SYSTEM ADMINISTRATOR GUIDE     1/1543-CRA 119 1170/1 Uen B

Advanced Services Configuration and Operation Using the SmartEdge OS CLI

Copyright

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

Contents

1   Introduction

The Advanced Services Engine (ASE) card contains two Advanced Service Processors (ASPs) that provide additional processing power on a SmartEdge® router. ASE-based services (currently only Security Service) run on these ASPs. In the current release, the SmartEdge OS, the ASE-based Security Service supports two applications: Internet Protocol Security (IPsec) Virtual Private Network (VPN), which provides support for secure tunnels, and Application Traffic Management, which provides support for managing application traffic using Deep Packet Inspection (DPI) and heuristic mechanisms. You can use the Command Line Interface (CLI) of the SmartEdge OS to configure these applications.

1.1   Scope

This document describes how to use the CLI to add an Advanced Services Engine (ASE) card to the configuration of a SmartEdge router and configure the ASP pools and ASP groups. ASP pools and groups distribute the processing capabilities of the ASPs on the ASE cards installed in the router, provide load balancing when multiple ASPs are installed, and support resiliency when excess ASPs are available. The document also describes how to view information about ASP pools and groups and configure ASP logging.

1.2   Target Groups

This document is intended for network planners responsible for the design of advanced network services that use the SmartEdge router and for operators of the SmartEdge OS responsible for entering the configuration on individual SmartEdge routers.

1.3   Prerequisites

The contexts that carry traffic that you want directed to ASPs on an ASE card for processing by the security applications must be configured on the SmartEdge router. Until a context is associated with an ASP group, ASE-based services cannot be accessed.

Before you configure ASP logging, a loopback interface must be configured in the local context for use as the ASP log source IP address. Its IP address is required to configure ASP logging. The IP address and port on the log server to which the ASP log messages are forwarded must also be known. The only supported transport protocol in this release is User Datagram Protocol (UDP).

2   ASE Card Configuration

ASE card configuration prepares the ASPs on the card to provide ASE-based services.

You can add an ASE card to the configuration of a SmartEdge router before it is physically installed in the chassis. The card is detected when it is physically installed and the ASE configuration is processed. It takes longer for an ASE card to become active and start processing traffic than a traffic card due to the additional complexity of the ASE-based services provided by the ASPs on the card.

2.1   Configuration Tasks

To configure an ASE card, enter the following command in global configuration mode:

card ase slot

Commit the transaction.

2.2   Configuration Examples

The following example shows how to configure an ASE card in slot 4:

[local]Redback(config)#card ase 4
[local]Redback(config-card)#

3   Security Service Configuration

Security Service configuration consists of configuring ASP pools, configuring ASP groups, and associating a context with an ASP group. You can define ASP pools and groups at any time; however, and you can add an ASP to an ASP pool without an ASE card installed in the chassis. For information on ASP pools and ASP groups, see Reference [1].

3.1   ASP Pool Configuration

An ASP pool contains the following information:

• ASPs on ASE cards configured on the SmartEdge router that are assigned to this pool
• Specific service provided by the ASPs in this pool (currently, only the Security Service type is supported)

3.1.1   Configuration Tasks

To configure an ASP pool, enter the following commands:

1. Configure the ASP pool in global configuration mode:

   (config)#asp pool pool-name service service-name

2. Add an ASP to the pool in ASP pool configuration mode:

   (cfg-asp-pool-mode)#asp slot-id/asp-id

3. Commit the transaction.

3.1.2   Configuration Examples

The following example shows how to configure the p1 ASP pool and specify six ASPs on four ASE cards to associate with the ASP pool:

[local]Redback(config)#asp pool p1 service security
[local]Redback(cfg-asp-pool-mode)#asp 1/1 
[local]Redback(cfg-asp-pool-mode)#asp 1/2 
[local]Redback(cfg-asp-pool-mode)#asp 3/1 
[local]Redback(cfg-asp-pool-mode)#asp 3/2 
[local]Redback(cfg-asp-pool-mode)#asp 4/1 
[local]Redback(cfg-asp-pool-mode)#asp 5/1

3.2   ASP Group Configuration

An ASP group contains the following information:

• A reference to an ASP pool that provides the ASPs for the group.
• Number of ASPs requested from the ASP pool.
• Priority of the ASP group, which determines:
  1. The distribution of ASPs to groups when the number of available ASPs is fewer than the total requested.
  2. The ASP group that is allocated a newly operational ASP. The lower the number, the higher the priority.

3.2.1   Configuration Tasks

To configure an ASP group, enter the following commands:

1. Configure the ASP group in global configuration mode:

   (config)#asp group group-name

2. Associate the group with an existing ASP pool in ASP group configuration mode:

   (cfg-asp-group-mode)#pool pool-name

3. Specify the number of ASPs requested from the ASP pool in ASP group configuration mode:

   (cfg-asp-group-mode)#asp-count number

4. Specify the priority for the ASP group in ASP group configuration mode:

   (cfg-asp-group-mode)#priority number

5. Commit the transaction.

3.2.2   Configuration Examples

The following example shows how to configure the g1 ASP group, associate the group with the p1 ASP pool, specify that two ASPs must be associated with the ASP group, and set the priority to 100 for the ASP group:

[local]Redback(config)#asp group g1
[local]Redback(cfg-asp-group-mode)#pool p1
[local]Redback(cfg-asp-group-mode)#asp-count 2
[local]Redback(cfg-asp-group-mode)#priority 100

3.3   Enabling a Context to Provide an ASE-Based Service

For subscribers to receive ASE-based services, the subscriber's context must be enabled for subscriber-based Security Services and associated with an ASP group. Associating the context with an ASP group directs traffic belonging to the context to the ASPs in the ASP group for processing.

In the current release, the only available ASE-based service is security.

3.3.1   Configuration Tasks

To configure a context to provide ASE-based service on traffic, enter the following commands:

1. Configure the context in global configuration mode:

   (config)#context ctx-name

2. Associate the context with an existing ASP group and service in context configuration mode. You can associate all or some of the contexts to the same ASP group, or associate each context to a different ASP group.

   (config-ctx)#asp-group group-name service service-name

3. Commit the transaction.

3.3.2   Configuration Examples

The following example shows how to associate the g1 ASP group with the security advanced service within the c3 context:

[local]Redback(config)#context c3
[local]Redback(config-ctx)#asp-group g1 service security

4   Displaying ASP Pool and Group Information

Show commands display a variety of information for ASP pools and groups and for security-enabled contexts, as shown in Table 1.

For more information about show commands see Reference [2].

5   Configuring Log Server Settings for Security Service

Reporting for advanced services is based on log messages. Log messages can be sent to the console or a log forwarding server and integrated with third-party reporting solutions or used by proprietary reporting solutions to generate deployment-specific reports. Log messages from all ASPs in all ASE cards installed in the SmartEdge router are sent using the specified ASP source to the specified log server. Each log message contains the system host name which must be set to a valid value; see the system command in Reference [4].

You must configure the source IP on the SmartEdge router for log messages that are forwarded to an external log server, such as the NetOp EMS Log Mediation server, and the IP address of the external log server. These settings are configurable default settings for the Security Service. No configuration is needed to control the generation of IKE or IPsec log messages from the IPsec VPN application. Additional configuration is required for the generation of P2P statistics; see Reference [3].

5.1   Configuration Tasks

To send log messages to a log forwarding server, perform the following steps:

1. Configure the default settings for the Security Service in global configuration mode.

   (config)#asp security default

2. Configure the IP address of the log forwarding server, and the optional transport protocol and forwarding port in ASP security default configuration mode.

   (config-asp-security-default)#log server server-ip transport transport-protocol port port

   The log server should be reachable through local context.

3. Configure the IP address of the log source and the context through which it is reachable:

   (config-asp-security-default)#log source source-ip context context

   The source-ip must be the IP address of a loopback interface in context local.

4. Commit the transaction.

5.2   Configuration Example

The following example configures logging to an external server:

[local]Redback(config)#asp security default
(config-asp-security-default)#log server 10.172.55.55 
  transport udp port 514
(config-asp-security-default)#log source 10.192.22.24 
  context c3

Glossary

Reference List