This chapter explains how to operate the Cisco ICS 7750 and is organized as follows:
Note: For information on how to install and maintain system hardware, including hardware component specifications, refer to the Cisco ICS 7750 Hardware Installation Guide. For information on software configuration, see the Cisco ICS 7700 System Manager User Guide and the Cisco ICS 7750 Software Configuration Guide.
This section describes system hardware components.
The chassis houses the following components:
The system is designed for use with Catalyst 3524-PWR XL switches (see "Switches" later in this chapter).
The Cisco ICS 7750 can contain many combinations of cards. The Cisco ICS 7700 System Manager software detects the cards present at system startup.
Figure 1-1 shows a typical hardware configuration. Take a moment to become familiar with your system's configuration by glancing at the front panel, using Table 1-1 as a reference.

Table 1-1 describes system cards. The number of cards installed in a chassis varies.

| Card Name | Number of Cards Per Chassis | Chassis Slot Number | Card Description | Number of External Ports Per Card |
|---|---|---|---|---|
| System processing engine (SPE) | 1 to 5 | 1 | | No external ports |
| Multiservice route processor (MRP) | 0 to 5 | 1 | | Many combinations of ports are available depending on which WICs and VICs are installed on each MRP. |
| System switch processor (SSP) | 1 | 7 | An Ethernet switch that passes data between all system cards and to any other switches connected to the system. | 2 Ethernet 10/100 |
| System alarm processor (SAP) | 1 | 8 | | 3 serial (2 COM, |
Slots for two 240W power supply modules are located on the right side of the system chassis. If your system has two power supply modules, normal operation can continue even if only one power supply module is functioning.
If you intend to use a backup power device such as an uninterruptible power supply (UPS), avoid devices that use ferroresonant technology. A UPS that uses ferroresonant technology can become unstable when used with components that can cause substantial current draw fluctuations, such as Catalyst 3524-PWR XL switches. Cisco recommends that you use the Cisco redundant power supply (RPS) 300 to provide backup power to Catalyst 3524-PWR XL switches.
Note: For more information about backup power devices that are approved for use with the system, contact your sales representative.
The system is cooled by four fans, which are located in the fan tray at the bottom of the system chassis. Individual fans are not field replaceable; if one or more fans fail, replace the entire fan tray.
You can attach a stack of interconnected Catalyst 3524-PWR XL switches to a Cisco ICS 7750. See the Cisco ICS 7750 Hardware Installation Guide and the documentation that came with your switches for additional information.
Note: Cisco recommends that you attach no more than five Catalyst 3524-PWR XL switches to a single Cisco ICS 7750.
To access the system, use the Cisco ICS 7700 System Manager software. Powering up the system automatically launches the Cisco ICS 7700 System Manager (referred to as the System Manager from this point on).
At first system startup, you need to initialize the system's addresses and configure its parameters. To streamline this process, the system uses the Dynamic Host Configuration Protocol (DHCP), an industry-standard protocol for automatically assigning IP addresses and configuration information. Because it is DHCP-based, the System Manager prompts you to provide a pool of IP addresses that it can choose from.
When you complete the initial configuration, you can access the System Manager by pointing a Web browser at the System Manager's IP address. The System Manager runs on the system processing engine (SPE) card.
Note: For detailed System Manager usage instructions, see the Cisco ICS 7700 System Manager User Guide.
The System Manager includes detailed online help in HTML format.
The MRPs, the SSP, and the Catalyst 3524-PWR XL switches run Cisco IOS software, which provides a command-line interface (CLI) that is particularly well suited to system troubleshooting.
Note: For information about how to access the system through the console port and for information about IOS software commands that you are likely to use with the Cisco ICS 7750, refer to the Cisco ICS 7750 Software Configuration Guide. For an overview of IOS software configuration, refer to the Cisco IOS Configuration Fundamentals Configuration Guide.
Caution: Some tasks should not be done with IOS software because they are configured through the System Manager and might conflict with its configurations. These tasks include software upgrade, assigning and changing passwords, assigning IP information and removing an IP address, specifying a domain name and configuring the domain name system (DNS) server, disabling and enabling the Simple Network Management Protocol (SNMP), configuring SNMP community strings, configuring SNMP trap managers and enabling SNMP traps, disabling the Cisco Discovery Protocol (CDP), and disabling the Network Time Protocol (NTP).
When you log in to the IOS software, you begin in user mode, often called EXEC mode. Only a limited subset of the commands are available in EXEC mode. To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From privileged mode, you can enter any EXEC command or enter global configuration mode. Most of the EXEC commands are one-time commands, such as show commands, which show important status information, and clear commands, which clear counters or interfaces. The EXEC commands are not saved when the device reboots.
The configuration modes enable you to make changes to the running configuration. To enter the configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and a variety of protocol-specific modes.
ROM monitor mode is a separate mode that is used when a device running IOS software cannot boot properly. If your device does not find a valid system image when it is booting, or if its configuration file is corrupted at startup, the system might enter ROM monitor mode.
Table 1-2 lists the most common IOS command modes.
| Command Mode | Access Method | Prompt | Exit Method |
|---|---|---|---|
| User EXEC | Log in. | Cisco ICS 7750> | Enter the logout command. |
| Privileged EXEC | From user EXEC mode, enter the enable EXEC command. | Cisco ICS 7750# | To exit to user EXEC mode, enter the disable command. To enter global configuration mode, enter the configure terminal privileged EXEC command. |
| Global configuration | From privileged EXEC mode, enter the configure terminal command. | Cisco ICS 7750(config)# | To exit to privileged EXEC mode, enter the exit or end command or press Ctrl-Z. To enter interface configuration mode, enter an interface configuration command. |
| Interface configuration | From global configuration mode, enter the interface type number command, such as interface serial 0/0. | Cisco ICS 7750(config-if)# | To exit to global configuration mode, enter the exit command. To exit to privileged EXEC mode, press Ctrl-Z. |
| ROM monitor | From privileged EXEC mode, enter the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting. | > | To exit to user EXEC mode, enter the continue command. |
Entering a question mark (?) at the system prompt displays a list of commands available for each command mode. You can also get a list of keywords and arguments associated with any command by using the context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the commands shown in Table 1-3.
| Command | Purpose |
|---|---|
| help | Obtain a brief description of the help system in any command mode. |
| abbreviated-command-entry? | Obtain a list of commands that begin with a particular character string. (Do not leave a space between the command and the question mark.) |
| abbreviated-command-entry<Tab> | Complete a partial command name. |
| ? | List all commands available for a particular command mode. |
| command ? | List the keywords or arguments associated with a command. (Leave a space between the command and the question mark.) |
Almost every configuration command has a no form. In general, enter the no form to disable a function. Enter the command without the keyword no to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, enter the no ip routing command and enter ip routing to reenable it. IOS software command reference publications provide the complete syntax for the configuration commands and describe what the no form of a command does.
Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values. The IOS software command reference publications describe what the default form of a command does if the command is not the same as the no form.
System software runs in the background, collecting data on the status of system components. You can access the system software CLI by opening a telnet session or by pressing Ctrl-Backslash (\).
Table 1-4 lists system software CLI commands:
| Command | Purpose |
|---|---|
Note: System software commands are not case sensitive. You can use any combination of uppercase and lowercase letters when entering these commands. Command arguments are preceded by a hyphen (-).
To get help specific to a system software command or a command argument, use one of the following commands:
| Command | Purpose |
|---|---|
You can use the System Manager to ensure that only those with proper authorization have access to sensitive information.
For example, the System Manager includes seven pre-configured user groups, based on different types of roles; a member of the "Administrator" group might add and delete users, while a member of the "CallManager" group might only be responsible for phone moves, adds, and changes (MACs).
Note: For additional information, refer to the Cisco ICS 7700 System Manager User Guide or the Cisco ICS 7700 System Manager Online Help.
Because connecting to the Internet presents security risks, use a set of overlapping security mechanisms, including authentication (verifying that a person is who they say they are), authorization (defining user access privileges), firewalls (hardware, software, or a combination of both that enforces security policies at the network boundary), and packet filters (software controls that prevent unauthorized packets from leaving, or in some cases entering, the network).
You can use the System Manager to configure authentication and authorization privileges; therefore, this section describes only the following:
Note: For additional information about how to use IOS commands related to security, refer to the Cisco ICS 7750 Software Configuration Guide.
Typically, a network firewall consists of several different machines. An example of a possible firewall architecture is shown in Figure 1-2.

In this architecture, the router that is connected to the Internet forces all incoming traffic to go to the application gateway. The router that is connected to the internal network accepts packets only from the application gateway.
The application gateway institutes per-application and per-user policies. In effect, the gateway controls the delivery of network-based services both to and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host.
Set up the router and packet filters to reflect the same policies. (See "Setting Up Packet Filters" later in this chapter.) If mail is the only permitted application, only mail packets should be allowed through the router. This restriction keeps the application gateway from being overwhelmed by packets it would otherwise discard.
Suppose that your network is set up as shown in Figure 1-3. The firewall router allows incoming new connections to one or more communication servers or hosts. Having a designated router act as a firewall clearly identifies the router's purpose as the external gateway and avoids encumbering other routers with this task. If the internal network needs to isolate itself, the firewall router provides the point of isolation so that the rest of the internal network structure is not affected.
Connections to the hosts are restricted to incoming File Transfer Protocol (FTP) requests and e-mail services, and incoming Telnet or modem connections are screened by the communication server.

Set up your security policy so that packet filters follow one of two policies: either permit everything except the packets that are explicitly identified as harmful, or deny everything except the packets that are explicitly identified as needed.
The first policy requires a thorough understanding of specific security threats and can be hard to implement.
The second policy is easier to implement and more secure because you do not have to predict future attacks in order to decide which packets to deny. It is also easier to test because there is a finite set of accepted uses of the network. Devices that run Cisco IOS implement this second type of policy in their packet filters, which Cisco calls access control lists (ACLs).
This section provides the following information about ACLs:
An ACL on an MRP, router, or switch running IOS always ends with an implicit deny-all statement. Every explicit permit and deny statement is evaluated before this implicit deny is reached. (The statement is implicit because you do not have to enter it, though it is a good idea to enter an explicit deny-all as the last statement to make the behavior of the list obvious; with the log keyword it also records what the list drops.)
ACLs help you determine whether network traffic is forwarded or blocked at interfaces on an MRP, router, or switch. ACL definitions provide criteria that are applied to packets that enter or exit an interface. Typical criteria are the packet source address, the packet destination address, or the upper-layer protocol in the packet.
IOS tests a packet against each statement in the list in order and stops at the first match, so the order of the statements determines both correctness and performance. Because the first match wins, a specific statement must precede any more general statement that also matches the same packets; a general permit or deny placed above it would shadow it, and it would never be reached. Within that constraint, study the traffic flow and place the statements that match the most packets earliest: fewer conditions checked per packet means better throughput. The last statement is always the general, implicit deny-all.
To provide security on the firewall router, as shown in Figure 1-3, you can use ACLs as described below.
Suppose that you decide to permit incoming e-mail and news access for a few hosts, but you want to limit FTP, Telnet, and rlogin services to hosts on the firewall subnet only. You could use IP extended ACLs (numbered 100 to 199) and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers to filter traffic. When a connection is to be established for e-mail, Telnet, FTP, and so forth, the connection attempts to open a service on a specified port number. You can, therefore, filter out selected types of connections by denying packets that are attempting to use that service.
An inbound ACL is checked when the packet arrives on an interface, before the routing decision; an outbound ACL is checked after the routing decision has been made but before the packet is sent out on the interface. The best place to compose an ACL is on a preferred host using a text editor. You can create a file that contains the ACL commands, place the file (marked readable) in the default TFTP directory, and then load the file onto the MRP or router. TFTP provides no authentication or encryption, so keep the TFTP server on a trusted network, make the file no more readable than the daemon requires, and remove it once the load is done.
Note: The network server storing the file must be running a TFTP daemon, and the firewall router must be able to reach it over UDP port 69 (TFTP does not use TCP).
Examples of specific ACL entries follow (use Figure 1-3 as a reference). The entries are shown one per line, with explanatory comment lines (beginning with an exclamation point, which IOS ignores). B.B stands for the first two octets of the site's own network, and the pair 0.0.0.0 255.255.255.255 is the long form of "any address".

```
! Remove any existing list 101 before rebuilding it
no access-list 101
! A single permitted B.B source, listed before the broader deny so the exception is matched first
access-list 101 permit ip B.B.14.2 0.0.0.0 0.0.0.0 255.255.255.255
! Anti-spoofing: drop anything else that claims an internal B.B source address
access-list 101 deny ip B.B.0.0 0.0.255.255 0.0.0.0 255.255.255.255
! DNS (UDP 53) and NTP (UDP 123)
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123
! NFS (UDP 2049) is refused here because the high-port permits below would otherwise admit it
access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
! Telnet only to the communication server
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.2 0.0.0.0 eq 23
! FTP control (21) and data (20) only to the FTP host
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 21
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 eq 20
! Ports above 1023 on three hosts. These entries admit new inbound connections to any
! high port, not just replies; add the established keyword to the TCP entries if only
! replies to connections opened from the inside are wanted.
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 gt 1023
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
access-list 101 permit tcp 0.0.0.0 255.255.255.255 B.B.1.101 0.0.0.0 gt 1023
access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.13.100 0.0.0.0 gt 1023
access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.1.100 0.0.0.0 gt 1023
access-list 101 permit udp 0.0.0.0 255.255.255.255 B.B.1.101 0.0.0.0 gt 1023
! Apply the list to the interface; without a direction keyword, ip access-group applies it to outbound traffic
interface ethernet 0
ip access-group 101
```

Figure 1-4 illustrates a host that is spoofing (claiming a source address that is not its own). Someone in the outside world is claiming to originate traffic from network 131.108.17.0. Although the address is spoofed, the router interface to the outside world has no way to tell and treats the packet as coming from 131.108.17.0. If the input ACL on that interface permits traffic from 131.108.17.0, it accepts the forged packet. To prevent this, apply an input ACL to the router interface to the outside world that denies any packet whose source address belongs to one of the internal networks the router knows about (131.108.17.0 and 131.108.18.0); such packets can never legitimately arrive from outside.
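The first-match rule, the implicit deny, and the anti-spoofing list described above, worked through as an added Python example that is not part of the original guide. It parses list entries in the syntax used in this chapter, evaluates packets against them, and reports entries that an earlier, more general entry makes unreachable. The list numbers, addresses, and packets are constructed for the example (10.1.x.x stands in for B.B.x.x), and only the destination-port operators eq and gt used in this chapter are modeled.

```python
"""Added example (not code from the Cisco ICS 7750 guide): a first-match evaluator for
IOS-style numbered extended access lists, showing the implicit deny, why a specific entry
must precede a general one (shadowing), and the inbound anti-spoofing list of Figure 1-4."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: tuple    # (base & care, care) as built by _spec
    dst: tuple
    op: str = ""  # "", "eq" or "gt", applied to the destination port
    port: int = 0

Packet = namedtuple("Packet", "proto src dst dport", defaults=(0,))  # constructed test input

def _spec(base: str, wildcard: str) -> tuple:
    """A 1 bit in an IOS wildcard means don't care; 'care' keeps the bits that are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care, care)

def _addr_match(addr: str, spec: tuple) -> bool:
    return (int(ipaddress.IPv4Address(addr)) & spec[1]) == spec[0]

def _take_addr(t: list, pos: int) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[pos]; return (spec, next pos)."""
    if t[pos] == "any":
        return _spec("0.0.0.0", "255.255.255.255"), pos + 1
    if t[pos] == "host":
        return _spec(t[pos + 1], "0.0.0.0"), pos + 2
    return _spec(t[pos], t[pos + 1]), pos + 2

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny proto src dst [eq|gt port]'."""
    t = line.split()
    src, pos = _take_addr(t, 4)
    dst, pos = _take_addr(t, pos)
    op, port = (t[pos], int(t[pos + 1])) if pos < len(t) else ("", 0)
    return Entry(t[2], t[3], src, dst, op, port)

def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines() if l.strip().startswith("access-list")]

def _matches(e: Entry, p) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(p.src, e.src) and _addr_match(p.dst, e.dst)):
        return False
    if e.op == "eq":
        return p.dport == e.port
    return p.dport > e.port if e.op == "gt" else True

def evaluate(acl: list, p) -> tuple:
    """(action, index of the first matching entry); no match hits the implicit deny (index None)."""
    for i, e in enumerate(acl):
        if _matches(e, p):
            return (e.action, i)
    return ("deny", None)

def _covers_addr(a: tuple, b: tuple) -> bool:
    # every address that matches spec b also matches spec a
    return (a[1] & ~b[1]) == 0 and (b[0] & a[1]) == a[0]

def _covers_port(a: Entry, b: Entry) -> bool:
    if a.op == "eq":
        return b.op == "eq" and a.port == b.port
    return not a.op or (b.op == "gt" and b.port >= a.port) or (b.op == "eq" and b.port > a.port)

def shadowed(acl: list) -> list:
    """(later, earlier) index pairs where an earlier entry matches everything the later one would."""
    out = []
    for j, later in enumerate(acl):
        for i in range(j):
            e = acl[i]
            if (e.proto in ("ip", later.proto) and _covers_addr(e.src, later.src)
                    and _covers_addr(e.dst, later.dst) and _covers_port(e, later)):
                out.append((j, i))
                break
    return out

# Constructed stand-in for the firewall-router list: the NFS deny precedes the high-port permit.
FIREWALL_ACL = parse_acl("""
access-list 101 permit ip 10.1.14.2 0.0.0.0 0.0.0.0 255.255.255.255
access-list 101 deny ip 10.1.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
access-list 101 permit tcp 0.0.0.0 255.255.255.255 10.1.13.2 0.0.0.0 eq 23
access-list 101 permit udp 0.0.0.0 255.255.255.255 10.1.13.100 0.0.0.0 gt 1023
""")
# Inbound list for the outside interface (Figure 1-4): refuse internal source addresses first.
ANTI_SPOOF_ACL = parse_acl("""
access-list 110 deny ip 131.108.17.0 0.0.0.255 any
access-list 110 deny ip 131.108.18.0 0.0.0.255 any
access-list 110 permit ip any any
""")
# The same NFS deny placed after the general high-port permit: shadowed, never reached.
BAD_ORDER_ACL = parse_acl("""
access-list 102 permit udp any any gt 1023
access-list 102 deny udp any host 10.1.13.100 eq 2049
""")
```

evaluate(FIREWALL_ACL, Packet("udp", "198.51.100.7", "10.1.13.100", 2049)) returns ("deny", 2) because the NFS deny is reached before the high-port permit; in BAD_ORDER_ACL the same packet returns ("permit", 0), and shadowed(BAD_ORDER_ACL) reports the deny as unreachable, which is the check to run before loading a list onto the router.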
This section describes alarms, which indicate problems on the Cisco ICS 7750 itself or on systems with which it is communicating.
Alarms are associated with the following:
Note: For more information about SNMP messages, see "System Monitoring." To find out how to identify and solve system problems, see "System Troubleshooting Guidelines" and "Error Message Summary."
The system can notify you of alarms in any of the following ways:
The system has the following two alarm levels:
This section provides the following information about logging:
The system offers the following logging features:
You can access log messages in any of the following ways:
Note: For Cisco ICS 7750 components that support IOS (cards and Catalyst 3524-PWR XL switches), if you want them to log messages to the System Manager for analysis, you must configure them accordingly. (See "How to Change the Log Configuration" later in this chapter.)
The System Manager provides several options for handling the log messages directed to it. By default, the system sends all log messages to the SPE, where they are stored on disk.
The System Manager also provides log message filtering and review capabilities, allowing you to define policies (a set of rules based on log message syntax) that specify whether a particular log message is sent to file, generates an e-mail, or a number of other options. For additional information about log message handling with the System Manager, refer to the Cisco ICS 7700 System Manager User Guide.
You can also use IOS software to read system messages by logging in to the console or through Telnet. You can monitor system messages remotely from any workstation that supports the Telnet protocol; for example, you can remotely monitor the messages originating from the SSP or MRPs. Telnet carries the login and enable passwords in cleartext, so restrict it to a trusted management network.
The system saves syslog messages in an internal buffer. You can also configure the system to send messages to a specified syslog server.
Note: For instructions on how to view and change the log configuration, see "How to Change the Log Configuration" later in this chapter.
The mandatory portion of a log message begins with a percent sign (%) and can contain up to 80 characters. The message fields that precede the percent sign (date, time, time zone, and time zone offset) are optional.
Messages are displayed in the following format, on a single line:

```
[date] [time] [TIME ZONE] [time zone offset]: %FACILITY-[SUB_FACILITY-]SEVERITY-MNEMONIC:message_text
```
Table 1-6 describes the elements of log messages.

| Element | Example | Format | Description |
|---|---|---|---|
| date | | yyyy mmm dd | The date of the occurrence as defined at the source device. |
| time | | hh:mm:ss | The time of the occurrence as defined at the source device. |
| TIME ZONE | GMT | STRING | The time zone as defined at the source device. |
| time zone offset | | (- \| +) hh:mm | The amount of time offset from UTC as defined at the source device. |
| %FACILITY | %LPR | STRING | Two or more uppercase letters that indicate the facility to which the message refers. Facilities include hardware devices and protocols. A percent sign (%) must precede the facility name. (This is not the UNIX syslog facility of Table 1-7, which is assigned separately when messages are forwarded to a syslog server.) |
| SUB_FACILITY | CLAW | STRING | (Optional) Two or more uppercase letters that indicate the sub-facility to which the message refers. Sub-facilities refer to system software modules. |
| SEVERITY | 1 | 0 - 7 | A single-digit code from 0 to 7 that indicates the severity of the message (see Table 1-8). The lower the number, the more serious the situation. |
| MNEMONIC | XMIT_ERR | STRING | A code that uniquely identifies the message. |
| message_text | System temperature OK | string | A description of the occurrence. |
Table 1-7 describes the UNIX syslog facility keywords under which forwarded messages can be recorded on a syslog server (see the server facility setting in Table 1-9).

| Keyword | Description |
|---|---|
| auth | Authorization system |
| cron | cron facility |
| daemon | System daemon |
| kern | Kernel |
| local0-7 | Reserved for user-defined messages (eight types, from local0 through local7, are available) |
| lpr | Line printer system |
| mail | Mail system |
| news | USENET news |
| syslog | System log |
| uucp | UNIX-to-UNIX copy system |
Table 1-8 describes log message severity levels.

| Keyword | Level | Description | Syslog Definition |
|---|---|---|---|
| emergency | 0 | System unusable | LOG_EMERG |
| alert | 1 | Immediate action required | LOG_ALERT |
| critical | 2 | Critical condition | LOG_CRIT |
| error | 3 | Error condition | LOG_ERR |
| warning | 4 | Warning condition | LOG_WARNING |
| notification | 5 | Normal but significant condition | LOG_NOTICE |
| informational | 6 | Information only; no action required | LOG_INFO |
| debugging | 7 | Debugging message | LOG_DEBUG |
Note: Not all messages indicate problems. Some messages are purely informational, and others may help diagnose problems with communications lines, internal hardware, or the system software. To find out how to use system messages to identify and solve problems, see "System Troubleshooting Guidelines" and "Error Message Summary."
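The message format of Table 1-6 and the severity scale of Table 1-8, together with the server severity cut-off of Table 1-9 and a first-match filtering policy of the kind the System Manager lets you define, worked through as an added Python example that is not part of the original guide. The sample log lines, the policy rules, and the action names ("email" and "file") are constructed for the example; facility and mnemonic values in the samples are illustrative.

```python
"""Added example (not code from the Cisco ICS 7750 guide): parse log messages in the
Table 1-6 format, apply the Table 1-9 server severity cut-off, and route each message
through a small first-match policy. Sample lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# [date] [time] [TIME ZONE] [time zone offset]: %FACILITY-[SUB_FACILITY-]SEVERITY-MNEMONIC:message_text
_LOG_RE = re.compile(
    r"^(?:(?P<date>\d{4} [A-Z][a-z]{2} \d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<tz>[A-Z]{2,5}))?(?: (?P<offset>[-+]\d{2}:\d{2}))?: )?"
    r"%(?P<facility>[A-Z][A-Z0-9_]+)-(?:(?P<sub>[A-Z][A-Z0-9_]+)-)?"
    r"(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$")

@dataclass(frozen=True)
class LogMessage:
    facility: str
    sub_facility: Optional[str]
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str]   # None when the optional prefix is absent

    @property
    def level(self) -> str:
        return SEVERITY[self.severity]

def parse_log_line(line: str) -> Optional[LogMessage]:
    """Return None for lines that are not system messages (the mandatory part starts at %)."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    ts = " ".join(p for p in (m["date"], m["time"], m["tz"], m["offset"]) if p) or None
    return LogMessage(m["facility"], m["sub"], int(m["severity"]), m["mnemonic"], m["text"], ts)

def forwarded_to_server(msg: LogMessage, trap_level: int = 4) -> bool:
    """The server severity setting of Table 1-9 (default warnings, 4): a message is sent
    only when its level number is at or below the configured one."""
    return msg.severity <= trap_level

@dataclass(frozen=True)
class Rule:
    action: str          # "email" or "file" (constructed action names)
    max_level: int = 7   # match this level or more severe (lower number)
    facility: str = ""   # empty matches any facility
    mnemonic: str = ""   # empty matches any mnemonic

    def matches(self, msg: LogMessage) -> bool:
        return (msg.severity <= self.max_level
                and self.facility in ("", msg.facility)
                and self.mnemonic in ("", msg.mnemonic))

def dispatch(msg: LogMessage, rules) -> str:
    """First matching rule wins; unmatched messages go to file."""
    return next((r.action for r in rules if r.matches(msg)), "file")

# Example policy: mail critical and worse, mail configuration changes, always file ACL hits.
POLICY = [Rule("email", max_level=2),
          Rule("email", facility="SYS", mnemonic="CONFIG_I"),
          Rule("file", facility="SEC")]

# Constructed sample lines in the Table 1-6 format.
SAMPLE_LINES = [
    "2000 Oct 02 13:42:46 PDT -07:00: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.20)",
    "2000 Oct 02 13:42:50 PDT -07:00: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.5.5(4021) -> 10.1.13.2(23), 1 packet",
    "%LPR-CLAW-1-XMIT_ERR: transmit error on channel 0",
    "%LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "this line is not a system message",
]

def process(lines, trap_level: int = 4, rules=POLICY) -> list:
    """(mnemonic, level name, forwarded to syslog server?, policy action) for each parsed line."""
    out = []
    for line in lines:
        msg = parse_log_line(line)
        if msg is not None:
            out.append((msg.mnemonic, msg.level, forwarded_to_server(msg, trap_level), dispatch(msg, rules)))
    return out
```

With the default server severity of warnings (4), the level-6 ACL-hit message in the sample is never forwarded to the syslog server even though the policy files it; if the denies should reach the server, raise the cut-off with logging trap informational (trap_level=6 in the example).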
The system typically sends log messages to the System Manager and to the system console. You can redirect these messages to other destinations such as buffers and UNIX hosts running a syslog server.
This section provides the following information about log configurations:
System IOS components ship with the default logging configuration shown in Table 1-9.
| Configuration Parameter | Default Setting |
|---|---|
| System message logging to the console | Disabled |
| System message logging to Telnet sessions | Disabled |
| Log server | Disabled |
| Syslog server IP address | None configured |
| Server facility | LOCAL7 |
| Server severity | Warnings (4) |
| Logging buffer size | 500 |
| Logging history size | 1 |
| Timestamp option | Disabled |
Tip: To view the state of syslog error and event logging, including host addresses and whether console logging is enabled, enter the show logging command at the CLI.
Before you can send log messages to a UNIX syslog server, you must configure the syslog daemon on the UNIX server. To configure the syslog daemon, log in as root and include a line such as the following in the file syslog.conf:

facility.level /syslog_path/myfile.log

where facility is the syslog facility under which the system sends its messages (LOCAL7 by default; see Table 1-9) and level is the lowest severity to record in the file. The syslog daemon (syslogd) writes messages at the specified level or more severe to the file, provided that the file exists and that syslogd has permission to write to it. Some syslogd implementations do not accept messages from the network until started with the option that enables it, and UDP port 514 must be reachable from the system; check both if messages never arrive.
To change syslog server logging behavior, use the following global configuration commands; each corresponds to a parameter in Table 1-9.

| Task | Command |
|---|---|
| Send messages to a syslog server (host is the IP address or name of the server) | logging host |
| Limit messages sent to the syslog server to the given severity level or more severe | logging trap level |
| Set the UNIX syslog facility under which the server records the messages | logging facility facility-type |
| Set the size of the internal message buffer | logging buffered size |
| Enable logging to the console, limited to the given severity level | logging console level |
| Enable logging to Telnet sessions, limited to the given severity level | logging monitor level |
| Set the number of messages kept in the history table | logging history size number |
| Add a date and time stamp to messages | service timestamps log datetime |
Note: For detailed information about IOS commands related to logging, refer to the Configuration Fundamentals Command Reference publication.
Posted: Mon Oct 2 13:42:46 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.