您的位置:360文档中心› 阿尔卡特-7750SR路由器加固

阿尔卡特-7750SR路由器加固

合集下载

Alcatel-Lucent 7750 SR 高级配置指南说明书

Alcatel-Lucent 7750 SR 高级配置指南说明书

PrefaceAbout This GuideThis guide provides advanced configuration solutions for Alcatel-Lucent’s 7750 SR and 7450 ESSrouter and is meant to be supplemental to the basic user configuration guides listed below.The guide is organized alphabetically and provides feature and configuration explanations, CLIdescriptions and overall solutions.AudienceThis manual is intended for network administrators who are responsible for configuring therouters. It is assumed that the network administrators have a detailed understanding of networkingprinciples and configurations.List of Technical PublicationsThe 7750 SR documentation set is composed of the following guides:•Basic System Configuration GuideThis guide describes basic system configurations and operations.•System Management GuideThis guide describes system security and access configurations as well as event loggingand accounting logs.•Interface Configuration GuideThis guide describes card, Media Dependent Adapter (MDA) and port provisioning.•Router Configuration GuideThis guide describes logical IP routing interfaces and associated attributes such as an IPaddress, as well as IP and MAC-based filtering, and VRRP and Cflowd.•Routing Protocols GuidePrefaceThis guide provides an overview of routing concepts and provides configuration examplesfor RIP, OSPF, IS-IS, BGP, and route policies.•MPLS Configuration GuideThis guide describes how to configure Multiprotocol Label Switching (MPLS) and LabelDistribution Protocol (LDP).•Services Overview GuideThis guide describes how to configure service parameters such as service distributionpoints (SDPs), customer information, and user services.•Layer 2 Services and EVPN GuideThis guide describes Virtual Leased Lines (VLL), Virtual Private LAN Service (VPLS),Provider Backbone Bridging (PBB), and Ethernet VPN (EVPN).•Layer 3 Services GuideThis guide describes Internet Enhanced Services (IES) and Virtual Private RoutedNetwork (VPRN) services.•Versatile Service Module GuideThis guide describes how to configure service parameters for the Versatile Service Module(VSM).•OAM and Diagnostics GuideThis guide describes how to configure features such as service mirroring and Operations,Administration and Management (OAM) tools.•Triple Play GuideThis guide describes Triple Play services and support provided by the routers and presentsexamples to configure and implement various protocols and services.•Quality of Service GuideThis guide describes how to configure Quality of Service (QoS) policy management.•RADIUS Attributes GuideThis guide describes all supported RADIUS Authentication, Authorization andAccounting attributes.•Multi-Service Integrated Service Adapter GuideThis guide describes services provided by integrated service adapters such as ApplicationAssurance, IPSec, ad insertion (ADI) and Network Address Translation (NAT).•Gx A VPs Reference GuideThis guide describes Gx Attribute Value Pairs (A VP).PrefaceTechnical SupportIf you purchased a service agreement for your router and related products from a distributor orauthorized reseller, contact the technical support staff for that distributor or reseller for assistance.If you purchased an Alcatel-Lucent service agreement, contact your welcome center:/wps/portal/supportReport documentation errors, omissions and comments to:**************************************Include document name, version, part number and page(s) affected.Preface。

阿尔卡特7750配置文档

阿尔卡特7750配置文档

上海贝尔阿尔卡特7750SR配置标准模板目录一、硬件配置 (5)1.1配置IOM卡 (5)1.1.1 查看已经插入的IOM卡的类型 (5)1.1.2正确配置IOM卡的类型 (5)1.2配置MDA卡 (5)1.2.1查看已经插入的MDA卡的类型 (5)1.2.2正确配置MDA卡的类型 (5)1.3配置MDA端口 (6)1.3.1 POS端口配置 (6)1.3.2 以太口配置 (6)1.3.3 查看port信息 (6)二、设备管理配置 (7)2.1配置路由器名称、LOCATION、CONTACT (7)2.2配置系统时间 (7)2.3配置SNTP (7)2.3.1 打开SNTP(简单网络时间协议) (7)2.3.2 配置SNTP地址 (7)2.4配置SR为TELNET服务器 (7)2.5配置TELNET登陆限制 (8)2.5.1 配置默认动作为允许,因为是所有上主控板的流量。

(8)2.5.2 配置允许IP段的ACL,配置源IP,协议,目的端口 (8)2.5.3 配置一条拒绝的ACL,拒绝其他IP段。

(8)2.6配置用户 (8)2.6.1 配置用户名 (8)2.6.2 配置用户密码 (8)2.6.3 配置用户登陆方式 (9)2.6.4 配置用户所属的组 (9)2.7配置LOG (9)2.7.1 配置log-id (9)2.7.2 配置log信息类型 (9)2.7.3 配置记录log的方式 (9)2.7.4 配置记录log方式的具体配置 (9)2.8配置SNMP (10)2.9配置主备板同步 (10)2.9.1 配置自动同步 (10)2.9.2 手工同步命令 (10)2.10配置空闲时间 (10)2.11配置ANTI-SPOOF (10)三、路由配置 (11)3.1配置路由器系统地址 (11)3.2配置网络接口 (11)3.2.2 配置IP地址 (11)3.2.3 配置关联端口 (11)3.2.4 查看配置的路由器接口 (11)3.3配置静态及OSPF路由协议 (12)3.3.1 配置静态路由 (12)3.3.2 配置OSPF区域 (12)3.3.3 配置ospf接口cost值 (12)3.3.4 配置一个stub区域 (12)3.3.5 配置NSSA区域 (12)3.3.6 配置虚链路 (13)3.3.7 配置认证 (13)3.3.8配置路由聚合 (13)3.3.9 配置静态路由注入到OSPF路由协议 (13)3.3.10 查看运行在ospf协议下的接口 (14)3.3.11 查看ospf邻居建立关系 (14)3.3.12 查看ospf路由表 (14)3.4配置IS-IS (14)3.4.1 配置区域ID (14)3.4.2 配置路由器等级能力 (15)3.4.3 配置IS-IS接口 (15)3.4.4 查看ISIS下的接口 (15)3.4.5 添加已经配置到ISIS的每个网络接口 (15)3.4.6 查看ISIS邻接关系 (15)3.4.7 查看ISIS路由表 (15)3.5BGP配置 (16)3.5.1 创建AS (16)3.5.2 配置路由器 ID5 (16)3.5.3 配置 BGP (16)3.6配置POLICY (16)3.6.1 配置policy名称 (16)3.6.2 配置从静态路由分布到ospf路由协议中的policy (17)3.6.3 配置commit使之生效 (17)3.6.4 应用policy (17)3.7IP F ILTER配置 (17)3.7.1创建ip filter (17)3.7.2 指定默认动作 (17)3. 7.3 创建条目,指定动作、源、目的IP (17)3.7.4 应用ip filter (18)四、 MPLS 配置以及业务配置 (19)4.1MPLS配置 (19)4.1.1 MPLS接口配置 (19)4.1.3 配置 MPLS LSP和主路径 (19)4.1.4 查看命令 (20)4.1.5 改变每个网络接口的最大传输单元(MTU)尺寸 (20)4.2 E P IPE 配置 (20)4.2.1 创建客户并将其与提供的业务相关联 (20)4.2.2 指向客户的接口(在我们的网络中由膝上电脑表示)称为“toCustomer”,必须配置为接入接口。

阿尔卡特7750SR路由器现场维护手册

阿尔卡特7750SR路由器现场维护手册

阿尔卡特7750SR路由器日常维护操作手册上海贝尔阿尔卡特股份有限公司互联网事业部二零零六年十月目录1. 总体概述................................................. 错误!未定义书签。

2. 常用软件操作............................................. 错误!未定义书签。

. 通过Console线缆连接路由器....................... 错误!未定义书签。

. SR系列路由器配置过程............................ 错误!未定义书签。

. 设备重启......................................... 错误!未定义书签。

. 路由引擎切换..................................... 错误!未定义书签。

. TiMOS软件升级步骤............................... 错误!未定义书签。

软件升级相关文件............................. 错误!未定义书签。

升级步骤..................................... 错误!未定义书签。

. 密码恢复......................................... 错误!未定义书签。

. 在CLI中获取帮助................................. 错误!未定义书签。

3. 7750SR-12 ................................................ 错误!未定义书签。

. 7750SR-12结构................................... 错误!未定义书签。

设备描述..................................... 错误!未定义书签。

7750SR业务路由器

7750SR业务路由器

引导市场的革新阿尔卡特7750 SR 的核心是FLEXIBLE FAST PATH —一个基于最先进的网络处理器阵列(NPA )芯片技术的完全可编程快速路径。

FLEXIBLE FAST PATH 以10Gb/s 的速度执行带有强大数据包监测和处理的转发。

每个单芯片NPA 都是由一系列定制的、完全可编程的处理器组成,而且这些处理器均为线速包处理进行了优化。

基于传统ASIC 架构的路由器缺乏特性的灵活性,而基于传统网络处理器的路由器又缺乏足够的转发性能,无法以10Gb/s 的速率运营,且通常成本昂贵,与这些架构和设计相比,NPA 能为客户提供明显的价值。

FLEXIBLE FAST PATH 转发技术的性能和功能使阿尔卡特7750 SR 能够在具有最快交换机的速度和密度的同时具备在IP/MPLS网络基础设施上提供新的高级业务所需的可编程能力和数据包处理智能。

阿尔卡特7750 SR 业务路由器是业内第一个专为高级互联网和虚拟专用网络(VPN )业务而设计和优化的IP/MPLS 业务路由器。

阿尔卡特7750 SR 有四种尺寸可供选择:单槽、4槽、7槽和12槽,可提供具有卓越性能和高密度的各种接口。

作为目前业内最具扩展性的路由器平台,阿尔卡特7750 SR 具有为高效传送基于服务等级协议(SLA )的业务而设计的软件和硬件架构,因此阿尔卡特7750 SR 不仅仅是强大的互联网路由器,更是一个灵活、强大的业务供应平台。

业务阿尔卡特7750 SR 为众多产生收益的业务提供高效的开通和运行手段。

阿尔卡特7750 SR 区别于典型的边缘路由器的关键在于紧密集成到产品架构中的与业务相关的特性和功能。

这使阿尔卡特7750 SR 能够支持广泛的IP/MPLS 业务,包括:>直接互联网接入(DIA )>以太网、帧中继和ATM 点到点第二层VPN (也被称为虚拟租用线路(VLL ))>多点第二层VPN (虚拟专用以太网业务(VPLS ))> BGP/MPLS VPN (RFC2547bis )通过采用对每个服务具有独立QoS 和统计计费功能的IP 和MPLS 隧道技术,阿尔卡特7750 SR 能够实现上万个独立的业务。

7750-SR设备常见故障处理指导书

7750-SR设备常见故障处理指导书

中国移动通信集团山西有限公司7750SR设备常见故障处理指导书上海贝尔阿尔卡特股份有限公司工程服务部二零零七年十月1 检查硬件运行状态 (4)1.17750SR硬件介绍 (4)1.2设备启动 (6)1.3检查管理连接状态 (10)1.3.1 Console 口连接 (10)1.4检查机箱状态 (12)1.4.1 机箱状态 (12)1.5检查电源 (13)1.6检查风扇 (14)1.7检查SF/CPM状态 (14)1.7.1 SF/CPM LED状态 (14)1.7.2 SF/CPM 排错命令 (16)1.7.3 检查SF/CPM 状态详情 (18)1.8检查IOM状态 (22)1.9检查MDA状态 (24)2 系统级排错 (25)2.1硬件初始化常见问题 (25)2.2检查文件配置 (27)2.2验证系统管理配置信息 (32)2.3显示系统信息 (32)2.4验证同步和冗余状态 (33)3 OA&M排错命令 (34)3.1LSP诊断命令 (35)3.2SDP D IAGNOSTICS (35)3.3业务诊断 (36)3.4VPLS MAC诊断 (36)3.5OAM命令汇总 (37)4 常见排错案例 (38)4.1硬件常见故障处理 (38)4.1.1 内存损失造成不能正常启动 (38)4.1.2 设备启动不成功 (39)4.1.3 MDA卡无法注册 (40)4.1.4 主控板无法注册 (40)4.1.5 console口无法输出信息 (41)4.1.6 软件升版不当导致CPM反复重启 (41)4.2端口常见故障处理 (44)4.2.1 pos端口常见故障处理 (44)4.2.2 ethernet端口常见故障处理 (46)4.3路由协议常见故障处理 (48)4.3.1 链路无法负载均衡 (48)4.3.2 等价路由情况下的PING问题 (49)4.3.3 访问控制列表配置不当引起路由协议DOWN掉 (54)4.3.4 升级后部分路由无法正常转发 (55)4.3.5 Ospf常见故障处理: (58)4.3.5.1 MTU配置问题导致OSPF无法与对端设备建立邻接关系 (58)4.3.5.2 配置了将直连路由重分发进ospf后,直连路由没有发布出去 (59)4.3.5.3 OSPF参考带宽与其他厂商互联设备设置不一致引起的路由问题 (59)4.3.5.4 移动voip大业务量倒换测试问题处理 (63)4.3.6 isis常见故障处理 (66)4.3.6.1 MD5的HASH算法版本不匹配导致ISIS验证失败 (66)4.3.6.2 与第三方设备(测试仪表类)建立ISIS邻接关系时遇到的问题 (66)4.3.7 bgp常见故障处理 (67)4.3.7.1 IBGP连接经常重启故障案例 (67)4.3.7.2 BGP宣告路由不全问题的处理 (71)4.3.7.3 7750路由宣告问题的处理 (72)4.3.8 mpls常见故障处理 (72)4.3.8.1 由于更改system地址后没有restart ospf导致MPLS-TE FRR故障 (72)4.3.8.2 由于不同厂商mpls分发机制不同引起的业务故障 (76)4.4业务常见故障处理 (78)4.4.1 ies常见故障处理 (78)4.4.1.1 ies割接后业务不通,对端用户无法ping通 (78)4.4.1.2 subscriber-interface业务无法开通故障 (79)4.4.2 vpls常见故障处理 (81)4.4.2.1 arp广播引起的网络设备故障 (81)4.4.2.2 使用filter-log进行vpls业务丢包故障定位 (83)4.4.3 vprn常见故障处理 (84)4.4.3.1 vprn的路由限制功能无法生效 (84)4.4.3.2 vprn通过option a方式实现跨域mpls vpn时,对端asbr无法学到本as内的私网路由。

SR7750配置步骤-自己总结滴

SR7750配置步骤-自己总结滴

SR7750配置步骤一、基本配置1、在config-system 视图下,1)起名字标示此设备:name liaocheng-842-7750-ar1SystemPort 有两种模式network和access 又都分为输入、输出两个方向ingress egressconfig>system>security>profile 默认为none 不授权修改默认启动文件,确保下次依然生效vrrp配置时要注意主地址和vrrp地址一定要在同一子网下。

掩码要正确。

2、在config-router 视图下,在router 视图下做autonomous-system 200 AS号,否则bgp邻居无法建立配置习惯为进config—router ,,interface,bgp,isis等在此视图下。

而不是router bgp 100 ,这个设备的treeRouter id 必配。

Family ipv4 router>bgp# info----------------------------------------------group "to-h3c"type externallocal-as 200peer-as 100neighbor 10.10.10.2exitexitgroup "to-3528"local-address 10.10.20.1type externalpeer-as 100neighbor 10.10.20.2exit端口的典型配置接用户的端口port 1/2/5description "GE1/2/5 To SDLC-T600-1 GE1/0/0->OMC&Signal"ethernetmode accessencap-type dot1qmtu 9192no autonegotiateexitno shutdown接上行设备端口port 1/1/1description "POS1/1/1 To SDJN-YXS-N5KE-B1 POS12/0/2 155M JN-LC S-1N7002(backup)"networkegresspoolslope-policy "CU-WRED"exitexitexitsonet-sdhframing sdhhold-time up 30 down 1speed oc3pathmtu 9180scramblenetworkqueue-policy "CU-NetworkEgressQ"exitno shutdownexitexitno shutdown都分为全局配置,具体配置在什么视图下建立的,show的时候就得注意。

7750 SR OS 路由器配置指南.pdf_1701712574.009497说明书

7750 SR OS 路由器配置指南.pdf_1701712574.009497说明书

Common CLI Command DescriptionsIn This ChapterThis section provides information about common Command Line Interface (CLI) syntax andcommand usage.Topics in this chapter include:•SAP syntax on page 616Common CLI Command DescriptionsCommon Service CommandssapSyntax[no] sap sap-idDescription This command specifies the physical port identifier portion of the SAP definition.Parameters sap-id — Specifies the physical port identifier portion of the SAP definition.The sap-id can be configured in one of the following formats:null[port-id | bundle-id| bpgrp-id | lag-id | aps-id]port-id: 1/1/3bundle-id: bundle-ppp-1/1.1bpgrp-id: bpgrp-ima-1lag-id: lag-63aps-id: aps-1dot1q[port-id | bundle-id| bpgrp-id | lag-id | aps-id]:qtag1port-id:qtag1: 1/1/3:100bundle-id: bundle-ppp-1/1.1bpgrp-id: bpgrp-ima-1lag-id:qtag1:lag-61:102aps-id:qtag1: aps-1:27qinq[port-id |bundle-id| bpgrp-id | lag-id]:qtag1.qtag2port-id:qtag1.qtag2: 1/1/3:100.10bundle-id: bundle-ppp-1/1.1bpgrp-id: bpgrp-ima-1lag-id:qtag1.qtag2:lag-10:atm[port-id | aps-id | bundle-id | bpgrp-id][:vpi/vci |vpi |vpi1.vpi2]port-id: 1/1/1aps-id: aps-1bundle-id: bundle-ima-1/1.1bundle-ppp-1/1.1bpgrp-id: bpgrp-ima-1vpi/vci: 16/26vpi: 16vpi1.vpi2: 16.200frame-relay [port-id| aps-id]:dlci port-id: 1/1/1:100aps-id: aps-1dlci: 16cisco-hdlc slot/mda/port.channel port-id: 1/1/3.1Common CLI Command Descriptions Values:sap-id null[port-id | bundle-id | bpgrp-id | lag-id | aps-id]dot1q [port-id | bundle-id | bpgrp-id | lag-id | aps-id]:qtag1qinq[port-id | bundle-id | bpgrp-id | lag-id]:qtag1.qtag2atm [port-id | aps-id][:vpi/vci|vpi| vpi1.vpi2]frame [port-id | aps-id]:dlcicisco-hdlc slot/mda/port.channelcem slot/mda/port.channelima-grp [bundle-id[:vpi/vci|vpi|vpi1.vpi2]port-id slot/mda/port[.channel]bundle-id bundle-type-slot/mda.bundle-numbundle keywordtype ima, fr, pppbundle-num 1 — 336bpgrp-id bpgrp-type-bpgrp-numbpgrp keywordtype ima, fr, pppbpgrp-num 1 — 2000aps-id aps-group-id[.channel]aps keywordgroup-id 1 — 64ccag-id ccag-id.path-id[cc-type]:cc-idccag keywordid 1 — 8path-id a, bcc-type .sap-net, .net-sapcc-id 0 — 4094lag-id lag-idlag keywordid 1 — 200qtag1 0 — 4094qtag2 *, 0 — 4094vpi NNI: 0 — 4095UNI: 0 — 255vci 1, 2, 5 — 65535dlci 16 — 1022ipsec-id ipsec-id.[private | public]:tagipsec keywordid 1 — 4tag 0 — 4094bundle-id — Specifies the multilink bundle to be associated with this IP interface. The bundle keyword must be entered at the beginning of the parameter.The command syntax must be configured as follows:bundle-id:bundle-type-slot-id/mda-slot.bundle-numbundle-id value range: 1 — 336For example:Common CLI Command Descriptions*A:ALA-12>config# port bundle-ppp-5/1.1*A:ALA-12>config>port# multilink-bundlebgprp-id — Specifies the bundle protection group ID to be associated with this IP interface. The bpgrp keyword must be entered at the beginning of the parameter.The command syntax must be configured as follows:bpgrp-id: bpgrp-type-bpgrp-numtype:imabpgrp-num value range: 1 — 2000For example:*A:ALA-12>config# port bpgrp-ima-1*A:ALA-12>config>service>vpls$ sap bpgrp-ima-1qtag1, qtag2 — Specifies the encapsulation value used to identify the SAP on the port or sub-port. If this parameter is not specificially defined, the default value is 0.Values qtag1: * | 0 — 4094qtag2 : * | 0 — 4094The values depends on the encapsulation type configured for the interface. The following tabledescribes the allowed values for the port and encapsulation types.Ethernet Dot1q0 — 4094The SAP is identified by the 802.1Q tag on the port.Note that a 0 qtag1 value also accepts untagged packetson the dot1q port.Ethernet QinQ qtag1: 0 — 4094qtag2: 0 — 4094The SAP is identified by two 802.1Q tags on the port. Note that a 0 qtag1 value also accepts untagged packets on the Dot1q port.SONET/SDH IPCP-The SAP is identified by the channel. No BCP isdeployed and all traffic is IP.SONET/SDH TDM BCP-Null0The SAP is identified with a single service on thechannel. Tags are assumed to be part of the customerpacket and not a service delimiter.SONET/SDHTDMBCP-Dot1q0 — 4094The SAP is identified by the 802.1Q tag on the channel.SONET/SDH TDM Frame Relay16 — 991The SAP is identified by the data link connectionidentifier (DLCI).SONET/SDH ATM ATM vpi (NNI) 0 — 4095vpi (UNI) 0 — 255vci 1, 2, 5 — 65535The SAP is identified by port or by PVPC or PVCCidentifier (vpi, vpi/vci, or vpi range)Common CLI Command Descriptions sap ipsec-id.private|public:tag — This parameter associates an IPSec group SAP with this interface. This is the public side for an IPSec tunnel. Tunnels referencing this IPSec group in the private side may be created if their local IP is in the subnet of the interface subnet and the routing context specified matches with the one of the interface.This context will provide a SAP to the tunnel. The operator may associate an ingress and egress QoS policies as well as filters and virtual scheduling contexts. Internally this creates an Ethernet SAP that will be used to send and receive encrypted traffic to and from the MDA. Multiple tunnels can beassociated with this SAP. The “tag” will be a dot1q value. The operator may see it as an identifier. The range is limited to 1 — 4095.Common CLI Command Descriptions。

7750SR路由器快速配置手册

7750SR路由器快速配置手册

阿尔卡特7750SR路由器快速配置手册上海贝尔阿尔卡特股份有限公司7750SR 路由器日常维护手册第 2 页 共 55 页 2 目 录1. 总体概述 (4)2.新增板卡配置 (6)2.1. IOM 模块配置 (7)2.2. MDA 模块配置 (8)3. 新增链路配置 (10)3.1. 物理端口配置 (10)3.1.1. Pos 口配置 (10)3.1.2. Ethernet 口配置 (11)3.2. 逻辑接口配置 (12)3.2.1. 配置逻辑接口 (12)3.2.2. 检查接口状态 (12)3.3. 与Cisco 、Huawei 配置的比较 (13)4. 系统管理配置 (15)4.1基本信息配置 (15)4.1.1 配置系统名称 (15)4.1.2 配置系统时间 (15)4.1.3配置登陆信息 (15)4.2 安全配置 (16)4.2.1 启用服务 (16)4.2.2 创建用户 (16)4.2.3配置对上送系统CPU 报文的控制cpm-filter (16)4.3 Log 配置 (17)5. 路由器基本配置 (18)5.1 配置逻辑接口 (18)5.1.1 系统管理地址 (18)5.1.2 网络接口地址 (18)5.2 配置Router ID (18)5.3 配置自治系统号 (19)5.4 过滤器ip-filter 配置 (19)5.4.1 配置ip-filter (19)5.4.2 将ip-filter 应用到逻辑接口 (19)5.5 用ip-filter 来抓包 (20)6. 路由协议配置 (20)6.1 静态路由 (20)6.2 OSPF 协议 (20)6.2.1 基本配置 (20)6.2.2 配置路由再分配 (21)6.3 ISIS 协议 (22)6.3.1 基本配置 (22)6.3.2 配置路由再分配 (23)6.4 BGP 协议 (23)6.5 MPLS 协议 (24)7750SR 路由器日常维护手册第 3 页 共 55 页 36.6 LDP 协议 (24)6.7 路由策略配置 (25)7. VPN 配置 (26)8. Qos 配置 (27)8.1 QOS 实现模型 (27)8.2 QoS 配置 (28)8.2.1网络口出队列策略 (28)8.2.2网络口出队列QoS 的应用 (29)8.2.3网络口进队列策略 (29)8.2.4网络口进队列QoS 的应用 (31)8.2.5网络口QoS 策略 (31)8.2.6网络口QoS 策略的应用 (33)8.2.7业务口进队列策略和策略应用 (34)8.2.8业务口出队列策略和策略应用 (39)8.2.9业务限速策略 (44)9.设备日常维护 (45)9.1日常维护步骤 (45)9.2 LED 说明 (45)9.3设备主备用引擎状态和配置的检查 (48)9.4检查设备内存和CPU 的利用率 (49)9.5检查设备的环境参数 (51)9.6检查交换结构的冗余状态 (52)9.7设备的日志检查 (53)9.8链路流量及状态的监测 (54)9.9板卡状态的监测 (55)7750SR-12 7750SR-77750SR-17750SR 路由器日常维护手册第 5 页 共 55 页 5本文档针对7750在中国移动IP 承载网中的具体应用,为了使用户尽快熟悉7750设备的配置,能够通过快速的配置达到开通一些常用的业务。

阿尔卡特7750培训资料1:路由配置

阿尔卡特7750培训资料1:路由配置
解决这种情形的方法被称为Proxy ARP(代理ARP) 。这个技术允许配置在本 地网之间的路由器代替D来响应设备A的广播。这个路由器不会将设备D的硬 件地址发送回给设备A。因为他们不在同一网络中,A不能直接发送给D。路 由器发送给A收到ARP请求的接口的硬件地址。A然后发送数据到路由器,路 由器发送这个数据到其他网络的D。这个路由器也代替A为D做相同的事情, 并且当广播包的目的地和ARP发起者不在同一物理网络上时,路由器为任何 在两个网络上的其他设备都采取相同的方法。
− L1, L 1-2,和L2 − 从其他协议分发进来的IPv4 的路由汇总 − 汇总路由所通告的量度比其他具体的IPv4 路由的量度要小。。
• 可基于每个消息类型和每个level,支持抑制IS-IS认证。提高与非 7750 IS-IS 部署的互操作性。
• 不间断路由
7750SR 路由和路由策略
Alcatel Proprietary, all rights reserved © 2005, Alcatel
• 出站路由过滤 (ORF) –BGP的一个特征:一个BGP 发送者请求他的
邻居不发送给它特定的路由。在 7750VPRN上支持。 • TTL 安全– 能够指定一个进入的BGP 信息包的最小TTL 值 。
− 多数eBGP对等体关系在邻近的路由器间建立。 − 假如一个信息包的TTL值不在指定的范围内,便丢弃这个信息包并产生一
7750 SR 业务实现R3.0
Alcatel University
代理-ARP
子网 20
主机 A IP add.=IP_A MAC add.= MAC_A
子网 10
主机C IP add.=IP_C MAC add.= MAC_C
接口 X

Alcatel 7750技术资料

Alcatel 7750技术资料
All Rights Reserved © 2007, Alcatel-Lucent @@MODULEPARTNUMBER Edition @@MODULEEDITION Section @@SECTION · Module @@MODULE · Page 1
目标
@@SECTIONTITLE · @@MODULETITLE
IES--Alcatel-Lucent的专用Internet访问 (Dedicated Internet Access DIA),可以 根据用户要求很容易地提供Internet访问的业务.
使用IES, 运营商通过他自己的路由域为用户提供被路由的(而非基于隧道的) Internet接入。IES提供:
系统可扩展性和高端口密度 大量有效的可配置入口和出口访问控制列表(ACL) 支持数百万的IP地址转发表 支持几个关键的网络路由协议 (BGP4, IS-IS, OSPF) 支持IPv4和IPv6 支持几个用户路由协议(BGP4, IS-IS, OSPF, RIP, 因特网组管理协议[IGMP],
关键不同之处
All Rights Reserved © Alcatel-Lucent 2007
可靠性: 7750 SR 的充分的冗余的平台提供了高可靠性的特性,例如:业务在线软件升级 (In-Service Software Upgrade ISSU),不间断的转发和路由,快速收敛和多种 保护机制 (APS, BFD, LAG).
• Qos的提升
@@SECTION · @@MODULE · 8
9
Internet
Subscriber Network
@@PRODUCT @@COURSENAME
All Rights Reserved © Alcatel-Lucent 2007

阿尔卡特7750SR发布路由

阿尔卡特7750SR发布路由
community "GDGZ_CMCC_OLT_WanGuan"
exit
action accept
exit
exit
exit
exit
policy-statement "GDGZ_CMCC_OLT_WanGuan_Export"
entry 10
from
exit
entry 500
action reject
exit
exit
policy-statement "GDGZ_CMCC_IPPBX_Import"
policy-statement "GDGZ_CMCC_OLT_WanGuan_Import"
entry 10
from
protocol bgp-vpn
prefix 172.16.26.0/24 longer
exit
prefix-list "OLT_WanGuan_Direct_Route"
prefix 172.17.25.0/25 exact
entry 10
from
protocol bgp-vpn
community "GDGZ_CMCC_IPPBX_Center"
entry 500
action reject------------------------------
prefix-list "Direct_Route"
prefix 120.196.3.188/30 exact
prefix 120.196.3.196/30 exact

Alcatel7750SR常用命令集

Alcatel7750SR常用命令集

Alcatel7750SR常用命令集1. 简介本文档是关于Alcatel7750SR常用命令集的指南。

Alcatel7750SR是一款多功能的路由器和交换机,广泛应用于电信运营商和企业网络中。

本文档将介绍一些常用的命令,以帮助用户更好地了解和使用Alcatel7750SR。

2. 登录与退出2.1 登录要登录到Alcatel7750SR设备,可以使用以下命令:login <用户名> <密码>其中,<用户名>和<密码>分别是您的登录名和密码。

2.2 退出要退出登录,可以使用以下命令:logout3. 基本配置3.1 设置主机名可以使用以下命令设置设备的主机名:configure systemset hostname <主机名>end其中,<主机名>是您要设置的主机名。

3.2 设置IP地址要设置设备的IP地址,可以使用以下命令:configure systemset address <接口> ip-address <IP地址>/<子网掩码>end其中,<接口>是设备的接口名,如ethernet 1/1/1,<IP 地址>是您要设置的IP地址,<子网掩码>是IP地址的子网掩码。

4. 路由配置4.1 静态路由要配置静态路由,可以使用以下命令:configure router static-routeadd <目标网络> next-hop <下一跳地址>end其中,<目标网络>是要配置的目标网络,如10.0.0.0/24,<下一跳地址>是下一跳的IP地址。

4.2 动态路由要配置动态路由,可以使用以下命令:configure router dynamic-routeospfarea <区域号>network <网络地址> mask <子网掩码>exitexit其中,<区域号>是OSPF的区域号,<网络地址>是要配置的网络地址,<子网掩码>是网络地址的子网掩码。

7750 SR OS Router 配置指南说明书

7750 SR OS Router 配置指南说明书

CflowdIn This ChapterThis chapter provides information to configure Cflowd.Topics in this chapter include:•Cflowd Overview on page 560→Operation on page 561→Cflowd Filter Matching on page 565•Cflowd Configuration Process Overview on page 566•Configuration Notes on page 567Cflowd OverviewCflowd is a tool used to sample IPv4, IPv6 and MPLS traffic data flows through a router. Cflowdenables traffic sampling and analysis by ISPs and network engineers to support capacity planning,trends analysis, and characterization of workloads in a network service provider environment.Cflowd is also useful for Web host tracking, accounting, network planning and analysis, networkmonitoring, developing user profiles, data warehousing and mining, as well as security-relatedinvestigations. Collected information can be viewed several ways such as in port, AS, or networkmatrices, and pure flow structures. The amount of data stored depends on the cflowdconfigurations.Cflowd maintains a list of data flows through a router. A flow is a uni-directional traffic streamdefined by several characteristics such as source and destination IP addresses, source anddestination ports, inbound interface, IP protocol and TOS bits.When a router receives a packet for which it currently does not have a flow entry, a flow structureis initialized to maintain state information regarding that flow, such as the number of bytesexchanged, IP addresses, port numbers, AS numbers, etc. Each subsequent packet matching thesame parameters of the flow contribute to the byte and packet count of the flow until the flow isterminated and exported to a collector for storage.Cflowd is not supported on the 7750 SR-1 chassis.CflowdOperationFigure 27 depicts the basic operation of the cflowd feature. This sample flow is only used todescribe the basic steps that are performed. It is not intended to specify implementation.Figure 27: Basic Cflowd Steps1.As a packet ingresses a port, a decision is made to forward or drop the packet.2.If the packet is forwarded, it is then decided if the packet should be sampled for cflowd.3.If a new flow is found, a new entry is added to the cache. If the flow already exists in thecache, the flow statistics are updated.4.If a new flow is detected and the maximum number of entries are already in the flow cache, theearliest expiry entry is removed. The earliest expiry entry/flow is the next flow that will expiredue to the active or inactive timer expiration.5.If a flow has been inactive for a period of time equal to or greater then the inactive timer(default 15 seconds), then the entry is removed from the flow cache.6.If a flow has been active for a period of time equal to or greater than the active timer (default30 minutes), then the entry is removed from the flow cache.When a flow is exported from the cache, the collected data is sent to an external collector which maintains an accumulation of historical data flows that network operators can use to analyze traffic patterns.Data is exported in one of the following formats:•Version 5 — Generates a fixed export record for each individual flow captured.•Version 8 — Aggregates multiple individual flows into a fixed aggregate record.•Version 9 — Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flow captured.•Version 10 (IPFIX) — Generates a variable export record, depending on user configuration and sampled traffic type (IPv4, IPv6, or MPLS), for each individual flowcaptured.There are several different aggregate flow types including:•AS matrix•Destination prefix matrix•Source prefix matrix•Prefix matrix•Protocol/port matrix.V8 is an aggregated export format. As individual flows are aged out of the raw flow cache, the data is added to the aggregate flow cache for each configured aggregate type. Each of these aggregate flows are also aged in a manner similar to the method the active flow cache entries are aged. When an aggregate flow is aged out, it is sent to the external collector in the V8 record format.Figure 28 depicts Version 5, Version 8, Version 9, and Version 10 flow processing.CflowdFigure 28: V5, V8, V9, V10, and Flow Processing1.As flows are expired from the active flow cache, the export format must be determined, eitherVersion 5, Version 8, Version 9, and Version 10.2.If the export format is Version 5 or Version 9 and Version 10, no further processing is per-formed and the flow data is accumulated to be sent to the external collector.3.If the export format is Version 8, then the flow entry is added to one or more of the configuredaggregation matrices.As the entries within the aggregate matrices are aged out, they are accumulated to be sent to the external flow collector in Version 8 format.The sample rate and cache size are configurable values. The cache size default is 64K flow entries.A flow terminates when one of the following conditions is met:•When the inactive timeout period expires (default: 15 seconds). A flow is considered terminated when no packets are seen for the flow for N seconds.•When an active timeout expires (default: 30 seconds). Default active timeout is 30 minutes. A flow terminates according to the time duration regardless of whether or notthere are packets coming in for the flow.•When the user executes a clear cflowd command.•When other measures are met that apply to aggressively age flows as the cache becomes too full (such as overflow percent).Version 9The Version 9 format is a more flexible format and allows for different templates or sets of cflowddata to be sent based on the type of traffic being sampled and the template set configured.Version 9 is interoperable with RFC 3954, Cisco Systems NetFlow Services Export Version 9.Version 10Version 10 is a new format and protocol that inter-operates with the specifications from the IETFas the IP Flow Information Export (IPFIX) standard. Like Version 9, the version 10 format usestemplates to allow for different data elements regarding a flow that is to be exported and to handledifferent type of data flows such as IPv4, IPv6, and MPLS.Version 10 is interoperable with RFC 5150 and 5102.CflowdCflowd Filter MatchingIn the filter-matching process, normally, every packet is matched against filter (access list) criteriato determine acceptability. With cflowd, only the first packet of a flow is checked. If the firstpacket is forwarded, an entry is added to the cflowd cache. Subsequent packets in the same floware then forwarded without needing to be matched against the complete set of filters. Specificperformance varies depending on the number and complexity of the filters.Cflowd Configuration Process OverviewFigure 29 displays the process to configure Cflowd parameters.Figure 29: Cflowd Configuration and Implementation FlowThere are three modes in which cflowd can be enabled to sample traffic on a given interface:•Cflowd interface, where all traffic entering a given port will be subjected to sampling as the configured sampling rate •Cflowd interface plus the definition of IP filters which specify an action of interface-disable-sample, in which traffic that matches these filter entries will not be subject to cflowd sampling.•Cflowd ACL, where IP filters must be created with entries containing the action filter-sampled. In this mode only traffic matching these filter entries will be subject to the cflowd sampling process.Cflowd Configuration NotesThe following cflowd components must be configured for cflowd to be operational:•Cflowd is enabled globally.•At least one collector must be configured and enabled.• A cflowd option must be specified and enabled on a router interface.•Sampling must be enabled on either:→An IP filter which is applied to a port or service.→An interface on a port or service.。

阿尔卡特7750SR路由器现场维护手册

阿尔卡特7750SR路由器现场维护手册

阿尔卡特7750SR路由器日常维护操作手册上海贝尔阿尔卡特股份有限公司互联网事业部二零零六年十月目录1. 总体概述................................................. 错误!未定义书签。

2. 常用软件操作............................................. 错误!未定义书签。

. 通过Console线缆连接路由器....................... 错误!未定义书签。

. SR系列路由器配置过程............................ 错误!未定义书签。

. 设备重启......................................... 错误!未定义书签。

. 路由引擎切换..................................... 错误!未定义书签。

. TiMOS软件升级步骤............................... 错误!未定义书签。

软件升级相关文件............................. 错误!未定义书签。

升级步骤..................................... 错误!未定义书签。

. 密码恢复......................................... 错误!未定义书签。

. 在CLI中获取帮助................................. 错误!未定义书签。

3. 7750SR-12 ................................................ 错误!未定义书签。

. 7750SR-12结构................................... 错误!未定义书签。

设备描述..................................... 错误!未定义书签。

7750SR配置方法

7750SR配置方法

实用文案7750SR路由器配置规范V2.1上海贝尔阿尔卡特股份有限公司互联网事业部二零零六年十一月目录1.概述 (5)2.系统基本配置 (7)2.1.层次化命令结构 (7)2.2.在CLI中获得帮助 (8)2.3.硬件板卡配置 (9)2.4.设备名称配置 (11)2.5.系统时间配置 (11)2.6.NTP配置 (11)2.7.主备卡切换配置 (12)2.8.AAA配置(登录用户) (14)3.端口配置 (16)3.1.Loopback端口配置 (16)3.2.GE端口配置 (16)3.3.POS端口配置 (17)3.4.端口镜像配置 (18)4.安全配置 (23)4.1.ACL配置 (23)4.2.防攻击配置 (24)5.网管配置 (31)5.1.网管地址配置 (31)5.2.TELNET配置 (32)5.3.FTP配置 (33)5.4.SNMP (33)5.5.SYSLOG (35)5.6.配置备份 (36)5.7.SSH配置 (36)Flow备份 (37)6.路由配置 (39)6.1.黑洞路由配置 (39)6.2.静态路由配置 (39)6.3.OSPF配置 (39)6.4.ISIS配置 (44)6.5.BGP配置 (47)7.业务配置 (54)7.1.专线业务配置(IES配置) (54)7.2.MPLS VPN业务配置 (56)7.2.1P路由器配置 (56)7.2.2PE路由器配置(VPRN) (60)7.2.3PE路由器配置(VPLS) (63)8.7750SR常用维护命令 (67)1.概述阿尔卡特7750SR路由器是业内第一个专为高级互联网和虚拟专用网络(VPN)业务而设计和优化的IP/MPLS业务路由器。

阿尔卡特7750SR有三种尺寸可供选择:单槽、7槽和12槽,可提供具有卓越性能和高密度的各种接口。

作为目前业内最具扩展性的路由器平台,阿尔卡特7750SR具有为高效传送基于服务等级协议(SLA)的业务而设计的软件和硬件架构,因此阿尔卡特7750SR不仅仅是强大的互联网路由器,更是一个灵活、强大的业务供应平台。

7750 SR Advanced Configuration Guide.pdf_170171049

7750 SR Advanced Configuration Guide.pdf_170171049

Application Assurance – HTTP InBrowser NotificationIn This ChapterThis section provides information about Application Assurance HTTP in browser notification.Topics in this section include:•Applicability on page 1312•Summary on page 1313•Configuration on page 1314•Conclusion on page 13247750 SR Advanced Configuration Guide Page 1311ApplicabilityApplicabilityThis section is applicable to all 7750, 7450 and 7750-SRc chassis supporting ApplicationAssurance and was tested on SR OS release 12.0.R1.There are no specific prerequisites for this example.Page 13127750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica-SummaryUsing the Alcatel-Lucent 7x50s and Application Assurance, subscribers connected to an operatornetwork can be sent fully customizable on-screen notification messages displayed in a non-disruptive and cost-effective manner through their web browser.This example describes the different options for the operator to customize the notificationmessages returned to the subscriber using either different HTTP-Notification policies or using theflexible HTTP-URL-PARAM VSA mechanism.7750 SR Advanced Configuration Guide Page 1313ConfigurationConfigurationThe setup comprises of the following elements, see Figure 186 on page 1314:•7750 SR + ISA-AA.•Apache Web Server (delivering notification Javascript and content).•Subscriber (Desktop/Tablet/Smartphone).•Authentication, Authorization and Accounting (AAA) for subscriber authentication and Policy Modification.•Internet Access.Figure 186: HTTP Notification –SetupThis example describes how to configure HTTP notification to display different notificationmessages. It demonstrates a simple example in the context of a residential deployment where amessage is displayed when the subscriber reaches 80% or 100% of their maximum allowedvolume (usage cap).Page 13147750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica-Figure 187: Notification Message Example – Quota 80%In this context the operator has two options:•Use a dedicated http-notification policy per message type.•Use a common http-notification policy for any message type together with the newly introduced Http-Url-Param RADIUS VSA.This example provides configuration examples for both options.7750 SR Advanced Configuration Guide Page 1315HTTP Notification Policy per Message TypeHTTP Notification Policy per Message TypeIn this option a dedicated http-notification policy for each notification message is required.HTTP Notification PolicyTwo dedicated HTTP notification policies are used to return a different message to the subscriberswhen reaching 80% and 100% of their usage cap, the interval in between notifications is set to 15minutes.configureapplication-assurance group 1http-notification "notification-quota-100" createdescription "100% Usage Cap Notification"script-url "http://192.168.150.251/In-Browser-Notification/script/quota-100.js"template 1interval 15no shutdownexitconfigureapplication-assurance group 1http-notification "notification-quota-80" createdescription "80% Usage Cap Notification"script-url "http://192.168.150.251/In-Browser-Notification/script/quota-80.js"template 1interval 15no shutdownexitApp-Profiles and App-Service-OptionsEvent based HTTP notifications is enabled by a policy modification triggered via RADIUS or Gxby modifying the subscriber app-profile or using the Application Service Option (ASO) override.In this implementation of the HTTP notification policy per message type, the following ASOconfiguration is used:configureapplication-assurance group 1:1 policyapp-service-optioncharacteristic "quota-message-notification" createvalue "100"value "80"value "disabled"default-value "disabled"exitexitPage 13167750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica- app-profile "1-1/Default" createdivertexitThe ASO characteristic quota-message values of 100 and 80 enable the App-Qos-Policy (AQP)notification-quota-100 and notification-quota-80 as defined below:configureapplication-assurance group 1:1 policy app-qos-policyentry 1000 creatematchcharacteristic "quota-message-notification" eq "100"exitactionhttp-notification "notification-quota-100"exitno shutdownexitentry 1100 creatematchcharacteristic "quota-message-notification" eq "80"exitactionhttp-notification "notification-quota-80"exitno shutdownexitRADIUS PolicyThe following RADIUS CoA message is used to override the ASO characteristic of a residentialsubscriber so that a notification message can be returned to the subscriber when they reach 80% oftheir usage cap:NAS-Port-Id = "1/1/5:4088"Framed-IP-Address = 192.168.211.30Alc-AA-App-Service-Options = "quota-message-notification=80"Alc-App-Prof-Str = "1-1/Default"7750 SR Advanced Configuration Guide Page 1317HTTP Notification Policy per Message TypeShow CommandsBefore the subscriber usage cap limit is reached, and before the RADIUS CoA message isreceived, the subscriber ASO parameter flag quota-message-notification is set to its default valuedisabled and therefore no App QoS Policy is triggered.A:PE# show application-assurance group 1:1 aa-sub esm "sub1" summary===============================================================================Application-Assurance Subscriber Summary (realtime)===============================================================================AA-Subscriber : sub1 (esm)ISA assigned : 1/2App-Profile : 1-1/DefaultApp-Profile divert : YesCapacity cost : 1Aarp Instance Id : N/AHTTP URL Parameters : (Not Specified)Last HTTP Notified Time : N/A-------------------------------------------------------------------------------Traffic Octets Packets Flows-------------------------------------------------------------------------------... ...-------------------------------------------------------------------------------Application Service Options (ASO)-------------------------------------------------------------------------------Characteristic Value Derived from-------------------------------------------------------------------------------quota-message-notification disabled default===============================================================================After the RADIUS CoA message is sent, the subscriber ASO characteristic quota-message-notification value is set to 80, the subscriber-related App QoS Policy entry 1100 now matches forthis subscriber:A:PE# show application-assurance group 1:1 aa-sub esm "sub1" summary===============================================================================Application-Assurance Subscriber Summary (realtime)===============================================================================AA-Subscriber : sub1 (esm)ISA assigned : 1/2App-Profile : 1-1/DefaultApp-Profile divert : YesCapacity cost : 1Aarp Instance Id : N/AHTTP URL Parameters : (Not Specified)Last HTTP Notified Time : N/A-------------------------------------------------------------------------------Traffic Octets Packets Flows-------------------------------------------------------------------------------... ...-------------------------------------------------------------------------------Application Service Options (ASO)-------------------------------------------------------------------------------Characteristic Value Derived from-------------------------------------------------------------------------------Page 13187750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica-quota-message-notification 80 dyn-override===============================================================================The same command can be used to identify when the last successful subscriber notificationoccurred, see the Last HTTP Notified Time field:A:PE# show application-assurance group 1:1 aa-sub esm "sub1" summary===============================================================================Application-Assurance Subscriber Summary (realtime)===============================================================================AA-Subscriber : sub1 (esm)ISA assigned : 1/2App-Profile : 1-1/DefaultApp-Profile divert : YesCapacity cost : 1Aarp Instance Id : N/AHTTP URL Parameters : (Not Specified)Last HTTP Notified Time : 2014/06/24 15:35:49-------------------------------------------------------------------------------The operator can also identify how many notifications have been sent per http-notification policyper partition:A:PE# show application-assurance group 1 http-notification "notification-quota-80"===============================================================================Application Assurance Group 1 HTTP Notification "notification-quota-80"===============================================================================Description : 80% Usage Cap NotificationTemplate : 1 - Javascript-url with subId and optional Http-Url-ParamScript URL : http://192.168.150.251/In-Browser-Notification/script/quota-80.jsAdmin Status : UpAQP Ref : YesInterval : 15 minutes-------------------------------------------------------------------------Group Notified Notification SelectionCriteria Not Matched-------------------------------------------------------------------------1:1 1 101:2 0 01:3 0 0-------------------------------------------------------------------------Total 1 10-------------------------------------------------------------------------===============================================================================The counter Notification Selection Criteria Not Matched is the number of HTTP flows which didnot meet the AA ISA flow selection criteria for In Browser Notification. HTTP flow selection isconstrained so that only HTTP web pages flows originating from a web browser are targeted,HTTP requests for content such as video or images are not candidate for notification.7750 SR Advanced Configuration Guide Page 1319HTTP Notification Customization using RADIUS VSAHTTP Notification Customization using RADIUS VSAInstead of using a dedicated HTTP notification policy for every single message type, the operatorcan return a RADIUS Http-Url-Param VSA at subscriber creation time or via CoA to customizethe notification URL using a single policy. This VSA string is automatically appended to the endof the HTTP notification script-url by the 7x50 which can then be used by the web server to decidewhich notification message to return to the subscriber.SR OS release 12.0.R1 supports 1 active HTTP Notification policy per subscriber, 8 differentHTTP notification policies per AA ISA group and 1500 different values for the Http-Url-ParamVSA. Therefore, using the Http-Url-Param VSA for the customization of the notification is therecommended model to scale the number of notification messages.For example:•RADIUS VSA (Alc-AA-Sub-Http-Url-Param): &message=quota80"•7750 HTTP Notification configured script-url: http://1.1.1.1/notification.js•Subscriber HTTP request to the messaging server:http://1.1.1.1/notification.js?SubId=sub1&var=&message=quota80HTTP Notification PolicyA single HTTP notification policy is used to return different notification messages, the intervalbetween notifications is set to 15 minutes.configureapplication-assurance group 1http-notification "in-browser-notification" createdescription "Default HTTP Notification Policy"script-url "http://192.168.150.251/In-Browser-Notification/script/notification-select.php"template 1interval 15no shutdownexitNote: This example does not describe the content of the notification-select.php file used to parsethe URL parameters.Page 13207750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica-App-Profile and App-Service-OptionsSimilar to the previous example, HTTP notifications are enabled per subscriber using RADIUS orGx by modifying the subscriber app-profile or using ASO override.The following ASO configuration is used:configureapplication-assurance group 1:1 policyapp-service-optioncharacteristic "in-browser-notification"value "enabled"value "disabled"default-value "disabled"exitThe ASO characteristic in-browser-notification value enabled is used to enable the app-qos-policy matching the http-notification policy in-browser-notification as shown below:configureapplication-assurance group 1:1 policy app-qos-policyentry 1300 creatematchcharacteristic "in-browser-notification" eq "enabled"exitactionhttp-notification "in-browser-notification"exitno shutdown7750 SR Advanced Configuration Guide Page 1321HTTP Notification Customization using RADIUS VSARADIUS PolicyThe following RADIUS CoA message is used to modify the ASO characteristic of a residentialsubscriber and assign a specific Http-Url-Param VSA. The in-browser-notification ASOcharacteristic with value enabled is dynamically assigned to the subscriber along with the Http-Url-Param &message=quota80:NAS-Port-Id = "1/1/5:4088"Framed-IP-Address = 192.168.211.30Alc-AA-App-Service-Options = "in-browser-notification=enabled"Alc-AA-Sub-Http-Url-Param = "&message=quota80"Alc-App-Prof-Str = "1-1/Default"The subscriber HTTP request to the messaging server has the following format and includes theHttp-Url-Param value as an argument of the URL:http://192.168.150.251/In-Browser-Notification/script/notification-select.php?SubId=sub1&var=&message=quota80The web server can now use the parameter value to make a decision to return a suitablenotification message related to the subscriber usage cap.Show CommandsBoth the in-browser-notification ASO characteristic with value enabled and the HTTP-Url-Param VSA can be shown as follows:A:PE# show application-assurance group 1:1 aa-sub esm "sub1" summary===============================================================================Application-Assurance Subscriber Summary (realtime)===============================================================================AA-Subscriber : sub1 (esm)ISA assigned : 1/2App-Profile : 1-1/DefaultApp-Profile divert : YesCapacity cost : 1Aarp Instance Id : N/AHTTP URL Parameters : &message=quota80Last HTTP Notified Time : N/A-------------------------------------------------------------------------------Traffic Octets Packets Flows-------------------------------------------------------------------------------... ...-------------------------------------------------------------------------------Application Service Options (ASO)-------------------------------------------------------------------------------Characteristic Value Derived from-------------------------------------------------------------------------------in-browser-notification enabled dyn-overridequota-message-notification disabled default===============================================================================Page 13227750 SR Advanced Configuration GuideApplication Assurance – HTTP In Browser Notifica-The operator can also display the HTTP URL parameters VSA currently in use, per AA ISAgroup:A:PE## tools dump application-assurance group 1 http-url-param-list-------------------------------------------------------------------------------Application-Assurance Subscriber HTTP URL parameters for Group 1:-------------------------------------------------------------------------------==============================================Http Url Parameter Sub Usage----------------------------------------------"&message=quota80" 1==============================================Total entries displayed 17750 SR Advanced Configuration Guide Page 1323ConclusionConclusionThis example, intended for Application Assurance (AA) network architects and engineers,provides two implementation options for configuring and deploying HTTP In BrowserNotification. It also explains how to take advantage of the Http-Url-Param RADIUS VSA toflexibly define various messaging campaigns using a common AA notification policy.Page 13247750 SR Advanced Configuration Guide。

相关主题
  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。

7750SR路由器安全加固手册V1.1(适用于SR12, SR7)上海贝尔阿尔卡特股份有限公司互联网事业部二零一一年一月1关闭未用服务正常情况下,现场较多使用telnet登录、管理、配置路由器,其他服务在需要的时候再打开,不用时关闭。

7750SR路由器的SSH 服务系统缺省是打开的,建议关闭。

➢通过如下命令关闭ssh server和ftp服务:#config>system>security>ssh# server-shutdown#config>system>security>no ftp-server➢通过如下命令确认系统开放端口:#show system connections➢正常情况下系统只开放如下端口:TCP 179:用于BGP连接TCP 22:用于SSH登录TCP 646:用于LDPUDP 161:用于SNMPUDP 123:用于NTP2限制异常流量带宽7750SR路由器对于那些必须经过CPM上的CPU进行处理的流量可以通过cpm-filter命令来进行识别,该命令作用于流量到达CPM CPU之前的P-Chip芯片上,并可根据情况选择这些流量通过、拒绝或对其进行cpm-queue限速。

2.1.限制异常ICMP流量大量对路由器端口或system地址的Ping包都会造成CPM CPU利用率增加,可通过cpm-filter匹配由IOM送到CPM板卡上的ICMP报文,并通过cpm-queue限制其速率。

参考配置如下:部署CPM-Queue>config>sys>security>cpm-queue# info----------------------------------------------queue 40 createcbs 1000 mbs 1000rate 2000 cir 2000 //为ICMP协议只分配2000 kbps带宽exit----------------------------------------------部署CPM-Filter>config>sys>security>cpm-filter# info----------------------------------------------ip-filterno shutdownentry 40 createaction queue 40match protocol icmpexitexitexit----------------------------------------------注:经测试,上述配置可保证该路由器正常响应一台网络设备的快速Ping,在两台以上网络设备同时对其进行fast ping时,会造成丢包,但CPM上的CPU可得到较好保护。

用户可根据网络实际情况适当放宽ICMP流量带宽,但应注意放宽的流量越大,路由器受ICMP攻击的风险也越大。

2.2.限制异常TCP SYN流量TCP SYN Flood攻击通过大量伪造的源地址报文向路由器发送TCP SYN连接请求,路由器的TCP缓存队列被占满后,将拒绝新的连接请求。

通常路由器设备的TCP连接主要来自临近路由设备的路由协议(如BGP协议采用TCP179端口,LDP协议使用646端口建立TCP Session),以及telnet, ssh等管理需要。

参考配置如下:部署CPM-Queue>config>sys>security>cpm-queue# info----------------------------------------------queue 50 createcbs 1000 mbs 1000rate 2000 cir 2000 //为TCP SYN流量只分配2000 kbps带宽exit----------------------------------------------部署CPM-Filter>config>sys>security>cpm-filter# info----------------------------------------------ip-filterno shutdownentry 50 createaction queue 50match protocol tcptcp-syn truesrc-ip 10.0.0.0/8exitexitentry 51 createaction queue 50match protocol tcptcp-syn truesrc-ip 172.16.0.0/12exitexitentry 52 createaction queue 50match protocol tcptcp-syn truesrc-ip 192.168.0.0/16exitexitexit----------------------------------------------注:上述配置基于常见SYN Flood采用的源地址,只对这些源地址产生的TCP连接进行限速,其他正常的TCP连接不受影响。

3限制路由器的访问控制7750SR路由器可通过management-access-filter命令控制进、出CPM的流量,其动作只有permit或deny,可用于设置路由器的登录访问控制:对SSH登录源地址限制:>config>system>security>mgmt-access-filter# info----------------------------------------------default-action permit //必须为permit,否则所有未明确permit的流量均会被拒绝entry 10src-ip x.x.x.x/32//允许登录的第一台主机dst-port 22 65535action permitexitentry 15src-ip y.y.y.y/32 //允许登录的第二台主机dst-port 22 65535action permitexit......entry 100 //该条目放在最后,用于拒绝所有其他主机dst-port 22 65535action denyexit----------------------------------------------对于Telnet登录限制可将上述配置中的dst-port值设置成23,Entry编号从110-200;对于SNMP访问控制可将上述配置中的dst-port值设置成161,Entry编号从210-300;4密码管理7750SR的系统密码管理缺省配置如下:>config>system>security>password# info detail----------------------------------------------authentication-order radius tacplus localno agingminimum-length 6attempts 3 time 5 lockout 10complexityhealth-checkno admin-password----------------------------------------------●建议设置AAA服务器管理用户登录;●建议设置密码失效时间为30天;●建议设置密码最短长度为8;●建议加强本地密码设置的复杂程度,如必须包含数字,必须包含特殊字符,必须包含字母大小写。

●建议配置admin-password,该命令可允许任何在线用户通过输入enable-admin密码后成为系统管理员。

密码参数修改后如下:>config>system>security>password# info detail----------------------------------------------authentication-order radius tacplus localaging 30minimum-length 8attempts 3 time 5 lockout 10complexity numeric mixed-case special-characterhealth-checkadmin-password----------------------------------------------5设置登录信息缺省情况下,7750登录前会显示路由器版本信息,例如:TiMOS-C-4.0.R5 cpm/hops ALCATEL SR 7750 Copyright (c) 2000-2006 Alcatel.All rights reserved. All use subject to applicable license agreements.Built on Tue Aug 29 11:54:54 PST 2006 by builder in /rel4.0/b1/R5/panos/main这些内容为网络攻击提供了重要的参考信息,建议将其屏蔽;#configure system login-control no login-banner配置系统登录警告,要求非授权用户立即退出:>config>system>login-control# pre-login-message"********************************************************\n* [WARNING] *\n* This system is owned by XX-Telecom. If you are not *\n* authorized to access this system, exit immediately.*\n********************************************************\n"完成上述修改后,登录界面如下:********************************************************* [WARNING] ** This system is owned by XX-Telecom. If you are not ** authorized to access this system, exit immediately. *********************************************************Login:6限制登录帐号的命令使用:1)创建Profile:profile "gdnmc"entry 10match "show"action permitexitentry 20match "ping"action permitexitentry 30match "traceroute"action permitexitentry 40match "monitor"action permitexitentry 50match "logout"action permitexitentry 60match "telnet"action permitexitentry 70match "info"action permitexitexit2)将Profile应用到帐号中user "dsk"password "Btd24O2FUgBvCDR0lW4lFE" hash2 access consoleconsolemember "default"member "gdnmc"exitexit。

相关文档
最新文档