User manual
Table Of Contents
- Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide
- Contents
- Preface
- Overview of the ML-Series Card
- CTC Operations on the ML-Series Card
- Initial Configuration of the ML-Series Card
- Configuring Interfaces on the ML-Series Card
- Configuring POS on the ML-Series Card
- Configuring STP and RSTP on the ML-Series Card
- STP Features
- STP Overview
- Supported STP Instances
- Bridge Protocol Data Units
- Election of the Root Switch
- Bridge ID, Switch Priority, and Extended System ID
- Spanning-Tree Timers
- Creating the Spanning-Tree Topology
- Spanning-Tree Interface States
- Spanning-Tree Address Management
- STP and IEEE 802.1Q Trunks
- Spanning Tree and Redundant Connectivity
- Accelerated Aging to Retain Connectivity
- RSTP Features
- Interoperability with IEEE 802.1D STP
- Configuring STP and RSTP Features
- Default STP and RSTP Configuration
- Disabling STP and RSTP
- Configuring the Root Switch
- Configuring the Port Priority
- Configuring the Path Cost
- Configuring the Switch Priority of a Bridge Group
- Configuring the Hello Time
- Configuring the Forwarding-Delay Time for a Bridge Group
- Configuring the Maximum-Aging Time for a Bridge Group
- Verifying and Monitoring STP and RSTP Status
- STP Features
- Configuring VLANs on the ML-Series Card
- Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling on the ML-Series Card
- Configuring Link Aggregation on the ML-Series Card
- Configuring IRB on the ML-Series Card
- Configuring Quality of Service on the ML-Series Card
- Understanding QoS
- ML-Series QoS
- QoS on RPR
- Configuring QoS
- Monitoring and Verifying QoS Configuration
- QoS Configuration Examples
- Understanding Multicast QoS and Multicast Priority Queuing
- Configuring Multicast Priority Queuing QoS
- QoS not Configured on Egress
- ML-Series Egress Bandwidth Example
- Understanding CoS-Based Packet Statistics
- Configuring CoS-Based Packet Statistics
- Understanding IP SLA
- Configuring the Switching Database Manager on the ML-Series Card
- Configuring Access Control Lists on the ML-Series Card
- Configuring Resilient Packet Ring on the ML-Series Card
- Understanding RPR
- Configuring RPR
- Connecting the ML-Series Cards with Point-to-Point STS Circuits
- Configuring CTC Circuits for RPR
- Configuring RPR Characteristics and the SPR Interface on the ML-Series Card
- Assigning the ML-Series Card POS Ports to the SPR Interface
- Creating the Bridge Group and Assigning the Ethernet and SPR Interfaces
- RPR Cisco IOS Configuration Example
- Verifying Ethernet Connectivity Between RPR Ethernet Access Ports
- CRC Threshold Configuration and Detection
- Monitoring and Verifying RPR
- Add an ML-Series Card into an RPR
- Delete an ML-Series Card from an RPR
- Cisco Proprietary RPR KeepAlive
- Cisco Proprietary RPR Shortest Path
- Redundant Interconnect
- Configuring Security for the ML-Series Card
- Understanding Security
- Disabling the Console Port on the ML-Series Card
- Secure Login on the ML-Series Card
- Secure Shell on the ML-Series Card
- RADIUS on the ML-Series Card
- RADIUS Relay Mode
- RADIUS Stand Alone Mode
- Understanding RADIUS
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring AAA Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Configuring a nas-ip-address in the RADIUS Packet
- Configuring Settings for All RADIUS Servers
- Configuring the ML-Series Card to Use Vendor-Specific RADIUS Attributes
- Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication
- Displaying the RADIUS Configuration
- Configuring Bridging on the ML-Series Card
- CE-100T-8 Ethernet Operation
- Command Reference for the ML-Series Card
- [no] bridge bridge-group-number protocol {drpri-rstp | ieee | rstp}
- clear counters
- [no] clock auto
- interface spr 1
- [no] pos mode gfp [fcs-disabled]
- [no] pos pdi holdoff time
- [no] pos report alarm
- [non] pos trigger defects condition
- [no] pos trigger delay time
- [no] pos vcat defect {immediate | delayed}
- show controller pos interface-number [details]
- show interface pos interface-number
- show ons alarm
- show ons alarm defect {[eqpt | port [port-number] | sts [sts-number] | vcg [vcg-number] | vt]}
- show ons alarm failure {[eqpt | port [port-number] | sts [sts-number] | vcg [vcg-number] | vt]}
- spr-intf-id shared-packet-ring-number
- [no] spr load-balance { auto | port-based }
- spr station-id station-id-number
- spr wrap { immediate | delayed }
- Unsupported CLI Commands for the ML-Series Card
- Using Technical Support
- Index
15-6
Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5
78-18133-01
Chapter 15 Configuring Security for the ML-Series Card
RADIUS on the ML-Series Card
For more information about these commands, see the “Secure Shell Commands” section in the “Other
Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at
this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr.htm.
RADIUS on the ML-Series Card
RADIUS is a distributed client/server system that secures networks against unauthorized access. Clients
send authentication requests to a central RADIUS server, which contains all user authentication and
network service access information. The RADIUS host is normally a multiuser system running RADIUS
server software from Cisco or another software provider.
Many Cisco products offer RADIUS support, including the ONS 15454, ONS 15454 SDH,
ONS 15310-CL, ONS 15310-MA, and ONS 15600. The ML-Series card also supports RADIUS.
The ML-Series card can operate either in RADIUS relay mode or in RADIUS stand alone mode
(default). In either mode, the RADIUS messages from the ML-Series card are passed to a RADIUS
server that is on the data communications network (DCN) used to manage the ONS node.
RADIUS Relay Mode
In RADIUS relay mode, RADIUS on the ML-Series card is configured by CTC or TL1 and uses the
AAA/RADIUS features of the ONS node, which contains the ML-Series card. There is no interaction
between RADIUS relay mode and RADIUS standalone mode. For information on ONS node security,
refer to the “Security” chapter of the ONS node’s reference manual.
An ML-Series card operating in RADIUS relay mode does need to be specified as a client in the
RADIUS server entries. The RADIUS server uses the client entry for the ONS node as a proxy for the
ML-Series card.
Enabling relay mode disables the Cisco IOS CLI commands used to configure AAA/RADIUS. The user
can still use the Cisco IOS CLI commands not related to AAA/RADIUS.
In relay mode, the ML-Series card shows a RADIUS server host with an IP address that is really the
internal IP address of the active timing, communications, and control card (XTC). When the ML-Series
card actually sends RADIUS packets to this internal address, the XTC converts the RADIUS packet
destination into the real IP address of the RADIUS server. In stand alone mode, the ML-Series card
shows the true IP addresses of the RADIUS servers.
When in relay mode with multiple RADIUS server hosts, the ML-Series card IOS CLI show run output
also shows the internal IP address of the active XTC card. But since the single IP address now represents
multiple hosts, different port numbers are paired with the IP address to distinguish the individual hosts.
These ports are from 1860 to 1869, one for each authentication server host configured, and from 1870
to 1879, one for each accounting server host configured.
The single IP address will not match the host IP addresses shown in CTC, which uses the true addresses
of the RADIUS server hosts. These same true IP addresses appear in the ML-Series card IOS CLI show
run output, when the ML-Series card is in stand alone mode.
Note A user can configure up to 10 servers for either authentication or accounting application, and one server
host can perform both authentication and accounting applications.