MANUAL PAGE     1/190 80-CRA 119 1170/1 Uen C    

Security Service Command Reference

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.

Contents

1   Commands
1.1   asp
1.2   asp-count
1.3   asp security default
1.4   asp group
1.5   asp-group
1.6   asp pool service
1.7   card ase
1.8   debug asp engine
1.9   debug security
1.10   log server
1.11   log source
1.12   maximum subscribers
1.13   maximum tunnels ipsec
1.14   pool
1.15   priority
1.16   show asp
1.17   show asp group
1.18   show asp pool

Glossary

Reference List


1   Commands

This document provides command syntax and usage guidelines for commands used in the configuration and operation of the advanced services support available when an Advanced Service (ASE) card is installed in a SmartEdge® router. For an overview of the ASE card infrastructure, see Reference [1]. For configuration tasks, see Reference [2] or Reference [3].

1.1   asp

asp slot-id/asp-id

1.1.1   Command Mode

Advanced Services Processor (ASP) pool configuration

1.1.2   Syntax Description

slot-id

Chassis slot number where the ASE card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

The ID of the ASP on the ASE card. Possible values are 1 and 2.

1.1.3   Usage Guidelines

Specifies the ASPs associated with the ASP pool.

1.1.4   Default

No ASPs are associated with an ASP pool.

1.1.5   Examples

The following example specifies six ASPs on four ASE cards to associate with the ASP pool being configured:

[local]Redback(config-asp-pool-mode)#asp 1/1 
[local]Redback(config-asp-pool-mode)#asp 1/2 
[local]Redback(config-asp-pool-mode)#asp 3/1 
[local]Redback(config-asp-pool-mode)#asp 3/2 
[local]Redback(config-asp-pool-mode)#asp 4/1 
[local]Redback(config-asp-pool-mode)#asp 5/1

1.2   asp-count

asp-count number

1.2.1   Command Mode

ASP group configuration

1.2.2   Syntax Description

number

1 to 22

1.2.3   Default

No ASP count is configured for an ASP group.

1.2.4   Usage Guidelines

Specifies the number of ASPs requested by the ASP group. In conjunction with the priority assigned to the ASP group, ASPs up to the number requested will be allocated to the group from the ASP pool associated with the group.

1.2.5   Examples

The following example specifies that two ASPs are requested by the ASP group.

[local]Redback(config-asp-group-mode)#asp-count 2

1.3   asp security default

asp security default

1.3.1   Command Mode

global configuration

1.3.2   Syntax Description

This command has no keywords or arguments.

1.3.3   Default

None.

1.3.4   Usage Guidelines

Configures the ASP to provide the security service and enters the ASP security default configuration mode.

1.3.5   Examples

[local]Redback(config)#asp security default 

1.4   asp group

asp group group-name

1.4.1   Command Mode

global configuration

1.4.2   Syntax Description

group-name

The name of the ASP group.

1.4.3   Default

No ASP groups are configured.

1.4.4   Usage Guidelines

Creates or selects an ASP group and enters ASP group configuration mode.

1.4.5   Examples

The following example configures the ASP group ipsec_group1:

[local]Redback(config)#asp group ipsec_group1

1.5   asp-group

asp-group group-name service service-name

1.5.1   Command Mode

context configuration

1.5.2   Syntax Description

group-name

The name of an existing ASP group.

service service-name

The only available value is security. Must match the service-name specified for the ASP pool to which the ASP group belongs.

1.5.3   Default

No ASP groups are associated with an ASE-based service.

1.5.4   Usage Guidelines

Associates an ASP group for the specified service with the context in which this command is entered.

1.5.5   Examples

The following example associates ASP group ipsec_group1 with the context c3.

[local]Redback(config)#context c3 
[local]Redback(config-ctx)#asp-group ipsec_group1 service security

1.6   asp pool service

asp pool pool-name service service-name

1.6.1   Command Mode

global configuration

1.6.2   Syntax Description

pool-name

The name of the ASP pool.

service service-name

Mandatory. The only available value is security.

1.6.3   Default

No ASP pool is configured by default.

1.6.4   Usage Guidelines

Creates or selects an ASP pool and enters ASP pool configuration mode.

1.6.5   Examples

The following example configures an ASP pool ipsec_pool1 for use with the ASE-based service security.

[local]Redback(config)#asp pool ipsec_pool1 service security

1.7   card ase

card ase slot

1.7.1   Command Mode

global configuration

1.7.2   Syntax Description

slot

Chassis slot number where the card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

1.7.3   Usage Guidelines

Specifies an ASE card for a slot, or selects one for modification, and enters card configuration mode.

1.7.4   Examples

The following example configures an ASE card in slot 4:

[local]Redback(config)#card ase 4

1.8   debug asp engine

debug asp slot-id/asp-id engine all {trace | log} {buffer | console} [level level]

1.8.1   Command Mode

exec

1.8.2   Syntax Description

slot-id

Chassis slot number where the ASE card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

The ID of the ASP on the ASE card. Possible values are 1 and 2.

trace

Enables generation of trace messages.

log

Enables generation of log messages.

buffer

Sends debug information to the circular buffer on the ASP.

console

Sends debug information to the console.

level level

Specifies the debug logging level, where level is one of the following (in descending severity order):


  • emergency—Only emergency events.

  • alert—Alert and more severe events.

  • critical—Critical and more severe events.

  • error—Error and more severe events.

  • warning—Warning and more severe events.

  • notice—Notice and more severe events.

  • informational—Informational and more severe events.

  • debug–All events, including debug events.

  • all

1.8.3   Usage Guidelines

Enables the generation of debug messages for a specific ASP engine on a specific ASE card.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.8.4   Examples

The following example enables the generation of debug messages for the ASP engine of a specific ASP on a specific ASE card.

[local]Redback#debug asp 2/1 engine all

1.9   debug security

debug security {all | asp | config | general | ppa | rcm | service | state | tunnel}

1.9.1   Command Mode

exec

1.9.2   Syntax Description

all

All security service debug messages

asp

ASP messages

config

Security configuration download messages

general

General messages

ppa

Packet Processing ASIC (PPA) messages

rcm

Router Configuration Manager (RCM) messages

service

Security service processing messages

state

State messages

tunnel

Tunnel messages

1.9.3   Usage Guidelines

Enables the generation of debug messages for the ASE-based security service.


 Caution! 
Risk of performance loss. Enabling the generation of debug messages can severely affect system performance. To reduce the risk, exercise caution when enabling the generation of debug messages on a production system.

1.9.4   Examples

The following example enables the generation of all debug messages for the ASE-based security service.

[local]Redback#debug security all

1.10   log server

log server server-ip [transport transport-protocol] [port port]

1.10.1   Command Mode

ASP security default configuration

1.10.2   Syntax Description

server-ip

IP address of the default log server.

transport-protocol

Specifies the transport protocol used for logs. Only UDP is supported.

1.10.3   Default

No log server is configured by default.

1.10.4   Usage Guidelines

Configures the IP address and destination port of the log server. The log server should be reachable through context local.

1.10.5   Examples

[local]Redback(config)#asp security default 
[local]Redback(config-asp-security-default)#log server 10.1.1.2 transport udp port 514

1.11   log source

log source source-ip [context context-name]

1.11.1   Command Mode

ASP security default configuration

1.11.2   Syntax Description

source-ip

IP address of the default log source.

context-name

Context through which the log source is reachable.

1.11.3   Default

No log source is configured by default.

1.11.4   Usage Guidelines

Configures the IP address and the context through which the log source is reachable.

1.11.5   Examples

[local]Redback(config-asp-security-default)#log source 10.1.0.5

1.12   maximum subscribers

maximum subscribers max-subscribers

1.12.1   Command Mode

ASP pool configuration

1.12.2   Syntax Description

max-subscribers

Maximum number of subscribers per ASP. Possible values are 1 to 32,768.

1.12.3   Default

The default number of subscribers admitted per ASP is 8,124.

1.12.4   Usage Guidelines

Specifies the maximum number of subscribers admitted for all ASPs associated with an ASP pool. Each ASP added to the pool can support a maximum of 32,768 units. Subscribers consume a load of 1 unit, so each ASP supports 32,768 subscribers, or a combination of subscribers and tunnels with a maximum load within 32,768 units.

1.12.5   Examples

The following example specifies a limit of 16,384 subscribers for each ASP associated with ASP pool p1.

[local]Redback(config)#asp pool p1 service security 
[local]Redback(config-asp-pool-mode)#maximum subscribers 16384

1.13   maximum tunnels ipsec

maximum tunnels ipsec max-tunnels

1.13.1   Command Mode

ASP pool configuration

1.13.2   Syntax Description

max-tunnels

Maximum number of IPsec tunnels per ASP. Possible values are 1 to 4,096.

1.13.3   Default

The default number of IPsec tunnels admitted per ASP is 2,048.

1.13.4   Usage Guidelines

Specifies the maximum number of IPsec tunnels for all ASPs associated with an ASP pool. Each ASP added to the pool supports a maximum of 32,768 units. IPsec tunnels consume a load of 8 units, so each ASP supports 4,096 tunnels, or a combination of tunnels and subscribers with a maximum load within 32,768 units.

1.13.5   Examples

The following example specifies a limit of 1,024 IPsec tunnels for each ASP associated with ASP pool p1.

[local]Redback(config)#asp pool p1 service security 
[local]Redback(config-asp-pool-mode)#maximum tunnels ipsec 1024
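
The load arithmetic described for maximum subscribers and maximum tunnels ipsec can be checked before a configuration is applied. The following Python sketch is an added example, not part of the original manual or of any Ericsson tool: it reads ASP pool configuration lines, fills in the documented defaults, and reports limits that are out of range or that together admit more than the 32,768 units one ASP supports, in which case both limits cannot be reached on the same ASP. The pool names p2 and p3 and the function names are made up for the example.

```python
import re

ASP_UNITS = 32768                                   # load units per ASP (page value)
UNIT_COST = {"subscribers": 1, "tunnels": 8}        # load per subscriber / IPsec tunnel
DEFAULTS = {"subscribers": 8124, "tunnels": 2048}   # per-ASP defaults stated on the page
RANGES = {"subscribers": (1, 32768), "tunnels": (1, 4096)}
PROMPT = re.compile(r"^\[[^\]]*\]\S+?#\s*")         # strips "[local]Redback(config)#"

# Constructed sample input; pool names p2 and p3 are made up for the example.
SAMPLE = """\
[local]Redback(config)#asp pool p1 service security
[local]Redback(config-asp-pool-mode)#maximum subscribers 16384
[local]Redback(config-asp-pool-mode)#maximum tunnels ipsec 1024
[local]Redback(config)#asp pool p2 service security
[local]Redback(config-asp-pool-mode)#maximum subscribers 32768
[local]Redback(config)#asp pool p3 service security
"""

def parse_pools(transcript):
    """Return {pool-name: {"subscribers": n, "tunnels": n}} with defaults filled in."""
    pools, current = {}, None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"asp pool (\S+) service \S+", line):
            current = pools.setdefault(m.group(1), dict(DEFAULTS))
        elif (m := re.fullmatch(r"maximum (subscribers|tunnels ipsec) (\d+)", line)) and current is not None:
            current[m.group(1).split()[0]] = int(m.group(2))
    return pools

def audit(pools):
    """Return findings for out-of-range limits and over-committed load budgets."""
    findings = []
    for name, limits in sorted(pools.items()):
        for key, (low, high) in RANGES.items():
            if not low <= limits[key] <= high:
                findings.append(f"{name}: maximum {key} {limits[key]} outside {low}-{high}")
        load = sum(limits[key] * UNIT_COST[key] for key in UNIT_COST)
        if load > ASP_UNITS:
            findings.append(f"{name}: limits admit {load} units, ASP supports {ASP_UNITS}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pools(SAMPLE)):
        print(finding)
```

Pool p2 is flagged because raising only the subscriber limit leaves the default tunnel limit of 2,048 in place, which still accounts for 16,384 units.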

1.14   pool

pool pool-name

1.14.1   Command Mode

ASP group configuration

1.14.2   Syntax Description

pool-name

The name of an existing ASP pool.

1.14.3   Default

No ASP pool is identified for an ASP group by default.

1.14.4   Usage Guidelines

Specifies the ASP pool associated with the ASP group.

1.14.5   Examples

The following example specifies that the existing ASP pool ipsec_pool1 is associated with this ASP group.

[local]Redback(config)#asp group ipsec_group1 
[local]Redback(config-asp-group-mode)#pool ipsec_pool1

1.15   priority

priority number

1.15.1   Command Mode

ASP group configuration

1.15.2   Syntax Description

number

1 to 1024. The lower the value, the higher the priority.

1.15.3   Default

No priority for an ASP group is configured by default.

1.15.4   Usage Guidelines

Configures the priority for the ASP group. Priority is used to determine the order in which ASPs are allocated to the ASP groups.

1.15.5   Examples

The following example configures a priority of 100 for the ASP group. This ASP group will be allocated ASPs before ASP groups with lower priority.

[local]Redback(config-asp-group-mode)#priority 100
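
How asp-count and priority interact when a pool has fewer ASPs than its groups request can be worked through offline. The following Python sketch is an added example, not code from the manual or the SmartEdge OS. It assumes a simplified model in which groups take free ASPs from their pool in ascending priority number, in the order the ASPs were configured, with groups that have no priority served last and ties broken by name; the manual states only that priority determines allocation order. The names pool1, gold and bronze are hypothetical.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\S+?#\s*")   # strips "[local]Redback(config-...)#"
NEW_GROUP = {"pool": None, "asp-count": 0, "priority": None}
# Constructed sample; pool1, gold and bronze are hypothetical names.
SAMPLE = """\
[local]Redback(config)#asp pool pool1 service security
[local]Redback(config-asp-pool-mode)#asp 1/1
[local]Redback(config-asp-pool-mode)#asp 1/2
[local]Redback(config-asp-pool-mode)#asp 3/1
[local]Redback(config)#asp group bronze
[local]Redback(config-asp-group-mode)#pool pool1
[local]Redback(config-asp-group-mode)#asp-count 2
[local]Redback(config-asp-group-mode)#priority 100
[local]Redback(config)#asp group gold
[local]Redback(config-asp-group-mode)#pool pool1
[local]Redback(config-asp-group-mode)#asp-count 2
[local]Redback(config-asp-group-mode)#priority 10
"""

def parse(transcript):
    """Return (pools, groups) collected from CLI lines in this reference's syntax."""
    pools, groups, mode, cur = {}, {}, None, None
    for raw in transcript.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if w[:2] == ["asp", "pool"] and len(w) >= 3:
            mode, cur = "pool", pools.setdefault(w[2], [])
        elif w[:2] == ["asp", "group"] and len(w) == 3:
            mode, cur = "group", groups.setdefault(w[2], dict(NEW_GROUP))
        elif mode == "pool" and len(w) == 2 and w[0] == "asp":
            cur.append(w[1])                          # asp slot-id/asp-id
        elif mode == "group" and len(w) == 2 and w[0] in cur:
            cur[w[0]] = w[1] if w[0] == "pool" else int(w[1])
    return pools, groups

def plan(pools, groups):
    """Assumed model: groups take free ASPs from their pool, lowest priority number first."""
    free = {name: list(asps) for name, asps in pools.items()}
    def rank(g):                                      # unprioritized groups last, then by name
        p = groups[g]["priority"]
        return (p is None, p or 0, g)
    result = {}
    for g in sorted(groups, key=rank):
        avail, want = free.get(groups[g]["pool"], []), groups[g]["asp-count"]
        result[g] = {"asps": avail[:want], "short": want - len(avail[:want])}
        del avail[:want]
    return result

if __name__ == "__main__":
    print(plan(*parse(SAMPLE)))
```

With three ASPs in the pool and two groups each requesting two, the group with priority 10 is fully served and the group with priority 100 is left one ASP short.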

1.16   show asp

show asp [slot-id/asp-id]

1.16.1   Command Mode

all modes

1.16.2   Syntax Description

slot-id

Chassis slot number where the ASE card is installed. The range of values depends on the chassis:


  • SmartEdge 800 or 1200: 1 to 6 and 9 to 14

  • SmartEdge 400: 1 to 4

asp-id

The ID of the ASP on the ASE card. Possible values are 1 and 2.

1.16.3   Usage Guidelines

Displays information about ASPs. With no parameters, the command displays a one-line summary for each ASP, showing the pool name and the group name to which the ASP belongs, the operational state of the ASP, whether the ASP is acting as an active or backup ASP, and the service the ASP provides. With an ASP specified, the command displays the same information for the specified ASP.

1.16.4   Examples

[local]Redback#show asp
 ASP-Name  Oper-State  Active/Backup Pool       Group         Service

    1/1    up          active        pool1       group1       security

    1/2    up          active        pool2       group2       security

    2/1    up          active        pool_1      ha-grp1      security

    11/1   down        active        ipsec_pool1 ipsec_group1 security


[local]Redback#show asp 11/1
ASP ID : 11/1
        Operating State : up            
        Active or Backup : active           
        Pool : ipsec_pool1 
        Group : ipsec_group1 
        Service : security 

1.17   show asp group

show asp group [group-name | detail]

1.17.1   Command Mode

all modes

1.17.2   Syntax Description

group-name

The name of an existing ASP group.

detail

Displays detailed information for each configured ASP group.

1.17.3   Usage Guidelines

Displays information about ASP groups. With no parameters, the command displays a one-line summary for each ASP group, showing the name of the ASP pool referenced by the group, the number of ASPs configured for the group, and the priority configured for the group. With an ASP group name specified, the command displays the same information for the specified ASP group, together with a one-line summary for each physical ASP in the group. With the detail keyword, the command displays, for all configured ASP groups, the same information that is provided for a single ASP group.

1.17.4   Examples

[local]Redback#show asp group

ID  Name  Service-Type  Prio  Num-ASPs  Num-ASPs-Assigned

2   ipsec_group1    1    0      1               1 

[local]Redback#show asp group ipsec_group1

Group Name : ipsec_group1
        Service Name : 
        Group ID : 2
        Priority : 0
        Associated Pool : ipsec_pool1
        Configured ASP Count : 1
        Assigned ASP Count : 1
        Assigned ASPs : 
          1. 11/1 (up/active)

1.18   show asp pool

show asp pool [pool-name | detail]

1.18.1   Command Mode

all modes

1.18.2   Syntax Description

pool-name

The name of an existing ASP pool.

detail

Displays detailed information for each configured ASP pool.

1.18.3   Usage Guidelines

Displays information about ASP pools. With no parameters, the command displays a one-line summary for each ASP pool, showing the pool name, the number of ASPs configured for the pool, and the service to which the pool belongs. With an ASP pool name specified, the command displays the service provided by the ASP pool, the ASP groups that reference it, and the set of physical ASPs that belong to it, with a one-line summary for each ASP group and physical ASP. With the detail keyword, the command displays, for all configured ASP pools, the same information that is provided for a single ASP pool.

1.18.4   Examples

[local]Redback#show asp pool
Pool-Name     Service-Name  Number-of-ASPs   

ipsec_pool1   security           2
ipsec_pool2   security           0

[local]Redback#show asp pool ipsec_pool1

Pool Name : ipsec_pool1
        Service Name : security
        Pool ID : 2 
        ASP Groups :
        1. ipsec_group1

        Configured ASPs : 
        1. 11/1 (up/active)

[local]Redback#show asp pool detail

Pool Name : ipsec_pool1
        Service Name : security
        Pool ID : 1
        ASP Groups :
        1. ipsec_group1
        Configured ASPs :

        1. 11/1 (up/active)

Pool Name : ipsec_pool2
        Service Name : security
        Pool ID : 2
        ASP Groups :
        1. group2
        Configured ASPs :

        1. 1/2 (up/active)

Glossary

ASE
Advanced Service
 
ASP
Advanced Services Processor
 
PPA
Packet Processing ASIC
 
RCM
Router Configuration Manager

Reference List

[1] Advanced Services Infrastructure Overview, 1/221 02-CRA 119 1170/1.
[2] Advanced Services Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1.
[3] Advanced Services Configuration and Operation Using the NetOp EMS Software, 1553-CRA 119 1170/1.