ASR 5500 System Administration Guide, StarOS Release 19 (410 pages)
ASR 5500 System Administration Guide, StarOS Release 21.4 First Published: 2017-11-22 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
Contents: About this Guide xxix; Preface: Conventions Used xxix; Related Documentation; MIOs and DPCs; Contacting Customer Support xxxi. Chapter 1, System Operation and Configuration: System Management Overview; Terminology; Contexts...
Contents: Alphanumeric Strings; Character Set; Quoted Strings. Chapter 2, Getting Started: ASR 5500 Configuration; Using the ASR 5500 Quick Setup Wizard; The Quick Setup Wizard; Using the CLI for Initial Configuration; Configuring System Administrative Users; Limiting the Number of Concurrent CLI Sessions; Automatic Logout of CLI Sessions; Configuring the System for Remote Access...
Contents: Chapter 3, System Settings: Configuring a Second Management Interface; Verifying and Saving Your Interface and Port Configuration; Configuring System Timing; Setting the System Clock and Time Zone; Verifying and Saving Your Clock and Time Zone Configuration; Configuring Network Time Protocol Support; Configuring NTP Servers with Local Sources; Using a Load Balancer...
Contents Associating an SFTP root Directory with an Administrator Associating an SFTP root Directory with a Config Administrator Configuring TACACS+ for System Administrative Users Operation User Account Requirements TACACS+ User Account Requirements StarOS User Account Requirements Configuring TACACS+ AAA Services Configuring TACACS+ for Non-local VPN Authentication Verifying the TACACS+ Configuration Separating Authentication Methods...
Contents: Preferred Slot; Auto-Switch Criteria; Link Aggregation Control; Minimum Links; Redundancy Options; Horizontal Link Aggregation with Two Ethernet Switches; Non-Redundant (Active-Active) LAG; Faster Data Plane Convergence; Link Aggregation Status; Configuring a Demux Card; Overview; MIO Demux Restrictions; Configuration. Chapter 4, Config Mode Lock Mechanisms: Overview of Config Mode Locking; Requesting an Exclusive-Lock...
Contents: Feature Configuration; Service Configuration; Context Configuration; System Configuration; Finding Configuration Errors; Synchronizing File Systems; Saving the Configuration. Chapter 7, System Interfaces and Ports: Contexts; Creating Contexts; Viewing and Verifying Contexts; Ethernet Interfaces and Ports; Creating an Interface; Configuring a Port and Binding It to an Interface; Configuring a Static Route for an Interface...
Contents: User Access to Operating System Shell; Test-Commands; Enabling cli test-commands Mode; Enabling Password for Access to CLI-test commands; Exec Mode cli test-commands; Configuration Mode cli test-commands. Chapter 9, Secure System Configuration File: Feature Summary and Revision History; Feature Description; How System Configuration Files are Secured; Create a Digital Signature...
Contents Configuring the Boot Stack System Boot Methods Viewing the Current Boot Stack Adding a New Boot Stack Entry Deleting a Boot Stack Entry Network Booting Configuration Requirements Configuring the Boot Interface Configuring the Boot Network Configuring Boot Network Delay Time Configuring a Boot Nameserver Upgrading the Operating System Software Identifying OS Release Version and Build Number...
Chapter 11: Feature Summary and Revision History; Smart Software Licensing; Cisco Smart Software Manager; Smart Accounts/Virtual Accounts; Request a Cisco Smart Account; Software Tags and Entitlement Tags; Configuring Smart Licensing; Monitoring and Troubleshooting Smart Licensing; Smart Licensing Bulk Statistics...
Contents Configuring Bulk Statistic Schemas Configuring a Separate Bulkstats Config File Using show bulkstats Commands Verifying Your Configuration Saving Your Configuration Viewing Collected Bulk Statistics Data Collecting Bulk Statistics Samples in SSD Manually Gathering and Transferring Bulk Statistics Clearing Bulk Statistics Counters and Information Bulkstats Schema Nomenclature Statistic Types Data Types...
Contents: Reducing Excessive Event Logging; Configuring Log Source Thresholds; Checkpointing Logs; Saving Log Files; Event ID Overview; Event Severities; Understanding Event ID Information in Logged Output. Chapter 15, Troubleshooting: Detecting Faulty Hardware; Licensing Issues; Using the CLI to View Status LEDs; Checking the LEDs on the PFU; Checking the LEDs on the MIO Card...
Contents SSC System Service LED States Testing System Alarm Outputs Taking Corrective Action Switching MIOs Busying Out a DPC Migrating a DPC Halting Cards Initiate a Card Halt Restore a Previously Halted Card Verifying Network Connectivity Using the ping or ping6 Command Syntax Troubleshooting Using the traceroute or traceroute6 Command...
Contents: Show Command(s) and/or Outputs; show cdr statistics; show { hexdump-module | cdr } file-space-usage; show hexdump-module statistics. Chapter 17, System Recovery: Prerequisites; Console Access; Boot Image; Accessing the boot CLI; Initiate a Reboot; Interrupt the Boot Sequence; Enter CLI Mode; boot Command Syntax...
Contents Applying an ACL to All Traffic Within a Context Verifying the ACL Configuration in a Context Applying an ACL to a RADIUS-based Subscriber Applying an ACL to an Individual Subscriber Verifying the ACL Configuration to an Individual Subscriber Applying an ACL to the Subscriber Named default Applying an ACL to the Subscriber Named default Verifying the ACL Configuration to the Subscriber Named default Applying an ACL to Service-specified Default Subscriber...
Contents Static Routing Adding Static Routes to a Context Deleting Static Routes From a Context OSPF Routing OSPF Version 2 Overview Basic OSPFv2 Configuration Enabling OSPF Routing For a Specific Context Enabling OSPF Over a Specific Interface Redistributing Routes Into OSPF (Optional) Confirming OSPF Configuration Parameters OSPFv3 Routing OSPFv3 Overview...
Contents BGP CLI Configuration Commands Confirming BGP Configuration Parameters Bidirectional Forwarding Detection Overview of BFD Support Configuring BFD Configuring a BFD Context Configuring IPv4 BFD for Static Routes Configuring IPv6 BFD for Static Routes Configuring BFD for Single Hop Configuring Multihop BFD Scaling of BFD Associating BGP Neighbors with the Context Associating OSPF Neighbors with the Context...
Contents: Chapter 21, VLANs: Overview; Overlapping IP Address Pool Support – GGSN; RADIUS VLAN Support – Enhanced Charging Services; APN Support – PDN Gateway (P-GW); Creating VLAN Tags; Verifying the Port Configuration; Configuring Subscriber VLAN Associations; RADIUS Attributes Used; Configuring Local Subscriber Profiles; Verify the Subscriber Profile Configuration...
Contents: Chapter 24, Session Recovery: How Session Recovery Works; Additional ASR 5500 Hardware Requirements; Configuring the System to Support Session Recovery; Enabling Session Recovery; Enabling Session Recovery on an Out-of-Service System; Enabling Session Recovery on an In-Service System; Disabling the Session Recovery Feature; Viewing Session Recovery Status; Viewing Recovered Session Information...
Contents SRP Redundancy, AAA and Diameter Guard Timers DSCP Marking of SRP Messages Optimizing Switchover Transitions Allow Non-VoLTE Traffic During ICSR Switchover Allow All Data Traffic Allow Early Active Transition Graceful Cleanup of ICSR After Audit of Failed Calls Optimization of Switchover Control Outage Time Configuring the SRP Context Interface Parameters Configuring NACK Generation for SRP Checkpoint Messaging Failures Enabling NACK Messaging from the Standby Chassis...
Contents Updating the Boot Record Synchronizing File Systems Reboot StarOS Updating the Configuration File Verifying the Software Version Saving the Configuration File Completing the Update Process Waiting for Session Synchronization Primary System Initiating an SRP Switchover Checking AAA Monitor Status on the Newly Active System Completing the Software Update Initiating an SRP Switchover Making Test Calls...
Contents: Packet Data Network (PDN) Interface Rules; Context Rules; Subscriber Rules; Service Rules; Access Control List (ACL) Engineering Rules; ECMP Groups. Appendix B, StarOS Tasks: Overview; Primary Task Subsystems; Controllers and Managers; Subsystem Tasks; System Initiation Subsystem; High Availability Subsystem; Resource Manager Subsystem...
Contents rest port Sample Configuration Verifying the Configuration show confdmgr Command clear confdmgr confd cdb clear confdmgr statistics YANG Models Show Support Details (SSD) ConfD Examples Server ConfD Bulkstats Exec CLI Model CLI Based YANG Model for ECS Commands Seeding and Synchronizing the CDB show configuration confd Command CDB Maintenance clear confdmgr confd cdb...
SESS_UCHKPT_CMD_SAMOG_MULTI_ROUND_AUTHEN_INFO; SESS_UCHKPT_CMD_SAMOG_REAUTHEN_INFO; SESS_UCHKPT_CMD_SAMOG_REAUTHOR_INFO. Appendix E, ASR 5500 SDR CLI Command Strings. Appendix F, Cisco Secure Boot: Fundamental Concepts; Secure Boot Overview; MIO2 Support for Secure Boot...
About this Guide This preface describes the ASR 5500 System Administration Guide, how it is organized and its document conventions. The System Administration Guide describes how to generally configure and maintain StarOS running on an ASR 5500 platform. It also includes information on monitoring system performance and troubleshooting. •...
Related Documentation The most up-to-date information for this product is available in the product Release Notes provided with each software release. The following user documents are available on www.cisco.com: • ASR 5500 Installation Guide • AAA Interface Administration and Reference •...
Use the information in this section to contact customer support. Refer to the support area of http://www.cisco.com for up-to-date product documentation or to submit a service request. A valid username and password are required to access this site. Please contact your Cisco sales or service representative for additional information.
Chapter 1: System Operation and Configuration. The ASR 5500 is designed to provide subscriber management services for Mobile Packet Core networks. Before you connect to the command line interface (CLI) and begin system configuration, you must understand how the system supports these services.
System Operation and Configuration System Management Overview There are multiple ways to manage the system either locally or remotely using its out-of-band management interfaces. Figure 1: System Management Interfaces Management options include: • Local login through the Console port on the MIO/MIO2 card using an RS-232 Console connection (RJ45) directly or indirectly via a terminal server •...
A Universal PID license must be purchased and installed on the chassis for each installed UMIO and UDPC/UDPC2. Contact your Cisco account representative for additional licensing information. Important: Throughout this guide, any reference to an MIO card or DPC is assumed to also refer to the UMIO and UDPC/UDPC2 respectively.
System Operation and Configuration Logical Interfaces. Logical Interfaces: You must associate a port with a StarOS virtual circuit or tunnel called a logical interface before the port can allow the flow of user data. Within StarOS, a logical interface is a named interface associated with a virtual router instance that provides higher-layer protocol transport, such as Layer 3 IP addressing.
System Operation and Configuration Trusted Builds • Local Subscribers: These are subscribers, primarily used for testing purposes, that are configured and authenticated within a specific context. Unlike RADIUS-based subscribers, the local subscriber's user profile (containing attributes like those used by RADIUS-based subscribers) is configured within the context where they are created.
System Operation and Configuration How the System Selects Contexts How the System Selects Contexts This section describes the process that determines which context to use for context-level administrative users or subscriber sessions. Understanding this process allows you to better plan your configuration in terms of how many contexts and interfaces you need to configure.
System Operation and Configuration Context Selection for Context-level Administrative User Sessions The following table and flowchart describe the process that the system uses to select an AAA context for a context-level administrative user. Items in the table correspond to the circled numbers in the flowchart. Figure 2: Context-level Administrative User AAA Context
System Operation and Configuration Context Selection for Context-level Administrative User Sessions Table 1: Context-level Administrative User AAA Context Selection Item Description During authentication, the system determines whether local authentication is enabled in the local context. If it is, the system attempts to authenticate the administrative user in the local context. If it is not, proceed to item 2 in this table.
System Operation and Configuration Context Selection for Subscriber Sessions Context Selection for Subscriber Sessions The context selection process for a subscriber session is more involved than that for the administrative users. Subscriber session context selection information for specific products is located in the Administration Guide for the individual product.
System Operation and Configuration Understanding Configuration Files The following steps describe the system's boot process: Step 1 When power is first applied to the chassis, or after a reboot, only the MIO/UMIO/MIO2s in slot 5 and slot 6 receive power. Step 2 During the startup process, the MIO/UMIO/MIO2 performs a series of power-on self tests (POSTs) to ensure that its hardware is operational.
System Operation and Configuration Understanding Configuration Files. Important: Pipes ( | ), used with the grep and more keywords, can potentially cause errors in configuration file processing. Therefore, the system automatically ignores keywords with pipes during processing. Important: Always save configuration files in UNIX format. Failure to do so can result in errors that prevent configuration file processing.
System Operation and Configuration IP Address Notation IP Address Notation When configuring a port interface via the CLI you must enter an IP address. The CLI always accepts an IPv4 address, and in some cases accepts an IPv6 address as an alternative. For some configuration commands, the CLI also accepts CIDR notation.
System Operation and Configuration Alphanumeric Strings CIDR notation is constructed from the IP address and the prefix size, the latter being the number of leading 1 bits of the routing prefix. The IP address is expressed according to the standards of IPv4 or IPv6. It is followed by a separator character, the slash (/) character, and the prefix size expressed as a decimal number.
System Operation and Configuration Quoted Strings Quoted Strings If descriptive text requires the use of spaces between words, the string must be entered within double quotation marks (" "). For example: interface "Rack 3 Chassis 1 port 5/2"
Chapter 2: Getting Started • ASR 5500 Configuration, page 17 • Using the ASR 5500 Quick Setup Wizard, page 17 • Using the CLI for Initial Configuration, page 24 • Configuring System Administrative Users, page 26 •...
Getting Started The Quick Setup Wizard The Quick Setup Wizard The Quick Setup Wizard consists of a series of questions that prompt you for input before proceeding to the next question. Some prompts may be skipped depending on previous responses or whether a particular function is supported in the StarOS release.
Getting Started The Quick Setup Wizard. Ques.: (not shown). Task: Change chassis key value. Description/Notes: A unique chassis key is configured at the factory for each system. This key is used to decrypt encrypted passwords found in generated configuration files. The system administrator can create a unique chassis key that will be used to encrypt passwords stored in configuration files.
Getting Started The Quick Setup Wizard. Ques.: 14, 17, ... Task: Configure a single Management Input/Output (MIO/UMIO/MIO2) interface for out-of-band system management. Description/Notes: Traffic on the management LAN is not transferred over the same media as user data and control signaling.
Getting Started The Quick Setup Wizard. Ques.: (not shown). Task: Enable FTP access to the system. Description/Notes: File Transfer Protocol (FTP) uses TCP port number 21 by default, if enabled. Note: For maximum system security, do not enable FTP. Note: In release 20.0 and higher Trusted StarOS builds, FTP is not supported.
Getting Started The Quick Setup Wizard. Important: Once configuration using the wizard is complete, proceed to the instructions on how to configure other system parameters. Figure 4: MIO Interfaces (legend): Console port [Port 3]; USB port;
Getting Started Using the CLI for Initial Configuration. 1 GbE ports (1000Base-T) [Ports 1 and 2]; 100 GbE ports, DC-2 [Ports 20 and 21]; 10 GbE ports, DC-2 [Ports 22 and 23]. Using the CLI for Initial Configuration: The initial configuration consists of the following: •...
Getting Started Using the CLI for Initial Configuration. Step 5 Enter the following command to configure a hostname by which the system will be recognized on the network:
[local]host_name(config)# system hostname host_name
host_name is the name by which the system will be recognized on the network. The hostname is an alphanumeric string of 1 through 63 characters that is case sensitive.
Getting Started Configuring System Administrative Users Configuring System Administrative Users This section describes some of the security features that allow security administrators to control user accounts. Limiting the Number of Concurrent CLI Sessions Security administrators can limit the number of concurrent interactive CLI sessions. Limiting the number of concurrent interactive sessions reduces the consumption of system-wide resources.
Getting Started Configuring the System for Remote Access. Idle Timeout: allows a security administrator to specify the maximum number of minutes that a session can remain idle before it is automatically disconnected. The session timeout and idle timeout fields are not mutually exclusive. Important: If both are specified, the idle timeout should always be lower than the session timeout, since otherwise the session timeout will always be reached first and the idle timeout will never take effect.
Getting Started Configuring the System for Remote Access. Step 3 Configure the system to allow SSH access:
[local]host_name(config-ctx)# ssh generate key [ type { v1-rsa | v2-rsa | v2-dsa } ]
v2-rsa is the recommended key type. In StarOS 19.2 and higher, the v1-rsa keyword has been removed from, and the v2-dsa keyword concealed within, the Context Configuration mode ssh generate CLI command (SSH protocol version 1 and DSA host keys are both obsolete and should not be used).
Getting Started Configuring SSH Options. Step 8 Verify the configuration of the IP routes by entering the following command:
[local]host_name# show ip route
The CLI output should be similar to the sample output: "*" indicates the Best or Used route. Destination Nexthop Protocol...
Getting Started SSH Host Keys The v1-rsa keyword has been removed from the Exec mode show ssh key CLI command. SSH Host Keys SSH key-based authentication uses two keys, one "public" key that anyone is allowed to see, and another "private"...
Getting Started SSH Host Keys. Specifying SSH Encryption Ciphers: The SSH Configuration mode ciphers CLI command configures the cipher priority list in sshd for SSH symmetric encryption. It changes the cipher options for that context. Step 1 Enter the SSH Configuration mode.
[local]host_name(config-ctx)# server sshd
Getting Started Authorized SSH User Access Generating SSH Keys The ssh generate command generates a public/private key pair which is to be used by the SSH server. The v1-rsa keyword has been removed from and the v2-dsa keyword concealed within the ssh generate CLI command.
Getting Started SSH User Login Restrictions. Authorizing SSH User Access: The SSH Configuration mode authorized-key command grants user access to a context from a specified host. Step 1 Go to the SSH Configuration mode.
[local]host_name(config-ctx)# server sshd
[local]host_name(config-sshd)#
Step 2 Specify administrative user access via the authorized-key command.
Getting Started SSH User Login Authentication. Step 2 Go to the SSH Configuration mode.
[local]host_name(config-ctx)# server sshd
Step 3 Configure the SSH user list.
[local]host_name(config-sshd)# allowusers add user_list
user_list specifies a list of user name patterns, separated by spaces, as an alphanumeric string of 1 through 999 characters. If the pattern takes the form 'USER' then login is restricted for that user.
45 seconds (using default parameters). Two SSH Configuration mode CLI commands allow you to disable or modify this default sshd disconnect behavior. Important: For higher security, Cisco recommends at least a client-alive-countmax of 2 and a client-alive-interval of 5.
Getting Started SSH Client Login to External Servers. Step 3 Set the ClientAliveCountMax parameter to 2.
[local]host_name(config-sshd)# client-alive-countmax 2
Step 4 Set the ClientAliveInterval parameter to 5 seconds.
[local]host_name(config-sshd)# client-alive-interval 5
Step 5 Exit the SSH Configuration mode.
[local]host_name(config-sshd)#...
Getting Started SSH Client Login to External Servers • aes256-gcm@openssh.com – AES, 256-bit key size, GCM, OpenSSH • chacha20-poly1305@openssh.com – ChaCha20 symmetric cipher, Poly1305 cryptographic Message Authentication Code [MAC], OpenSSH The default string for algorithms in a Normal build is: aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com, blowfish-cbc,3des-cbc,aes128-cbc The default string for algorithms in a Trusted build is:...
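The sshd ciphers priority list (Specifying SSH Encryption Ciphers) and the SSH client algorithms string above both accept a comma-separated cipher list, and the Normal-build default quoted above still ends with blowfish-cbc, 3des-cbc and aes128-cbc. The following is an added example, not Cisco or StarOS code: it audits such a list against a weak-cipher policy (CBC mode, 3DES, Blowfish) that is this example's own, and produces the hardened list. The exact "ciphers <list>" command form assumes the list is simply appended to the keyword named in the guide.

```python
"""Audit a StarOS SSH cipher list and derive a hardened one (added example)."""
from typing import Dict, List, Optional

# Default cipher string quoted by the guide for a Normal (non-Trusted) build.
NORMAL_BUILD_DEFAULT = (
    "aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,"
    "aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,"
    "blowfish-cbc,3des-cbc,aes128-cbc"
)

# Policy of this example: 64-bit-block or deprecated algorithms, and any CBC mode.
LEGACY_PREFIXES = ("3des", "blowfish", "arcfour", "cast128")
AEAD_SUFFIXES = ("-gcm@openssh.com", "chacha20-poly1305@openssh.com")


def weakness(cipher: str) -> Optional[str]:
    """Return the reason a cipher is considered weak, or None if acceptable."""
    name = cipher.strip().lower()
    if name.startswith(LEGACY_PREFIXES):
        return "legacy cipher: 64-bit block size or deprecated algorithm"
    if name.endswith("-cbc"):
        return "CBC mode: unauthenticated, plaintext-recovery issues in SSH"
    return None


def audit(cipher_string: str) -> Dict[str, Optional[str]]:
    """Map each cipher in the list (priority order preserved) to its weakness, if any."""
    return {c.strip(): weakness(c) for c in cipher_string.split(",") if c.strip()}


def weak_ciphers(cipher_string: str) -> List[str]:
    return [c for c, why in audit(cipher_string).items() if why is not None]


def harden(cipher_string: str) -> str:
    """Drop weak entries while keeping the operator's priority order."""
    return ",".join(c for c, why in audit(cipher_string).items() if why is None)


def staros_ciphers_command(cipher_string: str) -> str:
    """SSH Configuration mode line (assumed form: the guide's keyword plus the list)."""
    return "ciphers " + harden(cipher_string)


def check_setting(configured: str) -> List[str]:
    """Findings for a configured list; also flags a list with no AEAD cipher at all."""
    entries = audit(configured)
    findings = [f"{c}: {why}" for c, why in entries.items() if why is not None]
    if not any(c.endswith(AEAD_SUFFIXES) for c in entries):
        findings.append("no AEAD cipher (GCM or ChaCha20-Poly1305) offered")
    return findings


if __name__ == "__main__":
    for finding in check_setting(NORMAL_BUILD_DEFAULT):
        print("finding:", finding)
    print(staros_ciphers_command(NORMAL_BUILD_DEFAULT))
```

Run against the default, it reports the three trailing CBC entries and prints the ciphers command with only CTR and AEAD ciphers left; the same list can be used for the client algorithms string.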
Getting Started SSH Client Login to External Servers. Generating SSH Client Key Pair: You use commands in the SSH Client Configuration mode to specify a private key and generate the SSH client key pair. Step 1 Enter the SSH client configuration mode.
[local]host_name(config)# client ssh
An SSH key is a requirement before NETCONF protocol and the ConfD engine can be enabled in support of Cisco Network Service Orchestrator (NSO). Refer to the NETCONF and ConfD appendix in this guide for detailed information on how to enable NETCONF.
Getting Started Configuring the Management Interface with a Second IP Address Step 7 Save your configuration as described in Verifying and Saving Your Configuration.
Chapter 3: System Settings. This chapter provides instructions for configuring the following StarOS options. It is assumed that the procedures to initially configure the system as described in Getting Started have been completed. Important: The commands used in the configuration examples in this section are the most likely-used commands and/or keyword options.
System Settings Configuring a Second Management Interface. Configuring a Second Management Interface: Refer to Getting Started for instructions on configuring a system management interface on the Management Input/Output (MIO/UMIO/MIO2) card. This section describes how to configure a second management interface.
System Settings Configuring System Timing Verify that the port configuration settings are correct by entering the following command: show configuration port slot#/port# slot# is the chassis slot number of the line card where the physical port resides. slot# is either 5 or 6. port# is the number of the port (either 1 or 2).
System Settings Verifying and Saving Your Clock and Time Zone Configuration Verifying and Saving Your Clock and Time Zone Configuration Enter the following command to verify that you configured the time and time zone correctly: show clock The output displays the date, time, and time zone that you configured. Configuring Network Time Protocol Support This section provides information and instructions for configuring the system to enable the use of the Network Time Protocol (NTP).
System Settings Configuring NTP Servers with Local Sources. Important: Do not change the maxpoll, minpoll, or version keyword settings unless instructed to do so by Cisco TAC. Use the following example to configure the necessary NTP association parameters:
configure
enable...
System Settings Verifying the NTP Configuration Verifying the NTP Configuration Verify the NTP configuration is correct. Enter the following command at the Exec mode prompt: show ntp associations The output displays information about all NTP servers. See the output below for an example deploying two NTP servers.
System Settings Configuring SF Boot Configuration Pause. Column title and description:
delay: Round-trip delay (in milliseconds) for messages exchanged between the system and the NTP server.
offset: Number of milliseconds by which the system clock must be adjusted to synchronize it with the NTP server.
jitter: Jitter in milliseconds between the system and the NTP server.
System Settings Configuring CLI Confirmation Prompts The date and time appear immediately after you execute the command. Save the configuration as described in the Verifying and Saving Your Configuration chapter. Configuring CLI Confirmation Prompts A number of Exec mode and Global Configuration mode commands prompt users for a confirmation (Are you sure? [Yes|No]:) prior to executing the command.
System Settings Requiring Confirmation for Specific Exec Mode Commands. The following command sequence enables the commandguard feature:
configure
  commandguard
With commandguard enabled the confirmation prompt appears as shown in the example below:
[local]host_name# configure
Are you sure? [Yes|No]:
[local]host_name(config)#
To disable commandguard once it has been enabled, use the no commandguard command.
System Settings Configuring System Administrative Users • You can turn off confirmation prompting for a specific category using no commandguard exec-command exec_mode_category. • If autoconfirm is overridden by commandguard exec-command for an Exec mode command, StarOS displays an informational message indicating why autoconfirm is being overridden when you attempt to execute the command.
System Settings Configuring Context-level Administrative Users. If you attempt to create a user name that does not adhere to these standards, you will receive the following message: Invalid character; legal characters are "0123456789.-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ". Configuring Context-level Administrative Users: This user type is configured at the context level and relies on the AAA subsystems for validating user names and passwords during login.
System Settings Configuring Context-level Administrative Users. Configuring Context-level Administrators: Use the example below to configure context-level configuration administrators:
configure
  context local
    config-administrator user_name { [ encrypted ] [ nopassword ] password password }
Notes: • Additional keyword options are available that identify active administrators or place time thresholds on the administrator.
System Settings Configuring Context-level Administrative Users. • Additional keyword options are available that identify active administrators or place time thresholds on the administrator. Refer to the Command Line Interface Reference for more information about the inspector command. • The nopassword option allows you to create an inspector without an associated password. Enable this option only when using SSH public keys (the authorized-key command in SSH Configuration mode) as the sole means of authentication.
For a detailed description of the Global Configuration mode require segregated li-configuration command and associated commands, see the Lawful Intercept CLI Commands appendix in the Lawful Intercept Configuration Guide. Note: The Lawful Intercept Configuration Guide is not available on www.cisco.com. Contact your Cisco account representative to obtain a copy of this guide.
System Settings Configuring Local-User Administrative Users. This command displays all of the configuration parameters you modified within the Local context during this session. The following displays sample output for this command. In this example, a security administrator named testadmin was configured.
config
  context local
    interface mgmt1...
System Settings Configuring Local-User Administrative Users.
Password Expired:
Locked:
Suspended:
Lockout on Pw Aging:
Lockout on Login Fail: Yes
Updating Local-User Database: Update the local-user (administrative) configuration by running the following Exec mode command. This command should be run immediately after creating, removing or editing administrative users.
update local-user database
Updating and Downgrading the local-user Database: Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved...
StarOS services that support Lawful Intercept. This guide is not available on www.cisco.com. It can only be obtained by contacting your Cisco account representative.
System Settings Restricting User Access to a Specified Root Directory re-configured any other type of LI context system. Refer to the Lawful Intercept Configuration Guide before attempting to create a Dedicated-LI context. Figure 6: LI Context Configurations In Release 21.4 and higher (Trusted builds only): •...
System Settings Restricting User Access to a Specified Root Directory. Configuring an SFTP root Directory: The subsystem sftp command allows the assignment of an SFTP root directory and associated access privilege level.
configure
  context local
    server sshd
      subsystem sftp [ name sftp_name root-dir pathname mode { read-only | readwrite } ]
Notes: •...
System Settings Configuring TACACS+ for System Administrative Users. Configuring TACACS+ for System Administrative Users: This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication, Authorization and Accounting) service functionality and configuration on the ASR 5500. Operation: TACACS+ protects its packet bodies with the shared secret configured on both ends: the body is XORed with an MD5-derived pseudo-pad keyed by that secret. RFC 8907 describes this as obfuscation rather than encryption, and it carries no integrity check, so the path between the ASR 5500 and its TACACS+ servers should be a trusted management network. By remotely accessing TACACS+ servers that are provisioned with the administrative user account database, the ASR 5500 system can provide TACACS+ AAA services for system administrative users.
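The following added example (not Cisco or StarOS code) implements the TACACS+ body obfuscation of RFC 8907 section 4.5 and an Authentication START packet as the ASR 5500 would send it to a TACACS+ server. It shows three things the Operation paragraph relies on: the body is recoverable by anyone holding the shared secret, a wrong secret yields garbage rather than an error, and because the protection is a plain XOR with no integrity tag, a single byte of the obfuscated body (here the requested privilege level) can be altered in transit without knowing the secret. The secret, session id, user, port and address values are constructed for the demonstration.

```python
"""TACACS+ body obfuscation and Authentication START packet, RFC 8907 (added example)."""
import hashlib
import struct
from typing import Dict

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12

# Constructed demo values (not real credentials or addresses).
SECRET = b"staros-tacacs-demo-secret"
SESSION_ID = 0x1A2B3C4D
USER = b"secadmin"
PORT = b"vty0"
REM_ADDR = b"203.0.113.7"


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id | key | version | seq_no);
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. The same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login, empty data field."""
    fixed = struct.pack(
        "!BBBBBBBB",
        TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
        len(user), len(port), len(rem_addr), 0,
    )
    return fixed + user + port + rem_addr


def build_start_packet(secret: bytes, session_id: int, user: bytes, port: bytes,
                       rem_addr: bytes, seq_no: int = 1) -> bytes:
    """Header plus obfuscated START body, as the client sends it on the wire."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    body = authen_start_body(user, port, rem_addr)
    hdr = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, secret, version, seq_no)


def recover_body(packet: bytes, secret: bytes) -> bytes:
    """What the server, or anyone holding the secret, recovers from the wire bytes."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, secret, version, seq_no)


def start_fields(body: bytes) -> Dict[str, object]:
    """Parse the variable-length fields of a START body."""
    user_len, port_len, rem_len = body[4], body[5], body[6]
    user = body[8:8 + user_len]
    port = body[8 + user_len:8 + user_len + port_len]
    rem = body[8 + user_len + port_len:8 + user_len + port_len + rem_len]
    return {"priv_lvl": body[1], "user": user, "port": port, "rem_addr": rem}


def tamper_priv_lvl(packet: bytes, new_priv_lvl: int, old_priv_lvl: int = 1) -> bytes:
    """Change priv_lvl inside the obfuscated body without the secret: XOR is malleable."""
    out = bytearray(packet)
    out[HEADER_LEN + 1] ^= old_priv_lvl ^ new_priv_lvl
    return bytes(out)


if __name__ == "__main__":
    pkt = build_start_packet(SECRET, SESSION_ID, USER, PORT, REM_ADDR)
    print("with secret:  ", start_fields(recover_body(pkt, SECRET)))
    print("wrong secret: ", recover_body(pkt, b"guess")[:8].hex())
    print("tampered priv:", start_fields(recover_body(tamper_priv_lvl(pkt, 15), SECRET))["priv_lvl"])
```

The tampering function only works because the attacker can predict the original priv_lvl byte (the guide's own account requirements put administrative users at fixed privilege levels); it is the protocol property that motivates keeping TACACS+ traffic on a protected management network.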
System Settings User Account Requirements. Important: For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for Lawful Intercept users with privilege level set to 15 and 13. User Account Requirements: Before configuring TACACS+ AAA services, note the following TACACS+ server and StarOS user account provisioning requirements.
System Settings Configuring TACACS+ AAA Services. Important: For instructions on defining users and administrative privileges on the system, refer to Configuring System Administrative Users. Configuring TACACS+ AAA Services: This section provides an example of how to configure TACACS+ AAA services for administrative users on the system.
System Settings Configuring TACACS+ for Non-local VPN Authentication Configuring TACACS+ for Non-local VPN Authentication By default TACACS+ authentication is associated with login to the local context. TACACS+ authentication can also be configured for non-local context VPN logins. TACACS+ must be configured and enabled with the option described below.
System Settings Separating Authentication Methods Important For details on all TACACS+ maintenance commands, refer to the Command Line Interface Reference. Separating Authentication Methods You can configure separate authentication methods for accessing the Console port and establishing SSH/telnet sessions (vty lines). If you configure TACACS+ globally, access to the Console and vty lines are both authenticated using that method.
System Settings Disable TACACS+ Authentication at the Context Level Since local-user authentication is always performed before AAA-based authentication and local-user allow-aaa-authentication noconsole is enabled, the behavior is the same as if no local-user allow-aaa-authentication is configured. There is no impact on vty lines. Important This command does not apply for a Trusted build because the local-user database is unavailable.
System Settings Limit Console Access for AAA-based Users Important This command does not apply for a Trusted build because the local-user database is unavailable. Limit Console Access for AAA-based Users AAA-based users normally log in on a vty line. However, you may want to limit a few users to accessing just the Console line.
System Settings Configuring a New Chassis Key Value The chassis key is used to generate the chassis ID, which is stored in a file and used as the master key for protecting sensitive data (such as passwords and secrets) in configuration files. For release 15.0 and higher, the chassis ID is an SHA256 hash of the chassis key.
System Settings Configuring MIO/UMIO/MIO2 Port Redundancy However, if the chassis key is reset in Release 15 through the Quick Setup Wizard or CLI command, a new chassis ID will be generated in Release 15 format (44 instead of 16 characters). Release 14 builds will not recognize the 44-character chassis ID.
System Settings Configuring MIO/UMIO/MIO2 Port Redundancy With port redundancy, if a failover occurs, only the specific port(s) become active. For example, if port 5/1 fails, then port 6/1 becomes active, while all other active ports on the line card in slot 5 remain in the same active state.
System Settings Configuring MIO/UMIO/MIO2 Port Redundancy This feature requires specific network topologies to work properly. The network must have redundant switching components or other devices to which the system is connected. The following diagrams show examples of redundant switching topologies and how the system reacts to various external network device scenarios. Figure 7: Network Topology Example Using MIO/UMIO Port Redundancy Figure 8: Port Redundancy Failover in Cable Defect Scenario In the example above, an Ethernet cable is cut or unplugged, causing the link to go down.
System Settings Configuring MIO/UMIO/MIO2 Port Redundancy Auto-Recovery the port on the secondary switch to which the MIO/UMIO/MIO2 in slot 6 is connected, allowing it to redirect and transport data. Figure 9: Port Redundancy Failover in External Network Device Failure Scenario In the example above, a switch failure causes a link down state on all ports connected to that switch.
System Settings Configuring Data Processing Card Availability Verifying Port Redundancy Auto-Recovery Verify port information by entering the following command: show port info slot#/port# slot# is the chassis slot number of the MIO/UMIO/MIO2 card on which the physical port resides. port# is the physical port on the MIO/UMIO/MIO2. The following shows a sample output of this command for port 1 on the MIO/UMIO/MIO2 in slot 5: [local]host_name...
System Settings Verifying Card Configurations Notes: • When activating cards, remember to keep at least one DPC/UDPC or DPC2/UDPC2 in standby mode for redundancy. • Repeat for every other DPC/UDPC or DPC2/UDPC2 in the chassis that you wish to activate. Save the configuration as described in the Verifying and Saving Your Configuration chapter.
System Settings LAG and Master Port LAG and Master Port Logical port configurations (VLAN and binding) are defined in the master port of the LAG. If the master port is removed because of a card removal/failure, another member port becomes the master port (resulting in VPN binding change and outage), unless there is a redundant master port available.
System Settings LAG and Multiple Switches Multiple Switches with L2 Redundancy To handle the implementation of LACP without requiring standby ports to pass LACP packets, two separate instances of LACP are started on redundant cards. The two LACP instances and port link state are monitored to determine whether to initiate an auto-switch (including automatic L2 port switch).
System Settings Link Aggregation Control The LAG manager also enters/extends the hold period when an administrator manually switches ports to trigger a card switch. Preferred Slot You can define which card is preferred per LAG group as a preferred slot. When a preferred MIO/UMIO/MIO2 slot is specified, it is selected for the initial timeout period to make the selection of a switch less random.
System Settings Minimum Links Important The VPN can only bind the master port, and a VLAN can only be created on the master port. A failure message is generated if you attempt to bind to a link aggregation member port. Each system that participates in link aggregation has a unique system ID that consists of a two-byte priority (where the lowest number [0] has the highest priority) and a six-byte MAC address derived from the first port's MAC address.
System Settings Redundancy Options link-aggregation master { global | group } number min-link number_links Redundancy Options For L2 redundancy set the following option on the master port for use with the whole group: link-aggregation redundancy standard [ hold-time sec ] [ preferred slot { card_number | none } ] Standard redundancy treats all cards in the group as one group.
System Settings Faster Data Plane Convergence In the above configuration, there is a single, primary LAG. All ports work as a single bundle of ports that distribute the traffic. Important If you use the Ethernet Port Configuration mode shutdown command to shut down one of the ports on an MIO/UMIO/MIO2 card in this LAG configuration, by default the paired port on the other MIO/UMIO/MIO2 card will also be shut down.
System Settings Link Aggregation Status Active-Active LAG groups must be configured, along with aggressive microBFD timers (such as 150*3). Important During MIO card recovery BGP Sessions might flap based on the configuration. To avoid traffic loss during these events, BGP graceful restart must be configured with proper hold/keepalive and restart timers. See the description of the bgp graceful-restart command in the BGP Configuration Mode Commands chapter of the Command Line Interface Reference.
Caution Enabling the Demux on MIO/UMIO/MIO2 feature changes resource allocations within the system. This directly impacts an upgrade or downgrade between StarOS versions in ICSR configurations. Contact Cisco TAC for procedural assistance prior to upgrading or downgrading your ICSR deployment.
System Settings Configuration Important Contact Cisco TAC for additional assistance when assessing the impact to system configurations when enabling the Demux on MIO/UMIO/MIO2 feature. Configuration For releases prior to 15.0, to configure a DPC/UDPC as a demux card enter the following CLI commands:...
C H A P T E R Config Mode Lock Mechanisms This chapter describes how administrative lock mechanisms operate within StarOS configuration mode. It contains the following sections: • Overview of Config Mode Locking, page 83 • Requesting an Exclusive-Lock, page 84 •...
Config Mode Lock Mechanisms Requesting an Exclusive-Lock A shutdown-lock is enabled during a save configuration operation to prevent other users from reloading or shutting down the system while the configuration is being saved. Config mode locking mechanisms such as shared-lock, exclusive-lock and shutdown-lock mitigate the possibility of conflicting commands, file corruption and reboot issues.
Config Mode Lock Mechanisms Effect of Config Lock on URL Scripts A configure lock force command may not be successful because there is a very small chance that another administrator may be in the middle of entering a password or performing a critical system operation that cannot be interrupted.
Config Mode Lock Mechanisms Saving a Configuration File Saving a Configuration File Saving a partial or incomplete configuration file can cause StarOS to become unstable when the saved configuration is loaded at a later time. StarOS inhibits the user from saving a configuration which is in the process of being modified.
Config Mode Lock Mechanisms show administrators Command Broadcast message from root (pts/2) Wed May 11 16:08:16 2016... The system is going down for reboot NOW !! Caution Employing the ignore-locks keyword when rebooting the system may corrupt the configuration file. show administrators Command The Exec mode show administrators command has a single-character "M"...
C H A P T E R Management Settings This chapter provides instructions for configuring Object Request Broker Element Management (ORBEM) and Simple Network Management Protocol (SNMP) options. This chapter includes the following sections: • ORBEM, page 89 • SNMP MIB Browser, page 91 •...
Management Settings Configuring ORBEM Client and Port Parameters To configure the system to communicate with an EMS: Step 1 Set client ID parameters and configure the STOP/TCP port settings by applying the example configuration in Configuring ORBEM Client and Port Parameters, on page 90 Step 2 Configure Internet Inter-ORB Protocol (IIOP) transport parameters by applying the example configuration in Configuring...
: 87950 usecs SNMP MIB Browser This section provides instructions to access the latest Cisco Starent MIB files using a MIB Browser. An updated MIB file accompanies every StarOS release. For assistance to set up an account and access files, please contact your Cisco sales or service representative for additional information.
Use the following procedure to view the SNMP MIBs for a specific StarOS build: Step 1 Contact Cisco sales or a service representative to obtain access to the MIB files for a specific StarOS release. Step 2 Download the compressed companion file to a folder on your desktop. The file name follows the convention: companion_xx.x.x.tgz...
Management Settings SNMP MIB Browser In the example below the MIB Browser presents a tree diagram that allows you to display details for each Object, Trap and Conformance. The example below includes the OID number and trap details for the starCardPACMigrateFailed trap. The SNMP MIB browser allows you to search for specific MIBs.
Management Settings SNMP Support SNMP Support The system uses the SNMP to send traps or events to the EMS server or an alarm server on the network. You must configure SNMP settings to communicate with those devices. Important Commands used in the configuration samples in this section provide base functionality. The most common commands and keyword options are presented.
• The snmp user name is for SNMP v3 and is optional. There are numerous keyword options associated with this command. • Use the snmp mib command to enable other industry standard and Cisco MIBs. By default only the STARENT-MIB is enabled.
Management Settings Controlling SNMP Trap Generation CISCO-PROCESS-MIB : Disabled CISCO-ENTITY-FRU-CONTROL-MIB : Disabled Step 2 Verify that the SNMP community(ies) were configured properly by entering the following command: show snmp communities The output of this command lists the configured SNMP communities and their corresponding access levels.
C H A P T E R Verifying and Saving Your Configuration This chapter describes how to save your system configuration. • Verifying the Configuration, page 97 • Synchronizing File Systems, page 99 • Saving the Configuration, page 99 Verifying the Configuration You can use a number of commands to verify the configuration of your feature, service, or system.
Verifying and Saving Your Configuration Service Configuration Important To configure features on the system, use the show commands specifically for these features. Refer to the Exec Mode show Commands chapter in the Command Line Interface Reference for complete information. Service Configuration Verify that your service was created and configured properly by entering the following command: show service_type service_name The output is a concise listing of the service parameter settings similar to the sample displayed below.
Verifying and Saving Your Configuration Synchronizing File Systems You must refine this command to specify particular sections of the configuration. Add the section keyword and choose a section from the help menu as shown in the examples below. show configuration errors section ggsn-service show configuration errors section aaa-config If the configuration contains no errors, an output similar to the following is displayed: ##############################################################################...
Verifying and Saving Your Configuration Saving the Configuration Important The obsolete-encryption and showsecrets keywords have been removed from the save configuration command in StarOS 19.2 and higher. If you run a script or configuration that contains the removed keyword, a warning message is generated. For complete information about the above command, see the Exec Mode Commands chapter of the Command Line Interface Reference.
C H A P T E R System Interfaces and Ports This chapter describes how to create a context and configure system interfaces and ports within the context. Before beginning these procedures, refer to your product-specific administration guide for configuration information for your product.
System Interfaces and Ports Viewing and Verifying Contexts Viewing and Verifying Contexts Step 1 Verify that your contexts were successfully created by entering the following command: [local]host_name# show context all The output is a two-column table similar to the example below. This example shows that two contexts were created: one named source and one named destination.
System Interfaces and Ports Creating an Interface Creating an Interface Use the following example to create a new interface in a context: configure context name interface name { ip | ipv6 } address address subnetmask secondary Notes: • Optional: Add the loopback keyword option to the interface name command, to set the interface type as "loopback"...
System Interfaces and Ports Viewing and Verifying Port Configuration { ip | ipv6 } route ip_address netmask next-hop gw_address interface_name Notes: • ip_address and netmask are the IP address and subnet mask of the target network. This IP address can be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
System Interfaces and Ports VLANs bind interface rp1 source #end Step 3 Verify that your static route(s) was configured properly by entering the following command: [context_name]host_name# show ip static-route Example: This command produces an output similar to that displayed in the following example that shows a static route to a gateway with an IP address of 192.168.250.1.
System Interfaces and Ports VLANs and Management Ports This feature is implemented by adding support for the vlan command to the management port in the local context. See the example command sequence below. configure port ethernet 1/1 vlan 184 no shutdown bind interface 19/3-UHA foo
C H A P T E R System Security This chapter describes the StarOS security features. This chapter explores the following topics: • Per-Chassis Key Identifier, page 107 • Protection of Passwords, page 108 • Support for ICSR Configurations, page 110 •...
System Security MIO Synchronization Important Changing a chassis key may invalidate previously generated configurations. This is because any secret portions of the earlier generated configuration will have used a different encryption key. For this reason the configuration needs to be recreated and restored. Important To make password configuration easier for administrators, the chassis key should be set during the initial chassis set-up.
System Security Secure Password Encryption Secure Password Encryption By default for StarOS releases prior to 21.0 the system encrypts passwords using an MD5-based cipher (option A). These passwords also have a random 64-bit (8-byte) salt added to the password. The chassis key is used as the encryption key.
System Security Support for ICSR Configurations • Change the chassis key to the new desired value. • Save the configuration with this new chassis key. Refer to Configuring a Chassis Key in System Settings for additional information. Support for ICSR Configurations Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured ASR 5500 chassis/instances as a redundant pair.
System Security Modifying Intercepts If no information related to LI server addresses is received for that subscriber, LI server addresses will not be restricted. Important A maximum of five LI server addresses are supported via an authenticating agent. Important The ability to restrict destination addresses for LI content and event delivery using RADIUS attributes is supported only for PDSN and HA gateways.
CLI test-commands are intended for diagnostic use only. Access to these commands is not required during normal system operation. These commands are intended for use by Cisco TAC personnel only. Some of these commands can slow system performance, drop subscribers, and/or render the system inoperable.
System Security Exec Mode cli test-commands This command sequence is shown below. [local]host_name# configure [local]host_name(config)# tech-support test-commands password new_password [ old-password old_password ] [local]host_name(config)# If the new password replaces an existing password, you must enter the old password for the change to be accepted.
System Security Configuration Mode cli test-commands Important An SNMP trap (starTestModeEntered) is generated whenever a user enters CLI test-commands mode.
C H A P T E R Secure System Configuration File • Feature Summary and Revision History, page 115 • Feature Description, page 116 • How System Configuration Files are Secured, page 116 • Configuring Signature Verification, page 117 Feature Summary and Revision History Summary Data Applicable Product(s) or Functional Area...
Secure System Configuration File Feature Description Revision History Revision Details Release First Introduced. 21.3 Feature Description A system configuration file contains crucial configuration information used to set up and operate the operator's network. The configuration file must be properly authenticated before it is loaded to avoid unauthorized changes to the file that could harm the network.
Secure System Configuration File Validate the Digital Signature Generating the Public and Private Keys The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following OpenSSL commands in the example below: openssl rsa -in pri_key.pem -pubout -out pub_key.pem --or-- openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem...
Secure System Configuration File Enable or Disable Signature Verification tftp://host[:port][/<directory>]/filename ftp://[username[:password]@]host[:port][/directory]/filename sftp://[username[:password]@]host[:port][/directory]/filename http://[username[:password]@]host[:port][/directory]/filename https://[username[:password]@]host[:port][/directory]/filename Enable or Disable Signature Verification Use the following command to enable (or disable) signature verification in the configuration file: Important This command can only be executed from the console. [ no ] cfg-security sign Notes: •...
C H A P T E R Software Management Operations This chapter provides information about software management operations on the system. • Understanding the Local File System, page 119 • Maintaining the Local File System, page 120 • Configuring the Boot Stack, page 125 •...
Software Management Operations Understanding the boot.sys File • CLI Configuration File: This file type is identified by its .cfg extension. These are text files that contain CLI commands that work in conjunction with the operating system software image. These files determine services to be provided, hardware and software configurations, and other functions performed by the system.
Software Management Operations File System Management Commands Important For complete information on the commands listed below, see the Exec Mode Commands chapter of the Command Line Interface Reference. Synchronizing the File System Commands are supported for mirroring the local file systems from the active MIO/UMIO/MIO2 to the standby MIO/UMIO/MIO2 in systems containing two cards.
Software Management Operations File System Management Commands Copying Files These instructions assume that you are at the root prompt for the Exec mode. To save your current configuration, enter the following command: [local]host_name# copy from_url to_url [-noconfirm] To copy a configuration file called system.cfg from a directory that was called cfgfiles to a directory named configs_old, enter the following command: host_name copy /flash/cfgfiles/system.cfg /flash/configs_old/system_2011.cfg...
Software Management Operations Applying Pre-existing CLI Configuration Files Important Local devices that have been formatted using other methods such as NTFS or FAT32 may be used to store various operating system, CLI configuration, and crash log files. However, when placing a new local device into the MIO/UMIO/MIO2 for regular use, you should format the device via the system prior to use.
Software Management Operations Viewing Files on the Local File System Viewing CLI Configuration and boot.sys Files The contents of CLI configuration and boot.sys files, contained on the local file system, can be viewed off-line (without loading them into the OS) by entering the following command at the Exec mode prompt: [local]host_name# show file url { /flash | /usb1 | /hd-raid } filename
Software Management Operations Configuring the Boot Stack Configuring the Boot Stack The boot stack consists of a prioritized listing of operating system software image-to-CLI configuration file associations. These associations determine the software image and configuration file that gets loaded during system startup or upon a reload/reboot.
Software Management Operations Viewing the Current Boot Stack Important The StarOS image filename scheme changed with release 16.1. Pre-16.1, format = "production.image.bin". For 16.1 onwards, format = "asr5500-image_number.bin". This change is reflected in the examples provided below. Example 1 – StarOS releases prior to 16.1: boot system priority 18 \ image /flash/15-0-builds/production.45666.bin \ config /flash/general_config.cfg...
Software Management Operations Adding a New Boot Stack Entry Adding a New Boot Stack Entry Important Before performing this procedure, verify that there are less than 10 entries in the boot.sys file and that a higher priority entry is available (i.e. that minimally there is no priority 1 entry in the boot stack). Refer to Viewing the Current Boot Stack for more information.
Software Management Operations Network Booting Configuration Requirements This procedure details how to configure the boot interface for reliable communications with your network server. Make sure you are at the Exec mode prompt. Step 1 Enter the Global Configuration mode by entering the following command: [local]host_name# configure...
Software Management Operations Upgrading the Operating System Software The next example uses static IP addresses for MIO/UMIO/MIO2 in slot 5, which can access the external network server through a gateway whose IP address is 135.212.10.2. [local]host_name(config)# boot networkconfig static ip address mio5 192.168.206.101 netmask 255.255.255.0 gateway 135.212.10.2...
Download the Software Image from the Support Site Access to the Cisco support site and download facility is username and password controlled. You must have an active customer account to access the site and download the StarOS image. Download the software image to a network location or physical device (USB stick) from which it can be uploaded to the /flash device.
Software Management Operations Transfer StarOS Image to /flash Transfer StarOS Image to /flash Transfer the new operating system image file to the /flash directory on the MIO/UMIO/MIO2 using one of the following methods: • Copy the file from a network location or local device plugged into the MIO/UMIO/MIO2 by entering the following command: [local]host_name# copy from_url to_url [ -noconfirm ]...
Software Management Operations Downgrading from Release 20.0 Downgrading from Release 20.0 Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved in the database. In release 20.0, PBKDF2 (Password Based Key Derivation Function - Version 2) is now used to derive a key of given length, based on entered data, salt and number of iterations.
Software Management Operations Off-line Software Upgrade Important Newcall policies are created on a per-service basis. If you have multiple services running on the chassis, you can configure multiple newcall policies. The syntax for newcall policies is described below: [local]host_name# newcall policy { asngw-service | asnpc-service | sgsn-service } { all | name service_name } reject host_name...
Software Management Operations Off-line Software Upgrade Assign the next highest priority to this entry, by using the <N-1> method, wherein you assign a priority number that is one number less than your current highest priority. Important Run the Exec mode show boot command to verify that there are less than 10 entries in the boot.sys file and that a higher priority entry is available (minimally there is no priority 1 entry in the boot stack).
Software Management Operations Verify the Running Software Version Verify the Running Software Version After the system has successfully booted, verify that the new StarOS version is running by executing the Exec mode show version command. [local]host_name# show version You can run the Exec mode show build command to display additional information about the running StarOS build release.
Software Management Operations New System License Keys New System License Keys New systems are delivered with no license keys installed. In most cases, you receive the license key in electronic format (usually through e-mail). When a system boots with no license key installed a default set of restricted session use and feature licenses is installed.
Software Management Operations Installing New License Keys LSP=000000|LSH=000000|LSG=500000|LSL=500000\|FIS=Y|FR4=Y|FPP=Y|FCS=Y|FTC=Y|FMG=Y| FCR=Y|FSR=Y|FPM=Y|FID=Y|SIG=MCwCF\Esnq6Bs/ XdmyfLe7rHcD4sVP2bzAhQ3IeHDoyyd6388jHsHD99sg36SG267gshssja77 Step 2 Verify that the license key just entered was accepted by entering the following command at the Exec mode prompt: [local]host_name# show license key The new license key should be displayed. If it is not, return to the Global configuration mode and re-enter the key using the license key command.
Requesting License Keys License keys for the system can be obtained through your Cisco account representative. Specific information is required before a license key may be generated: • Sales Order or Purchase Order information • Desired session capacity •...
Software Management Operations Management Card Replacement and License Keys Management Card Replacement and License Keys License keys are stored on a midplane EEPROM in the ASR 5500 chassis. The MIO/UMIO/MIO2s share these license keys. There is no need to swap memory cards into replacement MIO/UMIO/MIO2s. Managing Local-User Administrative Accounts Unlike context-level administrative accounts which are configured via a configuration file, information for local-user administrative accounts is maintained in a separate file in flash memory and managed through the...
Software Management Operations Changing Local-User Passwords • Password Aging: The configured maximum password age has been reached. Refer to the local-user password command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference for details. Accounts that are locked out are inaccessible to the user until either the configured lockout time is reached (refer to the local-user lockout-time command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference) or a security administrator clears the lockout (refer to the clear local-user command in the Exec Mode Commands chapter of the Command Line Interface Reference).
C H A P T E R Smart Licensing • Feature Summary and Revision History, page 141 • Smart Software Licensing, page 142 • Configuring Smart Licensing, page 145 • Monitoring and Troubleshooting Smart Licensing, page 146 Feature Summary and Revision History Summary Data Applicable Product(s) or Functional Area...
Licensing consists of software activation by installing Product Activation Keys (PAK) on the Cisco product. A Product Activation Key is a purchasable item, ordered in the same manner as other Cisco equipment and used to obtain license files for feature sets on Cisco products. Smart Software Licensing is cloud-based licensing of the end-to-end platform through the use of a few tools that authorize and deliver license reporting.
Request a Cisco Smart Account A Cisco Smart Account is an account where all products enabled for Smart Licensing are deposited. A Cisco Smart Account allows you to manage and activate your licenses to devices, monitor license use, and track Cisco license purchases.
Software Tags Software tags uniquely identify each licensable software product or product suite on a device. The following software tags exist for the StarOS. Product Type / Description Software Tag ASR5500 regid.2017-02.com.cisco.ASR5500,1.0_401f2e9e-67fd-4131-b61d-6e229d13a338 ASR-5500 Multimedia Core Platform VPC_SI regid.2017-02.com.cisco.VPC_SI,1.0_dcb12293-10c0-4e90-b35e-b10a9f8bfac1...
Before you begin, ensure you have: • created a Smart Licensing/Virtual account on https://software.cisco.com • registered products on https://software.cisco.com using the ID tokens created as part of the virtual account. • enabled a communication path between the StarOS system and the CSSM server.
Smart Licensing Monitoring and Troubleshooting Smart Licensing Handling Out of Compliance If there are not enough licenses in the virtual account for a given SKU, CSSM sends an Out Of Compliance (OOC) message to the device in response to the authorization request. The system stops allowing additional sessions until the OOC state is cleared.
• max_call_count – Maximum number of sessions/calls counted for the entire product for a particular service type. • last_lic_count – License count last reported to Cisco licensing (CSSM) for particular service type. • max_lic_count – Maximum license count reported to Cisco licensing (CSSM) for particular service type up to this point in time.
C H A P T E R Monitoring the System This chapter provides information for monitoring system status and performance using the show commands found in the Command Line Interface (CLI). These commands have many related keywords that allow them to provide useful information on all aspects of the system ranging from current software configuration through call activity and status.
Monitoring System Status and Performance
Table 7: System Status and Performance Monitoring Commands
To do this: | Enter this command:
View Administrative Information
Display Current Administrative User Access
View a list of all administrative users currently logged on the system | show administrators
View the context in which the administrative user is working, the IP address | show administrators session id...
Monitoring ASR 5500 Hardware Status
To do this: | Enter this command:
View information about system components, storage devices and network interfaces | show hardware
View Card Information and Statistics
View diagnostics for all cards or for a card in a specific slot/port (for VPC, slot = VM) | show card diag slot/port
View detailed information for all cards or a card in a specific slot/port (for...
Monitoring ASR 5500 Hardware Status
Table 8: Hardware Monitoring Commands
To do this: | Enter this command:
View the Status of the Power System
View the status of the PFUs | show power chassis
View the power status of the individual chassis slots | show power all
View the Status of the Fan Trays
View the status of the fan trays, including current relative speeds and...
Clearing Statistics and Counters
It may be necessary to periodically clear statistics and counters in order to gather new information. The system provides the ability to clear statistics and counters based on their grouping (PPP, MIPHA, MIPFA, etc.). Statistics and counters can be cleared using the CLI clear command.
CHAPTER Bulk Statistics
This chapter provides configuration information for:
• Feature Summary and Revision History, page 155
• Configuring Communication with the Collection Server, page 156
• Viewing Collected Bulk Statistics Data, page 160
•...
Configuring Communication with the Collection Server
Related Documentation
• ASR 5500 System Administration Guide
• Command Line Interface Reference
• VPC-DI System Administration Guide
• VPC-SI System Administration Guide
Revision History
Note: Revision history details are not provided for features introduced before releases 21.2 and N5.5.
Revision Details | Release...
    sample-interval time_interval
    transfer-interval xmit_time_interval
    limit mem_limit
    exit
  bulkstats collection
Configuring Optional Settings
This section describes optional commands that can be used within the Bulk Statistics Configuration mode. Specifically, you can configure bulk statistic "files" under which to group the bulk statistics. "Files" are used to group bulk statistic schema, delivery options, and receiver configuration.
Configuring a Separate Bulkstats Config File
You can configure a separate destination file for storing the bulk statistics sub-mode configuration. Run the show configuration bulkstats command to confirm the configuration. The bulkstats configuration file stores the configuration that was previously stored in the system configuration file under the bulk statistics sub-mode.
In addition, show configuration bulkstats brief displays the bulkstats configuration at a global scope, as well as all server configuration. It does not display the schema configuration.
Verifying Your Configuration
After configuring support for bulk statistics on the system, you can check your settings prior to saving them. Follow the instructions in this section to verify your bulk statistic settings.
Saving Your Configuration
Save the configuration as described in the Verifying and Saving Your Configuration chapter.
Viewing Collected Bulk Statistics Data
The system provides a mechanism for viewing data that has been collected but has not been transferred. This data is referred to as "pending data".
To manually initiate the transfer of bulk statistics prior to reaching the maximum configured storage limit, enter the following Exec mode command:
bulkstats force transfer
Clearing Bulk Statistics Counters and Information
It may be necessary to periodically clear counters pertaining to bulk statistics in order to gather new information or to remove bulk statistics information that has already been collected.
Data Types
• Gauge: A gauge statistic indicates a single value; a snapshot representation of a single point in time within a defined time frame. The gauge changes to a new value with each snapshot, though a value may repeat from one period to the next.
Key Variables
Variables | Description | Statistic Type | Data Type
date3 | The UTC date that the collection file was created in YYMMDD format, where YY represents the year, MM represents the month and DD represents the day. | Information | String
time | The UTC time that the collection file was created in HHMMSS | Information | String...
Variables | Description | Statistic Type | Data Type
localtzoffset | The offset from UTC/GMT for the local timezone. Format = "+" or "-" HHMM. | Information | String
swbuild | The build number of the StarOS version. | Information | String
Bulk Statistics Event Log Messages
The stat logging facility captures several events that can be useful for diagnosing errors that could occur with either the creation or writing of a bulk statistic data set to a particular location.
CHAPTER System Logs
This chapter describes how to configure parameters related to the various types of logging and how to view their content. It includes the following sections:
• Feature Summary and Revision History, page 165
•...
System Log Types
Applicable Platform(s): ASR 5500, VPC-SI, VPC-DI
Feature Default: Enabled
Related Changes in This Release: Not Applicable
Related Documentation
• ASR 5500 System Administration Guide
• Command Line Interface Reference
• VPC-DI System Administration Guide
• VPC-SI System Administration Guide
Revision History
Revision history details are not provided for features introduced before releases 21.2 and N5.5.
Configuring Event Logging Parameters
• Event: Event logging can be used to determine system status and capture important information pertaining to protocols and tasks in use by the system. This is a global function that will be applied to all contexts, sessions, and processes.
Configuring Event Log Filters
You can filter the contents of event logs at the Exec mode and Global Configuration mode levels. For additional information, see the Command Line Interface Reference.
Exec Mode Filtering
These commands allow you to limit the amount of data contained in logs without changing global logging parameters.
Configuring Event Log Filters
• enable – Enables logging for a specific instance or all instances. This keyword is only supported for the aaamgr, hamgr and sessmgr facilities. By default, logging is enabled for all instances of aaamgr, hamgr and sessmgr.
You can display the instance numbers for enabled instances per facility using the Exec mode show instance-logging command.
Global Configuration Mode Filtering
You can filter the contents of event logs at the Exec mode and Global Configuration mode levels. Follow the example below to configure run time event logging parameters for the system:
configure
  logging filter runtime facility facility level report_level...
Configuring syslog Servers
…
Thu May 11 15:35:25 2017 Internal trap notification 1361 (DisabledEventIDs) Event IDs from 100 to 1000 have been disabled by user adminuser context context privilege level security administrator ttyname tty address type IPV4 remote ip address 1.2.3.4
…...
Specifying Facilities
Active logs are not written to the active memory buffer by default. To write active logs to the active memory buffer, execute the following command in the Global Configuration mode:
[local]host_name(config)# logging runtime buffer store all-events
When active logs are written to the active memory buffer, they are available to all users in all CLI instances.
Configuring Trace Logging
Trace logging is useful for quickly resolving issues for specific sessions that are currently active. Trace logs are temporary filters that are generated based on a qualifier that is independent of the global event log filter configured using the logging filter command in the Exec mode.
Viewing Logging Configuration and Statistics
Logging configuration and statistics can be verified by entering the following command from the Exec mode:
[local]host_name# show logging [ active | verbose ]
When no keyword is specified, the global filter configuration is displayed as well as information about any other type of logging that is enabled.
Configuring and Viewing Crash Logs
• From the console port: By default, the system automatically displays events over the console interface to a terminal, provided that there is no CLI session active.
This section provides instructions for viewing event logs using the CLI. These instructions assume that you are at the root prompt for the Exec mode.
Configuring Software Crash Log Destinations
2 The associated minicore, NPU or kernel dump file is stored in the /flash/crsh2 directory.
3 A full core dump is stored in a user configured directory.
Important: The crashlog2 file, along with associated minicore, NPU and kernel dumps, is automatically synchronized across redundant management cards (SMC, MIO/UMIO).
Viewing Abridged Crash Log Information Using the CLI
Crash log files (full core dumps) are written with unique names as they occur to the specified location. The name format is crash-card-cpu-time-core, where card is the card slot, cpu is the number of the CPU on the card, and time is the Portable Operating System Interface (POSIX) timestamp in hexadecimal notation.
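Decoding that name format is the first step when triaging a crash dump directory offline. The following is an added example, not code from the guide or from StarOS: it parses crash-card-cpu-time-core names, converts the hexadecimal POSIX timestamp to UTC, and flags a (card, CPU) pair that crashed repeatedly inside a time window. The regular expression, the SAMPLE_LISTING and the repeat_offenders thresholds are assumptions made for this example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Tuple

# Pattern assumed from the documented name format crash-card-cpu-time-core:
# card = card slot, cpu = CPU number on the card, time = POSIX timestamp in hex.
CRASH_NAME = re.compile(
    r"^crash-(?P<card>\d+)-(?P<cpu>\d+)-(?P<time>[0-9a-fA-F]+)-core$")


class CrashFile(NamedTuple):
    name: str
    card: int
    cpu: int
    when: datetime  # always UTC


def parse_crash_name(name: str) -> CrashFile:
    """Split a crash dump file name into slot, CPU and UTC crash time."""
    m = CRASH_NAME.match(name)
    if not m:
        raise ValueError(f"not a crash dump file name: {name!r}")
    epoch = int(m.group("time"), 16)  # hex POSIX timestamp -> seconds
    return CrashFile(name, int(m.group("card")), int(m.group("cpu")),
                     datetime.fromtimestamp(epoch, tz=timezone.utc))


def crash_timeline(names: List[str]) -> List[CrashFile]:
    """Parse a directory listing, skip unrelated files, return oldest first."""
    found = []
    for n in names:
        try:
            found.append(parse_crash_name(n))
        except ValueError:
            continue
    return sorted(found, key=lambda c: c.when)


def repeat_offenders(crashes: List[CrashFile], window_s: int,
                     min_count: int) -> Dict[Tuple[int, int], int]:
    """Return (card, cpu) pairs with at least min_count crashes inside any
    window_s-second span, mapped to the largest such count. A crash loop on
    one CPU is the case to escalate first."""
    by_cpu: Dict[Tuple[int, int], List[datetime]] = {}
    for c in crashes:
        by_cpu.setdefault((c.card, c.cpu), []).append(c.when)
    result: Dict[Tuple[int, int], int] = {}
    for key, times in by_cpu.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            result[key] = best
    return result


# Constructed listing (not from a real system); the hex timestamps are a few
# minutes apart on card 5 CPU 0, plus one crash on card 6 and one unrelated file.
SAMPLE_LISTING = [
    "crash-5-0-5a2a1c4c-core",  # 0x5a2a1c4c = 1512709196 = 2017-12-08 04:59:56 UTC
    "crash-5-0-5a2a1e00-core",  # 436 s later, same CPU
    "crash-5-0-5a2a2010-core",  # 964 s after the first
    "crash-6-1-5a2b0000-core",
    "README.txt",
]

if __name__ == "__main__":
    for c in crash_timeline(SAMPLE_LISTING):
        print(f"{c.when:%Y-%m-%d %H:%M:%S} UTC  card {c.card} cpu {c.cpu}  {c.name}")
    print("repeat offenders (3 crashes within 1 h):",
          repeat_offenders(crash_timeline(SAMPLE_LISTING), 3600, 3))
```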
Reducing Excessive Event Logging
• Process – where the crash occurred (Card, CPU, PID, etc.)
• Crash time – timestamp for when the crash occurred in the format: YYYY-MMM-DD+hh:mm:ss time zone
• Recent errno – text of most recent error number.
•...
Both traps can be enabled or suppressed via the Global Configuration mode snmp trap command.
Configuring Log Source Thresholds
There are three Global Configuration mode commands associated with configuring and implementing Log Source thresholds.
1 threshold ls-logs-volume –...
Important: Checkpointing logs should be done periodically to prevent the log files becoming full. Logs which have 50,000 events logged will discard the oldest events first as new events are logged.
Important: An Inspector-level administrative user cannot execute this command.
Saving Log Files
Log files can be saved to a file in a local or remote location specified by a URL.
Event ID Overview
Facility | Description | Event ID Range
ims-sh | IMS SH Library Facility | 124000-124999
imsimgr | International Mobile Subscriber Identity (IMSI) Manager Facility | 114000-114999
imsue | IMS User Equipment (IMSUE) Facility | 144000-145999
ip-arp | IP Address Resolution Protocol (ARP) Facility | 19000-19999
ip-interface | IP Interface Facility | 18000-18999...
Event Severities
The system provides the flexibility to configure the level of information that is displayed when logging is enabled. The following levels are supported:
• critical: Logs only those events indicating that a serious error has occurred that is causing the system or a system component to cease functioning.
Understanding Event ID Information in Logged Output
Element | Description
[software internal system] | Indicates that the event was generated because of system operation.
CLI session ended for Security Administrator admin on device /dev/pts/2 | The event's details. Event details may, or may not, include variables that are specific to the occurrence of the event.
CHAPTER Troubleshooting
This chapter provides information and instructions for using the system command line interface (CLI) for troubleshooting any issues that may arise during system operation. Refer to the ASR 5500 Installation Guide for comprehensive descriptions of the hardware components addressed by these troubleshooting procedures.
Licensing Issues
The system boot process is governed by StarOS licenses. During the startup process, each card performs a series of Power-On Self Tests (POSTs) to ensure that the hardware is operational. These tests also verify that the card meets all license requirements to operate in this chassis.
Checking the LEDs on the PFU
Each LED on the PFU should illuminate blue for normal operating conditions.
Figure 13: PFU LEDs
The possible states for these LEDs are described in the following table. If the LED is not blue, use the troubleshooting information below to diagnose the problem.
Checking the LEDs on the MIO Card
Each MIO/UMIO/MIO2 is equipped with the following LEDs:
• Run/Fail
• Active
• Redundancy
• Master
• Busy
Figure 14: MIO Card Status LEDs
The possible states for all MIO/UMIO/MIO2 LEDs are described in the sections that follow.
MIO Run/Fail LED States
The MIO/UMIO/MIO2 Run/Fail LED indicates the overall status of the card.
Checking the LEDs on the MIO Card
Color | Description | Troubleshooting
Blinking Green | Card is initializing and/or loading software | This is normal operation during boot-up.
Card powered with error(s) detected | Errors were detected during the Power On Self Tests (POSTs). It is likely that the errors were logged to the system's command line interface during boot.
MIO Redundancy LED States
The Redundancy LED on the MIO/UMIO/MIO2 indicates that software is loaded on the card, but it is serving as a redundant component. For the MIO/UMIO/MIO2 installed in slot 6, this LED should be green for normal operation.
Checking the LEDs on the MIO Card
Color | Description | Troubleshooting
None | This card is the Standby MIO. | Verify that the Run/Fail LED is green. If so, the card is receiving power and POST results are positive. If it is off, refer to MIO Run/Fail LED States, on page 202 for troubleshooting information.
Checking the LEDs on the DPC
Color | Description | Troubleshooting
None | No power to card. | Verify that the Run/Fail LED is green. If so, the card is receiving power. If it is off, refer to MIO Run/Fail LED States, on page 202 for troubleshooting information.
Checking the LEDs on the DPC
• Redundancy
Figure 15: DPC Status LEDs
The possible states for all of the DPC/UDPC or DPC2/UDPC2 LEDs are described in the sections that follow.
DPC Run/Fail LED States
The DPC/UDPC or DPC2/UDPC2 Run/Fail LED indicates the overall status of the card. This LED should be green for normal operation.
Checking the LEDs on the DPC
Color | Description | Troubleshooting
None | Card is not receiving power. | Verify that the LEDs on the PFUs are blue. If they are not, refer to Checking the LEDs on the PFU, on page 200 for troubleshooting information.
DPC Redundancy LED States
The Redundancy LED on the DPC/UDPC or DPC2/UDPC2 indicates that software is loaded on the card, but it is serving as a standby component. DPC/UDPCs or DPC2/UDPC2s support n:1 redundancy; the Redundancy LED should be green on only one DPC/UDPC or DPC2/UDPC2 for normal system operation.
Checking the LEDs on the FSC
• Drive 2 Activity
Figure 16: FSC Status LEDs
The possible states for all FSC LEDs are described in the sections that follow.
FSC Run/Fail LED States
The FSC Run/Fail LED indicates the overall status of the card. This LED should be green for normal operation. The possible states for this LED are described in the following table.
Checking the LEDs on the FSC
Color | Description | Troubleshooting
None | Card is not receiving power | Verify that the LEDs on the PFUs are blue. If they are not, refer to Checking the LEDs on the PFU, on page 200 for troubleshooting information.
Table 27: FSC Redundancy LED States
Color | Description | Troubleshooting
Green | Card is in redundant mode | None needed. There is at least one FSC in Standby mode.
Amber | Card is not backed up by a | Check the status of the other FSCs.
Checking the LEDs on the SSC
Each SSC is equipped with the following LEDs as shown in the accompanying figure:
• Run/Fail
• Active
• Redundancy
• System Status
• System Service
Figure 17: SSC Status LEDs
The possible states for all SSC LEDs are described in the sections that follow.
Table 29: SSC Run/Fail LED States
Color | Description | Troubleshooting
Green | Card powered with no errors detected | None needed.
Blinking Green | Card is initializing and/or loading software | This is normal operation during boot-up.
Card powered with error(s) detected | Errors were detected during the Power On Self Tests (POSTs).
SSC Redundancy LED States
The Redundancy LED on the SSC indicates that software is loaded on the card, but it is serving as a standby component. SSCs support 1:1 redundancy; the Redundancy LED should be green on the other SSC for normal system operation.
SSC System Service LED States
The System Service LED on the SSC illuminates amber to indicate that the system has experienced a hardware component failure. This LED is off during normal operation. The possible states for this LED are described in the following table. If the LED is not green, use the troubleshooting information in the table to diagnose the problem.
Switching MIOs
When the system boots up, the MIO/UMIO/MIO2 installed in chassis slot 5 will boot into the Active mode and begin booting other system components. The MIO/UMIO/MIO2 installed in chassis slot 6 will automatically be booted into Standby mode, dictating that it will serve as a redundant component. The active MIO/UMIO/MIO2 automatically synchronizes currently running tasks or processes with the standby MIO/UMIO/MIO2.
Migrating a DPC
When the system boots up, all DPC/UDPCs or DPC2/UDPC2s enter the "standby" mode. The standby mode indicates that the card is available for use but is not configured for operation. Installed components can be made active through the software configuration process.
Initiate a Card Halt
Important: Do not initiate a card halt for an active FSC if there are fewer than two active FSCs in the system. The system returns an error message if there are fewer than two active FSCs. There are similar restrictions when executing the card reboot or card upgrade commands on active FSCs.
Verifying Network Connectivity
There are multiple commands supported by the system to verify and/or troubleshoot network connectivity. Note that network connectivity can only be tested once system interfaces and ports have been configured and bound. The commands specified in this section should be issued on a context-by-context basis. Contexts act like virtual private networks (VPNs) that operate independently of other contexts.
Using the traceroute or traceroute6 Command
• Verify the port is operational.
• Verify that the configuration of the ports and interfaces within the context are correct.
• If the configuration is correct and you have access to the device that you're attempting to ping, ping the system from that device.
Viewing IP Routes
The system provides a mechanism for viewing route information to a specific node or for an entire context. This information can be used to verify network connectivity and to ensure the efficiency of the network connection.
Using the System Diagnostic Utilities
The system provides protocol monitor and test utilities that are useful when troubleshooting or verifying configurations. The information generated by these utilities can help identify the root cause of a software or network configuration issue.
Using the Protocol Monitor
Step 5 Enter Y to proceed with the monitor or N to go back to the previous menu.
C - Control Events (ON )
D - Data Events (ON )
E - EventID Info (ON )
H - Display ethernet (ON )
I - Inbound Events...
Using the Protocol Monitor
Option Y for performing multi-call traces is only supported for use with the GGSN.
Step 5 Repeat step 6 as needed to enable or disable multiple protocols.
Step 6 Press Enter to refresh the screen and begin monitoring. The following displays a portion of a sample of the monitor's output for a subscriber named user2@aaa.
PPP Rx PDU (12) IPCP 12: Conf-Req(3), IP-Addr=192.168.250.87
The monitor remains active until disabled. To quit the protocol monitor and return to the prompt, press q.
Generating an SSD
An SSD is an instance of the output when the Exec mode show support details command is run. It displays a comprehensive list of system information that is useful for troubleshooting purposes.
Configuring and Using the Support Data Collector
on a periodic basis. The record collector always runs in the background and checks if there are records to be collected. When it is time to collect support data, the scheduler executes the configured sequence of CLI commands and stores the results in a gunzipped (.gz) file on the hard disk.
CHAPTER Packet Capture (PCAP) Trace
• Feature Information, page 229
• Feature Description, page 230
• Configuring PCAP Trace, page 230
• Monitoring and Troubleshooting PCAP Trace, page 237
Feature Information
Summary Data
Applicable Product(s) or Functional Area
•...
Feature Description
Related Documentation
• ASR 5000 System Administration Guide
• ASR 5500 System Administration Guide
• Command Line Interface Reference Guide
• ePDG Administration Guide
• IPSec Reference Guide
• SaMOG Administration Guide
• VPC-SI System Administration Guide
Revision History
Revision history details are not provided for features introduced before release 21.2.
Configuring the Hexdump Module
• Although hexdump record generation is supported on both single-mode and multi-mode, it is recommended to enable the CDR multi-mode.
• Use the default cdr-multi-mode command to configure this command with its default setting.
•...
Configuring the Hexdump Module
◦ time-limit seconds: Specifies that hexdump records are to be deleted from the hard drive upon reaching a time limit defined in seconds. seconds must be an integer from 600 through 2592000.
◦...
Configuring the Hexdump File Parameters
◦ secondary secondary-url secondary_url: Specifies the secondary URL location to which the system pushes the hexdump files. secondary_url must be an alphanumeric string of 1 through 1024 characters in the format: //user:password@host:[port]/direct.
Configuring the Hexdump File Parameters
• Use the current-prefix prefix keyword to specify a string to add at the beginning of the hexdump file that is currently being used to store records.
◦ prefix must be an alphanumeric string of 1 through 31 characters.
◦...
Configuring the Hexdump File Parameters
◦ tariff-time minute minutes hour hours: Specifies to close the current hexdump file and create a new one based on the tariff time (in minutes and hours). minutes must be an integer from 0 through 59. hours must be an integer from 0 through 23.
Enabling or Disabling Hexdump
• Use the trap-on-file-delete keyword to instruct the system to send an SNMP notification (trap) when a hexdump file is deleted due to lack of space. Default: Disabled
• Use the xor-final-record keyword to insert an exclusive OR (XOR) checksum (instead of a CRC checksum) into the hexdump file header, if the exclude-checksum-record is left at its default setting.
Monitoring and Troubleshooting PCAP Trace
◦ Chunk flags
◦ Transmission Sequence Numbers (TSN)
◦ Stream identifier
◦ Stream sequence number
• When the SCTP protocol option is selected in monpro, the PCAP hexdump will have the original SCTP header.
Show Command(s) and/or Outputs
Field | Description
Hexdump-module files rotated due to time limit | Total number of times a hexdump file was closed and a new hexdump file was created since the time limit was reached.
Hexdump-module files rotated due to tariff-time | Total number of times a hexdump file was closed and a new hexdump file was created since the tariff time was reached.
Field | Description
Percentage of Hexdump-module file store usage | Indicates the total percentage of storage used for hexdump files.
show hexdump-module statistics
The following fields are available in the output of the show hexdump-module statistics command in support of this feature.
Table 36: show hexdump-module statistics Command Output Descriptions
Field | Description
Hexdump-module-Record file Statistics:
CDRMOD Instance Id | Indicates the CDRMOD instance id for which the statistics are collected.
Hexdump-module files rotated | Total number of times a hexdump file was closed and a new hexdump file was created.
Field | Description
Num of times PUSH Failed | Total number of times PUSH operation failed.
Num of times PUSH cancelled due to HD failure | Total number of times PUSH operation failed due to hard disk failure.
Field | Description
Failed File Transfers | Total number of hexdump files that failed transfer to the secondary storage server.
Num of times PUSH initiated | Total number of times PUSH operation was initiated to transfer hexdump files to the secondary storage server.
CHAPTER System Recovery
This chapter describes how to recover a system after it has failed to complete a reboot following a power off cycle or interruption of the normal boot sequence following a reload command.
Caution: This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval.
Accessing the boot CLI
The system recovery process will prompt you to enter the path name for the location of the StarOS boot image from which the system will boot. By default, the boot command will time out and attempt to reload the highest priority image from flash memory using the default configuration file.
aborted by user
8/0:boot>
Enter CLI Mode
With the boot prompt displayed, enter cli to access the boot recovery CLI. The CLI prompt changes as shown below:
8/0:boot> cli
8/0:cli>
boot Command Syntax
The boot recovery command has the following syntax:
boot [ -show | -priority=* | -config=* | -noconfig ] { bootfile_URL }
The options for this command include:
•...
Boot Using A Specified Configuration File
You can exit the Quick Setup Wizard by entering no in response to the above prompt. Load a desired configuration file using the Exec mode configure command followed by the URL for the configuration file, as shown in the example below:
host_name# configure /flash/system.cfg...
CHAPTER Access Control Lists
This chapter describes system support for access control lists and explains how they are configured. The product administration guides provide examples and procedures for configuration of basic services on the system.
Separate ACLs may be created for IPv4 and IPv6 access routes.
Understanding ACLs
This section discusses the two main aspects to ACLs on the system:
• Rule(s), on page 248
• Rule Order, on page 250
Important: Refer to the ACL Configuration Mode Commands and the IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference for the full command syntax.
Rule(s)
• Any: Filters all packets
• Host: Filters packets based on the source host IP address
• ICMP: Filters Internet Control Message Protocol (ICMP) packets
• IP: Filters Internet Protocol (IP) packets
• Source IP Address: Filters packets based on one or more source IP addresses
•...
Rule Order
A single ACL can consist of multiple rules. Each packet is compared against each of the ACL rules, in the order in which they were entered, until a match is found. Once a match is identified, all subsequent rules are ignored.
{ ip | ipv6 } access-list acl_list_name
Notes:
• The maximum number of ACLs that can be configured per context is limited by the amount of available memory in the VPN Manager software task. Typically, the maximum is less than 200.
Configuring Action and Criteria for Subscriber Traffic
To create rules to deny/permit the subscriber traffic and apply the rules after or before action, enter the following command sequence from the Exec mode of the system CLI:...
• Context name is the name of the context containing the "undefined" ACL to be modified. For more information, refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference.
Verifying the ACL Configuration
To verify the ACL configuration, enter the Exec mode show { ip | ipv6 } access-list command.
Applying IP ACLs
If ACLs are applied at multiple levels within a single context (for example, one ACL is applied to an interface within the context and another ACL is applied to the entire context), they will be processed as shown in the following figure and table.
Applying the ACL to an Interface
In the event that an IP ACL is applied that has not been configured (for example, the name of the applied ACL was configured incorrectly), the system uses an "undefined" ACL mechanism for filtering the packet(s). This section provides information and instructions for applying ACLs and for configuring an "undefined"...
Verifying the ACL Configuration on an Interface
This section describes how to verify the ACL configuration. In the Exec Mode, enter the following command:
[local]host_name# show configuration context context_name
context_name is the name of the context containing the interface to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context.
Applying the ACL to a Context
• Outgoing packets to an external source.
• Incoming packets that fail flow match and are forwarded again. In this case, the context ACL applies first, and only if it passes are packets forwarded. During forwarding, if an ACL rule is added with a destination address as a loopback address, the context ACL is also applied.
configure
  context context_name
    ip access-list acl_name
      deny host ip_address
      deny ip any host ip_address
      exit
    ip access-group access_group_name
    service-redundancy-protocol
      exit
    interface interface_name
      ip address ip_address/mask
      exit
    subscriber default
      exit
    aaa group default
      exit
    gtpp group default
Applying an ACL to a RADIUS-based Subscriber...
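The Rule Order section states that rules are tried in the order entered and the first match wins, which is why a broad permit placed ahead of a deny silently disables the deny. The following is an added example, not code from the guide or from StarOS: it parses the subset of rule syntax used in the configuration above (permit/deny with any, host, ip and icmp criteria), evaluates sample packets by first match, and reports rules that can never match because an earlier rule already covers them. The implicit action for unmatched packets (deny), the Packet shape and all addresses are assumptions made for this example; check the Command Line Interface Reference for your release's actual default.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class Rule(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "any", "ip" or "icmp"; any and ip both match every IP packet here
    src: Optional[IPv4]  # None means any source host
    dst: Optional[IPv4]  # None means any destination host
    text: str            # the rule as written, for reporting


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str           # "icmp", "tcp", "udp", ...


def _endpoint(tokens: List[str]) -> Tuple[Optional[IPv4], List[str]]:
    """Consume 'any' or 'host <addr>' from the front of the token list."""
    if tokens and tokens[0] == "any":
        return None, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return IPv4(tokens[1]), tokens[2:]
    raise ValueError(f"unsupported endpoint: {' '.join(tokens)!r}")


def parse_rule(line: str) -> Rule:
    """Parse one rule of the subset supported by this example:
       {permit|deny} any
       {permit|deny} host <src>
       {permit|deny} {ip|icmp} {any|host <src>} {any|host <dst>}"""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    action, kind = tokens[0], tokens[1]
    if kind == "any":
        return Rule(action, "any", None, None, line)
    if kind == "host":                       # source-host criterion
        src, _ = _endpoint(tokens[1:])
        return Rule(action, "any", src, None, line)
    if kind in ("ip", "icmp"):
        src, rest = _endpoint(tokens[2:])
        dst, rest = _endpoint(rest)
        if rest:
            raise ValueError(f"trailing tokens in rule: {line!r}")
        return Rule(action, kind, src, dst, line)
    raise ValueError(f"unsupported criteria: {kind!r}")


def parse_acl(lines: List[str]) -> List[Rule]:
    return [parse_rule(l.strip()) for l in lines if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "icmp" and pkt.proto != "icmp":
        return False
    if rule.src is not None and rule.src != IPv4(pkt.src):
        return False
    if rule.dst is not None and rule.dst != IPv4(pkt.dst):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, implicit: str = "deny") -> Tuple[str, str]:
    """First-match evaluation: rules are tried in the order entered; the first
    match decides and later rules are ignored. Unmatched packets get the
    implicit action (assumed deny here)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return implicit, "<no rule matched>"


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    proto_ok = a.proto in ("any", "ip") or a.proto == b.proto
    return proto_ok and (a.src is None or a.src == b.src) \
        and (a.dst is None or a.dst == b.dst)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers
    them. A deny placed after a broad permit is the classic ordering mistake."""
    return [i for i, b in enumerate(rules) if any(_covers(a, b) for a in rules[:i])]


# Constructed ACLs in the shape of the chapter's example; sample addresses only.
ACL_OK = parse_acl(["deny host 192.0.2.10",
                    "deny ip any host 198.51.100.5",
                    "permit any"])
ACL_MISORDERED = parse_acl(["permit any",
                            "deny host 192.0.2.10"])

if __name__ == "__main__":
    pkt = Packet("192.0.2.10", "10.0.0.1", "tcp")
    print("ordered  :", evaluate(ACL_OK, pkt))
    print("misordered:", evaluate(ACL_MISORDERED, pkt),
          "shadowed rule indexes:", shadowed_rules(ACL_MISORDERED))
```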
Access Control Lists Applying an ACL to an Individual Subscriber Applying an ACL to an Individual Subscriber To apply the ACL to an individual subscriber, use the following configuration: configure context acl_ctxt_name [ -noconfirm ] subscriber name subs_name { ip | ipv6 } access-group acl_list_name [ in | out ] Notes: •...
Access Control Lists Applying an ACL to the Subscriber Named default
      ip access-group access_group_name
      ip access-group access_group_name
      exit
    aaa group default
      exit
    gtpp group default
      exit
    content-filtering server-group cfsg_name
      response-timeout response_timeout
      connection retry-timeout retry_timeout
Applying an ACL to the Subscriber Named default This section provides information and instructions for applying an ACL to the subscriber named default.
Access Control Lists Applying an ACL to Service-specified Default Subscriber • If neither the in nor the out keyword is specified, the ACL will be applied to all inbound and outbound packets. • The ACL to be applied must be configured in the context specified by this command. •...
Access Control Lists Applying an ACL to Service-specified Default Subscriber This section provides the minimum instruction set for applying the ACL list to all traffic within a context. Important: For more information on commands that configure additional parameters and options, refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference.
Access Control Lists Applying a Single ACL to Multiple Subscribers context_name is the name of the context containing the service with the default subscriber to which the ACL(s) was/were applied. The output of this command displays the configuration of the entire context. Examine the output for the commands pertaining to interface configuration.
Access Control Lists Applying a Single ACL to Multiple Subscribers When configured properly, the functions described in the table above could be used to apply an ACL to: • All subscribers facilitated within a specific context by applying the ACL to the profile of the subscriber named default.
Access Control Lists Applying a Single ACL to Multiple Subscribers To configure the system to provide access control list facility to subscribers: Step 1 Apply the configured access control list by following the example configuration in Applying an ACL to Multiple Subscriber via APNs, on page 263.
CHAPTER Congestion Control This chapter describes the Congestion Control feature. It covers the following topics: • Overview, page 265 • Configuring Congestion Control, page 266 Overview Congestion Control monitors the system for conditions that could potentially degrade performance when the system is under heavy load.
Congestion Control Configuring Congestion Control This section provides the minimum instruction set for configuring congestion control. Important: Commands that configure additional interface or port properties are provided in Subscriber Configuration Mode in the Command Line Interface Reference. Always refer to the Administration Guides for all of the licensed products running on this platform for additional configuration information with respect to congestion control.
Congestion Control Configuring Service Congestion Policies Mode Commands, LTE Policy Configuration Mode Commands and Congestion Action Profile Configuration Mode Commands in the Command Line Interface Reference for more information. • Repeat this configuration as needed for additional thresholds. Configuring Service Congestion Policies To create a congestion control policy, apply the following example configuration in the Global Configuration mode of the CLI: configure...
Congestion Control Enabling Congestion Control Redirect Overload Policy Enabling Congestion Control Redirect Overload Policy To create a congestion control policy and configure a redirect overload policy for the service, apply the following example configuration: configure congestion-control context context_name {service_configuration_mode} policy overload redirect address Notes: •...
Congestion Control Enabling Congestion Control Redirect Overload Policy To enable overload disconnect for the currently selected subscriber, use the following configuration example: configure context context_name subscriber name subscriber_name default overload-disconnect threshold inactivity-time dur_thresh default overload-disconnect threshold connect-time dur_thresh To disable the overload disconnect feature for this subscriber, use the following configuration example: configure context context_name subscriber subscriber_name...
CHAPTER Routing This chapter provides information on configuring an enhanced, or extended, service. The product administration guides provide examples and procedures for configuring basic services on the system. You should select the configuration example that best meets your service model, and configure the required elements for that model before using the procedures described below.
Routing Creating IP Prefix Lists of control you use IP Prefix Lists, Route Access Lists and AS Path Access Lists to specify IP addresses, address ranges, and Autonomous System paths. Creating IP Prefix Lists Use the following configuration example to create IP Prefix Lists: config context context_name ip prefix-list name list_name { deny | permit } network_address/net_mask...
Routing Creating Route Maps Creating Route Maps Use the following configuration example to create a Route Map: config context context_name route-map map_name { deny | permit } seq_number Notes: • Use the match and set commands in Route Map Configuration mode to configure the route map. Refer to the Command Line Interface Reference for more information on these commands.
It also describes how to enable the base OSPF functionality and lists the commands that are available for more complex configurations. You must purchase and install a license key before you can use this feature. Contact your Cisco account representative for more information on licenses.
Routing OSPF Version 2 Overview Important: During system task recovery, it is possible for a dynamically-learned forwarding entry to incorrectly remain in the system forwarding table if that forwarding entry has been removed from the dynamic routing protocol during the recovery. Important: On the ASR 5500, OSPF routes with IPv6 prefix lengths less than /12 and between the range of /64 and /128 are not supported.
Routing Basic OSPFv2 Configuration Basic OSPFv2 Configuration This section describes how to implement basic OSPF routing. Enabling OSPF Routing For a Specific Context Use the following configuration example to enable OSPF Routing for a specific context: config context context_name router ospf Notes: •...
Routing OSPFv3 Routing Confirming OSPF Configuration Parameters To confirm the OSPF router configuration, use the following command and look for the section labeled router ospf in the screen output: show config context ctxt_name [ verbose ] OSPFv3 Routing This section gives an overview of Open Shortest Path First Version 3 (OSPFv3) routing and its implementation in the system.
Routing Confirming OSPFv3 Configuration Parameters Enabling OSPFv6 Over a Specific Interface After you enable OSPFv3 specify the area in which it will run. Use the following command to enable OSPFv3: area { area_id | area_ip_address } [ default-cost dflt-cost ] [ stub stub-area ] [ virtual-link vl-neighbor-ipv4address ] The default cost for OSPFv3 on the system is 10.
Routing BGP-4 Routing The following command configures the maximum number of equal cost paths that can be submitted by a routing protocol: config context context_name ip routing maximum-paths [ max_num ] Notes: • max_num is an integer from 1 through 10 (releases prior to 18.2) or 1 through 32 (release 18.2+). •...
Routing Configuring BGP • Route Filtering for inbound and outbound routes • Route redistribution and route-maps • Support for BGP communities and extended communities in route maps • Local preference for IPv4 and IPv6 (IBGP peers) IP pool routes and loopback routes are advertised in the BGP domain in the following ways: •...
Routing BGP Communities and Extended Communities • The redistribution options are connected, ospf, rip, or static. Refer to the Border Gateway Protocol Configuration Mode Commands chapter of the Command Line Interface Reference for details on the redistribute command. • A maximum of 64 route-maps are supported per context. •...
Routing BGP Communities and Extended Communities Setting the Community Attribute You set the BGP community attribute via a set community command in a route map. config context context_name route-map map_name { deny | permit } sequence_number set community [additive]{ internet | local-AS | no-advertise | no-export | none | value AS-community_number AS-community_number AS-community_number ...} { internet | local-AS | no-advertise | no-export | none | value AS-community_number AS-community_number AS-community_number ...
Routing ICSR and SRP Groups Setting the Extended Community Attribute You set the BGP extended community attribute via a set extcommunity command in a route map. config context context_name route-map map_name { deny | permit } sequence_number set extcommunity rt rt_number rt_number rt_number ... rt_number specifies a Route Target as a string in AS:NN format, where AS = 2-byte AS-community hexadecimal number and NN = 2-byte hexadecimal number (1 to 11 characters).
Routing Configurable BGP Route Advertisement Interval for ICSR from deploying BGP Prefix Independent Convergence (PIC) in the Optical Transport Network Generation Next (OTNGN). BGP PIC is intended to improve network convergence which will safely allow for setting aggressive ICSR failure detection timers. configure context context_name service-redundancy-protocol...
Routing BGP CLI Configuration Commands configure context context_name router bgp as_number Table 39: BGP Configuration Mode CLI Commands (bgp Command: Description)
accept-zero-as-rd: Configures to accept VPN prefixes with Route Distinguisher (RD) value having Administrator Subfield, which is an AS number 0.
address-family { ipv4 | ipv6 }: Enters the IPv4 or IPv6 Address Family configuration mode.
Routing Confirming BGP Configuration Parameters (bgp Command: Description)
neighbor ip_address { activate | advertisement-interval adv_time | capability graceful-restart | default-originate [ route-map map_name ] | distribute-list dist_list { in | out } | ... }: Configures BGP routers that interconnect to non-broadcast networks. Note that a remote AS number must be specified for a neighbor before other parameters can be configured.
Routing Overview of BFD Support them. The session is established with a three-way handshake, and is torn down the same way. Authentication may be enabled on the session. A choice of simple password, MD5 or SHA1 authentication is available. Overview of BFD Support BFD does not have a discovery mechanism;...
Routing Configuring BFD Configuring a BFD Context config context context_name bfd-protocol [ bfd echo ] exit Notes: • Echo function can be optionally enabled for all interfaces in this context. • 16 BFD sessions per context and 64 per chassis. Configuring IPv4 BFD for Static Routes Enable BFD on an interface.
Routing Configuring BFD Important: On the ASR 5500, static routes with IPv6 prefix lengths less than /12 and between the range of /64 and /128 are not supported. Configuring BFD for Single Hop Enable BFD on an interface. config context bfd_context_name interface if_name ip address ipv4_address ipv4_mask ipv6 address ipv6_address ipv6_mask...
Routing Configuring BFD Scaling of BFD Configure an active BFD session using one of the above methods and use same BFD neighbor while configuring the active interface. For additional information, see Associating BFD Neighbor Groups with the BFD Protocol, on page 290.
Routing Chassis-to-Chassis BFD Monitoring for ICSR Enabling BFD on OSPF Interfaces All OSPF Interfaces config context context_name router ospf bfd-all-interfaces Specific OSPF Interface config context context_name interface interface_name broadcast ip ospf bfd Monitoring BFD Connection for ICSR For ICSR configurations, the following command sequence initiates monitoring of the connection between the primary chassis and the BFD neighbor in the specified context.
Routing Chassis-to-Chassis BFD Monitoring for ICSR • diameter-switchover-timers – sets timers that prevent a back-to-back ICSR switchover due to a Diameter failure (post ICSR switchover) while the network is still converging. ◦ damping-period – configures a delay time to trigger an ICSR switchover due to a monitoring failure within the guard-period.
Routing BFD Support for Link Aggregation Member Links Overview A BFD Configuration mode CLI command configures BFD interactions with the linkagg task. Once a session is configured, BFD creates per member link BFD sessions and starts sending packets on each of the linkagg member links.
Routing Viewing Routing Information bfd linkagg-peer linkagg_group_id local-endpt-addr local-endpt_ipaddress remote-endpt-addr remote_endpt_ipaddress interval tx_interval min_rx rx_interval multiplier multiplier_value [ slot slot_number ] no bfd linkagg-peer linkagg_group_id [ slot slot_number ] Notes: • linkagg_group_id specifies the LAG number as an integer from 1 through 255. •...
Routing Viewing Routing Information *208.230.231.0/24 0.0.0.0 connected local1 Total route count: 5 ASR 5500 System Administration Guide, StarOS Release 21.4...
VLANs. You should select the configuration example that best meets your service model before using the procedures described below. Important: VLAN – Layer 2 Traffic Management is a Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements.
VLANs Overlapping IP Address Pool Support – GGSN Overlapping IP Address Pool Support – GGSN Overlapping IP Address pools allow operators to more flexibly support multiple corporate VPN customers with the same private IP address space without expensive investments in physically separate routers or virtual routers.
VLANs APN Support – PDN Gateway (P-GW) APN Support – PDN Gateway (P-GW) P-GW Access Point Name (APN) supports extensive parameter configuration flexibility for the APN. VLAN tagging may be selected by the APN, but it is configured in the P-GW independently of the APN. Creating VLAN Tags Use the following example to create VLANs on a port and bind them to pre-existing interfaces.
VLANs Configuring Subscriber VLAN Associations Flow Control : Enabled Link Aggregation Group : None Untagged: Logical ifIndex : 85262337 Operational State : Up, Active Tagged VLAN: VID 10 Logical ifIndex : 285278210 VLAN Type : Standard VLAN Priority Administrative State : Enabled Operational State : Up, Active...
VLANs Verify the Subscriber Profile Configuration Important: These instructions assume that you have already configured subscriber-type VLAN tags according to the instructions provided in Creating VLAN Tags, on page 301. config context context_name subscriber name user_name ip vlan vlan_id Verify the Subscriber Profile Configuration Use the following command to view the configuration for a subscriber profile: [local]host_name# show subscriber configuration username user_name...
VLANs VLAN-Related CLI Commands (CLI Mode; Command: Description)
Context Configuration Mode; ip pool pool_name nexthop forwarding address ip_address overlap vlanid vlan_id: When a nexthop forwarding address is configured, the overlap vlanid keyword enables support for overlapping IP address pools and associates the pool with the specified VLAN ID.
VLANs VLAN-Related CLI Commands (CLI Mode; Command: Description)
VLAN Configuration Mode; [no] shutdown: Enables or disables traffic over the current VLAN.
VLAN Configuration Mode; vlan-map interface if_name context_name: Associates an IP interface having a VLAN ID with a context.
Table 41: VLAN-Related Monitoring Commands CLI Mode Command Description...
Switching (MPLS) Virtual Private Networks (VPNs). Important: MPLS is a licensed Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of Software Management Operations.
BGP MPLS VPNs MPLS-CE Connected to PE MPLS-CE Connected to PE In this scenario the ASR 5500 functions as an MPLS-CE (Customer Edge) network element connected to a Provider Edge (PE) Label Edge Router (LER), which in turn connects to the MPLS core (RFC 4364). See the figure below.
BGP MPLS VPNs ASR 5500 as a PE ASR 5500 as a PE Overview In this scenario, the ASR 5500 functions as a PE router sitting at the edge of the MPLS core. See the figure below. Figure 21: ASR 5500 as a PE The ASR 5500 eliminates the need for an ASBR or PE as shown in the first two scenarios.
BGP MPLS VPNs Sample Configuration LDP. The ASR 5500 forwards the packets to the next-hop with two labels – an inner label learned from PE and an outer label learned from the next hop IBGP neighbor. Figure 22: Sample Configuration mpls ip protocol ldp enable...
BGP MPLS VPNs IPv6 Support for BGP MPLS VPNs network 192.168.109.0/24 area 0.0.0.0 exit IPv6 Support for BGP MPLS VPNs Overview The ASR 5500 supports VPNv6 as described in RFC 4659 – BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN. An IPv6 VPN is connected over an IPv6 interface or sub-interface to the Service Provider (SP) backbone via a PE router.
BGP MPLS VPNs Sample Configuration Sample Configuration This example assumes three VRFs. VRF 1 has only IPv4 routes, VRF 2 has both IPv4 and IPv6 routes, and VRF 3 has only IPv6 routes. Figure 24: VPNv6 Sample Configuration Configure VRFs. ip vrf vrf1 exit ip vrf vrf2...
BGP MPLS VPNs VPN-Related CLI Commands (CLI Mode; Command: Description)
BGP Address-Family (VRF) Configuration Mode; neighbor ip_address send community { both | extended | standard }: Sends the extended-community attribute to a peer router. In VPN, route-distinguisher and route-target are encoded in the BGP extended-community.
BGP MPLS VPNs VPN-Related CLI Commands (CLI Mode; Command: Description)
Context Configuration Mode; ipv6 pool pool_name vrf vrf_name: Associates the pool with that VRF. Note: By default the configured ipv6 pool will be associated with the global routing domain.
Context Configuration Mode; mpls bgp forwarding: Globally enables MPLS Border Gateway Protocol (BGP)
BGP MPLS VPNs VPN-Related CLI Commands (CLI Mode; Command: Description)
Exec Mode; lsp-traceroute ip_prefix_FEC: Discovers MPLS LSP routes that packets actually take when traveling to their destinations. It must be followed by an IPv4 or IPv6 FEC prefix.
IP VRF Context Configuration Mode; mpls map-dscp-to-exp dscp: Maps the final differentiated...
BGP MPLS VPNs VPN-Related CLI Commands Table 43: VPN-Related Monitoring Commands (CLI Mode; Command: Description)
Exec Mode show Commands; show ip bgp neighbors: Displays information regarding BGP neighbors.
Exec Mode show Commands; show ip bgp vpnv4 { all | route-distinguisher | vrf }: Displays all VPNv4 routing data, routing data for a VRF or a route-distinguisher.
Important: Internal CSS is a generic feature; if an ECSv2 license is installed on your system, internal CSS can be enabled. A separate license is not required to enable internal CSS. Contact your local Cisco account representative for information on how to obtain a license.
Content Service Steering Configuring Internal Content Service Steering Configuring Internal Content Service Steering To configure and activate a single CSS service for redirecting all of a subscriber's IP traffic to an internal in-line service: Step 1 Define an IP ACL as described in Defining IP Access Lists for Internal CSS, on page 320 Step 2 Optional: Apply an ACL to an individual subscriber as described in...
Content Service Steering Applying an ACL to an Individual Subscriber (Optional) • For IPv6 ACLs, the same configurations must be done in the IPv6 ACL Configuration Mode. See the IPv6 ACL Configuration Mode Commands chapter in the Command Line Interface Reference. Applying an ACL to an Individual Subscriber (Optional) For information on how to apply an ACL to an individual subscriber, refer to the Applying an ACL to an Individual Subscriber section of the Access Control Lists chapter.
This chapter describes the Session Recovery feature that provides seamless failover and reconstruction of subscriber session information in the event of a hardware or software fault. Important: Session Recovery is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements.
Session Recovery How Session Recovery Works means that additional hardware may be required to enable this feature (see Additional ASR 5500 Hardware Requirements, on page 326). Other key system-level software tasks, such as VPN manager, are performed on a physically separate packet processing card to ensure that a double software fault (for example, session manager and VPN manager failing at the same time on the same card) cannot occur.
Session Recovery How Session Recovery Works • ASR 5500 only – HNB-GW: HNB-CN Session over IuPS and IuCS • ASR 5500 only – HNB-GW: SeGW Session IPSec Tunnel • ASR 5500 only – HSGW services for IPv4 • IPCF (Intelligent Policy Control Function) •...
Session Recovery Additional ASR 5500 Hardware Requirements Important: Any partially connected calls (for example, a session where HA authentication was pending but has not yet been acknowledged by the AAA server) are not recovered when a failure occurs. Additional ASR 5500 Hardware Requirements Because session recovery requires numerous hardware resources, such as memory, control processors, NPU processing capacity, some additional hardware may be required to ensure that enough resources are available to fully support this feature.
Session Recovery Enabling Session Recovery Enabling Session Recovery As noted earlier, session recovery can be enabled on a system that is out-of-service (OOS) and does not yet have any contexts configured, or on an in-service system that is currently capable of processing calls. However, if the system is in-service, it must be restarted before the session recovery feature takes effect.
Session Recovery Disabling the Session Recovery Feature Step 2 Use the following configuration example to enable session recovery. configure require session recovery This feature does not take effect until after the system has been restarted. Step 3 Save your configuration as described in Verifying and Saving Your Configuration. Step 4 Perform a system restart by entering the reload command: The following prompt appears:...
Session Recovery Viewing Recovered Session Information [local]host_name# show session recovery status verbose Session Recovery Status: Overall Status Ready For Recovery Last Status Update 2 seconds ago ----sessmgr---- ----aaamgr---- demux cpu state active standby active standby active status ---- ------- ------ ------- ------...
Session Recovery show rct stats Command show rct stats Command The Exec mode show rct stats command employs the following syntax: [local]host_name# show rct stats [verbose] Without the verbose keyword, a summary output is displayed as shown in the example below: RCT stats details (Last 1 Actions) Action Type...
Administration Guide, before using the procedures described below. Important: ICSR is a licensed Cisco feature that requires a separate license. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of Software Management Operations.
Important: ICSR support for LAC requires a separate LAC license, as well as an Inter-Chassis Session Recovery license. Important: Contact your Cisco account representative to verify whether a specific service supports ICSR as an option.
Interchassis Session Recovery Interchassis Communication Interchassis Communication Chassis configured to support ICSR communicate using periodic Hello messages. These messages are sent by each chassis to notify the peer of its current state. The Hello message contains information about the chassis such as its configuration and priority.
Interchassis Session Recovery SRP CLI Commands Command Description srp initiate-switchover Executes a forced switchover from active to inactive. When executed on the active chassis, this command switches the active chassis to the inactive state and the inactive chassis to an active state. See Note below.
Interchassis Session Recovery AAA Monitor For additional information about the output of show srp commands, see the Statistics and Counters Reference. AAA Monitor AAA servers are monitored using the authentication probe mechanism. AAA servers are considered Up if the authentication-probe receives a valid response. AAA servers are considered Down when the max-retries count specified in the configuration of the AAA server has been reached.
◦ Destination – to configure monitoring and routing to the PDN. • Border Gateway Protocol (BGP) – ICSR uses the route modifier to determine the chassis priority. Important: ICSR is a licensed Cisco feature. Verify that each chassis has the appropriate license before using these procedures.
Interchassis Session Recovery ICSR Operation The following figure shows an ICSR network. Figure 25: ASR 5500 ICSR Network ICSR Operation This section shows operational flows for ICSR.
Interchassis Session Recovery ICSR Operation The following figure shows an ICSR process flow due to a primary failure. Figure 26: ICSR Process Flow (Primary Failure)
Interchassis Session Recovery ICSR Operation The following figure shows an ICSR process flow due to a manual switchover. Figure 27: ICSR Process Flow (Manual Switchover)
Interchassis Session Recovery Chassis Initialization Chassis Initialization When the chassis are simultaneously initialized, they send Hello messages to their configured peer. The peer sends a response, establishes communication between the chassis, and messages are sent that contain configuration information. During initialization, if both chassis are misconfigured in the same mode - both active (primary) or both standby (backup), the chassis with the highest priority (lowest number set with the ICSR priority command) becomes active and the other chassis becomes the standby.
Interchassis Session Recovery Configuring ICSR pool routes into the routing domain. Once the chassis becomes active, it continues to process existing AAA services and subscriber sessions that had checkpoint information, and is also able to establish new subscriber sessions. When the primary chassis is back in service, it sends Hello messages to the configured peer. The peer sends a response, establishes communication between the chassis, and sends Hello messages that contain configuration information.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context To configure ICSR on a primary and/or backup chassis: Step 1 Configure the SRP context by applying the example configuration in Configuring the Service Redundancy Protocol (SRP) Context, on page 344.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context Important: ICSR is configured on two VPC-DI instances. Be sure to create the redundancy context on both systems. CLI commands must be executed on both systems. Log onto both active CFs before continuing. Always make configuration changes on the active CF in the primary VPC-DI instance first.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context • The priority determines which chassis becomes active in the event that both chassis are misconfigured with the same chassis mode; see Chassis Initialization, on page 342. The higher priority chassis has the lower number.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context DSCP Marking of SRP Messages You can enable separate DSCP marking of SRP control and checkpoint messages. The dscp-marking command sets DSCP marking values for SRP control and checkpoint (session maintenance) messages. configure context context_name service-redundancy-protocol...
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context Important: These features require an updated ICSR license to support the enhancements. Contact your Cisco account representative for additional information. Allow Non-VoLTE Traffic During ICSR Switchover The ICSR framework reduces switchover disruption for VoLTE traffic by enabling VoLTE traffic on the newly active gateway prior to reconciling the billing information and enabling communication with the newly active gateway when accounting is not deemed critical.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context • When the newly active gateway receives all billing-related checkpointing information from the previously active gateway, it reconciles the billing data before communicating with external billing servers OCS (Online Charging System) or OFCS (Offline Charging System). Figure 28: Call Flow: Reduce Non-VoLTE Data Outage The switchover allow-all-data-traffic SRP Configuration mode CLI command allows all data traffic (VoLTE and non-VoLTE) during switchover transition.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context service-redundancy-protocol switchover allow-volte-data-traffic [ maintain-accounting ] Notes: • When maintain-accounting is enabled, accounting accuracy is maintained for VoLTE calls. VoLTE data is allowed on the active gateway after VoLTE accounting statistics are flushed. Allow All Data Traffic The SRP Configuration mode switchover allow-all-data-traffic command allows all data traffic (VoLTE and non-VoLTE) during switchover transition.
Interchassis Session Recovery Configuring the Service Redundancy Protocol (SRP) Context The require graceful-cleanup-during-audit-failure Global Configuration mode CLI command enables or disables the graceful cleanup feature. configure require graceful-cleanup-during-audit-failure [ del-cause non-ims-apn { system-failure | none } ] Optimization of Switchover Control Outage Time The ICSR framework minimizes control outage time associated with the flushing of critical full checkpoint statistics, network convergence and internal auditing.
(FCs) between the active and standby chassis. Important: The periodic-interval keyword will only appear if a special ICSR optimization feature license has been purchased and installed. Contact your Cisco account representative for assistance. configure context context_name...
LZ4 compression algorithm. Important: The compression keyword will only appear if a special ICSR optimization feature license has been purchased and installed. Contact your Cisco account representative for assistance. The following command sequence enables the use of LZ4 compression: configure...
Interchassis Session Recovery Modifying the Source Context for ICSR chassis waits for seven heart beat messages from the active chassis before it is ready to accept data. This may cause significant delay in session manager database synchronization on the standby chassis. You can enable an aggressive method for synchronizing the session manager database that reduces recovery time in the following scenarios: •...
Interchassis Session Recovery Modifying the Source Context for ICSR Configuring BGP Router and Gateway Address Use the following example to create the BGP context and network addresses. configure context source_ctxt_name router bgp AS_num network gw_ip_address neighbor neighbor_ip_address remote-as AS_num Notes: •...
Interchassis Session Recovery Modifying the Destination Context for ICSR Modifying the Destination Context for ICSR To modify the destination context of core service: Step 1 Add the BGP router and configure the gateway IP address, neighbor IP address, remote IP address in the destination context where the core network service is configured, by applying the example configuration in Configuring BGP Router and Gateway Address in Destination Context, on page...
Interchassis Session Recovery Disabling Bulk Statistics Collection on a Standby System Verifying BGP Configuration in Destination Context Verify your BGP configuration by entering the show srp monitor bgp command (Exec Mode). Disabling Bulk Statistics Collection on a Standby System You can disable the collection of bulk statistics from a system when it is in the standby mode of operation. Important: When this feature is enabled and a system transitions to the standby state, any pending accumulated statistical data is transferred at the first opportunity.
Interchassis Session Recovery Configuring Subscriber State Management Audit Process
#exit
#exit
Configuring Subscriber State Management Audit Process This audit ensures that the two ICSR peers are in sync and identifies any discrepancies prior to any scheduled or unscheduled switchover event. Step 1 Enter the SRP Context mode and enter the service-redundancy-protocol command.
Interchassis Session Recovery Updating the Operating System • show srp checkpoint statistics ipsecmgr all • show srp checkpoint statistics sessmgr all write-list-stats • show srp checkpoint info • show srp monitor • show srp monitor all • show srp monitor diameter debug •...
Caution: Enabling the Demux on MIO/UMIO/MIO2 feature changes resource allocations within the system. This directly impacts an upgrade or downgrade between StarOS versions in ICSR configurations. Contact Cisco TAC for procedural assistance prior to upgrading or downgrading your ICSR deployment.
Interchassis Session Recovery Updating the Operating System Figure 30: ICSR Software Upgrade – Part 2
Interchassis Session Recovery Updating the Operating System Figure 31: ICSR Software Upgrade – Part 3
Interchassis Session Recovery Updating the Operating System Figure 32: ICSR Software Upgrade – Part 4
Exec mode command:[local]host_name# directory /flash Step 2 Access to the Cisco support site and download facility is username and password controlled. Download the software image to a network location or physical device (USB stick) from which it can be uploaded to the /flash device.
Interchassis Session Recovery Standby ICSR System a) Copy the file from a network location or local device plugged into the MIO/UMIO/MIO2 using the copy command.
[local]host_name# copy from_url to_url [-noconfirm]
b) Transfer the file to the /flash device using an FTP client with access to the system. The FTP client must be configured to transfer the file using binary mode.
Interchassis Session Recovery Standby ICSR System Performing BGP Checks Border Gateway Protocol (BGP) checks are only required when BGP is used to support redundant interchassis communication. These checks are run per context and per service type. Step 1 For each BGP-enabled context, run show ip bgp summary. Verify that the BGP peers are connected and that IPv4 and IPv6 peers are up.
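The per-context check in Step 1 is easy to get wrong by eye on a chassis with many peers. The following Python script is an added example (not code from the Cisco guide): it parses a captured show ip bgp summary table and reports every peer that is not Established, separating IPv4 from IPv6 peers so both families can be confirmed. The capture is constructed; the neighbor addresses, AS numbers and the exact column layout are assumptions about the command's output.

```python
"""Pre-switchover BGP check over a 'show ip bgp summary' capture.

Added example, not from the Cisco guide: it automates the manual check in
Step 1 above by parsing the summary table and listing every peer that is not
Established.  The capture below is constructed; neighbor addresses, AS numbers
and the exact column layout are assumptions about the command's output.
"""
import re

# Constructed capture: two IPv4 peers and one IPv6 peer.  In this table a
# number in the State/PfxRcd column means the session is Established and is
# carrying that many prefixes; a word (Idle, Active, Connect, OpenSent, ...)
# is the non-established FSM state.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 10.1.1.1, local AS number 65000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2        4 65001    1200    1198       15    0    0 02:11:43        12
10.1.1.3        4 65001      14      15        0    0    0 never       Active
2001:db8::2     4 65001     980     977       15    0    0 01:59:02         4
"""

# Same constructed layout with every peer Established.
SAMPLE_ALL_UP = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2        4 65001    1200    1198       15    0    0 02:11:43        12
2001:db8::2     4 65001     980     977       15    0    0 01:59:02         4
"""

# neighbor, version, AS, then six columns (MsgRcvd MsgSent TblVer InQ OutQ
# Up/Down) we do not need, then the State/PfxRcd column.
_PEER_RE = re.compile(
    r"^(?P<neighbor>[0-9a-fA-F.:]+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\S+){6}\s+(?P<state>\S+)\s*$"
)


def parse_bgp_summary(text):
    """Map each neighbor address to its State/PfxRcd column."""
    peers = {}
    for line in text.splitlines():
        m = _PEER_RE.match(line)
        if m:
            peers[m.group("neighbor")] = m.group("state")
    return peers


def check_bgp(text):
    """Classify peers: Established IPv4, Established IPv6, and down (any
    non-numeric state).  A peer stuck in Idle or Active would not carry the
    gateway route during a switchover, which is what this check must catch."""
    report = {"ipv4_up": [], "ipv6_up": [], "down": []}
    for neighbor, state in parse_bgp_summary(text).items():
        if not state.isdigit():
            report["down"].append(neighbor)
        elif ":" in neighbor:
            report["ipv6_up"].append(neighbor)
        else:
            report["ipv4_up"].append(neighbor)
    return report


def bgp_ready(text):
    """True only when the capture contains peers and none of them is down."""
    r = check_bgp(text)
    return bool(r["ipv4_up"] or r["ipv6_up"]) and not r["down"]


if __name__ == "__main__":
    for name, capture in (("ctx-a", SAMPLE_BGP_SUMMARY), ("ctx-b", SAMPLE_ALL_UP)):
        print(name, "ready" if bgp_ready(capture) else "NOT ready", check_bgp(capture))
```

Run it once per BGP-enabled context with that context's capture; a non-empty down list, or an empty family that should have peers, means the upgrade should not proceed to the switchover step.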
Features in the new operating system may require changes to the configuration file. These changes can be done manually or facilitated by custom scripts prepared by Cisco TAC. Make whatever changes are necessary prior to saving the updated configuration file.
Interchassis Session Recovery Primary System Waiting for Session Synchronization Allow time for session synchronization to occur between the ICSR chassis before proceeding to the next steps. Step 1 Run the show session recovery status verbose command on both chassis. Proceed to the next steps only when no errors are seen in the output of this command.
Interchassis Session Recovery Primary System Completing the Software Update Log into the backup (standby) system and repeat the following tasks to complete the upgrade process on the backup (standby) system: • Updating the Boot Record, on page 366 • Reboot StarOS, on page 366 •...
Interchassis Session Recovery Fallback Procedure Fallback Procedure To revert to the previous configuration and software build, perform the following steps as a user with administrative privileges. Step 1 Run the Exec mode show boot command. The topmost (lowest-numbered) entry of the displayed output should be the new configuration with the new software build.
C H A P T E R Support Data Collector The Support Data Collector (SDC) is a system feature that allows scheduled collection of process state, counter, event and attribute data that may be useful when troubleshooting problems at an installation site. This chapter includes the following sections: •...
Support Data Collector Configuring SDR Collection The figure below shows the system tasks that contain state and counter information. Arrows between tasks and processes represent messenger requests and indicate the predominant flow of data. Figure 33: SDC Tasks and Processes Configuring SDR Collection The Support Data Record (SDR) is an ordered set of the CLI support commands' display output that is stored in a stand-alone compressed file.
Support Data Collector Collecting and Storing the SDR Information Collecting and Storing the SDR Information At the scheduled time, the Support Data Collector (SDC), if active, runs in the background to collect all the record section commands that have been specified. This information is concatenated as one contiguous output. The output is compressed and stored as a file on disk in the /hd-raid/support/record/ directory.
Support Data Collector Managing Record Collection The next older SDR is record-id 1, and so on, for the number of records in the stored collection. For example, if there are five SDRs, they are identified as SDR-0 through SDR-4. Figure 34: Support Data Collection Hierarchy When a new SDR is created, the numbers all increment by one and the newest SDR is given the value of 0.
The administrator may decide to transfer the SDRs off the system to be analyzed remotely, for example, by Cisco TAC.
Support Data Collector Configuration Commands (Global Configuration Mode) For complete descriptions of the CLI commands discussed below, refer to the Command Line Interface Reference. Configuration Commands (Global Configuration Mode) support record support record section section-name command "command-string" [ section section-name command "command-string"...
Support Data Collector Exec Mode Commands Important: SDR files will be stored in the /hd-raid/support/records/ directory. For example:
[local]host_name(config)# support collection sleep-duration minute 30 max-records 50
Use the no support collection command to explicitly disable the collection of the SDRs. If no record section commands are defined, the support data collector mechanism is also effectively disabled.
Support Data Collector Exec Mode Commands
Name          Size     Date/Time
sdr.167.gz    42863    Monday October 21 04:40:00 PDT 2013
sdr.166.gz    170425   Monday October 21 05:40:08 PDT 2013
total SDRs 2, total bytes 2132880, time span is last 1 day(s) 1 hour(s)
The optional definitions keyword displays the list of default support record section definitions. This is the list of all valid record section definitions.
A P P E N D I X Engineering Rules This appendix provides engineering guidelines for configuring the system to meet network deployment requirements. • CLI Session Rules, page 379 • ASR 5500 Interface and Port Rules, page 379 • Context Rules, page 380 •...
Engineering Rules Packet Data Network (PDN) Interface Rules • A single physical port can support multiple logical interfaces when you configure VLAN tags for that physical port. You can use VLAN tagging to bind a single physical port to multiple logical interfaces that reside in different contexts.
Engineering Rules Context Rules ◦ 256 loopback interfaces • IP Addresses and IP Address Pools ◦ Up to 2,000 IPv4 address pools can be configured within a single context. ◦ Prior to Release 15.0: Up to 32 IPv6 pools can be configured within a single context. ◦...
Engineering Rules Context Rules ◦ Releases 17, 18 and higher: 64,000 BGP prefixes can be learned/advertised per context (64,000 per chassis) ◦ 64 EBGP peers can be configured per context (512 per chassis) ◦ 16 IBGP peers per context ◦ 512 BGP/AAA monitors per context in support of Interchassis Session Recovery (ICSR) •...
Large numbers of services greatly increase the complexity of management and may affect overall system performance. Therefore, you should not configure a large number of services unless your application absolutely requires it. Please contact your Cisco service representative for more information.
Engineering Rules Access Control List (ACL) Engineering Rules • Although you can use service names that are identical to those configured in different contexts on the same system, this is not a good practice. Services with the same name can lead to confusion and difficulty in troubleshooting problems, and make it difficult to understand the output of show commands.
A P P E N D I X StarOS Tasks This appendix describes system and subsystem tasks running under StarOS on an ASR 5500 and virtualized platforms. Important: This appendix is not a comprehensive list of all StarOS tasks. It simply provides general descriptions of the primary tasks and subsystems within StarOS.
StarOS Tasks Primary Task Subsystems Primary Task Subsystems The individual tasks that run on the CPUs are divided into subsystems. Following is a list of the primary subsystems responsible for call session processing: • System Initiation Task (SIT): This subsystem starts tasks and initializes the system. This includes starting a set of initial tasks at system startup time (static tasks), and starting individual tasks on demand at arbitrary times (dynamic tasks).
StarOS Tasks Subsystem Tasks Subsystem Tasks The following subsections list and briefly describe StarOS tasks for various subsystems: • System Initiation Subsystem, on page 388 • High Availability Subsystem, on page 389 • Resource Manager Subsystem, on page 390 • Virtual Private Networking Subsystem, on page 390 •...
StarOS Tasks High Availability Subsystem High Availability Subsystem Table 47: High Availability Subsystem Tasks Task Description Function hatcpu High Availability Task CPU Performs device initialization and control functions based on the CPUs hardware capabilities. Reports the loss of any task on its CPU to hatsystem sub-function. Controls the LEDs on the packet processing cards.
StarOS Tasks Resource Manager Subsystem Resource Manager Subsystem Table 48: Resource Manager (RM) Subsystem Tasks Task Description Function rmctrl Resource Manager Controller Started by the sitparent task on StarOS startup, and monitored by HAT for a failure. Initializes resources such as CPUs and memory. Requests updated card status from the CSP subsystem and updates the system card table.
StarOS Tasks Virtual Private Networking Subsystem Task Description Function vpnmgr VPN Manager Started by the VPN Controller for each configured context (one is always present for the local context). Performs IP address pool and subscriber IP address management. Performs all context specific operations including but not limited to: UCM services, IP interfaces, the Address Resolution Protocol (ARP), IP address pool management, slow path forwarding, NPU flows, port Access Control Lists (ACLs), and logging.
StarOS Tasks Network Processing Unit Subsystem Task Description Function Routing Information Protocol Created by VPN Manager for each context that has enabled the RIP routing protocol (router rip Context Configuration mode CLI command) Responsible for learning and redistributing routing information via the RIP protocol.
StarOS Tasks Network Processing Unit Subsystem Task Description Function npuctrl NPU Controller Created at StarOS start-up. Only one NPU Controller operates in the system at any time. Monitors the state of NPU Managers in the system. Registers to receive notifications when NPU Manager crashes. Controls recovery operation.
StarOS Tasks Session Subsystem Session Subsystem Table 51: Session Subsystem Tasks Task Description Function sessctrl Session Controller Created at StarOS start-up. Only one Session Controller instantiated in the system at any time. Acts as the primary point of contact for the Session Subsystem. Since it is aware of the other subsystems running within the system, the Session Controller acts as a proxy for the other components, or tasks, that make up the subsystem.
StarOS Tasks Session Subsystem Task Description Function a11mgr A11 Manager Created by the Session Controller for each context in which a PDSN service is configured. Receives the R-P sessions from the PCF and distributes them to different Session Manager tasks for load balancing. Maintains a list of current Session Manager tasks to aid in system recovery.
StarOS Tasks Session Subsystem Task Description Function acsctrl Active Charging System (ACS) Controller: The Active Charging service is defined at the global level and can be utilized through CSS commands from any VPN context. Enable it via the Global Configuration mode active-charging service CLI command. The ACS controller runs on the primary packet processing card and is responsible for managing the ACS service.
StarOS Tasks Session Subsystem Task Description Function egtpemgrr Enhanced GPRS Tunneling Protocol Egress Manager: Created by the Session Controller for each context in which an egtp-service of interface type sgw-egress or MME is configured. Handles certain EGTP messages from the SGW and PGW. Maintains a list of current EGTP sessions.
StarOS Tasks Session Subsystem Task Description Function gtpumgr GPRS Tunneling Protocol User (GTP-U) Manager: Created by the Session Controller for each context in which a GTPU service is configured. Supported for both GTPUv0 and GTPUv1. Maintains a list of the GTPU-services available within the context and performs load-balancing (of only Error-Ind) for them.
StarOS Tasks Session Subsystem Task Description Function hnbmgr Home NodeB (HNB) Manager: Starts when an HNB-GW service configuration is detected. There can be multiple instances of this task for load sharing. All HNB Managers have all the active HNB-GW services configured and are identical in configuration and capabilities.
StarOS Tasks Session Subsystem Task Description Function ipsgmgr IP Services Gateway Manager Created by the Session Controller. In Server mode, acts as a RADIUS server, and supports Proxy functionality. In Snoop mode supports snooping RADIUS Accounting messages. Load balances requests among different SessMgrs. Activates and deactivates sessions.
StarOS Tasks Session Subsystem Task Description Function magmgr Mobile Access Gateway (MAG) Manager: Created by the Session Controller when the first MAG service is created in a context. Sends and receives PMIP control messages (PBU/PBA). Adds an NPU flow to receive MIPv6 PBA packets. This flow is identical to the flow used in the HAMgr.
StarOS Tasks Session Subsystem Task Description Function mmemgr Mobility Management Entity Manager: Starts when an MME service configuration is detected. There can be multiple instances of this task for load sharing. All mmemgrs will have all the active MME services configured and will be identical in configuration and capabilities.
StarOS Tasks Platform Processes Task Description Function sgtpcmgr SGSN GPRS Tunneling Protocol Control message Manager: Created by the Session Controller for each VPN context in which an SGSN service is configured. Terminates Gn/Gp and GTP-U interfaces from peer GGSNs and SGSNs for SGSN Services.
StarOS Tasks Platform Processes Task Description Function connproxy TCP/SCTP Connection proxy Allows applications on any card to share the same TCP/SCTP connection to the same remote endpoint instead of opening a new connection for each application on the card. cspctrl Card-Slot-Port Controller Manages physical chassis components.
StarOS Tasks Platform Processes Task Description Function hwctrl Hardware Controller The hwctrl task has several timers that manage polling loops for hardware sensor readings, sensor threshold monitoring, and fan tray monitoring. hwmgr Hardware Manager The hwmgr task runs on all cards in the chassis to read local accessible hardware sensors and report them back to the hwctrl.
StarOS Tasks Management Processes Task Description Function nscontrol Name Service Controller: As part of the Messenger process, provides a reliable channel for tasks to send control messages to the Messenger Daemon. ntpd Network Time Protocol (NTP) Daemon: Maintains the system time in synchronization with time servers using NTP. Enabled when one or more NTP servers have been configured via the NTP Configuration mode ntp server CLI command.
StarOS Tasks Management Processes Task Description Function orbns ORBEM Notification Service Notifies the EMS servers of event occurrences. [ASR 5500 only] Registers such EMS servers and subscribes them to associated event types. As the events occur, the concerned Controller Task notifies orbs (ORBEM), which then notifies the subscribing EMS servers.
A P P E N D I X NETCONF and ConfD This chapter describes NETCONF and the StarOS process called ConfD manager. It contains the following sections: • Feature Summary and Revision History, page 409 • Overview, page 410 • Configuring ConfD, page 412 •...
Overview StarOS provides a northbound NETCONF interface that supports a YANG data model for transferring configuration and operational data with the Cisco Network Service Orchestrator (NSO). It also incorporates a ConfD manager (confdmgr) to communicate with the NSO management console.
NETCONF and ConfD Overview ConfD is an on-device management framework that provides a set of interfaces to manage a device. The ConfD framework automatically renders all the management interfaces from a data model. ConfD implements the full NETCONF specification and runs over SSH with content encoded in XML. ConfD is configured to allow only authenticated/authorized access through external authentication.
NETCONF and ConfD Configuring ConfD For additional NSO information, refer to the NSO user documentation. Figure 35: NETCONF System Flow Configuring ConfD To enable NETCONF protocol in StarOS, you must enable server confd and enter the NETCONF Protocol Configuration mode. The NETCONF Protocol Configuration mode supports optional configuration commands. SSH Key Requirement NETCONF-ConfD support requires that a V2-RSA SSH key be configured on the local context.
NETCONF and ConfD NETCONF Protocol Configuration Mode NETCONF Protocol Configuration Mode The NETCONF protocol is enabled via the Context Configuration mode server confd command. This command is restricted to the local context only.
[local]host_name# configure
[local]host_name(config)# context local
[local]host_name(config-ctx)# server confd...
NETCONF and ConfD NETCONF Protocol Configuration Mode Important: The NETCONF or RESTful session must still be established with verifiable credentials. netconf notifications events This NETCONF Protocol Configuration mode command enables events logged in StarOS to be sent out as NETCONF notifications on the stream named "StarOS." The level specifies the lowest event severity level that results in a notification.
NETCONF and ConfD NETCONF Protocol Configuration Mode rest auth-policy This NETCONF Protocol Configuration mode command controls the level of verification the server does on client certificates. CA (certificate authority) certificates can be configured using the existing ca-certificate command in Global Configuration mode. The command syntax is: rest auth-policy { none | peer | peer-fail }, where •...
NETCONF and ConfD Sample Configuration Important: A change to the REST interface certificate may result in a planned restart of ConfD and a temporary loss of connectivity over the NETCONF and REST (if still enabled) interfaces. Changes to global certificates which ConfD is using while REST is enabled will also result in a restart of ConfD.
NETCONF and ConfD Verifying the Configuration bulkstats confd-user NETCONF rest certificate rest-cert #exit subscriber default exit aaa group default #exit gtpp group default #exit #exit Notes: • bulkstats, confd-user, and rest are optional. Just configuring server confd enables NETCONF support. Verifying the Configuration There are two Exec mode show commands that display information about the NETCONF-ConfD configuration.
NETCONF and ConfD show confdmgr Command
Subscriptions
  Last successful id           1461-704882-705350
  Last failed id               None
Username                       Not configured
Bulkstats                      Enabled
Event notification level       Disabled
SNMP notifications             Disabled
REST interface authentication  none
REST interface certificate     rest-cert
REST interface host name       Not configured
Interface  Status  Port...
NETCONF and ConfD show confdmgr Command show confdmgr model bulkstats See below for a sample output for show confdmgr model bulkstats:
[local]<host_name># show confdmgr model bulkstats
Model: Bulkstats
----------------
Operational Data:
  Requests
  Records
  Failures
Configuration:
  CLI updates
  NETCONF updates
  Aborts
  Failures
[local]<host_name>#
The Operational Data portion of this output includes the following information:...
See below for a sample output for show confdmgr subscriptions:
[local]<host_name># show confdmgr subscriptions
Subscriptions:
Path                Index  Namespace
---------------------------------------------------
/active-charging           http://www.cisco.com/staros-cli-con
/context                   http://www.cisco.com/staros-cli-con
/bulkstats/server          http://www.cisco.com/staros-config
/bulkstats/schemas         http://www.cisco.com/staros-config
/confd                     http://www.cisco.com/staros-config
[local]<host_name>#
Subscriptions are configuration points defined in the Yang model for which confdmgr wants to be notified when a change occurs.
(all native models are included here under a common namespace). • cisco-staros-exec.yang - Model to enable CLI exec operations via the restful interface. Only users with admin credentials may use this model. Used by ConfD locally to parse input.
NETCONF and ConfD ConfD Examples ConfD Examples Server ConfD The following examples use full TLS authentication and curl to obtain the server ConfD configuration. Server ConfD Configuration See below for a sample configuration for server ConfD with the RESTful interface enabled using non-default NETCONF and HTTPS ports:
[local]<host_name># show configuration confd
[local]<host_name># config...
Using Curl to Obtain the Server ConfD Configuration See below for a sample use of curl to perform the same get-config operation:
[<user>@server]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/running/confd?deep \
  --cert /users/<user>/ssl_cert/client_cert/client.crt \
  --key /users/<user>/ssl_cert/client_cert/client.key \
  --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem
<confd xmlns="http://www.cisco.com/staros-config" xmlns:y="http://tail-f.com/ns/rest" xmlns:staros_config="http://www.cisco.com/staros-config">
  <bulkstats>false</bulkstats>
  <netconf>
    <port>123</port>
  </netconf>
  <rest>...
• Statistics will generally be pushed per collection interval timer configured for bulkstats. Using Curl to Read Statistics See below for a sample use of curl to read statistics via the server ConfD RESTful interface:
[<user>@server]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/operational/bulkstats-operational?deep \
  --cert /users/<user>/ssl_cert/client_cert/client.crt \
  --key /users/<user>/ssl_cert/client_cert/client.key \
  --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem
<bulkstats-operational xmlns="http://www.cisco.com/staros-bulkstats"...
Using Curl to Obtain the 'show version' Output See below for a sample use of curl to obtain the show version output:
cat exec_cli_show_version.xml
<input><args>show version</args></input>
************
[<user>@server]$ curl -u admin:pswd! https://rtp-mitg-si06.cisco.com:234/api/running/staros_exec/_operations/exec \
  --cert /users/<user>/ssl_cert/client_cert/client.crt \
  --key /users/<user>/ssl_cert/client_cert/client.key \
  --cacert /users/<user>/ssl_cert/root_cert/rootCA.pem \
  -X POST -T ./exec_cli_show_version.xml
<output xmlns='http://www.cisco.com/staros-exec'>
<result>Active Software:
Image Version: 21.2.M0.private...
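The curl calls above hand-write the exec input document and leave the reply unparsed. The Python script below is an added example (not code from the Cisco guide or from ConfD) that does the same exec operation programmatically: it builds the <input><args> document with an XML library so that a command containing < or & cannot break out of the <args> element, presents the client certificate and verifies the chassis against the private CA exactly as the --cert/--key/--cacert flags do, and extracts the CLI text from the <output><result> reply. The host, port, credentials, certificate paths and the Content-Type value are assumptions, and SAMPLE_REPLY is a constructed response in the shape the guide prints.

```python
"""Client for the ConfD RESTful exec model (staros_exec) over mutual TLS.

Added example, not code from the Cisco guide or from ConfD.  Host, port,
credentials, certificate paths and the Content-Type header are assumptions;
SAMPLE_REPLY is a constructed reply in the shape the guide prints.
"""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET

EXEC_NS = "http://www.cisco.com/staros-exec"
EXEC_PATH = "/api/running/staros_exec/_operations/exec"
# Assumed media type for a YANG operation input; curl -T sends octet-stream.
CONTENT_TYPE = "application/vnd.yang.operation+xml"

# Constructed reply modelled on the 'show version' output in the guide.
SAMPLE_REPLY = (
    "<output xmlns='http://www.cisco.com/staros-exec'>"
    "<result>Active Software:\n  Image Version: 21.2.M0.private\n</result>"
    "</output>"
)


def build_exec_input(cli_command):
    """Return the <input><args>...</args></input> body for one exec command.

    Built with ElementTree so that '<', '>' and '&' in the command are
    escaped as text rather than spliced in as markup."""
    root = ET.Element("input")
    ET.SubElement(root, "args").text = cli_command
    return ET.tostring(root, encoding="unicode")


def parse_exec_output(body):
    """Return the text of <result> from an exec reply; raise on any other shape."""
    root = ET.fromstring(body)
    if root.tag != "{%s}output" % EXEC_NS:
        raise ValueError("unexpected root element %s" % root.tag)
    result = root.find("{%s}result" % EXEC_NS)
    if result is None:
        raise ValueError("reply carries no <result> element")
    return result.text or ""


def mtls_context(client_cert, client_key, ca_file):
    """SSL context equivalent to curl --cert/--key/--cacert: present our
    certificate and accept only a server chained to the private CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def run_exec(host, port, user, password, cli_command, ctx):
    """POST one CLI command and return its text (network call, not run offline).

    The exec model is admin-only, so the basic-auth user must be an
    administrator; the TLS context supplies the client certificate."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": CONTENT_TYPE}
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("POST", EXEC_PATH, body=build_exec_input(cli_command), headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    if resp.status != 200:
        raise RuntimeError("HTTP %d: %s" % (resp.status, body[:200]))
    return parse_exec_output(body)


if __name__ == "__main__":
    # Offline demonstration of the request body and reply parsing.
    print(build_exec_input("show version"))
    print(parse_exec_output(SAMPLE_REPLY))
    # To run against a chassis (placeholders, assumed values):
    # ctx = mtls_context("client.crt", "client.key", "rootCA.pem")
    # print(run_exec("rtp-mitg-si06.cisco.com", 234, "admin", "pswd!", "show version", ctx))
```

Because exec runs arbitrary CLI as the authenticated user, the escaping in build_exec_input is what keeps a command string taken from a ticket or script from being able to inject additional XML, and the CERT_REQUIRED context keeps the admin password from being sent to an impostor chassis.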
************************************* CLI Based YANG Model for ECS Commands In this release, the cisco-staros-cli-config.yang model supports a limited set of ECS (Enhanced Charging System) configuration commands via NSO. On the southbound side, ConfD communicates with a StarOS process called via a set of APIs provided by the ConfD management agent.
The CDB only receives updates via the NETCONF interface. In order to keep the CDB and the StarOS configuration databases in sync, all changes made via CLI access (external to NETCONF) to the cisco-staros-cli-config YANG model supported configuration objects must be applied to the CDB manually. Seeding and Synchronizing the CDB After enabling server confd you may need to initially seed the CDB with a local copy of the configuration database (CDB) managed by ConfD on StarOS.
NETCONF and ConfD CDB Maintenance CDB Maintenance A local copy of the ConfD Configuration Database (CDB) is managed by ConfD on StarOS. You can show and save all ConfD supported StarOS configuration commands to a URL. The confd keyword has been added to the show configuration and save configuration commands for these purposes. After saving a ConfD-supported configuration to a URL, you can apply it directly to the CDB via the Exec mode configure confd <url>...
NETCONF and ConfD Supported StarOS ECS Configuration Commands save configuration <url> confd The keyword confd is added to the Exec mode save configuration command. This keyword filters the saved configuration commands to contain only configuration commands that are supported by the YANG model. The command syntax for this process is: host_name save configuration <url>...
NETCONF and ConfD Supported StarOS ECS Configuration Commands • action priority <priority_number> group-of-ruledefs <ruledefs_group_name> charging-action <charging_action_name> Note "= *" indicates support for every option following the prior keyword/value.
A P P E N D I X ICSR Checkpointing This appendix lists and describes macro- and micro-checkpoints employed by the Interchassis Session Recovery framework. Checkpoints are exchanged between the active and standby ICSR chassis via the Service Redundancy Protocol (SRP). The following topics are discussed: •...
ICSR Checkpointing GGSN_APN ID MAPPING GGSN_APN ID MAPPING This macro-checkpoint is sent from the active to the standby chassis to map APN names on the standby chassis. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever a TCP connection is established between the sessmgrs and they move to READY_STATE.
ICSR Checkpointing VPNMGR_ID MAPPING • Accounting: No • Delta/Cumulative: N/A • Related CLI command: show session subsystem facility sessmgr instance <instance no> debug-info VPNMGR_ID MAPPING This macro-checkpoint is sent from the active to the standby chassis to map VPNs on the standby chassis. •...
ICSR Checkpointing Uncategorized Uncategorized SESS_UCHKPT_CMD_INVALIDATE_CRR This micro-checkpoint is sent to the standby chassis to clear a deleted call. It carries the Call ID and other information that must be deleted on the standby chassis. • Time based: No • Frequency: N/A •...
ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_ACS_GX_LI_INFO This micro-checkpoint sources lawful intercept (LI) related information maintained by ECS. • Time based: Yes • Frequency: — • Event based: Yes • Events: Occurs whenever LI information is created or modified. • Accounting: No •...
ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_DEL_ACS_SESS_INFO This micro-checkpoint notifies that a Release Bearer event has occurred. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever an ECS Release Bearer message is processed. • Accounting: No •...
ICSR Checkpointing ECS Category SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_QG_INFO This micro-checkpoint notifies that a dynamic QoS group has been deleted. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs whenever a dynamic QoS group has been deleted. • Accounting: No •...
ICSR Checkpointing ePDG Category SESS_UCHKPT_CMD_DYNAMIC_RULE_INFO This micro-checkpoint sources predefined and dynamic rule related information maintained by ECS. • Time based: Yes • Frequency: — • Event based: Yes • Events: Occurs whenever a dynamic rule is created or modified. • Accounting: No •...
ICSR Checkpointing ePDG Category • CMD-ID: 110 • Related CLI command: show srp micro-checkpoint statistics debug-info SESS_UCHKPT_CMD_UPDATE_EPDG_PEER_ADDR This micro-checkpoint synchronizes ePDG peer addresses between the active and standby chassis. • Time based: No • Frequency: N/A • Event based: Yes •...
ICSR Checkpointing Firewall/ECS Category • Delta/Cumulative: Cumulative • CMD-ID: 110 • Related CLI command: show srp micro-checkpoint statistics debug-info Firewall/ECS Category SESS_UCHKPT_CMD_SFW_DEL_RULE_INFO This micro-checkpoint is sent when a ruledef is deleted for a bearer. • Time based: No • Frequency: N/A •...
ICSR Checkpointing GGSN Category • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs for a network initiated or UE initiated update. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 171 • Related CLI command: show srp checkpoint statistics active verbose, and show session subsystem facility sessmgr instance <instance_number>...
ICSR Checkpointing Gx Interface Category Gx Interface Category SESS_UCHKPT_CMD_ACS_VOLUME_USAGE This micro-checkpoint sends volume usage over Gx accounting buckets. • Time based: Yes • Frequency: 4 seconds for aamgr micro-checkpoint and 18 seconds for GR micro-checkpoint • Event based: No • Events: Send along with macro-checkpoint •...
ICSR Checkpointing NAT Category • Event based: Yes • Events: Triggered when a new NAT port chunk is allocated or deleted. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 105 • Related CLI command: None SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALMS This micro-checkpoint is sent when a NAT IP address is allocated to or deallocated from a subscriber. For an on-demand case, it is triggered when the first packet matching a particular NAT realm is received and the NAT IP address is allocated to the subscriber.
ICSR Checkpointing NAT Category SESS_UCHKPT_CMD_NAT_SIP_ALG_CONTACT_PH_INFO This micro-checkpoint is sent when a received SIP packet is analyzed and pinholes are created in the NAT firewall. • Time based: No • Frequency: N/A • Event based: Yes • Events: Triggered when a SIP packet creates pinholes in the NAT firewall. •...
ICSR Checkpointing P-GW Category • Events: Triggered when a new flow with bypass-nat enabled is created or deleted. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 60 • Related CLI command: None P-GW Category SESS_UCHKPT_CMD_PGW_DELETE_SUB_SESS Reserved for future use. SESS_UCHKPT_CMD_PGW_OVRCHRG_PRTCTN_INFO This micro-checkpoint indicates that the S-GW has set the Overcharging Protection bit in the MBR.
ICSR Checkpointing P-GW Category SESS_UCHKPT_CMD_PGW_UBR_MBR_INFO This micro-checkpoint is sent at the end of a UBR (Update Bearer Request) or MBR (Modify Bearer Request) except when the UBR/MBR procedure results in the following scenarios: • TFT change • Bearer update or modification for a collapsed call •...
ICSR Checkpointing SaMOG Category SESS_UCHKPT_CMD_CGW_UPDATE_BEARER_QOS This micro-checkpoint indicates a QoS update for the bearer. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs when a change in Bearer QoS is received from the P-GW due to a reauthorization (AAR Received from AAA Server) or Update-Bearer-Request.
ICSR Checkpointing SaMOG Category • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs on receipt of an Accounting Req (INTERIM-UPDATE) from the WLC. • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 177 • Related CLI command: show subscriber samog-only full SESS_UCHKPT_CMD_SAMOG_ACCT_START_INFO This micro-checkpoint is sent for a SaMOG session on receipt of an Accounting Req (START) from the WLC (Wireless LAN Controller).
ICSR Checkpointing SaMOG Category SESS_UCHKPT_CMD_SAMOG_GTPV1_UPDATE_PDN_INFO This micro-checkpoint is sent for a SaMOG session upon receipt of an Update-PDP-Context-Req from the GGSN to update the PDN information. • Time based: No • Frequency: N/A • Event based: Yes • Events: Occurs after successful SaMOG processing of an Update-PDP-Context-Req from the GGSN. •...
ICSR Checkpointing SaMOG Category • Accounting: No • Delta/Cumulative: N/A • CMD-ID: 175 • Related CLI command: show subscriber samog-only full SESS_UCHKPT_CMD_SAMOG_LI_PROV_INFO This micro-checkpoint is sent for a SaMOG session that is on lawful intercept (LI) Active-Camp-on mode. • Time based: No •...
ICSR Checkpointing, SaMOG Category
• Events: Occurs after SaMOG sends an Access-Challenge for an existing SaMOG subscriber session during Re-authentication.
• Accounting: No
• Delta/Cumulative: N/A
• CMD-ID: 184
• Related CLI command: show subscriber samog-only full
SESS_UCHKPT_CMD_SAMOG_REAUTHEN_INFO
This micro-checkpoint is sent for a SaMOG session when subscriber Re-authentication is completed.
•...
APPENDIX: ASR 5500 SDR CLI Command Strings
• ASR 5500 SDR CLI Command Strings, page 461
This appendix identifies the CLI command strings that can be entered for a record section via the support record section command in the Global Configuration Mode.
ASR 5500 SDR CLI Command Strings
Default    SDR Command String
Disabled   "show ss7-routing-domain all sctp asp all status peer-server all peer-server-process all verbose"
Enabled    "show ss7-routing-domain all sctp asp all statistics gen"
Disabled   "show ss7-routing-domain all m3ua status peer-server all"
Disabled   "show ss7-routing-domain all m3ua statistics peer-server all peer-server-process all"
...

APPENDIX: Cisco Secure Boot
This appendix briefly describes the Cisco Secure Boot process and how it impacts image naming conventions. It contains the following sections:
• Fundamental Concepts, page 475
• Secure Boot Overview, page 476
•...
Secure Boot Overview Cisco Secure Boot places the Root of Trust in a hardware chip device on a circuit card where it cannot be changed. The first code (microloader) that executes immediately after power on is guaranteed to be legitimate code from Cisco and programmed during the time of system manufacturing.