demux Restrictions Configuration Chapter 4: Config Mode Lock Mechanisms Overview of Config Mode Locking Requesting an Exclusive-Lock...
  • Page 8 Contents Feature Configuration Service Configuration Context Configuration System Configuration Finding Configuration Errors Synchronizing File Systems Saving the Configuration Chapter 7: System Interfaces and Ports Contexts Creating Contexts Viewing and Verifying Contexts Ethernet Interfaces and Ports Creating an Interface Configuring a Port and Binding It to an Interface Configuring a Static Route for an Interface...
  • Page 9 Contents User Access to Operating System Shell Test-Commands Enabling cli test-commands Mode Enabling Password for Access to CLI-test commands Exec Mode cli test-commands Configuration Mode cli test-commands Chapter 9: Secure System Configuration File Feature Summary and Revision History Feature Description How System Configuration Files are Secured Create a Digital Signature...
  • Page 10 Contents Configuring the Boot Stack System Boot Methods Viewing the Current Boot Stack Adding a New Boot Stack Entry Deleting a Boot Stack Entry Network Booting Configuration Requirements Configuring the Boot Interface Configuring the Boot Network Configuring Boot Network Delay Time Configuring a Boot Nameserver Upgrading the Operating System Software Identifying OS Release Version and Build Number...
  • Page 11 Chapter 11 Feature Summary and Revision History Smart Software Licensing Cisco Smart Software Manager Smart Accounts/Virtual Accounts Request a Cisco Smart Account Software Tags and Entitlement Tags Configuring Smart Licensing Monitoring and Troubleshooting Smart Licensing Smart Licensing Bulk Statistics...
  • Page 12 Contents Configuring Bulk Statistic Schemas Configuring a Separate Bulkstats Config File Using show bulkstats Commands Verifying Your Configuration Saving Your Configuration Viewing Collected Bulk Statistics Data Collecting Bulk Statistics Samples in SSD Manually Gathering and Transferring Bulk Statistics Clearing Bulk Statistics Counters and Information Bulkstats Schema Nomenclature Statistic Types Data Types...
  • Page 13 Contents Reducing Excessive Event Logging Configuring Log Source Thresholds Checkpointing Logs Saving Log Files Event ID Overview Event Severities Understanding Event ID Information in Logged Output Chapter 15: Troubleshooting Detecting Faulty Hardware Licensing Issues Using the CLI to View Status LEDs Checking the LEDs on the PFU Checking the LEDs on the MIO Card...
  • Page 14 Contents SSC System Service LED States Testing System Alarm Outputs Taking Corrective Action Switching MIOs Busying Out a DPC Migrating a DPC Halting Cards Initiate a Card Halt Restore a Previously Halted Card Verifying Network Connectivity Using the ping or ping6 Command Syntax Troubleshooting Using the traceroute or traceroute6 Command...
  • Page 15 Contents Show Command(s) and/or Outputs show cdr statistics show { hexdump-module | cdr } file-space-usage show hexdump-module statistics Chapter 17: System Recovery Prerequisites Console Access Boot Image Accessing the boot CLI Initiate a Reboot Interrupt the Boot Sequence Enter CLI Mode boot Command Syntax...
  • Page 16 Contents Applying an ACL to All Traffic Within a Context Verifying the ACL Configuration in a Context Applying an ACL to a RADIUS-based Subscriber Applying an ACL to an Individual Subscriber Verifying the ACL Configuration to an Individual Subscriber Applying an ACL to the Subscriber Named default Applying an ACL to the Subscriber Named default Verifying the ACL Configuration to the Subscriber Named default Applying an ACL to Service-specified Default Subscriber...
  • Page 17 Contents Static Routing Adding Static Routes to a Context Deleting Static Routes From a Context OSPF Routing OSPF Version 2 Overview Basic OSPFv2 Configuration Enabling OSPF Routing For a Specific Context Enabling OSPF Over a Specific Interface Redistributing Routes Into OSPF (Optional) Confirming OSPF Configuration Parameters OSPFv3 Routing OSPFv3 Overview...
  • Page 18 Contents BGP CLI Configuration Commands Confirming BGP Configuration Parameters Bidirectional Forwarding Detection Overview of BFD Support Configuring BFD Configuring a BFD Context Configuring IPv4 BFD for Static Routes Configuring IPv6 BFD for Static Routes Configuring BFD for Single Hop Configuring Multihop BFD Scaling of BFD Associating BGP Neighbors with the Context Associating OSPF Neighbors with the Context...
  • Page 19 Contents Chapter 21: VLANs Overview Overlapping IP Address Pool Support – GGSN RADIUS VLAN Support – Enhanced Charging Services APN Support – PDN Gateway (P-GW) Creating VLAN Tags Verifying the Port Configuration Configuring Subscriber VLAN Associations RADIUS Attributes Used Configuring Local Subscriber Profiles Verify the Subscriber Profile Configuration...
  • Page 20 Contents Chapter 24: Session Recovery How Session Recovery Works Additional ASR 5500 Hardware Requirements Configuring the System to Support Session Recovery Enabling Session Recovery Enabling Session Recovery on an Out-of-Service System Enabling Session Recovery on an In-Service System Disabling the Session Recovery Feature Viewing Session Recovery Status Viewing Recovered Session Information...
  • Page 21 Contents SRP Redundancy, AAA and Diameter Guard Timers DSCP Marking of SRP Messages Optimizing Switchover Transitions Allow Non-VoLTE Traffic During ICSR Switchover Allow All Data Traffic Allow Early Active Transition Graceful Cleanup of ICSR After Audit of Failed Calls Optimization of Switchover Control Outage Time Configuring the SRP Context Interface Parameters Configuring NACK Generation for SRP Checkpoint Messaging Failures Enabling NACK Messaging from the Standby Chassis...
  • Page 22 Contents Updating the Boot Record Synchronizing File Systems Reboot StarOS Updating the Configuration File Verifying the Software Version Saving the Configuration File Completing the Update Process Waiting for Session Synchronization Primary System Initiating an SRP Switchover Checking AAA Monitor Status on the Newly Active System Completing the Software Update Initiating an SRP Switchover Making Test Calls...
  • Page 23 Contents Packet Data Network (PDN) Interface Rules Context Rules Subscriber Rules Service Rules Access Control List (ACL) Engineering Rules ECMP Groups Appendix B: StarOS Tasks Overview Primary Task Subsystems Controllers and Managers Subsystem Tasks System Initiation Subsystem High Availability Subsystem Resource Manager Subsystem...
  • Page 24 Contents rest port Sample Configuration Verifying the Configuration show confdmgr Command clear confdmgr confd cdb clear confdmgr statistics YANG Models Show Support Details (SSD) ConfD Examples Server ConfD Bulkstats Exec CLI Model CLI Based YANG Model for ECS Commands Seeding and Synchronizing the CDB show configuration confd Command CDB Maintenance clear confdmgr confd cdb...
  • Page 25 Contents ECS Category SESS_UCHKPT_CMD_ACS_CALL_INFO SESS_UCHKPT_CMD_ACS_GX_LI_INFO SESS_UCHKPT_CMD_ACS_SESS_INFO SESS_UCHKPT_CMD_DEL_ACS_CALL_INFO SESS_UCHKPT_CMD_DEL_ACS_SESS_INFO SESS_UCHKPT_CMD_DYNAMIC_CHRG_CA_INFO SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_CA_INFO SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_QG_INFO SESS_UCHKPT_CMD_DYNAMIC_CHRG_QG_INFO SESS_UCHKPT_CMD_DYNAMIC_RULE_DEL_INFO SESS_UCHKPT_CMD_DYNAMIC_RULE_INFO ePDG Category SESS_UCHKPT_CMD_DELETE_EPDG_BEARER SESS_UCHKPT_CMD_UPDATE_EPDG_BEARER SESS_UCHKPT_CMD_UPDATE_EPDG_PEER_ADDR SESS_UCHKPT_CMD_UPDATE_EPDG_REKEY SESS_UCHKPT_CMD_UPDATE_EPDG_STATS Firewall/ECS Category SESS_UCHKPT_CMD_SFW_DEL_RULE_INFO SESS_UCHKPT_CMD_SFW_RULE_INFO GGSN Category SESS_UCHKPT_CMD_GGSN_DELETE_SUB_SESS SESS_UCHKPT_CMD_GGSN_UPDATE_RPR SESS_UCHKPT_CMD_GGSN_UPDATE_SESSION SESS_UCHKPT_CMD_GGSN_UPDATE_STATS SESS_UCHKPT_CMD_UPDATE_COA_PARAMS Gx Interface Category SESS_UCHKPT_CMD_ACS_VOLUME_USAGE SESS_UCHKPT_CMD_UPDATE_SGX_INFO NAT Category SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALM_PORT_INFO1 SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALMS SESS_UCHKPT_CMD_NAT_SIP_ALG_CALL_INFO SESS_UCHKPT_CMD_NAT_SIP_ALG_CONTACT_PH_INFO...
  • Page 26 Contents SESS_UCHKPT_CMD_UPDATE_DSK_FLOW_CHKPT_INFO SESS_UCHKPT_CMD_UPDATE_NAT_BYPASS_FLOW_INFO P-GW Category SESS_UCHKPT_CMD_PGW_DELETE_SUB_SESS SESS_UCHKPT_CMD_PGW_OVRCHRG_PRTCTN_INFO SESS_UCHKPT_CMD_PGW_SGWRESTORATION_INFO SESS_UCHKPT_CMD_PGW_UBR_MBR_INFO SESS_UCHKPT_CMD_PGW_UPDATE_APN_AMBR SESS_UCHKPT_CMD_PGW_UPDATE_INFO SESS_UCHKPT_CMD_PGW_UPDATE_LI_PARAM SESS_UCHKPT_CMD_PGW_UPDATE_PDN_COMMON_PARAM SESS_UCHKPT_CMD_PGW_UPDATE_QOS SESS_UCHKPT_CMD_PGW_UPDATE_SGW_CHANGE SESS_UCHKPT_CMD_PGW_UPDATE_STATS Rf Interface Category SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF_WITH_FC SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_RATING_GROUP_RF SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_RATING_GROUP_RF_WITH_FC S6b Interface Category SESS_UCHKPT_CMD_S6B_INFO SaMOG Category SESS_UCHKPT_CMD_CGW_DELETE_BEARER SESS_UCHKPT_CMD_CGW_DELETE_PDN SESS_UCHKPT_CMD_CGW_UPDATE_BEARER_QOS SESS_UCHKPT_CMD_CGW_UPDATE_PDN SESS_UCHKPT_CMD_CGW_UPDATE_STATS SESS_UCHKPT_CMD_CGW_UPDATE_UE_PARAM SESS_UCHKPT_CMD_SAMOG_ACCT_INTERIM_INFO SESS_UCHKPT_CMD_SAMOG_ACCT_START_INFO SESS_UCHKPT_CMD_SAMOG_EOGRE_TUNNEL_INFO SESS_UCHKPT_CMD_SAMOG_GTPV1_UPDATE_PDN_INFO SESS_UCHKPT_CMD_SAMOG_HANDOFF_AUTHEN_INFO SESS_UCHKPT_CMD_SAMOG_HANDOFF_INIT_INFO SESS_UCHKPT_CMD_SAMOG_LI_PROV_INFO ASR 5500 System Administration Guide, StarOS Release 21.4...
  • Page 27 SESS_UCHKPT_CMD_SAMOG_MULTI_ROUND_AUTHEN_INFO SESS_UCHKPT_CMD_SAMOG_REAUTHEN_INFO SESS_UCHKPT_CMD_SAMOG_REAUTHOR_INFO Appendix E: ASR 5500 SDR CLI Command Strings Appendix F: Cisco Secure Boot Fundamental Concepts Secure Boot Overview MIO2 Support for Secure Boot...
  • Page 29: About This Guide

    About this Guide This preface describes the ASR 5500 System Administration Guide, how it is organized and its document conventions. The System Administration Guide describes how to generally configure and maintain StarOS running on an ASR 5500 platform. It also includes information on monitoring system performance and troubleshooting. •...
  • Page 30: Related Documentation

    Related Documentation The most up-to-date information for this product is available in the product Release Notes provided with each software release. The following user documents are available on www.cisco.com: • ASR 5500 Installation Guide • AAA Interface Administration and Reference •...
  • Page 31: Contacting Customer Support

    Use the information in this section to contact customer support. Refer to the support area of http://www.cisco.com for up-to-date product documentation or to submit a service request. A valid username and password are required to access this site. Please contact your Cisco sales or service representative for additional information.
  • Page 33: System Management Overview

    System Operation and Configuration: The ASR 5500 is designed to provide subscriber management services for Mobile Packet Core networks. Before you connect to the command line interface (CLI) and begin system configuration, you must understand how the system supports these services.
  • Page 34

    System Management Overview: There are multiple ways to manage the system either locally or remotely using its out-of-band management interfaces. [Figure 1: System Management Interfaces] Management options include: • Local login through the Console port on the MIO/MIO2 card using an RS-232 Console connection (RJ45) directly or indirectly via a terminal server •...
  • Page 35: Terminology

    Universal PID license must be purchased and installed on the chassis for each installed UMIO and UDPC/UDPC2. Contact your Cisco account representative for additional licensing information. Important: Throughout this guide, any reference to an MIO card or DPC is assumed to also refer to the UMIO and UDPC/UDPC2 respectively.
  • Page 36: Logical Interfaces

    You must associate a port with a StarOS virtual circuit or tunnel called a logical interface before the port can allow the flow of user data. Within StarOS, a logical interface is a named interface associated with a virtual router instance that provides higher-layer protocol transport, such as Layer 3 IP addressing.
  • Page 37: AAA Servers

    • Serving GPRS Support Node (SGSN) Services • Packet Data Serving Node (PDSN) services • Home Agent (HA) services • Layer 2 Tunneling Protocol Access Concentrator (LAC) services • Dynamic Host Control Protocol (DHCP) services •...
  • Page 38: Trusted Builds

    • Local Subscribers: These are subscribers, primarily used for testing purposes, that are configured and authenticated within a specific context. Unlike RADIUS-based subscribers, the local subscriber's user profile (containing attributes like those used by RADIUS-based subscribers) is configured within the context where they are created.
  • Page 39: How The System Selects Contexts

    This section describes the process that determines which context to use for context-level administrative users or subscriber sessions. Understanding this process allows you to better plan your configuration in terms of how many contexts and interfaces you need to configure.
  • Page 40

    Context Selection for Context-level Administrative User Sessions: The following table and flowchart describe the process that the system uses to select an AAA context for a context-level administrative user. Items in the table correspond to the circled numbers in the flowchart. [Figure 2: Context-level Administrative User AAA Context]
  • Page 41

    Table 1: Context-level Administrative User AAA Context Selection (columns: Item, Description). During authentication, the system determines whether local authentication is enabled in the local context. If it is, the system attempts to authenticate the administrative user in the local context. If it is not, proceed to item 2 in this table.
  • Page 42: Context Selection For Subscriber Sessions

    The context selection process for a subscriber session is more involved than that for the administrative users. Subscriber session context selection information for specific products is located in the Administration Guide for the individual product.
  • Page 43: Understanding Configuration Files

    The following steps describe the system's boot process: Step 1: When power is first applied to the chassis, or after a reboot, only the MIO/UMIO/MIO2s in slot 5 and slot 6 receive power. Step 2: During the startup process, the MIO/UMIO/MIO2 performs a series of power-on self tests (POSTs) to ensure that its hardware is operational.
  • Page 44

    Understanding Configuration Files: Important: Pipes ( | ), used with the grep and more keywords, can potentially cause errors in configuration file processing. Therefore, the system automatically ignores keywords with pipes during processing. Important: Always save configuration files in UNIX format. Failure to do so can result in errors that prevent configuration file processing.
  • Page 45: IP Address Notation

    When configuring a port interface via the CLI you must enter an IP address. The CLI always accepts an IPv4 address, and in some cases accepts an IPv6 address as an alternative. For some configuration commands, the CLI also accepts CIDR notation.
  • Page 46: Alphanumeric Strings

    CIDR notation is constructed from the IP address and the prefix size, the latter being the number of leading 1 bits of the routing prefix. The IP address is expressed according to the standards of IPv4 or IPv6. It is followed by a separator character, the slash (/) character, and the prefix size expressed as a decimal number.
  • Page 47

    Character Set • ! (exclamation point) [see exception below] • ( ) [parentheses] • % (percent) [see exception below] • # (pound sign) [see exception below] • ? (question mark) • ' (quotation mark – single) •...
  • Page 48: Quoted Strings

    If descriptive text requires the use of spaces between words, the string must be entered within double quotation marks (" "). For example: interface "Rack 3 Chassis 1 port 5/2"
  • Page 49: ASR 5500 Configuration

    Getting Started • ASR 5500 Configuration • Using the ASR 5500 Quick Setup Wizard • Using the CLI for Initial Configuration • Configuring System Administrative Users •...
  • Page 50: The Quick Setup Wizard

    The Quick Setup Wizard consists of a series of questions that prompt you for input before proceeding to the next question. Some prompts may be skipped depending on previous responses or whether a particular function is supported in the StarOS release.
  • Page 51

    The Quick Setup Wizard (table columns: Ques., Task, Description/Notes). Task: Change chassis key value. Description/Notes: A unique chassis key is configured at the factory for each system. This key is used to decrypt encrypted passwords found in generated configuration files. The system administrator can create a unique chassis key that will be used to encrypt passwords stored in configuration files.
  • Page 52

    The Quick Setup Wizard (table columns: Ques., Task, Description/Notes). Ques.: 14, 17, Task: Configure a single Management Input/Output (MIO/UMIO/MIO2) out-of-band management interface for out-of-band system Description/Notes: Traffic on the management LAN is not transferred over the same media as user data and control signaling.
  • Page 53

    The Quick Setup Wizard (table columns: Ques., Task, Description/Notes). Task: Enable FTP access to the system. Description/Notes: File Transfer Protocol (FTP) uses TCP port number 21 by default, if enabled. Note: For maximum system security, do not enable FTP. Note: in release 20.0 and higher Trusted StarOS builds, FTP is not supported.
  • Page 54

    The Quick Setup Wizard: Important: Once configuration using the wizard is complete, proceed to instructions on how to configure other system parameters. [Figure 4: MIO Interfaces: Console port [Port 3]; USB port]
  • Page 55

    The Quick Setup Wizard: [Figure 4 callouts, continued: 10 GbE ports, DC-1 [Ports 10 – 19]; 10 GbE ports, DC-2 [Ports 20 – 29]; 1 GbE ports (1000Base-T) [Ports 1 and 2]] [Figure 5: MIO2 Interfaces: 100 GbE ports, DC-1 [Ports 10 and 11]; 10GbE ports, DC-1 [Ports 12 and 13]; USB port; Console port [Port 3]...
  • Page 56: Using The CLI For Initial Configuration

    [Figure 5 callouts, continued: 1 GbE ports (1000Base-T) [Ports 1 and 2]; 100 GbE ports, DC-2 [Ports 20 and 21]; 10GbE ports, DC-2 [Ports 22 and 23]] Using the CLI for Initial Configuration: The initial configuration consists of the following: •...
  • Page 57

    Using the CLI for Initial Configuration: Step 5: Enter the following command to configure a hostname by which the system will be recognized on the network: [local]host_name(config)# system hostname host_name host_name is the name by which the system will be recognized on the network. The hostname is an alphanumeric string of 1 through 63 characters that is case sensitive.
  • Page 58: Configuring System Administrative Users

    This section describes some of the security features that allow security administrators to control user accounts. Limiting the Number of Concurrent CLI Sessions: Security administrators can limit the number of concurrent interactive CLI sessions. Limiting the number of concurrent interactive sessions reduces the consumption of system-wide resources.
  • Page 59: Configuring The System For Remote Access

    Idle Timeout: allows a security administrator to specify the maximum amount of minutes that a session can remain in an idle state before the session is automatically disconnected. Important: The session timeout and idle timeout fields are not exclusive. If both are specified, then the idle timeout should always be lower than the session timeout since a lower session timeout will always be reached first.
  • Page 60

    Configuring the System for Remote Access: Step 3: Configure the system to allow SSH access: [local]host_name(config-ctx)# ssh generate key [ type { v1-rsa | v2-rsa | v2-dsa } ] v2-rsa is the recommended key type. In StarOS 19.2 and higher, the v1-rsa keyword has been removed from and the v2-dsa keyword has been concealed within the Context Configuration mode ssh generate CLI command.
  • Page 61: Configuring SSH Options

    Step 8: Verify the configuration of the IP routes by entering the following command: [local]host_name# show ip route The CLI output should be similar to the sample output: "*" indicates the Best or Used route. Destination Nexthop Protocol...
  • Page 62: SSH Host Keys

    The v1-rsa keyword has been removed from the Exec mode show ssh key CLI command. SSH Host Keys: SSH key-based authentication uses two keys, one "public" key that anyone is allowed to see, and another "private"...
  • Page 63: Specifying SSH Encryption Ciphers

    The SSH Configuration mode ciphers CLI command configures the cipher priority list in sshd for SSH symmetric encryption. It changes the cipher options for that context. Step 1: Enter the SSH Configuration mode. host_name server sshd [local]...
  • Page 64: Generating SSH Keys

    The ssh generate command generates a public/private key pair which is to be used by the SSH server. The v1-rsa keyword has been removed from and the v2-dsa keyword concealed within the ssh generate CLI command.
  • Page 65: Authorizing SSH User Access

    The SSH Configuration mode authorized-key command grants user access to a context from a specified host. Step 1: Go to the SSH Configuration mode. [local]host_name(config-ctx)# server sshd [local]host_name(config-sshd)# Step 2: Specify administrative user access via the authorized-key command.
  • Page 66: SSH User Login Authentication

    Step 2: Go to the SSH Configuration mode. [local]host_name(config-ctx)# server sshd Step 3: Configure the SSH user list. [local]host_name(config-sshd)# allowusers add user_list user_list specifies a list of user name patterns, separated by spaces, as an alphanumeric string of 1 through 999 characters. If the pattern takes the form 'USER' then login is restricted for that user.
  • Page 67: Secure Session Logout

    45 seconds (using default parameters). Two SSH Configuration mode CLI commands allow you to disable or modify this default sshd disconnect behavior. Important: For higher security, Cisco recommends at least a client-alive-countmax of 2 and client-alive-interval of 5.
  • Page 68: SSH Client Login To External Servers

    Step 3: Set the ClientAliveCountmax parameter to 2. [local]host_name(config-sshd)# client-alive-countmax 2 Step 4: Set the ClientAliveInterval parameter to 5 seconds. [local]host_name(config-sshd)# client-alive-interval 5 Step 5: Exit the SSH Configuration mode. [local]host_name(config-sshd)#...
  • Page 69: Setting Preferred Authentication Methods

    • aes256-gcm@openssh.com – AES, 256-bit key size, GCM, OpenSSH • chacha20-poly1305@openssh.com – ChaCha20 symmetric cipher, Poly1305 cryptographic Message Authentication Code [MAC], OpenSSH The default string for algorithms in a Normal build is: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,3des-cbc,aes128-cbc The default string for algorithms in a Trusted build is:...
  • Page 70: Generating SSH Client Key Pair

    You use commands in the SSH Client Configuration mode to specify a private key and generate the SSH client key pair. Step 1: Enter the SSH client configuration mode. host_name client ssh [local]...
  • Page 71: Enabling NETCONF

    An SSH key is a requirement before NETCONF protocol and the ConfD engine can be enabled in support of Cisco Network Service Orchestrator (NSO). Refer to the NETCONF and ConfD appendix in this guide for detailed information on how to enable NETCONF.
  • Page 72

    Configuring the Management Interface with a Second IP Address: Step 7: Save your configuration as described in Verifying and Saving Your Configuration.
  • Page 73

    System Settings: This chapter provides instructions for configuring the following StarOS options. It is assumed that the procedures to initially configure the system as described in Getting Started have been completed. Important: The commands used in the configuration examples in this section are the most likely-used commands and/or keyword options.
  • Page 74: Configuring A Second Management Interface

    Refer to Getting Started for instructions on configuring a system management interface on the Management Input/Output (MIO/UMIO/MIO2) card. This section describes how to configure a second management interface.
  • Page 75: Configuring System Timing

    Verify that the port configuration settings are correct by entering the following command: show configuration port slot#/port# slot# is the chassis slot number of the line card where the physical port resides. slot# is either 5 or 6. port# is the number of the port (either 1 or 2).
  • Page 76: Verifying And Saving Your Clock And Time Zone Configuration

    Enter the following command to verify that you configured the time and time zone correctly: show clock The output displays the date, time, and time zone that you configured. Configuring Network Time Protocol Support: This section provides information and instructions for configuring the system to enable the use of the Network Time Protocol (NTP).
  • Page 77: Configuring NTP Servers With Local Sources

    Important: Do not change the maxpoll, minpoll, or version keyword settings unless instructed to do so by Cisco TAC. Use the following example to configure the necessary NTP association parameters: configure enable...
  • Page 78: Verifying The NTP Configuration

    Verify the NTP configuration is correct. Enter the following command at the Exec mode prompt: show ntp associations The output displays information about all NTP servers. See the output below for an example deploying two NTP servers.
  • Page 79: Configuring Sf Boot Configuration Pause

    System Settings Configuring SF Boot Configuration Pause
    Column Title: Description
    • delay: Round-trip delay (in milliseconds) for messages exchanged between the system and the NTP server.
    • offset: Number of milliseconds by which the system clock must be adjusted to synchronize it with the NTP server.
    • jitter: Jitter in milliseconds between the system and the NTP server.
  • Page 80: Configuring Cli Confirmation Prompts

    System Settings Configuring CLI Confirmation Prompts The date and time appear immediately after you execute the command. Save the configuration as described in the Verifying and Saving Your Configuration chapter. Configuring CLI Confirmation Prompts A number of Exec mode and Global Configuration mode commands prompt users for a confirmation (Are you sure? [Yes|No]:) prior to executing the command.
  • Page 81: Requiring Confirmation For Specific Exec Mode Commands

    System Settings Requiring Confirmation for Specific Exec Mode Commands The following command sequence enables the commandguard feature: configure commandguard With commandguard enabled the confirmation prompt appears as shown in the example below: [local]host_name# configure Are you sure? [Yes|No]: [local]host_name(config)# To disable commandguard once it has been enabled, use the no commandguard command.
  • Page 82: Configuring System Administrative Users

    System Settings Configuring System Administrative Users • You can turn off confirmation prompting for a specific category using no commandguard exec-command exec_mode_category. • If autoconfirm is overridden by commandguard exec-command for an Exec mode command, StarOS displays an informational message indicating why autoconfirm is being overridden when you attempt to execute the command.
  • Page 83: Configuring Context-Level Administrative Users

    System Settings Configuring Context-level Administrative Users If you attempt to create a user name that does not adhere to these standards, you will receive the following message: "Invalid character; legal characters are "0123456789.-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ". Configuring Context-level Administrative Users This user type is configured at the context-level and relies on the AAA subsystems for validating user names and passwords during login.
  • Page 84: Configuring Context-Level Administrators

    System Settings Configuring Context-level Administrative Users Configuring Context-level Administrators Use the example below to configure context-level configuration administrators: configure context local config-administrator user_name { [ encrypted ] [ nopassword ] password password } Notes: • Additional keyword options are available that identify active administrators or place time thresholds on the administrator.
  • Page 85: Configuring Li Administrators

    System Settings Configuring Context-level Administrative Users • Additional keyword options are available that identify active administrators or place time thresholds on the administrator. Refer to the Command Line Interface Reference for more information about the inspector command. • The nopassword option allows you to create an inspector without an associated password. Enable this option when using ssh public keys (authorized key command in SSH Configuration mode) as a sole means of authentication.
  • Page 86: Verifying Context-Level Administrative User Configuration

    For a detailed description of the Global Configuration mode require segregated li-configuration and associated commands, see the Lawful Intercept CLI Commands appendix in the Lawful Intercept Configuration Guide. Note: The Lawful Intercept Configuration Guide is not available on www.cisco.com. Contact your Cisco account representative to obtain a copy of this guide.
  • Page 87: Configuring Local-User Administrative Users

    System Settings Configuring Local-User Administrative Users This command displays all of the configuration parameters you modified within the Local context during this session. The following displays sample output for this command. In this example, a security administrator named testadmin was configured. config context local interface mgmt1...
  • Page 88: Updating Local-User Database

    System Settings Configuring Local-User Administrative Users Password Expired: Locked: Suspended: Lockout on Pw Aging: Lockout on Login Fail: Yes Updating Local-User Database Update the local-user (administrative) configuration by running the following Exec mode command. This command should be run immediately after creating, removing or editing administrative users. update local-user database Updating and Downgrading the local-user Database Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved...
  • Page 89: Provisioning Lawful Intercept

    StarOS services that support Lawful Intercept. This guide is not available on www.cisco.com. It can only be obtained by contacting your Cisco account representative.
  • Page 90: Restricting User Access To A Specified Root Directory

    System Settings Restricting User Access to a Specified Root Directory re-configured any other type of LI context system. Refer to the Lawful Intercept Configuration Guide before attempting to create a Dedicated-LI context. Figure 6: LI Context Configurations In Release 21.4 and higher (Trusted builds only): •...
  • Page 91: Configuring An Sftp Root Directory

    System Settings Restricting User Access to a Specified Root Directory Configuring an SFTP root Directory The subsystem sftp command allows the assignment of an SFTP root directory and associated access privilege level. configure context local server sshd subsystem sftp [ name sftp_name root-dir pathname mode { read-only | readwrite } ] Notes: •...
  • Page 92: Configuring Tacacs+ For System Administrative Users

    System Settings Configuring TACACS+ for System Administrative Users Configuring TACACS+ for System Administrative Users This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication Authorization and Accounting) service functionality and configuration on the ASR 5500. Operation TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned with the administrative user account database, the ASR 5500 system can provide TACACS+ AAA services for system administrative users.
  • Page 93: User Account Requirements

    System Settings User Account Requirements Important: For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for Lawful Intercept users with privilege level set to 15 and 13. User Account Requirements Before configuring TACACS+ AAA services, note the following TACACS+ server and StarOS user account provisioning requirements.
  • Page 94: Configuring Tacacs+ Aaa Services

    System Settings Configuring TACACS+ AAA Services Important: For instructions on defining users and administrative privileges on the system, refer to Configuring System Administrative Users. Configuring TACACS+ AAA Services This section provides an example of how to configure TACACS+ AAA services for administrative users on the system.
  • Page 95: Configuring Tacacs+ For Non-Local Vpn Authentication

    System Settings Configuring TACACS+ for Non-local VPN Authentication Configuring TACACS+ for Non-local VPN Authentication By default TACACS+ authentication is associated with login to the local context. TACACS+ authentication can also be configured for non-local context VPN logins. TACACS+ must be configured and enabled with the option described below.
  • Page 96: Separating Authentication Methods

    System Settings Separating Authentication Methods Important: For details on all TACACS+ maintenance commands, refer to the Command Line Interface Reference. Separating Authentication Methods You can configure separate authentication methods for accessing the Console port and establishing SSH/telnet sessions (vty lines). If you configure TACACS+ globally, access to the Console and vty lines are both authenticated using that method.
  • Page 97: Disable Tacacs+ Authentication At The Context Level

    System Settings Disable TACACS+ Authentication at the Context Level Since local-user authentication is always performed before AAA-based authentication and local-user allow-aaa-authentication noconsole is enabled, the behavior is the same as if no local-user allow-aaa-authentication is configured. There is no impact on vty lines. Important: This command does not apply for a Trusted build because the local-user database is unavailable.
  • Page 98: Limit Console Access For Aaa-Based Users

    System Settings Limit Console Access for AAA-based Users Important: This command does not apply for a Trusted build because the local-user database is unavailable. Limit Console Access for AAA-based Users AAA-based users normally log in through a vty line. However, you may want to limit a few users to accessing just the Console line.
  • Page 99: Configuring A New Chassis Key Value

    System Settings Configuring a New Chassis Key Value The chassis key is used to generate the chassis ID which is stored in a file and used as the master key for protecting sensitive data (such as passwords and secrets) in configuration files. For release 15.0 and higher, the chassis ID is an SHA256 hash of the chassis key.
  • Page 100: Quick Setup Wizard

    System Settings Configuring MIO/UMIO/MIO2 Port Redundancy However, if the chassis key is reset in Release 15 through the Quick Setup Wizard or CLI command, a new chassis ID will be generated in Release 15 format (44 instead of 16 characters). Release 14 builds will not recognize the 44-character chassis ID.
  • Page 101: Asr 5500 System Administration Guide, Staros Release 21.4

    System Settings Configuring MIO/UMIO/MIO2 Port Redundancy With port redundancy, if a failover occurs, only the specific port(s) become active. For example, if port 5/1 fails, then port 6/1 becomes active, while all other active ports on the line card in slot 5 remain in the same active state.
  • Page 102: Asr 5500 System Administration Guide, Staros Release 21.4

    System Settings Configuring MIO/UMIO/MIO2 Port Redundancy This feature requires specific network topologies to work properly. The network must have redundant switching components or other devices that the system is connected to. The following diagrams show examples of redundant switching topologies and how the system reacts to various external network device scenarios. Figure 7: Network Topology Example Using MIO/UMIO Port Redundancy Figure 8: Port Redundancy Failover in Cable Defect Scenario In the example above, an Ethernet cable is cut or unplugged, causing the link to go down.
  • Page 103: Configuring Mio/Umio/Mio2 Port Redundancy Auto-Recovery

    System Settings Configuring MIO/UMIO/MIO2 Port Redundancy Auto-Recovery the port on the secondary switch to which the MIO/UMIO/MIO2 in slot 6 is connected, allowing it to redirect and transport data. Figure 9: Port Redundancy Failover in External Network Device Failure Scenario In the example above, a switch failure causes a link down state on all ports connected to that switch.
  • Page 104: Verifying Port Redundancy Auto-Recovery

    System Settings Configuring Data Processing Card Availability Verifying Port Redundancy Auto-Recovery Verify port information by entering the following command: show port info slot#/port# slot# is the chassis slot number of the MIO/UMIO/MIO2 card on which the physical port resides. port# is the physical port on the MIO/UMIO/MIO2. The following shows a sample output of this command for port 1 on the MIO/UMIO/MIO2 in slot 5: host_name [local]...
  • Page 105: Verifying Card Configurations

    System Settings Verifying Card Configurations Notes: • When activating cards, remember to keep at least one DPC/UDPC or DPC2/UDPC2 in standby mode for redundancy. • Repeat for every other DPC/UDPC or DPC2/UDPC2 in the chassis that you wish to activate. Save the configuration as described in the Verifying and Saving Your Configuration chapter.
  • Page 106: Lag And Master Port

    System Settings LAG and Master Port LAG and Master Port Logical port configurations (VLAN and binding) are defined in the master port of the LAG. If the master port is removed because of a card removal/failure, another member port becomes the master port (resulting in VPN binding change and outage), unless there is a redundant master port available.
  • Page 107: Multiple Switches With L2 Redundancy

    System Settings LAG and Multiple Switches Multiple Switches with L2 Redundancy To handle the implementation of LACP without requiring standby ports to pass LACP packets, two separate instances of LACP are started on redundant cards. The two LACP instances and port link state are monitored to determine whether to initiate an auto-switch (including automatic L2 port switch).
  • Page 108: Preferred Slot

    System Settings Link Aggregation Control The LAG manager also enters/extends the hold period when an administrator manually switches ports to trigger a card switch. Preferred Slot You can define which card is preferred per LAG group as a preferred slot. When a preferred MIO/UMIO/MIO2 slot is specified, it is selected for the initial timeout period to make the selection of a switch less random.
  • Page 109: Minimum Links

    System Settings Minimum Links Important: The VPN can only bind the master port, and a VLAN can only be created on the master port. A failure message is generated if you attempt to bind to a link aggregation member port. Each system that participates in link aggregation has a unique system ID that consists of a two-byte priority (where the lowest number [0] has the highest priority) and a six-byte MAC address derived from the first port's MAC address.
  • Page 110: Redundancy Options

    System Settings Redundancy Options link-aggregation master { global | group } number min-link number_links Redundancy Options For L2 redundancy set the following option on the master port for use with the whole group: link-aggregation redundancy standard [hold-time sec ] [preferred slot { card_number | none } ] Standard redundancy treats all cards in the group as one group.
  • Page 111: Faster Data Plane Convergence

    System Settings Faster Data Plane Convergence In the above configuration, there is a single, primary LAG. All ports work as a single bundle of ports that distribute the traffic. Important: If you use the Ethernet Port Configuration mode shutdown command to shut down one of the ports on an MIO/UMIO/MIO2 card in this LAG configuration, by default the paired port on the other MIO/UMIO/MIO2 card will also be shut down.
  • Page 112: Chapter

    System Settings Link Aggregation Status Important: Active-Active LAG groups must be configured, along with aggressive microBFD timers (such as 150*3). During MIO card recovery BGP Sessions might flap based on the configuration. To avoid traffic loss during these events, BGP graceful restart must be configured with proper hold/keepalive and restart timers. See the description of the bgp graceful-restart command in the BGP Configuration Mode Commands chapter of the Command Line Interface Reference.
  • Page 113: Mio Demux Restrictions

    Caution: Enabling the Demux on MIO/UMIO/MIO2 feature changes resource allocations within the system. This directly impacts an upgrade or downgrade between StarOS versions in ICSR configurations. Contact Cisco TAC for procedural assistance prior to upgrading or downgrading your ICSR deployment.
  • Page 114: Configuration

    System Settings Configuration Important: Contact Cisco TAC for additional assistance when assessing the impact to system configurations when enabling the Demux on MIO/UMIO/MIO2 feature. Configuration For releases prior to 15.0, to configure a DPC/UDPC as a demux card enter the following CLI commands:...
  • Page 115: Chapter

    CHAPTER Config Mode Lock Mechanisms This chapter describes how administrative lock mechanisms operate within StarOS configuration mode. It contains the following sections: • Overview of Config Mode Locking, page 83 • Requesting an Exclusive-Lock, page 84 •...
  • Page 116: Requesting An Exclusive-Lock

    Config Mode Lock Mechanisms Requesting an Exclusive-Lock A shutdown-lock is enabled during a save configuration operation to prevent other users from reloading or shutting down the system while the configuration is being saved. Config mode locking mechanisms such as shared-lock, exclusive-lock and shutdown-lock mitigate the possibility of conflicting commands, file corruption and reboot issues.
  • Page 117: Effect Of Config Lock On Url Scripts

    Config Mode Lock Mechanisms Effect of Config Lock on URL Scripts A configure lock force command may not be successful because there is a very small chance that another administrator may be in the middle of entering a password or performing a critical system operation that cannot be interrupted.
  • Page 118: Saving A Configuration File

    Config Mode Lock Mechanisms Saving a Configuration File Saving a Configuration File Saving a partial or incomplete configuration file can cause StarOS to become unstable when the saved configuration is loaded at a later time. StarOS inhibits the user from saving a configuration which is in the process of being modified.
  • Page 119: Show Administrators Command

    Config Mode Lock Mechanisms show administrators Command Broadcast message from root (pts/2) Wed May 11 16:08:16 2016... The system is going down for reboot NOW !! Caution: Employing the ignore-locks keyword when rebooting the system may corrupt the configuration file. show administrators Command The Exec mode show administrators command has a single-character "M"...
  • Page 120: Asr 5500 System Administration Guide, Staros Release 21.4

    Config Mode Lock Mechanisms show administrators Command ASR 5500 System Administration Guide, StarOS Release 21.4...
  • Page 121: Management Settings

    CHAPTER Management Settings This chapter provides instructions for configuring Object Request Broker Element Management (ORBEM) and Simple Network Management Protocol (SNMP) options. This chapter includes the following sections: • ORBEM, page 89 • SNMP MIB Browser, page 91 •...
  • Page 122: Configuring Orbem Client And Port Parameters

    Management Settings Configuring ORBEM Client and Port Parameters To configure the system to communicate with an EMS: Step 1 Set client ID parameters and configure the STOP/TCP port settings by applying the example configuration in Configuring ORBEM Client and Port Parameters, on page 90 Step 2 Configure Internet Inter-ORB Protocol (IIOP) transport parameters by applying the example configuration in Configuring...
  • Page 123: Verifying Orbem Parameters

    : 87950 usecs SNMP MIB Browser This section provides instructions to access the latest Cisco Starent MIB files using a MIB Browser. An updated MIB file accompanies every StarOS release. For assistance to set up an account and access files, please contact your Cisco sales or service representative for additional information.
  • Page 124: Asr 5500 System Administration Guide, Staros Release 21.4

    Use the following procedure to view the SNMP MIBs for a specific StarOS build: Step 1 Contact Cisco sales or a service representative to obtain access to the MIB files for a specific StarOS release. Step 2 Download the compressed companion file to a folder on your desktop. The file name follows the convention: companion_xx.x.x.tgz...
  • Page 125: Asr 5500 System Administration Guide, Staros Release 21.4

    Management Settings SNMP MIB Browser In the example below the MIB Browser presents a tree diagram that allows you to display details for each Object, Trap and Conformance. The example below includes the OID number and trap details for the starCardPACMigrateFailed trap. The SNMP MIB browser allows you to search for specific MIBs.
  • Page 126: Snmp Support

    Management Settings SNMP Support SNMP Support The system uses SNMP to send traps or events to the EMS server or an alarm server on the network. You must configure SNMP settings to communicate with those devices. Important: Commands used in the configuration samples in this section provide base functionality. The most common commands and keyword options are presented.
  • Page 127: Verifying Snmp Parameters

    • The snmp user name is for SNMP v3 and is optional. There are numerous keyword options associated with this command. • Use the snmp mib command to enable other industry standard and Cisco MIBs. By default only the STARENT-MIB is enabled.
  • Page 128: Controlling Snmp Trap Generation

    Management Settings Controlling SNMP Trap Generation CISCO-PROCESS-MIB : Disabled CISCO-ENTITY-FRU-CONTROL-MIB : Disabled Step 2 Verify that the SNMP community(ies) were configured properly by entering the following command: show snmp communities The output of this command lists the configured SNMP communities and their corresponding access levels.
  • Page 129: Verifying And Saving Your Configuration

    CHAPTER Verifying and Saving Your Configuration This chapter describes how to save your system configuration. • Verifying the Configuration, page 97 • Synchronizing File Systems, page 99 • Saving the Configuration, page 99 Verifying the Configuration You can use a number of commands to verify the configuration of your feature, service, or system.
  • Page 130: Chapter

    Verifying and Saving Your Configuration Service Configuration Important: To configure features on the system, use the show commands specifically for these features. Refer to the Exec Mode show Commands chapter in the Command Line Interface Reference for complete information. Service Configuration Verify that your service was created and configured properly by entering the following command: show service_type service_name The output is a concise listing of the service parameter settings similar to the sample displayed below.
  • Page 131: Synchronizing File Systems

    Verifying and Saving Your Configuration Synchronizing File Systems You must refine this command to specify particular sections of the configuration. Add the section keyword and choose a section from the help menu as shown in the examples below. show configuration errors section ggsn-service show configuration errors section aaa-config If the configuration contains no errors, an output similar to the following is displayed: ##############################################################################...
  • Page 132: Asr 5500 System Administration Guide, Staros Release 21.4

    Verifying and Saving Your Configuration Saving the Configuration Important: The obsolete-encryption and showsecrets keywords have been removed from the save configuration command in StarOS 19.2 and higher. If you run a script or configuration that contains the removed keyword, a warning message is generated. For complete information about the above command, see the Exec Mode Commands chapter of the Command Line Interface Reference.
  • Page 133: System Interfaces And Ports

    CHAPTER System Interfaces and Ports This chapter describes how to create a context and configure system interfaces and ports within the context. Before beginning these procedures, refer to your product-specific administration guide for configuration information for your product.
  • Page 134: Viewing And Verifying Contexts

    System Interfaces and Ports Viewing and Verifying Contexts Viewing and Verifying Contexts Step 1 Verify that your contexts were successfully created by entering the following command: [local]host_name# show context all The output is a two-column table similar to the example below. This example shows that two contexts were created: one named source and one named destination.
  • Page 135: Creating An Interface

    System Interfaces and Ports Creating an Interface Creating an Interface Use the following example to create a new interface in a context: configure context name interface name { ip | ipv6 } address address subnetmask secondary Notes: • Optional: Add the loopback keyword option to the interface name command, to set the interface type as "loopback"...
  • Page 136: Viewing And Verifying Port Configuration

    System Interfaces and Ports Viewing and Verifying Port Configuration { ip | ipv6 } route ip_address netmask next-hop gw_address interface_name Notes: • ip_address and netmask are the IP address and subnet mask of the target network. This IP address can be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
  • Page 137: Vlans

    System Interfaces and Ports VLANs bind interface rp1 source #end Step 3 Verify that your static route(s) was configured properly by entering the following command: [context_name]host_name# show ip static-route Example: This command produces an output similar to that displayed in the following example that shows a static route to a gateway with an IP address of 192.168.250.1.
  • Page 138: Asr 5500 System Administration Guide, Staros Release 21.4

    System Interfaces and Ports VLANs and Management Ports This feature is implemented by adding support for the vlan command to the management port in the local context. See the example command sequence below. configure port ethernet 1/1 vlan 184 no shutdown bind interface 19/3-UHA foo ASR 5500 System Administration Guide, StarOS Release 21.4...
  • Page 139: System Security

    CHAPTER System Security This chapter describes the StarOS security features. This chapter explores the following topics: • Per-Chassis Key Identifier, page 107 • Protection of Passwords, page 108 • Support for ICSR Configurations, page 110 •...
  • Page 140: Mio Synchronization

    System Security MIO Synchronization Important: Changing a chassis key may invalidate previously generated configurations. This is because any secret portions of the earlier generated configuration will have used a different encryption key. For this reason the configuration needs to be recreated and restored. Important: To make password configuration easier for administrators, the chassis key should be set during the initial chassis set-up.
  • Page 141: Secure Password Encryption

    System Security Secure Password Encryption Secure Password Encryption By default for StarOS releases prior to 21.0 the system encrypts passwords using an MD5-based cipher (option A). These passwords also have a random 64-bit (8-byte) salt added to the password. The chassis key is used as the encryption key.
  • Page 142: Support For Icsr Configurations

    System Security Support for ICSR Configurations • Change the chassis key to the new desired value. • Save the configuration with this new chassis key. Refer to Configuring a Chassis Key in System Settings for additional information. Support for ICSR Configurations Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured ASR 5500 chassis/instances as a redundant pair.
  • Page 143: Modifying Intercepts

    System Security Modifying Intercepts If no information related to LI server addresses is received for that subscriber, LI server addresses will not be restricted. Important: A maximum of five LI server addresses are supported via an authenticating agent. Important: The ability to restrict destination addresses for LI content and event delivery using RADIUS attributes is supported only for PDSN and HA gateways.
  • Page 144: User Access To Operating System Shell

    CLI test-commands are intended for diagnostic use only. Access to these commands is not required during normal system operation. These commands are intended for use by Cisco TAC personnel only. Some of these commands can slow system performance, drop subscribers, and/or render the system inoperable.
  • Page 145: Exec Mode Cli Test-Commands

    System Security Exec Mode cli test-commands This command sequence is shown below. [local]host_name# config [local]host_name(config)# tech-support test-commands password new_password [ old-password old_password ] [local]host_name(config)# If the new password replaces an existing password, you must enter the old password for the change to be accepted.
  • Page 146: Asr 5500 System Administration Guide, Staros Release 21.4

    System Security Configuration Mode cli test-commands Important: An SNMP trap (starTestModeEntered) is generated whenever a user enters CLI test-commands mode. ASR 5500 System Administration Guide, StarOS Release 21.4...
  • Page 147: Secure System Configuration File

    CHAPTER Secure System Configuration File • Feature Summary and Revision History, page 115 • Feature Description, page 116 • How System Configuration Files are Secured, page 116 • Configuring Signature Verification, page 117 Feature Summary and Revision History Summary Data Applicable Product(s) or Functional Area...
  • Page 148: Feature Description

    Secure System Configuration File Feature Description Revision History Revision Details Release First Introduced. 21.3 Feature Description A system configuration file contains crucial configuration information used to set up and operate the operator's network. The configuration file must be properly authenticated before it is loaded to avoid unauthorized changes to the file that could harm the network.
  • Page 149: Validate The Digital Signature

    Secure System Configuration File Validate the Digital Signature Generating the Public and Private Keys The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following OpenSSL commands in the example below: openssl rsa -in pri_key.pem -pubout -out pub_key.pem --or-- openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem...
  • Page 150: Enable Or Disable Signature Verification

    Secure System Configuration File Enable or Disable Signature Verification tftp://host[:port][/<directory>]/filename ftp://[username[:password]@]host[:port][/directory]/filename sftp://[username[:password]@]host[:port][/directory]/filename http://[username[:password]@]host[:port][/directory]/filename https://[username[:password]@]host[:port][/directory]/filename Enable or Disable Signature Verification Use the following command to enable (or disable) signature verification in the configuration file: Important: This command can only be executed from the console. [ no ] cfg-security sign Notes: •...
  • Page 151: Software Management Operations

    CHAPTER Software Management Operations This chapter provides information about software management operations on the system. • Understanding the Local File System, page 119 • Maintaining the Local File System, page 120 • Configuring the Boot Stack, page 125 •...
  • Page 152: Understanding The Boot.sys File

    Software Management Operations Understanding the boot.sys File • CLI Configuration File: This file type is identified by its .cfg extension. These are text files that contain CLI commands that work in conjunction with the operating system software image. These files determine services to be provided, hardware and software configurations, and other functions performed by the system.
  • Page 153: Synchronizing The File System

    Software Management Operations File System Management Commands Important: For complete information on the commands listed below, see the Exec Mode Commands chapter of the Command Line Interface Reference. Synchronizing the File System Commands are supported for mirroring the local file systems from the active MIO/UMIO/MIO2 to the standby MIO/UMIO/MIO2 in systems containing two cards.
  • Page 154: Copying Files

    Software Management Operations File System Management Commands Copying Files These instructions assume that you are at the root prompt for the Exec mode. To save your current configuration, enter the following command: [local]host_name# copy from_url to_url [-noconfirm] To copy a configuration file called system.cfg from a directory that was called cfgfiles to a directory named configs_old, enter the following command: host_name copy /flash/cfgfiles/system.cfg /flash/configs_old/system_2011.cfg...
  • Page 155: Applying Pre-Existing Cli Configuration Files

    Important: Local devices that have been formatted using other methods such as NTFS or FAT32 may be used to store various operating system, CLI configuration, and crash log files. However, when placing a new local device into the MIO/UMIO/MIO2 for regular use, you should format the device via the system prior to use.
  • Page 156: Viewing Cli Configuration And Boot.sys Files

    Viewing CLI Configuration and boot.sys Files: The contents of CLI configuration and boot.sys files, contained on the local file system, can be viewed off-line (without loading them into the OS) by entering the following command at the Exec mode prompt: [local]host_name# show file url { /flash | /usb1 | /hd-raid } filename...
  • Page 157: Configuring The Boot Stack

    Configuring the Boot Stack: The boot stack consists of a prioritized listing of operating system software image-to-CLI configuration file associations. These associations determine the software image and configuration file that get loaded during system startup or upon a reload/reboot.
  • Page 158: Asr 5500 System Administration Guide, Staros Release 21.4

    Important: The StarOS image filename scheme changed with release 16.1. Pre-16.1, format = "production.image.bin". For 16.1 onwards, format = "asr5500-image_number.bin". This change is reflected in the examples provided below. Example 1 – StarOS releases prior to 16.1: boot system priority 18 \ image /flash/15-0-builds/production.45666.bin \ config /flash/general_config.cfg...
  • Page 159: Adding A New Boot Stack Entry

    Adding a New Boot Stack Entry Important: Before performing this procedure, verify that there are fewer than 10 entries in the boot.sys file and that a higher priority entry is available (i.e. that minimally there is no priority 1 entry in the boot stack). Refer to Viewing the Current Boot Stack for more information.
  • Page 160: Configuring The Boot Network

    This procedure details how to configure the boot interface for reliable communications with your network server. Make sure you are at the Exec mode prompt. Step 1: Enter the Global Configuration mode by entering the following command: [local]host_name# configure...
  • Page 161: Configuring Boot Network Delay Time

    The next example uses static IP addresses for MIO/UMIO/MIO2 in slot 5, which can access the external network server through a gateway whose IP address is 135.212.10.2. [local]host_name(config)# boot networkconfig static ip address mio5 192.168.206.101 netmask 255.255.255.0 gateway 135.212.10.2...
  • Page 162: Verify Free Space On The /Flash Device

    Download the Software Image from the Support Site: Access to the Cisco support site and download facility is username and password controlled. You must have an active customer account to access the site and download the StarOS image. Download the software image to a network location or physical device (USB stick) from which it can be uploaded to the /flash device.
  • Page 163: Transfer Staros Image To /Flash

    Transfer StarOS Image to /flash: Transfer the new operating system image file to the /flash directory on the MIO/UMIO/MIO2 using one of the following methods: • Copy the file from a network location or local device plugged into the MIO/UMIO/MIO2 by entering the following command: [local]host_name# copy from_url to_url [ -noconfirm ]...
  • Page 164: Downgrading From Release 20.0

    Downgrading from Release 20.0: Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved in the database. In release 20.0, PBKDF2 (Password Based Key Derivation Function - Version 2) is now used to derive a key of given length, based on entered data, salt and number of iterations.
  • Page 165: Configure A Message Of The Day Banner

    Important: Newcall policies are created on a per-service basis. If you have multiple services running on the chassis, you can configure multiple newcall policies. The syntax for newcall policies is described below: [local]host_name# newcall policy { asngw-service | asnpc-service | sgsn-service } { all | name service_name } reject host_name...
  • Page 166: Synchronize File Systems

    Assign the next highest priority to this entry, by using the <N-1> method, wherein you assign a priority number that is one number less than your current highest priority. Important: Run the Exec mode show boot command to verify that there are fewer than 10 entries in the boot.sys file and that a higher priority entry is available (minimally there is no priority 1 entry in the boot stack).
  • Page 167: Verify The Running Software Version

    Verify the Running Software Version: After the system has successfully booted, verify that the new StarOS version is running by executing the Exec mode show version command. [local]host_name# show version You can run the Exec mode show build command to display additional information about the running StarOS build release.
  • Page 168: New System License Keys

    New System License Keys: New systems are delivered with no license keys installed. In most cases, you receive the license key in electronic format (usually through e-mail). When a system boots with no license key installed, a default set of restricted session use and feature licenses is installed.
  • Page 169: Adding License Keys To Configuration Files

    LSP=000000|LSH=000000|LSG=500000|LSL=500000\|FIS=Y|FR4=Y|FPP=Y|FCS=Y|FTC=Y|FMG=Y| FCR=Y|FSR=Y|FPM=Y|FID=Y|SIG=MCwCF\Esnq6Bs/ XdmyfLe7rHcD4sVP2bzAhQ3IeHDoyyd6388jHsHD99sg36SG267gshssja77 Step 2: Verify that the license key just entered was accepted by entering the following command at the Exec mode prompt: [local]host_name# show license key The new license key should be displayed. If it is not, return to the Global configuration mode and re-enter the key using the license key command.
  • Page 170: License Expiration Behavior

    Requesting License Keys: License keys for the system can be obtained through your Cisco account representative. Specific information is required before a license key may be generated: • Sales Order or Purchase Order information • Desired session capacity •...
  • Page 171: Management Card Replacement And License Keys

    Management Card Replacement and License Keys: License keys are stored on a midplane EEPROM in the ASR 5500 chassis. The MIO/UMIO/MIO2s share these license keys. There is no need to swap memory cards into replacement MIO/UMIO/MIO2s. Managing Local-User Administrative Accounts: Unlike context-level administrative accounts, which are configured via a configuration file, information for local-user administrative accounts is maintained in a separate file in flash memory and managed through the...
  • Page 172: Local-User Account Suspensions

    • Password Aging: The configured maximum password age has been reached. Refer to the local-user password command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference for details. Accounts that are locked out are inaccessible to the user until either the configured lockout time is reached (refer to the local-user lockout-time command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference) or a security administrator clears the lockout (refer to the clear local-user command in the Exec Mode Commands chapter of the Command Line Interface Reference).
  • Page 173: Smart Licensing

    CHAPTER Smart Licensing • Feature Summary and Revision History, page 141 • Smart Software Licensing, page 142 • Configuring Smart Licensing, page 145 • Monitoring and Troubleshooting Smart Licensing, page 146 Feature Summary and Revision History Summary Data Applicable Product(s) or Functional Area...
  • Page 174: Smart Software Licensing

    Licensing consists of software activation by installing Product Activation Keys (PAK) on to the Cisco product. A Product Activation Key is a purchasable item, ordered in the same manner as other Cisco equipment and used to obtain license files for feature set on Cisco Products. Smart Software Licensing is a cloud based licensing of the end-to-end platform through the use of a few tools that authorize and deliver license reporting.
  • Page 175: Cisco Smart Software Manager

    Request a Cisco Smart Account A Cisco Smart Account is an account where all products enabled for Smart Licensing are deposited. A Cisco Smart Account allows you to manage and activate your licenses to devices, monitor license use, and track Cisco license purchases.
  • Page 176: Software Tags And Entitlement Tags

    Software Tags: Software tags uniquely identify each licensable software product or product suite on a device. The following software tags exist for the StarOS. Product Type / Description: Software Tag • ASR5500 (ASR-5500 Multimedia Core Platform): regid.2017-02.com.cisco.ASR5500,1.0_401f2e9e-67fd-4131-b61d-6e229d13a338 • VPC_SI: regid.2017-02.com.cisco.VPC_SI,1.0_dcb12293-10c0-4e90-b35e-b10a9f8bfac1...
  • Page 177: Configuring Smart Licensing

    Before you begin, ensure you have: • created a Smart Licensing/Virtual account on https://software.cisco.com • registered products on https://software.cisco.com using the ID tokens created as part of virtual account. • enabled a communication path between the StarOS system and the CSSM server.
  • Page 178: Monitoring And Troubleshooting Smart Licensing

    Handling Out of Compliance: If there are not enough licenses in the virtual account for a given SKU, CSSM sends an Out Of Compliance (OOC) message to the device in response to an authorization request. The system stops allowing additional sessions until the OOC state is cleared.
  • Page 179: Asr 5500 System Administration Guide, Staros Release 21.4

    • max_call_count – Maximum number of sessions/calls counted for the entire product for a particular service type. • last_lic_count – License count last reported to Cisco licensing (CSSM) for particular service type. • max_lic_count – Maximum license count reported to Cisco licensing (CSSM) for particular service type up to this point in time.
  • Page 181: Monitoring The System

    CHAPTER Monitoring the System This chapter provides information for monitoring system status and performance using the show commands found in the Command Line Interface (CLI). These commands have many related keywords that allow them to provide useful information on all aspects of the system ranging from current software configuration through call activity and status.
  • Page 182: Asr 5500 System Administration Guide, Staros Release 21.4

    Table 7: System Status and Performance Monitoring Commands To do this: Enter this command: View Administrative Information, Display Current Administrative User Access • View a list of all administrative users currently logged on the system: show administrators • View the context in which the administrative user is working, the IP address show administrators session id...
  • Page 183: Monitoring Asr 5500 Hardware Status

    To do this: Enter this command: • View information about system components, storage devices and network interfaces: show hardware View Card Information and Statistics • View diagnostics for all cards or for a card in a specific slot/port (for VPC, slot = VM): show card diag slot/port • View detailed information for all cards or a card in a specific slot/port (for...
  • Page 184: Asr 5500 System Administration Guide, Staros Release 21.4

    Table 8: Hardware Monitoring Commands To do this: Enter this command: View the Status of the Power System • View the status of the PFUs: show power chassis • View the power status of the individual chassis slots: show power all View the Status of the Fan Trays • View the status of the fan trays, including current relative speeds and...
  • Page 185: Clearing Statistics And Counters

    Clearing Statistics and Counters: It may be necessary to periodically clear statistics and counters in order to gather new information. The system provides the ability to clear statistics and counters based on their grouping (PPP, MIPHA, MIPFA, etc.). Statistics and counters can be cleared using the CLI clear command.
  • Page 187: Bulk Statistics

    CHAPTER Bulk Statistics This chapter provides configuration information for: • Feature Summary and Revision History, page 155 • Configuring Communication with the Collection Server, page 156 • Viewing Collected Bulk Statistics Data, page 160 •...
  • Page 188: Configuring Communication With The Collection Server

    Related Documentation • ASR 5500 System Administration Guide • Command Line Interface Reference • VPC-DI System Administration Guide • VPC-SI System Administration Guide Revision History Note: Revision history details are not provided for features introduced before releases 21.2 and N5.5. Revision Details Release...
  • Page 189: Configuring Optional Settings

    sample-interval time_interval transfer-interval xmit_time_interval limit mem_limit exit bulkstats collection Configuring Optional Settings: This section describes optional commands that can be used within the Bulk Statistics Configuration mode. Specifically, you can configure bulk statistic "files" under which to group the bulk statistics. "Files" are used to group bulk statistic schema, delivery options, and receiver configuration.
  • Page 190: Configuring A Separate Bulkstats Config File

    Configuring a Separate Bulkstats Config File: You can configure a separate destination file for storing the bulk statistics sub-mode configuration. Run the show configuration bulkstats command to confirm the configuration. The bulkstats configuration file stores the configuration that was previously stored in the system configuration file under the bulk statistics sub-mode.
  • Page 191: Verifying Your Configuration

    In addition, show configuration bulkstats brief displays the bulkstats configuration at a global scope, as well as all server configuration. It does not display the schema configuration. Verifying Your Configuration: After configuring support for bulk statistics on the system, you can check your settings prior to saving them. Follow the instructions in this section to verify your bulk statistic settings.
  • Page 192: Saving Your Configuration

    Saving Your Configuration: Save the configuration as described in the Verifying and Saving Your Configuration chapter. Viewing Collected Bulk Statistics Data: The system provides a mechanism for viewing data that has been collected but has not been transferred. This data is referred to as "pending data".
  • Page 193: Clearing Bulk Statistics Counters And Information

    To manually initiate the transferring of bulk statistics prior to reaching the maximum configured storage limit, enter the following Exec mode command: bulkstats force transfer Clearing Bulk Statistics Counters and Information: It may be necessary to periodically clear counters pertaining to bulk statistics in order to gather new information or to remove bulk statistics information that has already been collected.
  • Page 194: Data Types

    • Gauge: A gauge statistic indicates a single value; a snapshot representation of a single point in time within a defined time frame. The gauge changes to a new value with each snapshot though a value may repeat from one period to the next.
  • Page 195: Asr 5500 System Administration Guide, Staros Release 21.4

    Key Variables Variables (Statistic Type, Data Type): Description • date3 (Information, String): The UTC date that the collection file was created in YYMMDD format where YY represents the year, MM represents the month and DD represents the day. • time (Information, String): The UTC time that the collection file was created in HHMMSS...
  • Page 196: Bulk Statistics Event Log Messages

    Variables (Statistic Type, Data Type): Description • localtzoffset (Information, String): The offset from UTC/GMT for the local timezone. Format = "+" or "-" HHMM. • swbuild (Information, String): The build number of the StarOS version. Bulk Statistics Event Log Messages: The stat logging facility captures several events that can be useful for diagnosing errors that could occur with either the creation or writing of a bulk statistic data set to a particular location.
  • Page 197: Feature Summary And Revision History

    CHAPTER System Logs This chapter describes how to configure parameters related to the various types of logging and how to view their content. It includes the following sections: • Feature Summary and Revision History, page 165 •...
  • Page 198: System Log Types

    Applicable Platform(s): ASR 5500, VPC-SI, VPC-DI. Feature Default: Enabled. Related Changes in This Release: Not Applicable. Related Documentation • ASR 5500 System Administration Guide • Command Line Interface Reference • VPC-DI System Administration Guide • VPC-SI System Administration Guide Revision History: Revision history details are not provided for features introduced before releases 21.2 and N5.5.
  • Page 199: Configuring Event Logging Parameters

    • Event: Event logging can be used to determine system status and capture important information pertaining to protocols and tasks in use by the system. This is a global function that will be applied to all contexts, sessions, and processes.
  • Page 200: Configuring Event Log Filters

    Configuring Event Log Filters: You can filter the contents of event logs at the Exec mode and Global Configuration mode levels. For additional information, see the Command Line Interface Reference. Exec Mode Filtering: These commands allow you to limit the amount of data contained in logs without changing global logging parameters.
  • Page 201: Asr 5500 System Administration Guide, Staros Release 21.4

    • enable – Enables logging for a specific instance or all instances. This keyword is only supported for aaamgr, hamgr and sessmgr facilities. By default logging is enabled for all instances of aaamgr, hamgr and sessmgr.
  • Page 202: Global Configuration Mode Filtering

    You can display the instance numbers for enabled instances per facility using the Exec mode show instance-logging command. Global Configuration Mode Filtering: You can filter the contents of event logs at the Exec mode and Global Configuration mode levels. Follow the example below to configure run time event logging parameters for the system: configure logging filter runtime facility facility level report_level...
  • Page 203: Configuring Syslog Servers

    … Thu May 11 15:35:25 2017 Internal trap notification 1361 (DisabledEventIDs) Event IDs from 100 to 1000 have been disabled by user adminuser context context privilege level security administrator ttyname tty address type IPV4 remote ip address 1.2.3.4 …...
  • Page 204: Specifying Facilities

    Active logs are not written to the active memory buffer by default. To write active logs to the active memory buffer execute the following command in the Global Configuration mode: [local]host_name(config)# logging runtime buffer store all-events When active logs are written to the active memory buffer, they are available to all users in all CLI instances.
  • Page 205: Asr 5500 System Administration Guide, Staros Release 21.4

    • afmgr: Fabric Manager logging facility [ASR 5500 only] • alarmctrl: Alarm Controller facility • alcap: Access Link Control Application Part (ALCAP) protocol logging facility • alcapmgr: ALCAP manager logging facility • all: All facilities • bfd: Bidirectional Forwarding Detection (BFD) protocol logging facility •...
  • Page 206: Asr 5500 System Administration Guide, Staros Release 21.4

    • dhcpv6: DHCPv6 • dhost: Distributed Host logging facility • diabase: Diabase messages facility • diactrl: Diameter Controller proclet logging facility • diameter: Diameter endpoint logging facility • diameter-acct: Diameter Accounting • diameter-auth: Diameter Authentication • diameter-dns: Diameter DNS subsystem •...
  • Page 207: Asr 5500 System Administration Guide, Staros Release 21.4

    ◦ For 3G: Logs the access application layer (above the RANAP layer) • gprs-app: GPRS Application logging facility • gprs-ns: GPRS Network Service Protocol (layer between SGSN and the BSS) logging facility • gq-rx-tx-diameter: Gq/Rx/Tx Diameter messages facility •...
  • Page 208: Asr 5500 System Administration Guide, Staros Release 21.4

    • ims-sh: HSS Diameter Sh Interface Service facility • imsimgr: SGSN IMSI Manager facility • imsue: IMS User Equipment (IMSUE) facility • ip-arp: IP Address Resolution Protocol facility • ip-interface: IP interface facility • ip-route: IP route facility •...
  • Page 209: Asr 5500 System Administration Guide, Staros Release 21.4

    • mme-misc: MME miscellaneous logging facility • mmedemux: MME Demux Manager logging facility • mmemgr: MME Manager facility • mmgr: Master Manager logging facility • mobile-ip: Mobile IP processes • mobile-ip-data: Mobile IP data facility • mobile-ipv6: Mobile IPv6 logging facility •...
  • Page 210: Asr 5500 System Administration Guide, Staros Release 21.4

    • ocsp: Online Certificate Status Protocol logging facility. • orbs: Object Request Broker System logging facility • ospf: OSPF protocol logging facility • ospfv3: OSPFv3 protocol logging facility • p2p: Peer-to-Peer Detection logging facility • pagingmgr: PAGINGMGR logging facility •...
  • Page 211: Asr 5500 System Administration Guide, Staros Release 21.4

    • saegw: System Architecture Evolution (SAE) Gateway facility • sbc: SBc protocol logging facility • sccp: Signalling Connection Control Part (SCCP) Protocol logging (connection-oriented messages between RANAP and TCAP layers). • sct: Shared Configuration Task logging facility •...
  • Page 212: Asr 5500 System Administration Guide, Staros Release 21.4

    • srp: Service Redundancy Protocol (SRP) logging facility • sscfnni: Service-Specific Coordination Function for Signaling at the Network Node Interface (SSCF-NNI) logging facility • sscop: Service-Specific Connection-Oriented Protocol (SSCOP) logging facility • ssh-ipsec: Secure Shell (SSH) IP Security logging facility •...
  • Page 213: Configuring Trace Logging

    Configuring Trace Logging: Trace logging is useful for quickly resolving issues for specific sessions that are currently active. They are temporary filters that are generated based on a qualifier that is independent of the global event log filter configured using the logging filter command in the Exec mode.
  • Page 214: Viewing Logging Configuration And Statistics

    Viewing Logging Configuration and Statistics: Logging configuration and statistics can be verified by entering the following command from the Exec mode: [local]host_name# show logging [ active | verbose ] When no keyword is specified, the global filter configuration is displayed as well as information about any other type of logging that is enabled.
  • Page 215: Configuring And Viewing Crash Logs

    • From the console port: By default, the system automatically displays events over the console interface to a terminal provided that there is no CLI session active. This section provides instructions for viewing event logs using the CLI. These instructions assume that you are at the root prompt for the Exec mode.
  • Page 216: Configuring Software Crash Log Destinations

    2 The associated minicore, NPU or kernel dump file is stored in the /flash/crsh2 directory. 3 A full core dump is stored in a user configured directory. Important: The crashlog2 file along with associated minicore, NPU and kernel dumps are automatically synchronized across redundant management cards (SMC, MIO/UMIO).
  • Page 217: Viewing Abridged Crash Log Information Using The Cli

    Crash log files (full core dumps) are written with unique names as they occur to the specified location. The name format is crash-card-cpu-time-core, where card is the card slot, cpu is the number of the CPU on the card, and time is the Portable Operating System Interface (POSIX) timestamp in hexadecimal notation.
  • Page 218: Reducing Excessive Event Logging

    • Process – where the crash occurred (Card, CPU, PID, etc.) • Crash time – timestamp for when the crash occurred in the format: YYYY-MMM-DD+hh:mm:ss time zone • Recent errno – text of most recent error number. •...
  • Page 219: Configuring Log Source Thresholds

    Both traps can be enabled or suppressed via the Global Configuration mode snmp trap command. Configuring Log Source Thresholds: There are three Global Configuration mode commands associated with configuring and implementing Log Source thresholds. 1 threshold ls-logs-volume –...
  • Page 220: Saving Log Files

    Important: Checkpointing logs should be done periodically to prevent the log files becoming full. Logs which have 50,000 events logged will discard the oldest events first as new events are logged. Important: An Inspector-level administrative user cannot execute this command. Saving Log Files: Log files can be saved to a file in a local or remote location specified by a URL.
  • Page 221: Asr 5500 System Administration Guide, Staros Release 21.4

    Event ID Overview Facility: Description, Event ID Range • acsmgr: Active Charging Service Manager (ACSMgr) Facility, 91000-91999 • afctrl: Ares Fabric Controller (ASR 5500 only), 186000-186999 • afmgr: Ares Fabric Manager (ASR 5500 only), 187000-187999 • alarmctrl: Alarm Controller Facility, 65000-65999 • alcap: Access Link Control Application Part (ALCAP) Protocol Facility, 160900-161399 • alcapmgr...
  • Page 222: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • dcardctrl: Daughter Card Controller Facility, 62000-62999 • dcardmgr: Daughter Card Manager Facility, 57000-57999 • demuxmgr: Demux Manager Facility, 110000-110999 • dgmbmgr: Diameter Gmb (DGMB) Application Manager Facility, 126000-126999 • dhcp: DHCP Facility, 53000-53999 • dhcpv6: DHCPv6 Protocol Facility, 123000-123999 • dhost...
  • Page 223: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • Femto Network Gateway (FNG) Facility, 149000-149999 • gbrmgr: Gb-Manager Facility, 201900-202699 • gcdr: GGSN-Charging Data Record (G-CDR) Facility, 66000-66999 • GPRS Mobility Management (GMM) Facility, 88100-88299 • gprs-app: General Packet Radio Service (GPRS) Application Facility, 115100-115399 • gprs-ns: GPRS-NS Protocol Facility...
  • Page 224: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • ims-sh: IMS SH Library Facility, 124000-124999 • imsimgr: International Mobile Subscriber Identity (IMSI) Manager Facility, 114000-114999 • imsue: IMS User Equipment (IMSUE) Facility, 144000-145999 • ip-arp: IP Address Resolution Protocol (ARP) Facility, 19000-19999 • ip-interface: IP Interface Facility, 18000-18999...
  • Page 225: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • mme-misc: MME Miscellaneous Facility, 155800-156199 • mmedemux: MME Demux Manager Facility, 154000-154999 • mmemgr: MME Manager Facility, 137000-137499 • mmgr: Master Manager (MMGR) Facility, 86000-86399 • mobile-ip: Mobile IP (MIP) Protocol Facility, 26000-26999 • mobile-ip-data: MIP Tunneled Data Facility, 27000-27999 • mobile-ipv6...
  • Page 226: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • npumgr-port: NPUMGR Port Facility, 166000-166999 • npumgr-recovery: NPUMGR Recovery Facility, 165000-165999 • npumgr-vpn: NPUMGR VPN Facility, 181000-181999 • npusim: NPUSIM Facility, 176000-176999 • ntfy-intf: Event Notification Interface Facility, 170000-170499 • orbs: Object Request Broker (ORB) System Facility, 15000-15999 • ospf: Open Shortest Path First (OSPF) Protocol Facility...
  • Page 227: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • rsvp: RSVP Protocol Facility, 93000-93999 • RANAP User Adaptation (RUA) Protocol Facility, 152000-152009 • s1ap: S1 Application Protocol (S1AP) Facility, 155200-155799 • saegw: System Architecture Evolution Gateway Facility, 191000-191999 • sccp: Signalling Connection Control Part (SCCP) Protocol Facility [SS7], 86700-86899 • Shared Configuration Task (SCT) Facility...
  • Page 228: Asr 5500 System Administration Guide, Staros Release 21.4

    Facility: Description, Event ID Range • snmp: Simple Network Management Protocol (SNMP) Facility, 22000-22999 • sprmgr: Subscriber Policy Register (SPR) Manager Facility, 159500-159999 • srdb: Static Rating Database Facility, 102000-102999 • Service Redundancy Protocol (SRP) Facility, 84000-84999 • sscfnni: SSCFNNI Protocol Facility [ATM], 115500-115599 • sscop: SSCOP Protocol Facility [ATM]...
  • Page 229: Event Severities

    Event Severities: The system provides the flexibility to configure the level of information that is displayed when logging is enabled. The following levels are supported: • critical: Logs only those events indicating a serious error has occurred that is causing the system or a system component to cease functioning.
  • Page 230: Asr 5500 System Administration Guide, Staros Release 21.4

    System Logs Understanding Event ID Information in Logged Output Element Description [software internal system] Indicates that the event was generated because of system operation. CLI session ended for Security Administrator The event's details. Event details may, or may not include admin on device /dev/pts/2 variables that are specific to the occurrence of the event.
  • Page 231: Troubleshooting

    C H A P T E R Troubleshooting This chapter provides information and instructions for using the system command line interface (CLI) for troubleshooting any issues that may arise during system operation. Refer to the ASR 5500 Installation Guide for comprehensive descriptions of the hardware components addressed by these troubleshooting procedures.
  • Page 232: Licensing Issues

    Troubleshooting Licensing Issues Licensing Issues The system boot process is governed by StarOS licenses. During the startup process, each card performs a series of Power-On Self Tests (POSTs) to ensure that the hardware is operational. These tests also verify that the card meets all license requirements to operate in this chassis.
  • Page 233: Asr 5500 System Administration Guide, Staros Release 21.4

    Troubleshooting Checking the LEDs on the PFU Each LED on the PFU should illuminate blue for normal operating conditions. Figure 13: PFU LEDs The possible states for these LEDs are described in the following table. If the LED is not blue, use the troubleshooting information below to diagnose the problem.
  • Page 234: Checking The Leds On The Mio Card

    Troubleshooting Checking the LEDs on the MIO Card Checking the LEDs on the MIO Card Each MIO/UMIO/MIO2 is equipped with the following LEDs: • Run/Fail • Active • Redundancy • Master • Busy Figure 14: MIO Card Status LEDs The possible states for all MIO/UMIO/MIO2 LEDs are described in the sections that follow. MIO Run/Fail LED States The MIO/UMIO/MIO2 Run/Fail LED indicates the overall status of the card.
  • Page 235: Mio Active Led States

    Troubleshooting Checking the LEDs on the MIO Card Color Description Troubleshooting Blinking Green Card is initializing and/or loading software This is normal operation during boot-up. Card powered with error(s) detected Errors were detected during the Power On Self Tests (POSTs). It is likely that the errors were logged to the system's command line interface during boot.
  • Page 236: Mio Redundancy Led States

    Troubleshooting Checking the LEDs on the MIO Card MIO Redundancy LED States The Redundancy LED on the MIO/UMIO/MIO2 indicates that software is loaded on the card, but it is serving as a redundant component. For the MIO/UMIO/MIO2 installed in slot 6, this LED should be green for normal operation.
  • Page 237: Mio Busy Led States

    Troubleshooting Checking the LEDs on the MIO Card Color Description Troubleshooting None This card is the Standby MIO. Verify that the Run/Fail LED is green. If so, the card is receiving power and POST results are positive. If it is off, refer to MIO Run/Fail LED States, on page 202 for troubleshooting information.
  • Page 238: Mio – Interface Activity Led States

    Troubleshooting Checking the LEDs on the DPC Color Description Troubleshooting None No power to card. Verify that the Run/Fail LED is green. If so, the card is receiving power. If it is off, refer to MIO Run/Fail LED States, on page 202 for troubleshooting information.
  • Page 239: Dpc Run/Fail Led States

    Troubleshooting Checking the LEDs on the DPC • Redundancy Figure 15: DPC Status LEDs The possible states for all of the DPC/UDPC or /DPC2/UDPC2 LEDs are described in the sections that follow. DPC Run/Fail LED States The DPC/UDPC or /DPC2/UDPC2 Run/Fail LED indicates the overall status of the card. This LED should be green for normal operation.
  • Page 240: Dpc Active Led States

    Troubleshooting Checking the LEDs on the DPC Color Description Troubleshooting None Card is not receiving power. Verify that the LEDs on the PFUs are blue. If they are not, refer to Checking the LEDs on the PFU, on page 200 for troubleshooting information.
  • Page 241: Dpc Redundancy Led States

    Troubleshooting Checking the LEDs on the FSC DPC Redundancy LED States The Redundancy LED on the DPC/UDPC or /DPC2/UDPC2 indicates that software is loaded on the card, but it is serving as a standby component. DPC/UDPCs or /DPC2/UDPC2s support n:1 redundancy; the Redundancy LED should be green on only one DPC/UDPC or /DPC2/UDPC2 for normal system operation.
  • Page 242: Fsc Run/Fail Led States

    Troubleshooting Checking the LEDs on the FSC • Drive 2 Activity Figure 16: FSC Status LEDs The possible states for all FSC LEDs are described in the sections that follow. FSC Run/Fail LED States The FSC Run/Fail LED indicates the overall status of the card. This LED should be green for normal operation. The possible states for this LED are described in the following table.
  • Page 243: Fsc Active Led States

    Troubleshooting Checking the LEDs on the FSC Color Description Troubleshooting None Card is not receiving power Verify that the LEDs on the PFUs are blue. If they are not, refer to Checking the LEDs on the PFU, on page 200 for troubleshooting information.
  • Page 244: Fsc Drive N Activity Led States

    Troubleshooting Checking the LEDs on the FSC Table 27: FSC Redundancy LED States Color Description Troubleshooting Green Card is in redundant mode None needed. There is at least one FSC in Standby mode. Amber Card is not backed up by a Check the status of the other FSCs.
  • Page 245: Checking The Leds On The Ssc

    Troubleshooting Checking the LEDs on the SSC Checking the LEDs on the SSC Each SSC is equipped with the following LEDs as shown in the accompanying figure: • Run/Fail • Active • Redundancy • System Status • System Service Figure 17: SSC Status LEDs The possible states for all SSC LEDs are described in the sections that follow.
  • Page 246: Ssc Active Led States

    Troubleshooting Checking the LEDs on the SSC Table 29: SSC Run/Fail LED States Color Description Troubleshooting Green Card powered with no errors detected None needed. Blinking Green Card is initializing and/or loading software This is normal operation during boot-up. Card powered with error(s) Errors were detected during the Power On Self Tests (POSTs).
  • Page 247: Ssc Redundancy Led States

    Troubleshooting Checking the LEDs on the SSC SSC Redundancy LED States The Redundancy LED on the SSC indicates that software is loaded on the card, but it is serving as a standby component. SSCs support 1:1 redundancy; the Redundancy LED should be green on the other SSC for normal system operation.
  • Page 248: Ssc System Service Led States

    Troubleshooting Testing System Alarm Outputs SSC System Service LED States The System Service LED on the SSC illuminates amber to indicate that the system has experienced a hardware component failure. This LED is off during normal operation. The possible states for this LED are described in the following table. If the LED is not green, use the troubleshooting information in the table to diagnose the problem.
  • Page 249: Switching Mios

    Troubleshooting Switching MIOs Switching MIOs When the system boots up, the MIO/UMIO/MIO2 installed in chassis slot 5 will boot into the Active mode and begin booting other system components. The MIO/UMIO/MIO2 installed in chassis slot 6 will automatically be booted into Standby mode dictating that it will serve as a redundant component. The active MIO/UMIO/MIO2 automatically synchronizes currently running tasks or processes with the standby MIO/UMIO/MIO2.
  • Page 250: Migrating A Dpc

    Troubleshooting Migrating a DPC Migrating a DPC When the system boots up, all DPC/UDPCs or DPC2/UDPC2s enter the "standby" mode. The standby mode indicates that the card is available for use but is not configured for operation. Installed components can be made active through the software configuration process.
  • Page 251: Initiate A Card Halt

    Troubleshooting Halting Cards Initiate a Card Halt Important: Do not initiate a card halt for an active FSC if there are fewer than two active FSCs in the system. The system returns an error message if there are fewer than two active FSCs. There are similar restrictions when executing the card reboot or card upgrade commands on active FSCs.
  • Page 252: Verifying Network Connectivity

    Troubleshooting Verifying Network Connectivity Verifying Network Connectivity There are multiple commands supported by the system to verify and/or troubleshoot network connectivity. Note that network connectivity can only be tested once system interfaces and ports have been configured and bound. The commands specified in this section should be issued on a context-by-context basis. Contexts act like virtual private networks (VPNs) that operate independently of other contexts.
  • Page 253: Using The Traceroute Or Traceroute6 Command

    Troubleshooting Using the traceroute or traceroute6 Command • Verify the port is operational. • Verify that the configuration of the ports and interfaces within the context are correct. • If the configuration is correct and you have access to the device that you're attempting to ping, ping the system from that device.
  • Page 254: Viewing Ip Routes

    Troubleshooting Viewing IP Routes Viewing IP Routes The system provides a mechanism for viewing route information to a specific node or for an entire context. This information can be used to verify network connectivity and to ensure the efficiency of the network connection.
  • Page 255: Using The System Diagnostic Utilities

    Troubleshooting Using the System Diagnostic Utilities Using the System Diagnostic Utilities The system provides protocol monitor and test utilities that are useful when troubleshooting or verifying configurations. The information generated by these utilities can help identify the root cause of a software or network configuration issue.
  • Page 256: Using The Protocol Monitor For A Specific Subscriber

    Troubleshooting Using the Protocol Monitor Step 5 Enter Y to proceed with the monitor or N to go back to the previous menu. C - Control Events (ON ) D - Data Events (ON ) E - EventID Info (ON ) H - Display ethernet (ON ) I - Inbound Events...
  • Page 257: Asr 5500 System Administration Guide, Staros Release 21.4

    Troubleshooting Using the Protocol Monitor Option Y for performing multi-call traces is only supported for use with the GGSN. Step 5 Repeat step 6 as needed to enable or disable multiple protocols. Step 6 Press Enter to refresh the screen and begin monitoring. The following displays a portion of a sample of the monitor's output for a subscriber named user2@aaa.
  • Page 258: Generating An Ssd

    Troubleshooting Generating an SSD PPP Rx PDU (12) IPCP 12: Conf-Req(3), IP-Addr=192.168.250.87 The monitor remains active until disabled. To quit the protocol monitor and return to the prompt, press q. Generating an SSD An SSD is an instance of the output when the Exec mode show support details command is run. It displays a comprehensive list of system information that is useful for troubleshooting purposes.
  • Page 259: Asr 5500 System Administration Guide, Staros Release 21.4

    Troubleshooting Configuring and Using the Support Data Collector on a periodic basis. The record collector always runs in the background and checks if there are records to be collected. When it is time to collect support data, the scheduler executes the configured sequence of CLI commands and stores the results in a gzip-compressed (.gz) file on the hard disk.
  • Page 261: Feature Information

    C H A P T E R Packet Capture (PCAP) Trace • Feature Information, page 229 • Feature Description, page 230 • Configuring PCAP Trace, page 230 • Monitoring and Troubleshooting PCAP Trace, page 237 Feature Information Summary Data Applicable Product(s) or Functional Area •...
  • Page 262: Feature Description

    Packet Capture (PCAP) Trace Feature Description Related Documentation • ASR 5000 System Administration Guide • ASR 5500 System Administration Guide • Command Line Interface Reference Guide • ePDG Administration Guide • IPSec Reference Guide • SaMOG Administration Guide • VPC-SI System Administration Guide Revision History Revision history details are not provided for features introduced before release 21.2.
  • Page 263: Configuring The Hexdump Module

    Packet Capture (PCAP) Trace Configuring the Hexdump Module • Although hexdump record generation is supported on both single-mode and multi-mode, it is recommended to enable the CDR multi-mode. • Use the default cdr-multi-mode command to configure this command with its default setting. •...
  • Page 264: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Configuring the Hexdump Module ◦ time-limit seconds: Specifies that hexdump records are to be deleted from the hard drive upon reaching a time limit defined in seconds. seconds must be an integer from 600 through 2592000. ◦...
  • Page 265: Configuring The Hexdump File Parameters

    Packet Capture (PCAP) Trace Configuring the Hexdump File Parameters ◦ secondary secondary-url secondary_url: Specifies the secondary URL location to which the system pushes the hexdump files. secondary_url must be an alphanumeric string of 1 through 1024 characters in the format: //user:password@host:[port]/direct.
  • Page 266: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Configuring the Hexdump File Parameters • Use the current-prefix prefix keyword to specify a string to add at the beginning of the hexdump file that is currently being used to store records. ◦ prefix must be an alphanumeric string of 1 through 31 characters. ◦...
  • Page 267: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Configuring the Hexdump File Parameters ◦ tariff-time minute minutes hour hours: Specifies to close the current hexdump file and create a new one based on the tariff time (in minutes and hours). minutes must be an integer from 0 through 59. hours must be an integer from 0 through 23.
  • Page 268: Enabling Or Disabling Hexdump

    Packet Capture (PCAP) Trace Enabling or Disabling Hexdump • Use the trap-on-file-delete keyword to instruct the system to send an SNMP notification (trap) when a hexdump file is deleted due to lack of space. Default: Disabled • Use the xor-final-record keyword to insert an exclusive OR (XOR) checksum (instead of a CRC checksum) into the hexdump file header, if the exclude-checksum-record is left at its default setting.
  • Page 269: Monitoring And Troubleshooting Pcap Trace

    Packet Capture (PCAP) Trace Monitoring and Troubleshooting PCAP Trace ◦ Chunk flags ◦ Transmission Sequence Numbers (TSN) ◦ Stream identifier ◦ Stream sequence number • When the SCTP protocol option is selected in monpro, PCAP hexdump will have the original SCTP header.
  • Page 270: Show { Hexdump-Module | Cdr } File-Space-Usage

    Packet Capture (PCAP) Trace Show Command(s) and/or Outputs Field Description Hexdump-module files rotated due Total number of times a hexdump file was closed and a new hexdump to time limit file was created since the time limit was reached. Hexdump-module files rotated due Total number of times a hexdump file was closed and a new hexdump to tariff-time file was created since the tariff time was reached.
  • Page 271: Show Hexdump-Module Statistics

    Packet Capture (PCAP) Trace Show Command(s) and/or Outputs Field Description Percentage of Hexdump-module file Indicates the total percentage of storage used for hexdump files. store usage show hexdump-module statistics The following fields are available in the output of the show hexdump-module statistics command in support of this feature.
  • Page 272: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Show Command(s) and/or Outputs Table 36: show hexdump-module statistics Command Output Descriptions Field Description Hexdump-module-Record file Statistics: CDRMOD Instance Id Indicates the CDRMOD instance id for which the statistics are collected. Hexdump-module files rotated Total number of times a hexdump file was closed and a new hexdump file was created.
  • Page 273: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Show Command(s) and/or Outputs Field Description Num of times PUSH Failed Total number of times PUSH operation failed. Num of times PUSH cancelled due to HD failure Total number of times PUSH operation failed due to hard disk failure.
  • Page 274: Asr 5500 System Administration Guide, Staros Release 21.4

    Packet Capture (PCAP) Trace Show Command(s) and/or Outputs Field Description Failed File Transfers Total number of hexdump files that failed transfer to the secondary storage server. Num of times PUSH initiated Total number of times PUSH operation was initiated to transfer hexdump files to the secondary storage server.
  • Page 275: Chapter

    C H A P T E R System Recovery This chapter describes how to recover a system after it has failed to complete a reboot following a power off cycle or interruption of the normal boot sequence following a reload command. Caution: This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval.
  • Page 276: Accessing The Boot Cli

    System Recovery Accessing the boot CLI The system recovery process will prompt you to enter the path name for the location of the StarOS boot image from which the system will boot. By default the boot command will timeout and attempt to reload the highest priority image from flash memory using the default configuration file.
  • Page 277: Enter Cli Mode

    System Recovery Enter CLI Mode aborted by user 8/0:boot> Enter CLI Mode With the boot prompt displayed, enter cli to access the boot recovery CLI. The CLI prompt changes as shown below: 8/0:boot> 8/0:cli> boot Command Syntax The boot recovery command has the following syntax: boot [ -show | -priority=* | -config=* | -noconfig ] { bootfile_URL } The options for this command include: •...
  • Page 278: Boot Using A Specified Configuration File

    System Recovery Boot Using A Specified Configuration File You can exit the Quick Setup Wizard by entering no in response to the above prompt. Load a desired configuration file using the Exec mode configure command followed by the URL for the configuration file as shown in the example below: host_name configure /flash/system.cfg...
  • Page 279: Access Control Lists

    C H A P T E R Access Control Lists This chapter describes system support for access control lists and explains how they are configured. The product administration guides provide examples and procedures for configuration of basic services on the system.
  • Page 280: Understanding Acls

    Access Control Lists Understanding ACLs Separate ACLs may be created for IPv4 and IPv6 access routes. Understanding ACLs This section discusses the two main aspects to ACLs on the system: • Rule(s), on page 248 • Rule Order, on page 250 Important: Refer to ACL Configuration Mode Commands and the IPv6 ACL Configuration Mode Commands chapter in the Command Line Interface Reference for the full command syntax.
  • Page 281: Asr 5500 System Administration Guide, Staros Release 21.4

    Access Control Lists Rule(s) • Any: Filters all packets • Host: Filters packets based on the source host IP address • ICMP: Filters Internet Control Message Protocol (ICMP) packets • IP: Filters Internet Protocol (IP) packets • Source IP Address: Filter packets based on one or more source IP addresses •...
  • Page 282: Rule Order

    Access Control Lists Rule Order Rule Order A single ACL can consist of multiple rules. Each packet is compared against each of the ACL rules, in the order in which they were entered, until a match is found. Once a match is identified, all subsequent rules are ignored.
  • Page 283: Configuring Action And Criteria For Subscriber Traffic

    Access Control Lists Configuring Action and Criteria for Subscriber Traffic { ip | ipv6 } access-list acl_list_name Notes: • The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task. Typically, the maximum is less than 200. Configuring Action and Criteria for Subscriber Traffic To create rules to deny/permit the subscriber traffic and apply the rules after or before action, enter the following command sequence from the Exec mode of the system CLI:...
  • Page 284: Verifying The Acl Configuration

    Access Control Lists Verifying the ACL Configuration • Context name is the name of the context containing the "undefined" ACL to be modified. For more information, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference. Verifying the ACL Configuration To verify the ACL configuration, enter the Exec mode show { ip | ipv6 } access-list command.
  • Page 285: Asr 5500 System Administration Guide, Staros Release 21.4

    Access Control Lists Applying IP ACLs If ACLs are applied at multiple levels within a single context (such as an ACL is applied to an interface within the context and another ACL is applied to the entire context), they will be processed as shown in the following figure and table.
  • Page 286: Applying The Acl To An Interface

    Access Control Lists Applying the ACL to an Interface In the event that an IP ACL is applied that has not been configured (for example, the name of the applied ACL was configured incorrectly), the system uses an "undefined" ACL mechanism for filtering the packet(s). This section provides information and instructions for applying ACLs and for configuring an "undefined"...
  • Page 287: Verifying The Acl Configuration On An Interface

    Access Control Lists Applying the ACL to a Context Verifying the ACL Configuration on an Interface This section describes how to verify the ACL configuration. In the Exec Mode, enter the following command: host_name show configuration context context_name [local] context_name is the name of the context containing the interface to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context.
  • Page 288: Applying An Acl To All Traffic Within A Context

    Access Control Lists Applying the ACL to a Context • Outgoing packets to an external source. • Incoming packets that fail flow match and are forwarded again. In this case, the context ACL applies first and only if it passes are packets forwarded. During forwarding, if an ACL rule is added with a destination address as a loopback address, the context ACL is also applied.
  • Page 289: Applying An Acl To A Radius-Based Subscriber

    Access Control Lists Applying an ACL to a RADIUS-based Subscriber configure context context_name ip access-list acl_name deny host ip_address deny ip any host ip_address exit ip access-group access_group_name service-redundancy-protocol exit interface interface_name ip address ip_address/mask exit subscriber default exit aaa group default exit gtpp group default Applying an ACL to a RADIUS-based Subscriber...
  • Page 290: Applying An Acl To An Individual Subscriber

    Access Control Lists Applying an ACL to an Individual Subscriber Applying an ACL to an Individual Subscriber To apply the ACL to an individual subscriber, use the following configuration: configure context acl_ctxt_name [ -noconfirm ] subscriber name subs_name { ip | ipv6 } access-group acl_list_name [ in | out ] Notes: •...
  • Page 291: Applying An Acl To The Subscriber Named Default

    Access Control Lists Applying an ACL to the Subscriber Named default ip access-group access_group_name ip access-group access_group_name exit aaa group default exit gtpp group default exit content-filtering server-group cfsg_name response-timeout response_timeout connection retry-timeout retry_timeout Applying an ACL to the Subscriber Named default This section provides information and instructions for applying an ACL to the subscriber named default.
  • Page 292: Verifying The Acl Configuration To The Subscriber Named Default

    Access Control Lists Applying an ACL to Service-specified Default Subscriber • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets. • The ACL to be applied must be configured in the context specified by this command. •...
  • Page 293: Applying An Acl To Service-Specified Default Subscriber

    Access Control Lists Applying an ACL to Service-specified Default Subscriber This section provides the minimum instruction set for applying the ACL list to all traffic within a context. Important For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
  • Page 294: Applying A Single Acl To Multiple Subscribers

    Access Control Lists Applying a Single ACL to Multiple Subscribers context_name is the name of the context containing the service with the default subscriber to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration.
  • Page 295: Applying An Acl To Multiple Subscriber Via Apns

    Access Control Lists Applying a Single ACL to Multiple Subscribers When configured properly, the functions described in the table above could be used to apply an ACL to: • All subscribers facilitated within a specific context by applying the ACL to the profile of the subscriber named default.
  • Page 296: Verifying The Acl Configuration To Apns

    Access Control Lists Applying a Single ACL to Multiple Subscribers To configure the system to provide access control list facility to subscribers: Step 1 Apply the configured access control list by following the example configuration in Applying an ACL to Multiple Subscriber via APNs, on page 263.
  • Page 297: Overview

    C H A P T E R Congestion Control This chapter describes the Congestion Control feature. It covers the following topics: • Overview, page 265 • Configuring Congestion Control, page 266 Overview Congestion Control monitors the system for conditions that could potentially degrade performance when the system is under heavy load.
  • Page 298: Configuring Congestion Control

    Congestion Control Configuring Congestion Control Important: This section provides the minimum instruction set for configuring congestion control. Commands that configure additional interface or port properties are provided in Subscriber Configuration Mode in the Command Line Interface Reference. Always refer to the Administration Guides for all of the licensed products running on this platform for additional configuration information with respect to congestion control.
  • Page 299: Configuring Service Congestion Policies

    Congestion Control Configuring Service Congestion Policies Mode Commands, LTE Policy Configuration Mode Commands and Congestion Action Profile Configuration Mode Commands in the Command Line Interface Reference for more information. • Repeat this configuration as needed for additional thresholds. Configuring Service Congestion Policies To create a congestion control policy, apply the following example configuration in the Global Configuration mode of the CLI: configure...
  • Page 300: Enabling Congestion Control Redirect Overload Policy

    Congestion Control Enabling Congestion Control Redirect Overload Policy Enabling Congestion Control Redirect Overload Policy To create a congestion control policy and configure a redirect overload policy for the service, apply the following example configuration: configure congestion-control context context_name {service_configuration_mode} policy overload redirect address Notes: •...
  • Page 301: Asr 5500 System Administration Guide, Staros Release 21.4

    Congestion Control Enabling Congestion Control Redirect Overload Policy To enable overload disconnect for the currently selected subscriber, use the following configuration example: configure context context_name subscriber name subscriber_name default overload-disconnect threshold inactivity-time dur_thresh default overload-disconnect threshold connect-time dur_thresh To disable the overload disconnect feature for this subscriber, use the following configuration example: configure context context_name subscriber subscriber_name...
  • Page 303: Routing Policies

    C H A P T E R Routing This chapter provides information on configuring an enhanced, or extended, service. The product administration guides provide examples and procedures for configuring basic services on the system. You should select the configuration example that best meets your service model, and configure the required elements for that model before using the procedures described below.
  • Page 304: Creating Ip Prefix Lists

    Routing Creating IP Prefix Lists of control you use IP Prefix Lists, Route Access Lists and AS Path Access Lists to specify IP addresses, address ranges, and Autonomous System paths. Creating IP Prefix Lists Use the following configuration example to create IP Prefix Lists: config context context_name ip prefix-list name list_name { deny | permit } network_address/net_mask...
  • Page 305: Creating Route Maps

    Routing Creating Route Maps Creating Route Maps Use the following configuration example to create a Route Map: config context context_name route-map map_name { deny | permit } seq_number Notes: • Use the match and set commands in Route Map Configuration mode to configure the route map. Refer to the Command Line Interface Reference for more information on these commands.
  • Page 306: Adding Static Routes To A Context

    It also describes how to enable the base OSPF functionality and lists the commands that are available for more complex configurations. You must purchase and install a license key before you can use this feature. Contact your Cisco account representative for more information on licenses.
  • Page 307: Ospf Version 2 Overview

    Routing OSPF Version 2 Overview Important: During system task recovery, it is possible for a dynamically-learned forwarding entry to incorrectly remain in the system forwarding table if that forwarding entry has been removed from the dynamic routing protocol during the recovery. Important: On the ASR 5500, OSPF routes with IPv6 prefix lengths less than /12 and between the range of /64 and /128 are not supported.
  • Page 308: Basic Ospfv2 Configuration

    Routing Basic OSPFv2 Configuration Basic OSPFv2 Configuration This section describes how to implement basic OSPF routing. Enabling OSPF Routing For a Specific Context Use the following configuration example to enable OSPF Routing for a specific context: config context context_name router ospf Notes: •...
  • Page 309: Confirming Ospf Configuration Parameters

    Routing OSPFv3 Routing Confirming OSPF Configuration Parameters To confirm the OSPF router configuration, use the following command and look for the section labeled router ospf in the screen output: show config context ctxt_name [ verbose ] OSPFv3 Routing This section gives an overview of Open Shortest Path First Version 3 (OSPFv3) routing and its implementation in the system.
  • Page 310: Enabling Ospfv6 Over A Specific Interface

    After you enable OSPFv3, specify the area in which it will run. Use the following command to enable OSPFv3: area { area_id | area_ip_address } [ default-cost dflt-cost ] [ stub stub-area ] [ virtual-link vl-neighbor-ipv4address ] The default cost for OSPFv3 on the system is 10.
  • Page 311: Bgp-4 Routing

    The following command configures the maximum number of equal cost paths that can be submitted by a routing protocol: config context context_name ip routing maximum-paths [ max_num ] Notes: • max_num is an integer from 1 through 10 (releases prior to 18.2) or 1 through 32 (release 18.2+). •...
  • Page 312: Configuring Bgp

    • Route Filtering for inbound and outbound routes • Route redistribution and route-maps • Support for BGP communities and extended communities in route maps • Local preference for IPv4 and IPv6 (IBGP peers) IP pool routes and loopback routes are advertised in the BGP domain in the following ways: •...
  • Page 313: Bgp Communities And Extended Communities

    • The redistribution options are connected, ospf, rip, or static. Refer to the Border Gateway Protocol Configuration Mode Commands chapter of the Command Line Interface Reference for details on the redistribute command. • A maximum of 64 route-maps are supported per context. •...
  • Page 314: Setting The Community Attribute

    You set the BGP community attribute via a set community command in a route map. config context context_name route-map map_name { deny | permit } sequence_number set community [additive]{ internet | local-AS | no-advertise | no-export | none | value AS-community_number AS-community_number AS-community_number ...} { internet | local-AS | no-advertise | no-export | none | value AS-community_number AS-community_number AS-community_number ...
  • Page 315: Setting The Extended Community Attribute

    You set the BGP extended community attribute via a set extcommunity command in a route map. config context context_name route-map map_name { deny | permit } sequence_number set extcommunity rt rt_number rt_number rt_number ... rt_number specifies a Route Target as a string in AS:NN format, where AS = 2-byte AS-community hexadecimal number and NN = 2-byte hexadecimal number (1 to 11 characters).
  • Page 316: Configurable Bgp Route Advertisement Interval For Icsr

    from deploying BGP Prefix Independent Convergence (PIC) in the Optical Transport Network Generation Next (OTNGN). BGP PIC is intended to improve network convergence which will safely allow for setting aggressive ICSR failure detection timers. configure context context_name service-redundancy-protocol...
  • Page 317: Asr 5500 System Administration Guide, Staros Release 21.4

    BGP CLI Configuration Commands: configure context context_name router bgp as_number
    Table 39: BGP Configuration Mode CLI Commands
    bgp Command: accept-zero-as-rd
    Description: Configures to accept VPN prefixes with Route Distinguisher (RD) value having Administrator Subfield, which is an AS number 0.
    bgp Command: address-family { ipv4 | ipv6 }
    Description: Enters the IPv4 or IPv6 Address Family configuration mode.
  • Page 318: Confirming Bgp Configuration Parameters

    bgp Command: neighbor ip_address { activate | advertisement-interval adv_time | capability graceful-restart | default-originate [ route-map map_name ] | distribute-list dist_list{ in | out } |
    Description: Configures BGP routers that interconnect to non-broadcast networks. Note that a remote AS number must be specified for a neighbor before other parameters can be configured.
  • Page 319: Overview Of Bfd Support

    them. The session is established with a three-way handshake, and is torn down the same way. Authentication may be enabled on the session. A choice of simple password, MD5 or SHA1 authentication is available. Overview of BFD Support: BFD does not have a discovery mechanism;...
  • Page 320: Configuring A Bfd Context

    config context context_name bfd-protocol [ bfd echo ] exit Notes: • Echo function can be optionally enabled for all interfaces in this context. • 16 BFD sessions per context and 64 per chassis. Configuring IPv4 BFD for Static Routes: Enable BFD on an interface.
  • Page 321: Configuring Bfd For Single Hop

    Important: On the ASR 5500, static routes with IPv6 prefix lengths less than /12 and between the range of /64 and /128 are not supported. Configuring BFD for Single Hop: Enable BFD on an interface. config context bfd_context_name interface if_name ip address ipv4_address ipv4_mask ipv6 address ipv6_address ipv6_mask...
  • Page 322: Scaling Of Bfd

    Configure an active BFD session using one of the above methods and use the same BFD neighbor while configuring the active interface. For additional information, see Associating BFD Neighbor Groups with the BFD Protocol, on page 290.
  • Page 323: Enabling Bfd On Ospf Interfaces

    All OSPF Interfaces: config context context_name router ospf bfd-all-interfaces Specific OSPF Interface: config context context_name interface interface_name broadcast ip ospf bfd Monitoring BFD Connection for ICSR: For ICSR configurations, the following command sequence initiates monitoring of the connection between the primary chassis and the BFD neighbor in the specified context.
  • Page 324: Enable Primary Chassis Bfd Monitoring

    • Enable Primary Chassis BFD Monitoring, on page 292. • Set BFD to Ignore ICSR Dead Interval, on page 292. • Configure ICSR Switchover Guard Timer, on page 292. • Enable BFD Multihop Fall-over, on page 293.
  • Page 325: Enable Bfd Multihop Fall-Over

    • diameter-switchover-timers – sets timers that prevent a back-to-back ICSR switchover due to a Diameter failure (post ICSR switchover) while the network is still converging. ◦ damping-period – configures a delay time to trigger an ICSR switchover due to a monitoring failure within the guard-period.
  • Page 326: Ip Routev6 Command

    configure context context_name ipv6 route ipv6_address/prefix_length { interface name | next-hop ipv6_address interface name } [ cost cost] [ fall-over bfd multihop mhsess_name ] [ precedence precedence ] [ vrf vrf_name [ cost value ] [ fall-over bfd multihop mhsess_name ] [ precedence precedence ] The ipv6 route command now also allows you to add a static multihop BFD route.
  • Page 327: Overview

    A BFD Configuration mode CLI command configures BFD interactions with the linkagg task. Once a session is configured, BFD creates per member link BFD sessions and starts sending packets on each of the linkagg member links.
  • Page 328: Saving The Configuration

    bfd linkagg-peer linkagg_group_id local-endpt-addr local-endpt_ipaddress remote-endpt-addr remote_endpt_ipaddress interval tx_interval min_rx rx_interval multiplier multiplier_value [ slot slot_number ] no bfd linkagg-peer linkagg_group_id [ slot slot_number ] Notes: • linkagg_group_id specifies the LAG number as an integer from 1 through 255. •...
  • Page 329: Asr 5500 System Administration Guide, Staros Release 21.4

    *208.230.231.0/24 0.0.0.0 connected local1 Total route count: 5
  • Page 331: Vlans

    VLANs. You should select the configuration example that best meets your service model before using the procedures described below. Important: VLAN – Layer 2 Traffic Management is a Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements.
  • Page 332: Overlapping Ip Address Pool Support – Ggsn

    Overlapping IP Address pools allow operators to more flexibly support multiple corporate VPN customers with the same private IP address space without expensive investments in physically separate routers or virtual routers.
  • Page 333: Apn Support – Pdn Gateway (P-Gw)

    P-GW Access Point Name (APN) supports extensive parameter configuration flexibility for the APN. VLAN tagging may be selected by the APN, but is configured in the P-GW independently from the APN. Creating VLAN Tags: Use the following example to create VLANs on a port and bind them to pre-existing interfaces.
  • Page 334: Configuring Subscriber Vlan Associations

    Flow Control : Enabled Link Aggregation Group : None Untagged: Logical ifIndex : 85262337 Operational State : Up, Active Tagged VLAN: VID 10 Logical ifIndex : 285278210 VLAN Type : Standard VLAN Priority Administrative State : Enabled Operational State : Up, Active...
  • Page 335: Verify The Subscriber Profile Configuration

    Important: These instructions assume that you have already configured subscriber-type VLAN tags according to the instructions provided in Creating VLAN Tags, on page 301. config context context_name subscriber name user_name ip vlan vlan_id Verify the Subscriber Profile Configuration: Use the following command to view the configuration for a subscriber profile: host_name show subscriber configuration username user_name...
  • Page 336: Asr 5500 System Administration Guide, Staros Release 21.4

    VLAN-Related CLI Commands
    CLI Mode: Context Configuration Mode
    Command: ip pool pool_name nexthop forwarding address ip_address overlap vlanid vlan_id
    Description: When a nexthop forwarding address is configured, the overlap vlanid keyword enables support for overlapping IP address pools and associates the pool with the specified VLAN ID.
  • Page 337: Asr 5500 System Administration Guide, Staros Release 21.4

    VLAN-Related CLI Commands
    CLI Mode: VLAN Configuration Mode
    Command: [no] shutdown
    Description: Enables or disables traffic over the current VLAN.
    CLI Mode: VLAN Configuration Mode
    Command: vlan-map interface if_name context_name
    Description: Associates an IP interface having a VLAN ID with a context.
    Table 41: VLAN-Related Monitoring Commands
    CLI Mode, Command, Description...
  • Page 339: Bgp Mpls Vpns

    Switching (MPLS) Virtual Private Networks (VPNs). Important: MPLS is a licensed Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of Software Management Operations.
  • Page 340: Mpls-Ce Connected To Pe

    In this scenario the ASR 5500 functions as an MPLS-CE (Customer Edge) network element connected to a Provider Edge (PE) Label Edge Router (LER), which in turn connects to the MPLS core (RFC 4364). See the figure below.
  • Page 341: Overview

    ASR 5500 as a PE, Overview: In this scenario, the ASR 5500 functions as a PE router sitting at the edge of the MPLS core. See the figure below. Figure 21: ASR 5500 as a PE. The ASR 5500 eliminates the need for an ASBR or PE as shown in the first two scenarios.
  • Page 342: Asr 5500 System Administration Guide, Staros Release 21.4

    LDP. The ASR 5500 forwards the packets to the next-hop with two labels – an inner label learned from PE and an outer label learned from the next hop IBGP neighbor. Figure 22: Sample Configuration. mpls ip protocol ldp enable...
  • Page 343: Ipv6 Support For Bgp Mpls Vpns

    network 192.168.109.0/24 area 0.0.0.0 exit IPv6 Support for BGP MPLS VPNs, Overview: The ASR 5500 supports VPNv6 as described in RFC 4659 – BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN. An IPv6 VPN is connected over an IPv6 interface or sub-interface to the Service Provider (SP) backbone via a PE router.
  • Page 344: Sample Configuration

    This example assumes three VRFs. VRF 1 has only IPv4 routes, VRF 2 has both IPv4 and IPv6 routes, and VRF 3 has only IPv6 routes. Figure 24: VPNv6 Sample Configuration. Configure VRFs. ip vrf vrf1 exit ip vrf vrf2...
  • Page 345: Asr 5500 System Administration Guide, Staros Release 21.4

    ip address 2005:0202:0101::1/128 exit interface vrf3-v6loop loopback ip vrf forwarding vrf3 ip address 2005:0303:0101::1/128 exit Configure BGP along with address families and redistribution rules. router bgp 800 router-id 1.1.1.1 neighbor 192.168.110.20 remote-as 1003 neighbor 192.168.110.20 activate address-family vpnv4 neighbor 192.168.110.20 activate neighbor 192.168.110.20 send-community both...
  • Page 346: Vpn-Related Cli Commands

    accounting-mode none aaa group apple-group authentication pap 1 chap 2 allow-noauthip context-name Gi_ce ipv6 address prefix-pool vrf3-v6pool exit aaa-group amazon-group radius ip vrf vrf2 aaa group default exit gtpp group default exit ip igmp profile default exit Bind physical interfaces with the port.
  • Page 347: Asr 5500 System Administration Guide, Staros Release 21.4

    VPN-Related CLI Commands
    CLI Mode: BGP Address-Family (VRF) Configuration Mode
    Command: neighbor ip_address send community { both | extended | standard }
    Description: Sends the extended-community attribute to a peer router. In VPN, route-distinguisher and route-target are encoded in the BGP extended-community....
  • Page 348: Asr 5500 System Administration Guide, Staros Release 21.4

    VPN-Related CLI Commands
    CLI Mode: Context Configuration Mode
    Command: ipv6 pool pool_name vrf vrf_name
    Description: Associates the pool with that VRF. Note: By default the configured ipv6 pool will be associated with the global routing domain.
    CLI Mode: Context Configuration Mode
    Command: mpls bgp forwarding
    Description: Globally enables MPLS Border Gateway Protocol (BGP)
  • Page 349: Asr 5500 System Administration Guide, Staros Release 21.4

    VPN-Related CLI Commands
    CLI Mode: Exec Mode
    Command: lsp-traceroute ip_prefix_FEC
    Description: Discovers MPLS LSP routes that packets actually take when traveling to their destinations. It must be followed by an IPv4 or IPv6 FEC prefix.
    CLI Mode: IP VRF Context Configuration Mode
    Command: mpls map-dscp-to-exp dscp
    Description: Maps the final differentiated...
  • Page 350: Asr 5500 System Administration Guide, Staros Release 21.4

    Table 43: VPN-Related Monitoring Commands
    CLI Mode: Exec Mode show Commands
    Command: show ip bgp neighbors
    Description: Displays information regarding BGP neighbors.
    CLI Mode: Exec Mode show Commands
    Command: show ip bgp vpnv4 { all | route-distinguisher | vrf }
    Description: Displays all VPNv4 routing data, routing data for a VRF or a route-distinguisher....
  • Page 351: Content Service Steering

    Important: Internal CSS is a generic feature; if an ECSv2 license is installed on your system, internal CSS can be enabled. A separate license is not required to enable internal CSS. Contact your local Cisco account representative for information on how to obtain a license.
  • Page 352: Configuring Internal Content Service Steering

    To configure and activate a single CSS service for redirecting all of a subscriber's IP traffic to an internal in-line service: Step 1 Define an IP ACL as described in Defining IP Access Lists for Internal CSS, on page 320 Step 2 Optional: Apply an ACL to an individual subscriber as described in...
  • Page 353: Applying An Acl To An Individual Subscriber (Optional)

    • For IPv6 ACLs, the same configurations must be done in the IPv6 ACL Configuration Mode. See the IPv6 ACL Configuration Mode Commands chapter in the Command Line Interface Reference. Applying an ACL to an Individual Subscriber (Optional): For information on how to apply an ACL to an individual subscriber, refer to the Applying an ACL to an Individual Subscriber section of the Access Control Lists chapter.
  • Page 355: Session Recovery

    This chapter describes the Session Recovery feature that provides seamless failover and reconstruction of subscriber session information in the event of a hardware or software fault. Important: Session Recovery is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements.
  • Page 356: Asr 5500 System Administration Guide, Staros Release 21.4

    means that additional hardware may be required to enable this feature (see Additional ASR 5500 Hardware Requirements, on page 326). Other key system-level software tasks, such as VPN manager, are performed on a physically separate packet processing card to ensure that a double software fault (for example, session manager and VPN manager fail at the same time on the same card) cannot occur.
  • Page 357: Asr 5500 System Administration Guide, Staros Release 21.4

    • ASR 5500 only – HNB-GW: HNB-CN Session over IuPS and IuCS • ASR 5500 only – HNB-GW: SeGW Session IPSec Tunnel • ASR 5500 only – HSGW services for IPv4 • IPCF (Intelligent Policy Control Function) •...
  • Page 358: Additional Asr 5500 Hardware Requirements

    Important: Any partially connected calls (for example, a session where HA authentication was pending but has not yet been acknowledged by the AAA server) are not recovered when a failure occurs. Additional ASR 5500 Hardware Requirements: Because session recovery requires numerous hardware resources, such as memory, control processors, NPU processing capacity, some additional hardware may be required to ensure that enough resources are available to fully support this feature.
  • Page 359: Enabling Session Recovery

    As noted earlier, session recovery can be enabled on a system that is out-of-service (OOS) and does not yet have any contexts configured, or on an in-service system that is currently capable of processing calls. However, if the system is in-service, it must be restarted before the session recovery feature takes effect.
  • Page 360: Disabling The Session Recovery Feature

    Step 2 Use the following configuration example to enable session recovery. configure require session recovery This feature does not take effect until after the system has been restarted. Step 3 Save your configuration as described in Verifying and Saving Your Configuration. Step 4 Perform a system restart by entering the reload command: The following prompt appears:...
  • Page 361: Viewing Recovered Session Information

    host_name show session recovery status verbose [local] Session Recovery Status: Overall Status Ready For Recovery Last Status Update 2 seconds ago ----sessmgr---- ----aaamgr---- demux cpu state active standby active standby active status ---- ------- ------ ------- ------...
  • Page 362: Recovery Control Task Statistics

    Full: Micro: Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_REQ_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_RSP_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_ADD_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED...
  • Page 363: Show Rct Stats Command

    The Exec mode show rct stats command employs the following syntax: host_name show rct stats [verbose] [local] Without the verbose keyword, a summary output is displayed as shown in the example below: RCT stats details (Last 1 Actions) Action Type...
  • Page 364: Asr 5500 System Administration Guide, Staros Release 21.4

    From : 11 Start Time : 2017-Apr-04+03:03:40.120 Is Card Usable : Yes Failure Reason : N.A. Failure Device : N.A Recovery Status : Success Facility : N.A Instance : N.A Duration : 003.423 sec Graceful : Enabled...
  • Page 365: Interchassis Session Recovery

    Administration Guide, before using the procedures described below. Important: ICSR is a licensed Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of Software Management Operations.
  • Page 366: Asr 5500 System Administration Guide, Staros Release 21.4

    Important: ICSR support for LAC requires a separate LAC license, as well as an Inter-Chassis Session Recovery license. Important: Contact your Cisco account representative to verify whether a specific service supports ICSR as an option.
  • Page 367: Interchassis Communication

    Chassis configured to support ICSR communicate using periodic Hello messages. These messages are sent by each chassis to notify the peer of its current state. The Hello message contains information about the chassis such as its configuration and priority.
  • Page 368: Show Commands

    SRP CLI Commands
    Command: srp initiate-switchover
    Description: Executes a forced switchover from active to inactive. When executed on the active chassis, this command switches the active chassis to the inactive state and the inactive chassis to an active state. See Note below.
  • Page 369: Aaa Monitor

    For additional information about the output of show srp commands, see the Statistics and Counters Reference. AAA Monitor: AAA servers are monitored using the authentication probe mechanism. AAA servers are considered Up if the authentication-probe receives a valid response. AAA servers are considered Down when the max-retries count specified in the configuration of the AAA server has been reached.
  • Page 370: Asr 5500 System Administration Guide, Staros Release 21.4

    ◦ Destination – to configure monitoring and routing to the PDN. • Border Gateway Protocol (BGP) – ICSR uses the route modifier to determine the chassis priority. Important: ICSR is a licensed Cisco feature. Verify that each chassis has the appropriate license before using these procedures.
  • Page 371: Icsr Operation

    The following figure shows an ICSR network. Figure 25: ASR 5500 ICSR Network. ICSR Operation: This section shows operational flows for ICSR.
  • Page 372: Asr 5500 System Administration Guide, Staros Release 21.4

    The following figure shows an ICSR process flow due to a primary failure. Figure 26: ICSR Process Flow (Primary Failure)
  • Page 373: Asr 5500 System Administration Guide, Staros Release 21.4

    The following figure shows an ICSR process flow due to a manual switchover. Figure 27: ICSR Process Flow (Manual Switchover)
  • Page 374: Chassis Initialization

    When the chassis are simultaneously initialized, they send Hello messages to their configured peer. The peer sends a response, establishes communication between the chassis, and messages are sent that contain configuration information. During initialization, if both chassis are misconfigured in the same mode - both active (primary) or both standby (backup), the chassis with the highest priority (lowest number set with the ICSR priority command) becomes active and the other chassis becomes the standby.
  • Page 375: Configuring Icsr

    pool routes into the routing domain. Once the chassis becomes active, it continues to process existing AAA services and subscriber sessions that had checkpoint information, and is also able to establish new subscriber sessions. When the primary chassis is back in service, it sends Hello messages to the configured peer. The peer sends a response, establishes communication between the chassis, and sends Hello messages that contain configuration information.
  • Page 376: Configuring The Service Redundancy Protocol (Srp) Context

    To configure ICSR on a primary and/or backup chassis: Step 1 Configure the SRP context by applying the example configuration in Configuring the Service Redundancy Protocol (SRP) Context, on page 344.
  • Page 377: Configuring Srp Context Parameters

    Important: ICSR is configured on two VPC-DI instances. Be sure to create the redundancy context on both systems. CLI commands must be executed on both systems. Log onto both active CFs before continuing. Always make configuration changes on the active CF in the primary VPC-DI instance first.
  • Page 378: Srp Redundancy, Aaa And Diameter Guard Timers

    • The priority determines which chassis becomes active in the event that both chassis are misconfigured with the same chassis mode; see Chassis Initialization, on page 342. The higher priority chassis has the lower number.
  • Page 379: Dscp Marking Of Srp Messages

    You can enable separate DSCP marking of SRP control and checkpoint messages. The dscp-marking command sets DSCP marking values for SRP control and checkpoint (session maintenance) messages. configure context context_name service-redundancy-protocol...
  • Page 380: Allow Non-Volte Traffic During Icsr Switchover

    Important: These features require an updated ICSR license to support the enhancements. Contact your Cisco account representative for additional information. Allow Non-VoLTE Traffic During ICSR Switchover: The ICSR framework reduces switchover disruption for VoLTE traffic by enabling VoLTE traffic on the newly active gateway prior to reconciling the billing information and enabling communication with the newly active gateway when accounting is not deemed critical.
  • Page 381: Asr 5500 System Administration Guide, Staros Release 21.4

    • When the newly active gateway receives all billing-related checkpointing information from the previously active gateway, it reconciles the billing data before communicating with external billing servers OCS (Online Charging System) or OFCS (Offline Charging System). Figure 28: Call Flow: Reduce Non-VoLTE Data Outage. The switchover allow-all-data-traffic SRP Configuration mode CLI command allows all data traffic (VoLTE and non-VoLTE) during switchover transition.
  • Page 382: Allow All Data Traffic

    service-redundancy-protocol switchover allow-volte-data-traffic [ maintain-accounting ] Notes: • When maintain-accounting is enabled, accounting accuracy is maintained for VoLTE calls. VoLTE data is allowed on the active gateway after VoLTE accounting statistics are flushed. Allow All Data Traffic: The SRP Configuration mode switchover allow-all-data-traffic command allows all data traffic (VoLTE and non-VoLTE) during switchover transition.
  • Page 383: Optimization Of Switchover Control Outage Time

    The require graceful-cleanup-during-audit-failure Global Configuration mode CLI command enables or disables the graceful cleanup feature. configure require graceful-cleanup-during-audit-failure [ del-cause non-ims-apn { system-failure | none } ] Optimization of Switchover Control Outage Time: The ICSR framework minimizes control outage time associated with the flushing of critical full checkpoint statistics, network convergence and internal auditing.
  • Page 384: Configuring Nack Generation For Srp Checkpoint Messaging Failures

    (FCs) between the active and standby chassis. Important: The periodic-interval keyword will only appear if a special ICSR optimization feature license has been purchased and installed. Contact your Cisco account representative for assistance. configure context context_name...
  • Page 385: Selective Disabling Of Nack Messaging

    LZ4 compression algorithm. Important: The compression keyword will only appear if a special ICSR optimization feature license has been purchased and installed. Contact your Cisco account representative for assistance. The following command sequence enables the use of LZ4 compression: configure...
  • Page 386: Verifying Srp Configuration

    chassis waits for seven heart beat messages from the active chassis before it is ready to accept data. This may cause significant delay in session manager database synchronization on the standby chassis. You can enable an aggressive method for synchronizing the session manager database that reduces recovery time in the following scenarios: •...
  • Page 387: Configuring Bgp Router And Gateway Address

    Interchassis Session Recovery Modifying the Source Context for ICSR Configuring BGP Router and Gateway Address Use the following example to create the BGP context and network addresses. configure context source_ctxt_name router bgp AS_num network gw_ip_address neighbor neighbor_ip_address remote-as AS_num Notes: •...
  • Page 388: Modifying The Destination Context For Icsr

    Interchassis Session Recovery Modifying the Destination Context for ICSR Modifying the Destination Context for ICSR To modify the destination context of core service: Step 1 Add the BGP router and configure the gateway IP address, neighbor IP address, remote IP address in the destination context where the core network service is configured, by applying the example configuration in Configuring BGP Router and Gateway Address in Destination Context, on page...
  • Page 389: Verifying Bgp Configuration In Destination Context

    Interchassis Session Recovery Disabling Bulk Statistics Collection on a Standby System Verifying BGP Configuration in Destination Context Verify your BGP configuration by entering the show srp monitor bgp command (Exec Mode). Disabling Bulk Statistics Collection on a Standby System You can disable the collection of bulk statistics from a system when it is in the standby mode of operation. Important: When this feature is enabled and a system transitions to standby state, any pending accumulated statistical data is transferred at the first opportunity.
  • Page 390: Configuring Subscriber State Management Audit Process

    Interchassis Session Recovery Configuring Subscriber State Management Audit Process #exit #exit Configuring Subscriber State Management Audit Process This audit ensures that two ICSR peers are in sync and identifies any discrepancies prior to any scheduled or unscheduled switchover events. Step 1 Enter the SRP Context mode and enter the service-redundancy-protocol command.
  • Page 391: Updating The Operating System

    Interchassis Session Recovery Updating the Operating System • show srp checkpoint statistics ipsecmgr all • show srp checkpoint statistics sessmgr all write-list-stats • show srp checkpoint info • show srp monitor • show srp monitor all • show srp monitor diameter debug •...
  • Page 392: Asr 5500 System Administration Guide, Staros Release 21.4

    Caution: Enabling the Demux on MIO/UMIO/MIO2 feature changes resource allocations within the system. This directly impacts an upgrade or downgrade between StarOS versions in ICSR configurations. Contact Cisco TAC for procedural assistance prior to upgrading or downgrading your ICSR deployment.
  • Page 393: Asr 5500 System Administration Guide, Staros Release 21.4

    Interchassis Session Recovery Updating the Operating System Figure 30: ICSR Software Upgrade – Part 2
  • Page 394: Asr 5500 System Administration Guide, Staros Release 21.4

    Interchassis Session Recovery Updating the Operating System Figure 31: ICSR Software Upgrade – Part 3
  • Page 395: Asr 5500 System Administration Guide, Staros Release 21.4

    Interchassis Session Recovery Updating the Operating System Figure 32: ICSR Software Upgrade – Part 4
  • Page 396: Both Icsr Systems

    Exec mode command:[local]host_name# directory /flash Step 2 Access to the Cisco support site and download facility is username and password controlled. Download the software image to a network location or physical device (USB stick) from which it can be uploaded to the /flash device.
  • Page 397: Standby Icsr System

    Interchassis Session Recovery Standby ICSR System a) Copy the file from a network location or local device plugged into the MIO/UMIO/MIO2 using the copy command. [local]host_name# copy from_url to_url [-noconfirm] b) Transfer the file to the /flash device using an FTP client with access to the system. The FTP client must be configured to transfer the file using binary mode.
  • Page 398: Performing Bgp Checks

    Interchassis Session Recovery Standby ICSR System Performing BGP Checks Border Gateway Protocol (BGP) checks are only required when BGP is used to support redundant interchassis communication. These checks are run per context and per service type. Step 1 For each BGP-enabled context, run show ip bgp summary. Verify that the BGP peers are connected and that IPv4 and IPv6 peers are up.
  • Page 399: Updating The Configuration File

    Features in the new operating system may require changes to the configuration file. These changes can be done manually or facilitated by custom scripts prepared by Cisco TAC. Make whatever changes are necessary prior to saving the updated configuration file.
  • Page 400: Waiting For Session Synchronization

    Interchassis Session Recovery Primary System Waiting for Session Synchronization Allow time for session synchronization to occur between the ICSR chassis before proceeding to the next steps. Step 1 Run the show session recovery status verbose command on both chassis. Proceed to the next steps only when no errors are seen in the output of this command.
  • Page 401: Completing The Software Update

    Interchassis Session Recovery Primary System Completing the Software Update Log into the backup (standby) system and repeat the following tasks to complete the upgrade process on the backup (standby) system: • Updating the Boot Record, on page 366 • Reboot StarOS, on page 366 •...
  • Page 402: Fallback Procedure

    Interchassis Session Recovery Fallback Procedure Fallback Procedure To revert to the previous configuration and software build, perform the following steps as a user with administrative privileges. Step 1 Run the Exec mode show boot command. The topmost lowest numbered entry of the displayed output should be the new configuration with the new software build.
  • Page 403: Support Data Collector

    CHAPTER Support Data Collector The Support Data Collector (SDC) is a system feature that allows scheduled collection of process state, counter, event and attribute data that may be useful when troubleshooting problems at an installation site. This chapter includes the following sections: •...
  • Page 404: Configuring Sdr Collection

    Support Data Collector Configuring SDR Collection below shows system tasks that contain state and counter information. Arrows between tasks and processes represent messenger requests and indicate the predominant flow of data. Figure 33: SDC Tasks and Processes Configuring SDR Collection The Support Data Record (SDR) is an ordered set of the CLI support commands' display output that is stored in a stand-alone compressed file.
  • Page 405: Collecting And Storing The Sdr Information

    Support Data Collector Collecting and Storing the SDR Information Collecting and Storing the SDR Information At the scheduled time, the Support Data Collector (SDC), if active, runs in the background to collect all the record section commands that have been specified. This information is concatenated as one contiguous output. The output is compressed and stored as a file on disk in the /hd-raid/support/record/ directory.
  • Page 406 Support Data Collector Managing Record Collection The next older SDR is record-id 1, and so on, for the number of records in the stored collection. For example, if there are five SDRs, they are identified as SDR-0 through SDR-4. Figure 34: Support Data Collection Hierarchy When a new SDR is created, the numbers all increment by one and the newest SDR is given the value of 0.
  • Page 407: Using Sdrs To Diagnose Problems

    The administrator may decide to transfer the SDRs off the system to be analyzed remotely, for example, by Cisco TAC.
  • Page 408: Configuration Commands (Global Configuration Mode)

    Support Data Collector Configuration Commands (Global Configuration Mode) For complete descriptions of the CLI commands discussed below, refer to the Command Line Interface Reference. Configuration Commands (Global Configuration Mode) support record support record section section-name command "command-string" [ section section-name command "command-string"...
  • Page 409: Exec Mode Commands

    Support Data Collector Exec Mode Commands Important: SDR files will be stored in the /hd-raid/support/records/ directory. For example: [local]host_name(config)# support collection sleep-duration minute 30 max-records 50 Use the no support collection command to explicitly disable the collection of the SDRs. If no record section commands are defined, the support data collector mechanism is also effectively disabled.
  • Page 410 Support Data Collector Exec Mode Commands Name Size Date/Time sdr.167.gz 42863 Monday October 21 04:40:00 PDT 2013 sdr.166.gz 170425 Monday October 21 05:40:08 PDT 2013 total SDRs 2, total bytes 2132880, time span is last 1 day(s) 1 hour(s) The optional definitions keyword displays the list of default support record section definitions. This is the list of all valid record section definitions.
  • Page 411: Engineering Rules

    APPENDIX Engineering Rules This appendix provides engineering guidelines for configuring the system to meet network deployment requirements. • CLI Session Rules, page 379 • ASR 5500 Interface and Port Rules, page 379 • Context Rules, page 380 •...
  • Page 412: Packet Data Network (Pdn) Interface Rules

    Engineering Rules Packet Data Network (PDN) Interface Rules • A single physical port can support multiple logical interfaces when you configure VLAN tags for that physical port. You can use VLAN tagging to bind a single physical port to multiple logical interfaces that reside in different contexts.
  • Page 413 Engineering Rules Context Rules ◦ 256 loopback interfaces • IP Addresses and IP Address Pools ◦ Up to 2,000 IPv4 address pools can be configured within a single context. ◦ Prior to Release 15.0: Up to 32 IPv6 pools can be configured within a single context. ◦...
  • Page 414 Engineering Rules Context Rules ◦ Releases 17, 18 and higher: 64,000 BGP prefixes can be learned/advertised per context (64,000 per chassis) ◦ 64 EBGP peers can be configured per context (512 per chassis) ◦ 16 IBGP peers per context ◦ 512 BGP/AAA monitors per context in support of Interchassis Session Recovery (ICSR) •...
  • Page 415: Subscriber Rules

    Large numbers of services greatly increase the complexity of management and may affect overall system performance. Therefore, you should not configure a large number of services unless your application absolutely requires it. Please contact your Cisco service representative for more information.
  • Page 416: Access Control List (Acl) Engineering Rules

    Engineering Rules Access Control List (ACL) Engineering Rules • Although you can use service names that are identical to those configured in different contexts on the same system, this is not a good practice. Services with the same name can lead to confusion and difficulty in troubleshooting problems, and make it difficult to understand the output of show commands.
  • Page 417: Staros Tasks

    APPENDIX StarOS Tasks This appendix describes system and subsystem tasks running under StarOS on an ASR 5500 and virtualized platforms. Important: This appendix is not a comprehensive list of all StarOS tasks. It simply provides general descriptions of the primary tasks and subsystems within StarOS.
  • Page 418: Primary Task Subsystems

    StarOS Tasks Primary Task Subsystems Primary Task Subsystems The individual tasks that run on the CPUs are divided into subsystems. Following is a list of the primary subsystems responsible for call session processing: • System Initiation Task (SIT): This subsystem starts tasks and initializes the system. This includes starting a set of initial tasks at system startup time (static tasks), and starting individual tasks on demand at arbitrary times (dynamic tasks).
  • Page 419: Controllers And Managers

    StarOS Tasks Controllers and Managers • Per-interface packet filtering • Traffic management and traffic engineering • Passing user data frames to/from packet processing CPUs • Modifying, adding, or stripping datalink/network layer headers • Recalculating checksums • Maintaining statistics • Managing external Ethernet interfaces •...
  • Page 420: Subsystem Tasks

    StarOS Tasks Subsystem Tasks Subsystem Tasks The following subsections list and briefly describe StarOS tasks for various subsystems: • System Initiation Subsystem, on page 388 • High Availability Subsystem, on page 389 • Resource Manager Subsystem, on page 390 • Virtual Private Networking Subsystem, on page 390 •...
  • Page 421: High Availability Subsystem

    StarOS Tasks High Availability Subsystem High Availability Subsystem Table 47: High Availability Subsystem Tasks Task Description Function hatcpu High Availability Task CPU Performs device initialization and control functions based on the CPUs hardware capabilities. Reports the loss of any task on its CPU to hatsystem sub-function. Controls the LEDs on the packet processing cards.
  • Page 422: Resource Manager Subsystem

    StarOS Tasks Resource Manager Subsystem Resource Manager Subsystem Table 48: Resource Manager (RM) Subsystem Tasks Task Description Function rmctrl Resource Manager Controller Started by the sitparent task on StarOS startup, and monitored by HAT for a failure. Initializes resources such as CPUs and memory. Requests updated card status from the CSP subsystem and updates the system card table.
  • Page 423 StarOS Tasks Virtual Private Networking Subsystem Task Description Function vpnmgr VPN Manager Started by the VPN Controller for each configured context (one is always present for the local context). Performs IP address pool and subscriber IP address management. Performs all context specific operations including but not limited to: UCM services, IP interfaces, the Address Resolution Protocol (ARP), IP address pool management, slow path forwarding, NPU flows, port Access Control Lists (ACLs), and logging.
  • Page 424: Network Processing Unit Subsystem

    StarOS Tasks Network Processing Unit Subsystem Task Description Function Routing Information Protocol Created by VPN Manager for each context that has enabled the RIP routing protocol (router rip Context Configuration mode CLI command) Responsible for learning and redistributing routing information via the RIP protocol.
  • Page 425 StarOS Tasks Network Processing Unit Subsystem Task Description Function npuctrl NPU Controller Created at StarOS start-up. Only one NPU Controller operates in the system at any time. Monitors the state of NPU Managers in the system. Registers to receive notifications when NPU Manager crashes. Controls recovery operation.
  • Page 426: Session Subsystem

    StarOS Tasks Session Subsystem Session Subsystem Table 51: Session Subsystem Tasks Task Description Function sessctrl Session Controller Created at StarOS start-up. Only one Session Controller instantiated in the system at any time. Acts as the primary point of contact for the Session Subsystem. Since it is aware of the other subsystems running within the system, the Session Controller acts as a proxy for the other components, or tasks, that make up the subsystem.
  • Page 427 StarOS Tasks Session Subsystem Task Description Function a11mgr A11 Manager Created by the Session Controller for each context in which a PDSN service is configured. Receives the R-P sessions from the PCF and distributes them to different Session Manager tasks for load balancing. Maintains a list of current Session Manager tasks to aid in system recovery.
  • Page 428 StarOS Tasks Session Subsystem Task Description Function acsctrl Active Charging System (ACS) Active Charging service is defined at the global level and can be utilized Controller through CSS commands from any VPN context. Enable via the Global Configuration mode active-charging service CLI command. The ACS controller runs on the primary packet processing card and is responsible for managing the ACS service.
  • Page 429 StarOS Tasks Session Subsystem Task Description Function egtpemgrr Enhanced GPRS Tunneling Created by the Session Controller for each context in which an egtp-service Protocol Egress Manager of interface type sgw-egress or MME is configured. Handles certain EGTP messages from SGW, PGW. Maintains list of current EGTP sessions.
  • Page 430 StarOS Tasks Session Subsystem Task Description Function gtpumgr GPRS Tunneling Protocol User Created by the Session Controller for each context in which a GTPU (GTP-U Manager service is configured. Supported for both GTPUv0 and GTPUv1 Maintains a list of the GTPU-services available within the context and performs load-balancing (of only Error-Ind) for them.
  • Page 431 StarOS Tasks Session Subsystem Task Description Function hnbmgr Home NodeB (HNB) Manager Starts when an HNB-GW service configuration is detected. There can be multiple instances of this task for load sharing. All HNB Managers have all the Active HNB-GW Services configured and be identical in configuration and capabilities.
  • Page 432 StarOS Tasks Session Subsystem Task Description Function ipsgmgr IP Services Gateway Manager Created by the Session Controller. In Server mode, acts as a RADIUS server, and supports Proxy functionality. In Snoop mode supports snooping RADIUS Accounting messages. Load balances requests among different SessMgrs. Activates and deactivates sessions.
  • Page 433 StarOS Tasks Session Subsystem Task Description Function magmgr Mobile Access Gateway Created by the Session Controller when the first MAG service is created (MAG) Manager in a context. Sends and receives PMIP control messages (PBU/PBA). Adds an NPU flow to receive MIPv6 PBA packets. This flow is identical to the flow used in the HAMgr.
  • Page 434 StarOS Tasks Session Subsystem Task Description Function mmemgr Mobility Management Entity Starts when an MME service configuration is detected. There can be Manager multiple instances of this task for load sharing. All mmemgrs will have all the Active MME Services configured and will be identical in configuration and capabilities.
  • Page 435: Platform Processes

    StarOS Tasks Platform Processes Task Description Function sgtpcmgr SGSN GPRS Tunneling Created by the Session Controller for each VPN context in which an SGSN Protocol Control message service is configured. Manager Terminates Gn/Gp and GTP-U interfaces from peer GGSNs and SGSNs for SGSN Services.
  • Page 436 StarOS Tasks Platform Processes Task Description Function connproxy TCP/SCTP Connection proxy Allows applications on any card to share the same TCP/SCTP connection to the same remote endpoint instead of opening a new connection for each application on the card. cspctrl Card-Slot-Port Controller Manages physical chassis components.
  • Page 437 StarOS Tasks Platform Processes Task Description Function hwctrl Hardware Controller The hwctrl task has several timers that manage polling loops for hardware sensor readings, sensor threshold monitoring, and fan tray monitoring. hwmgr Hardware Manager The hwmgr task runs on all cards in the chassis to read local accessible hardware sensors and report them back to the hwctrl.
  • Page 438: Management Processes

    StarOS Tasks Management Processes Task Description Function nscontrol Name Service Controller As part of the Messenger process, provides a reliable channel for tasks to send control messages to the Messenger Daemon. ntpd Network Time Protocol (NTP) Maintains the system time in synchronization with time servers using NTP. Daemon Enabled when one or more NTP servers have been configured via the NTP Configuration mode ntp server CLI command.
  • Page 439 StarOS Tasks Management Processes Task Description Function orbns ORBEM Notification Service Notifies the EMS servers of event occurrences. [ASR 5500 only] Registers such EMS servers and subscribes them to associated event types. As the events occur, the concerned Controller Task notifies orbs (ORBEM), which then notifies the subscribing EMS servers.
  • Page 440 StarOS Tasks Management Processes
  • Page 441: Netconf And Confd

    APPENDIX NETCONF and ConfD This chapter describes NETCONF and the StarOS process called ConfD manager. It contains the following sections: • Feature Summary and Revision History, page 409 • Overview, page 410 • Configuring ConfD, page 412 •...
  • Page 442: Overview

    Overview StarOS provides a northbound NETCONF interface that supports a YANG data model for transferring configuration and operational data with the Cisco Network Service Orchestrator (NSO). It also incorporates a ConfD manager (confdmgr) to communicate with the NSO management console.
  • Page 443 NETCONF and ConfD Overview ConfD is an on-device management framework that provides a set of interfaces to manage a device. The ConfD framework automatically renders all the management interfaces from a data model. ConfD implements the full NETCONF specification and runs over SSH with content encoded in XML. ConfD is configured to allow only authenticated/authorized access through external authentication.
  • Page 444: Configuring Confd

    NETCONF and ConfD Configuring ConfD For additional NSO information, refer to the NSO user documentation. Figure 35: NETCONF System Flow Configuring ConfD To enable NETCONF protocol in StarOS, you must enable server confd and enter the NETCONF Protocol Configuration mode. The NETCONF Protocol Configuration mode supports optional configuration commands. SSH Key Requirement NETCONF-ConfD support requires that a V2-RSA SSH key be configured on the local context.
  • Page 445: Netconf Protocol Configuration Mode

    NETCONF and ConfD NETCONF Protocol Configuration Mode NETCONF Protocol Configuration Mode The NETCONF protocol is enabled via the Context Configuration mode server confd command. This command is restricted to the local context only. host_name configure [local] host_name context local [local] (config)# host_name server confd...
  • Page 446: Netconf Notifications Events

    NETCONF and ConfD NETCONF Protocol Configuration Mode Important: The NETCONF or RESTful session must still be established with verifiable credentials. netconf notifications events This NETCONF Protocol Configuration mode command enables events logged in StarOS to be sent out as NETCONF notifications on the stream named "StarOS." Level specifies the lowest event severity level that results in a notification.
  • Page 447: Rest Auth-Policy

    NETCONF and ConfD NETCONF Protocol Configuration Mode rest auth-policy This NETCONF Protocol Configuration mode command controls the level of verification the server does on client certificates. CA (certificate authority) certificates can be configured using the existing ca-certificate command in Global Configuration mode. The command syntax is: rest auth-policy { none | peer | peer-fail }, where •...
  • Page 448: Rest Hostname

    NETCONF and ConfD Sample Configuration Important: A change to the REST interface certificate may result in a planned restart of ConfD and temporary loss of connectivity over the NETCONF and REST (if still enabled) interfaces. Changes to global certificates which ConfD is using while REST is enabled will also result in a restart of ConfD.
  • Page 449: Verifying The Configuration

    NETCONF and ConfD Verifying the Configuration bulkstats confd-user NETCONF rest certificate rest-cert #exit subscriber default exit aaa group default #exit gtpp group default #exit #exit Notes: • bulkstats, confd-user, and rest are optional. Just configuring server confd enables NETCONF support. Verifying the Configuration There are two Exec mode show commands that display information about the NETCONF-ConfD configuration.
  • Page 450 NETCONF and ConfD show confdmgr Command Subscriptions Last successful id 1461-704882-705350 Last failed id None Username Not configured Bulkstats Enabled Event notification level Disabled SNMP notifications Disabled REST interface authentication none REST interface certificate rest-cert REST interface host name Not configured Interface Status Port...
  • Page 451 [ secure_admin ] rule any-access action permit rule secure_admin_server_confd module-name cisco-staros-cli-config path /context/server/confd access-operations create,read,update action permit nacm rule-list inspector group [ inspector ] rule any-access...
  • Page 452 NETCONF and ConfD show confdmgr Command netconf-state statistics in-sessions 0 netconf-state statistics dropped-sessions 0 netconf-state statistics in-rpcs 0 netconf-state datastores datastore candidate netconf-state schemas schema cisco-staros-bulkstats 2016-12-14 yang namespace http://www.cisco.com/staros-bulkstats location [ NETCONF ] netconf-state schemas schema cisco-staros-bulkstats-config 2016-12-14 yang namespace http://www.cisco.com/staros-config...
  • Page 453 NETCONF and ConfD show confdmgr Command exported-to-all iana-crypt-hash confd-state loaded-data-models data-model revision 2014-08-06 namespace urn:ietf:params:xml:ns:yang:iana-crypt-hash prefix ianach exported-to-all ietf-inet-types confd-state loaded-data-models data-model revision 2013-07-15 namespace urn:ietf:params:xml:ns:yang:ietf-inet-types prefix inet exported-to-all ietf-netconf-acm confd-state loaded-data-models data-model revision 2012-02-22 namespace urn:ietf:params:xml:ns:yang:ietf-netconf-acm prefix nacm exported-to-all confd-state loaded-data-models data-model ietf-netconf-monitoring revision 2010-10-04...
  • Page 454 NETCONF and ConfD show confdmgr Command namespace http://tail-f.com/yang/netconf-monitoring prefix tncm exported-to-all confd-state loaded-data-models data-model tailf-rollback revision 2016-09-15 namespace http://tail-f.com/ns/rollback prefix rollback exported-to [ rest ] confd-state loaded-data-models data-model tailf-webui revision 2013-03-07 namespace http://tail-f.com/ns/webui prefix webui exported-to-all NETCONF SSH listen addresses: PORT --------------- 0.0.0.0...
  • Page 455 NETCONF and ConfD show confdmgr Command show confdmgr model bulkstats See below for a sample output for show confdmgr model bulkstats: [local]<host_name># show confdmgr model bulkstats Model: Bulkstats ---------------- Operational Data: Requests Records Failures Configuration: CLI updates NETCONF updates Aborts Failures local]<host_name># The Operational Data portion of this output includes the following information:...
  • Page 456: Clear Confdmgr Confd Cdb

    See below for a sample output for show confdmgr subscriptions: [local]<host_name># show confdmgr subscriptions Subscriptions: Path Index Namespace --------------------------------------------------- /active-charging http://www.cisco.com/staros-cli-con /context http://www.cisco.com/staros-cli-con /bulkstats/server http://www.cisco.com/staros-config /bulkstats/schemas http://www.cisco.com/staros-config /confd http://www.cisco.com/staros-config [local<host_name># Subscriptions are configuration points defined in the Yang model for which confdmgr wants to be notified when a change occurs.
  • Page 457: Yang Models

    (all native models are included here under a common namespace). • cisco-staros-exec.yang - Model to enable CLI exec operations via the restful interface. Only users with admin credentials may use this model. Used by ConfD locally to parse input.
  • Page 458: Confd Examples

    NETCONF and ConfD ConfD Examples ConfD Examples Server ConfD The following examples use full TLS authentication and curl to obtain server ConfD configuration. Server ConfD Configuration See below for a sample configuration for server ConfD with RESTful interface enabled using non-default NETCONF and HTTPS ports: [local]<host_name># show configuration confd [local]<host_name># config...
  • Page 459: Bulkstats

    Using Curl to Obtain the Server ConfD Configuration See below for a sample use of curl to perform the same get-config operation: [<user>@server] ]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/running/confd?deep --cert /users/<user>/ssl_cert/client_cert/client.crt --key /users/<user>/ssl_cert/client_cert/client.key --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem <confd xmlns="http://www.cisco.com/staros-config" xmlns:y="http://tail-f.com/ns/rest" xmlns:staros_config="http://www.cisco.com/staros-config"> <bulkstats>false</bulkstats> <netconf> <port>123</port> </netconf> <rest>...
  • Page 460 • Statistics will generally be pushed per collection interval timer configured for bulkstats. Using Curl to Read Statistics See below for a sample use of curl to read statistics via the server ConfD RESTful interface: [<user>@server] ]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/operational/bulkstats-operational?deep --cert /users/<user>/ssl_cert/client_cert/client.crt --key /users/<user>/ssl_cert/client_cert/client.key --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem <bulkstats-operational xmlns="http://www.cisco.com/staros-bulkstats"...
  • Page 461: Exec Cli Model

    Using Curl to Obtain the 'show version' Output See below for a sample use of curl to obtain the show version output: cat exec_cli_show_version.xml <input><args>show version</args></input> ************ [<user>@server] ]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/running/staros_exec/_operations/exec --cert /users/<user>/ssl_cert/client_cert/client.crt --key /users/<user>/ssl_cert/client_cert/client.key --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem -X POST -T ./exec_cli_show_version.xml <output xmlns='http://www.cisco.com/staros-exec'> <result>Active Software: Image Version: 21.2.M0.private...
  • Page 462: Cli Based Yang Model For Ecs Commands

    ************************************* CLI Based YANG Model for ECS Commands In this release, the cisco-staros-cli-config.yang model supports a limited set of ECS (Enhanced Charging System) configuration commands via NSO. On the southbound side, ConfD communicates with a StarOS process called via a set of APIs provided by the ConfD management agent.
  • Page 463: Seeding And Synchronizing The Cdb

    The CDB only receives updates via the NETCONF interface. In order to keep the CDB and the StarOS configuration databases in sync, all changes made via CLI access (external to NETCONF) to the cisco-staros-cli-config YANG model supported configuration objects must be applied to the CDB manually. Seeding and Synchronizing the CDB After enabling server confd you may need to initially seed the CDB with a local copy of the configuration database (CDB) managed by ConfD on StarOS.
  • Page 464: Cdb Maintenance

    NETCONF and ConfD CDB Maintenance CDB Maintenance A local copy of the ConfD Configuration Database (CDB) is managed by ConfD on StarOS. You can show and save all ConfD supported StarOS configuration commands to a URL. The confd keyword has been added to the show configuration and save configuration commands for these purposes. After saving a ConfD-supported configuration to a URL, you can apply it directly to the CDB via the Exec mode configure confd <url>...
  • Page 465: Save Configuration Confd

    NETCONF and ConfD Supported StarOS ECS Configuration Commands save configuration <url> confd The keyword confd is added to the Exec mode save configuration command. This keyword filters the saved configuration commands to contain only configuration commands that are supported by the YANG model. The command syntax for this process is: host_name save configuration <url>...
  • Page 466 NETCONF and ConfD Supported StarOS ECS Configuration Commands • action priority <priority_number> group-of-ruledefs <ruledefs_group_name> charging-action <charging_action_name> Note "= *" indicates support for every option following the prior keyword/value.
  • Page 467: Overview Of Checkpointing

    APPENDIX ICSR Checkpointing This appendix lists and describes macro- and micro-checkpoints employed by the Interchassis Session Recovery framework. Checkpoints are exchanged between the active and standby ICSR chassis via the Service Redundancy Protocol (SRP). The following topics are discussed: •...
  • Page 468: Ggsn_Apn Id Mapping

    ICSR Checkpointing GGSN_APN ID MAPPING GGSN_APN ID MAPPING This macro-checkpoint is sent from the active to the standby chassis to map APN names on the standby chassis. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever a TCP connection is established between the sessmgrs and they move to READY_STATE.
  • Page 469: Vpnmgr_Id Mapping

    ICSR Checkpointing VPNMGR_ID MAPPING • Accounting: No • Delta/Cumulative: N/A • Related CLI command: show session subsystem facility sessmgr instance <instance no> debug-info VPNMGR_ID MAPPING This macro-checkpoint is sent from the active to the standby chassis to map VPNs on the standby chassis. •...
  • Page 470: Uncategorized

    ICSR Checkpointing Uncategorized Uncategorized SESS_UCHKPT_CMD_INVALIDATE_CRR This micro-checkpoint is sent to the standby chassis to clear a deleted call. It carries the Call ID and other information that must be deleted on the standby chassis. • Time based: No • Frequency: N/A •...
  • Page 471: Dcca Category

    ICSR Checkpointing DCCA Category • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 2 • Related CLI command: None DCCA Category SESS_UCHKPT_CMD_DCCA_SESS_INFO This micro-checkpoint sends Credit Control (CC) related information. • Time based: Yes • Frequency: 18 seconds for GR micro-checkpoint •...
  • Page 472: Sess_Uchkpt_Cmd_Acs_Gx_Li_Info

    ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_ACS_GX_LI_INFO This micro-checkpoint sources lawful intercept (LI) related information maintained by ECS. • Time based: Yes • Frequency: — • Event based: Yes • Events: Occurs whenever LI information is created or modified. • Accounting: No •...
  • Page 473: Sess_Uchkpt_Cmd_Del_Acs_Sess_Info

    ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_DEL_ACS_SESS_INFO This micro-checkpoint notifies that a Release Bearer event has occurred. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever an ECS Release Bearer message is processed. • Accounting: No •...
  • Page 474: Sess_Uchkpt_Cmd_Dynamic_Chrg_Del_Qg_Info

    ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_QG_INFO This micro-checkpoint notifies that a dynamic QoS group has been deleted. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever a dynamic QoS group has been deleted. • Accounting: No •...
  • Page 475: Sess_Uchkpt_Cmd_Dynamic_Rule_Info

    ICSR Checkpointing ePDG Category SESS_UCHKPT_CMD_DYNAMIC_RULE_INFO This micro-checkpoint sources predefined and dynamic rule related information maintained by ECS. • Time based: Yes • Frequency: — • Event based: Yes • Events: Occurs whenever a dynamic rule is created or modified. • Accounting: No •...
  • Page 476: Sess_Uchkpt_Cmd_Update_Epdg_Peer_Addr

    ICSR Checkpointing ePDG Category • CMD-ID: 110 • Related CLI command: show srp micro-checkpoint statistics debug-info SESS_UCHKPT_CMD_UPDATE_EPDG_PEER_ADDR This micro-checkpoint synchronizes ePDG peer addresses between the active and standby chassis. • Time based: No • Frequency: N/A • Event based: Yes •...
  • Page 477: Firewall/Ecs Category

    ICSR Checkpointing Firewall/ECS Category • Delta/Cumulative: Cumulative • CMD-ID: 110 • Related CLI command: show srp micro-checkpoint statistics debug-info Firewall/ECS Category SESS_UCHKPT_CMD_SFW_DEL_RULE_INFO This micro-checkpoint is sent when a ruledef is deleted for a bearer. • Time based: No • Frequency: N/A •...
  • Page 478: Ggsn Category

    ICSR Checkpointing GGSN Category GGSN Category SESS_UCHKPT_CMD_GGSN_DELETE_SUB_SESS This micro-checkpoint sends an update when a secondary bearer is deleted. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs upon secondary bearer deletion • Accounting: — • Delta/Cumulative: — •...
  • Page 479: Sess_Uchkpt_Cmd_Ggsn_Update_Stats

    ICSR Checkpointing GGSN Category • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs for a network initiated or UE initiated update. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 171 • Related CLI command: show srp checkpoint statistics active verbose, and show session subsystem facility sessmgr instance <instance_number>...
  • Page 480: Gx Interface Category

    ICSR Checkpointing Gx Interface Category Gx Interface Category SESS_UCHKPT_CMD_ACS_VOLUME_USAGE This micro-checkpoint sends volume usage over Gx accounting buckets. • Time based: Yes • Frequency: 4 seconds for aamgr micro-checkpoint and 18 seconds for GR micro-checkpoint • Event based: No • Events: Send along with macro-checkpoint •...
  • Page 481: Sess_Uchkpt_Cmd_Gr_Update_Nat_Realms

    ICSR Checkpointing NAT Category • Event based: Yes • Events: Triggered when a new NAT port chunk is allocated or deleted. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 105 • Related CLI command: None SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALMS This micro-checkpoint is sent when a NAT IP address is allocated to or deallocated from a subscriber. For an on-demand case, it is triggered when the first packet matching a particular NAT realm is received and the NAT IP address is allocated to the subscriber.
  • Page 482: Sess_Uchkpt_Cmd_Nat_Sip_Alg_Contact_Ph_Info

    ICSR Checkpointing NAT Category SESS_UCHKPT_CMD_NAT_SIP_ALG_CONTACT_PH_INFO This micro-checkpoint is sent when a received SIP packet is analyzed and pinholes are created in the NAT firewall. • Time based: No • Frequency: N/A • Event based: Yes • Events: Triggered when a SIP packet creates pinholes in the NAT firewall. •...
  • Page 483: P-Gw Category

    ICSR Checkpointing P-GW Category • Events: Triggered when a new flow with bypass-nat enabled is created or deleted. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 60 • Related CLI command: None P-GW Category SESS_UCHKPT_CMD_PGW_DELETE_SUB_SESS Reserved for future use. SESS_UCHKPT_CMD_PGW_OVRCHRG_PRTCTN_INFO This micro-checkpoint indicates that the S-GW has set the Overcharging Protection bit in the MBR.
  • Page 484: Sess_Uchkpt_Cmd_Pgw_Ubr_Mbr_Info

    ICSR Checkpointing P-GW Category SESS_UCHKPT_CMD_PGW_UBR_MBR_INFO This micro-checkpoint is sent at the end of a UBR (Update Bearer Request) or MBR (Modify Bearer Request) except when the UBR/MBR procedure results in the following scenarios: • TFT change • Bearer update or modification for a collapsed call •...
  • Page 485: Sess_Uchkpt_Cmd_Pgw_Update_Pdn_Common_Param

    ICSR Checkpointing Rf Interface Category • Related CLI command: None SESS_UCHKPT_CMD_PGW_UPDATE_PDN_COMMON_PARAM Reserved for future use. SESS_UCHKPT_CMD_PGW_UPDATE_QOS Reserved for future use. SESS_UCHKPT_CMD_PGW_UPDATE_SGW_CHANGE Reserved for future use. SESS_UCHKPT_CMD_PGW_UPDATE_STATS This micro-checkpoint periodically sends session statistics. • Time based: Yes • Frequency: Every five minutes •...
  • Page 486: Sess_Uchkpt_Cmd_Acs_Accounting_Type_Qci_Rf_With_Fc

    ICSR Checkpointing Rf Interface Category • CMD-ID: 126 • Related CLI command: None SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF_WITH_FC This micro-checkpoint indicates complete SDF+QCI-based Rf accounting buckets. • Time based: Yes • Frequency: 4 seconds for aamgr checkpoint and 18 seconds for GR checkpoint • Event based: No •...
  • Page 487: S6B Interface Category

    ICSR Checkpointing S6b Interface Category • CMD-ID: 163 • Related CLI command: None S6b Interface Category SESS_UCHKPT_CMD_S6B_INFO This micro-checkpoint sends the Restoration Priority Indicator when reauthorization occurs over the S6b interface. • Time based: No • Frequency: N/A • Event based: Yes •...
  • Page 488: Sess_Uchkpt_Cmd_Cgw_Update_Bearer_Qos

    ICSR Checkpointing SaMOG Category SESS_UCHKPT_CMD_CGW_UPDATE_BEARER_QOS This micro-checkpoint indicates a QoS update for the bearer. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs when a change in Bearer QoS is received from the P-GW due to a reauthorization (AAR Received from AAA Server) or Update-Bearer-Request.
  • Page 489: Sess_Uchkpt_Cmd_Samog_Acct_Start_Info

    ICSR Checkpointing SaMOG Category • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs on receipt of an Accounting Req (INTERIM-UPDATE) from the WLC. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 177 • Related CLI command: show subscriber samog-only full SESS_UCHKPT_CMD_SAMOG_ACCT_START_INFO This micro-checkpoint is sent for a SaMOG session on receipt of an Accounting Req (START) from the WLC (Wireless LAN Controller).
  • Page 490: Sess_Uchkpt_Cmd_Samog_Gtpv1_Update_Pdn_Info

    ICSR Checkpointing SaMOG Category SESS_UCHKPT_CMD_SAMOG_GTPV1_UPDATE_PDN_INFO This micro-checkpoint is sent for a SaMOG session upon receipt of an Update-PDP-Context-Req from the GGSN to update the PDN information. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs after successful SaMOG processing of an Update-PDP-Context-Req from the GGSN. •...
  • Page 491: Sess_Uchkpt_Cmd_Samog_Li_Prov_Info

    ICSR Checkpointing SaMOG Category • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 175 • Related CLI command: show subscriber samog-only full SESS_UCHKPT_CMD_SAMOG_LI_PROV_INFO This micro-checkpoint is sent for a SaMOG session that is on lawful intercept (LI) Active-Camp-on mode. • Time based: No •...
  • Page 492 ICSR Checkpointing SaMOG Category • Events: Occurs after SaMOG sends an Access-Challenge for an existing SaMOG subscriber session during Re-authentication. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 184 • Related CLI command: show subscriber samog-only full SESS_UCHKPT_CMD_SAMOG_REAUTHEN_INFO This micro-checkpoint is sent for a SaMOG session when subscriber Re-authentication is completed. •...
  • Page 493 APPENDIX ASR 5500 SDR CLI Command Strings • ASR 5500 SDR CLI Command Strings, page 461 ASR 5500 SDR CLI Command Strings This appendix identifies the CLI command strings that can be entered for a record section via the support record section command in the Global Configuration Mode.
  • Page 494 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show hardware inventory"
    Disabled      "show hardware version"
    Disabled      "show card hardware"
    Disabled      "show card dhaccel hardware counters"
    Enabled       "show hd raid verbose"
    Enabled       "debug hdctrl mdstat"...
  • Page 495 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show alarm outstanding"
    Disabled      "show alarm statistics"
    Enabled       "show cpu table"
    Disabled      "show cpu info verbose"
    Enabled       "show cpu errors verbose"
    Enabled       "show cpu performance verbose"
    Disabled      "show resources"...
  • Page 496 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show ipsg statistics"
    Disabled      "show pdsn-service all"
    Disabled      "show hsgw-service all"
    Disabled      "show hsgw-service statistics all"
    Disabled      "show epdg-service all counters"
    Disabled      "show epdg-service statistics"
    Disabled      "show fa-service all"...
  • Page 497 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show session progress"
    Disabled      "show session subsystem data-info verbose"
    Disabled      "show session subsystem full data-info"
    Disabled      "show session subsystem facility sessmgr all debug-info"
    Disabled      "show sessctrl config-reconciliation statistics"...
  • Page 498 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show ss7-routing-domain all sctp asp all status peer-server all peer-server-process all verbose"
    Enabled       "show ss7-routing-domain all sctp asp all statistics gen"
    Disabled      "show ss7-routing-domain all m3ua status peer-server all"
    Disabled      "show ss7-routing-domain all m3ua statistics peer-server all peer-server-process all"...
  • Page 499 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show mme-service statistics debug"
    Disabled      "show mme-service db statistics"
    Disabled      "show sgs-service all"
    Disabled      "show sgs-service vlr-status full"
    Disabled      "show sgs-service statistics all"
    Enabled       "show sgw-service statistics all"...
  • Page 500 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show demuxmgr statistics l2tpmgr all"
    Disabled      "show demuxmgr statistics ipsgmgr all"
    Enabled       "show demuxmgr statistics sgtpcmgr all"
    Disabled      "show demuxmgr statistics imsimgr all"
    Enabled       "show demuxmgr statistics gtpcmgr all"...
  • Page 501 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Enabled       "show session recovery status verbose"
    Enabled       "show clock all"
    Disabled      "show sntp statistics verbose"
    Disabled      "show llc statistics verbose"
    Disabled      "show bssgp statistics verbose"
    Disabled      "show bssap+ statistics verbose"...
  • Page 502 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Enabled       "show active-charging ruledef statistics all firewall wide"
    Disabled      "show active-charging regex status all"
    Disabled      "show active-charging regex statistics memory summary"
    Disabled      "show active-charging regex statistics ruledef summary"
    Disabled      "show active-charging edr-format statistics"...
  • Page 503 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show diameter route table debug-info"
    Disabled      "show diameter peers full debug"
    Disabled      "show diameter aaa-statistics"
    Disabled      "show diameter aaa-statistics all"
    Disabled      "show diameter aaa-statistics debug-info"
    Disabled      "show diameter accounting servers debug-info"...
  • Page 504 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show content-filtering category database facility srdbmgr all verbose"
    Disabled      "show content-filtering category statistics"
    Disabled      "show content-filtering category statistics facility srdbmgr all"
    Disabled      "show active-charging content-filtering category statistics"
    Disabled      "show active-charging content-filtering server-group statistics verbose"...
  • Page 505 ASR 5500 SDR CLI Command Strings

    Default SDR   Command String
    Disabled      "show pcc-af service all"
    Disabled      "show pcc-af service statistics all"
    Disabled      "show pcc-sp-endpoint all"
    Disabled      "show pcc-sp-endpoint statistics all"
    Disabled      "show event-notif server all"
    Disabled      "show event-notif statistics"...
  • Page 506 ASR 5500 SDR CLI Command Strings ASR 5500 SDR CLI Command Strings ASR 5500 System Administration Guide, StarOS Release 21.4...
  • Page 507: Cisco Secure Boot

    APPENDIX Cisco Secure Boot This appendix briefly describes the Cisco Secure Boot process and how it impacts image naming conventions. It contains the following sections: • Fundamental Concepts, page 475 • Secure Boot Overview, page 476 •...
  • Page 508: Secure Boot Overview

    Secure Boot Overview Cisco Secure Boot places the Root of Trust in a hardware chip device on a circuit card where it cannot be changed. The first code (microloader) that executes immediately after power on is guaranteed to be legitimate code from Cisco and programmed during the time of system manufacturing.

This manual is also suitable for:

ASR 5500
