Radisys Seg-100 Instruction Manual

Administration Guide

SECURITY GATEWAY

SEG-100

SOFTWARE RELEASE 1.1

February 2012 007-03416-0003

Revision history

Version Date Description

-0000 August 2011 First edition.

-0001 September 2011 Second edition. Updated to include new authentication profiles, RADIUS authentication, and I-WLAN solution.

Added information on local user databases, CLI scripting, statistics, and log receivers. Made significant

updates to the NAT and SAT sections, and made other corrections and clarifications.

-0002 January 2012 Third edition. Updated for the 1.1.1 software release. Added information to the SCP, licensing, and backup

and restore sections. Added IPv6 information. Made other corrections and clarifications.

-0003 February 2012 Fourth edition. Updated for the 1.1.2 software release. See What’s new in this manual on page 6 for a

description of changes in this edition.

©2011‐2012byRadiSysCorporation.Allrightsreserved.

RadisysisaregisteredtrademarkofRadiSysCorporation.AdvancedTCA,ATCA,andPIGMGareregisteredtrademarksofPCIIndustrial

ComputerManufacturersGroup.

Allothertrademarks,registeredtrademarks,servicemarks,andtradenamesarethepropertyoftheirrespectiveowners.

Table of Contents

Preface ................................................................................................................................................ 6

About this manual........................................................................................................................................6

What’s new in this manual...........................................................................................................................6

Where to get more product information.......................................................................................................6

Related documents......................................................................................................................................7

Notational conventions................................................................................................................................7

Chapter 1: Overview........................................................................................................................... 8

SEG overview..............................................................................................................................................8

SEG architecture.........................................................................................................................................8

Chapter 2: Management................................................................................................................... 12

Management access .................................................................................................................................12

Date and time............................................................................................................................................33

Licensing...................................................................................................................................................37

Backup and restore ...................................................................................................................................39

Crashdumps..............................................................................................................................................42

Statistics....................................................................................................................................................44

Events and logging....................................................................................................................................47

Chapter 3: Addressing..................................................................................................................... 54

Interfaces...................................................................................................................................................54

ARP...........................................................................................................................................................58

Address books...........................................................................................................................................63

IPv6 support..............................................................................................................................................66

DNS...........................................................................................................................................................70

Chapter 4: Address Translation...................................................................................................... 73

Overview....................................................................................................................................................73

NAT...........................................................................................................................................................73

SAT ...........................................................................................................................................................78

Chapter 5: Routing .......................................................................................................................... 86

Principles of routing ..................................................................................................................................86

Static routing..............................................................................................................................................91

Chapter 6: Firewall........................................................................................................................... 96

IP rules......................................................................................................................................................96

Services...................................................................................................................................................103

Access rules............................................................................................................................................107

Internet access........................................................................................................................................110

Chapter 7: IPsec VPN .................................................................................................................... 113

Overview..................................................................................................................................................113

IPsec components...................................................................................................................................117

Setting up IPsec tunnels .........................................................................................................................135

NAT traversal...........................................................................................................................................138

CA server access....................................................................................................................................140

IPsec troubleshooting .............................................................................................................................143

Chapter 8: Authentication.............................................................................................................. 153

Authentication profiles.............................................................................................................................153

RADIUS authentication ...........................................................................................................................154

The radiussnoop command ....................................................................................................................156

Chapter 9: High Availability........................................................................................................... 157

Overview .................................................................................................................................................157

HA mechanisms .....................................................................................................................................159

Setting up HA .........................................................................................................................................161

HA issues ...............................................................................................................................................166

Chapter 10: Advanced Settings .................................................................................................... 168

Flow timeout settings ..............................................................................................................................168

Length limit settings ................................................................................................................................169

Fragmentation settings ...........................................................................................................................171

Local fragment reassembly settings .......................................................................................................176

Chapter 11: I-WLAN........................................................................................................................ 177

I-WLAN overview ....................................................................................................................................177

GTP tunnels.............................................................................................................................................178

Interface stitching....................................................................................................................................181

Using IP rules .........................................................................................................................................182

Adding client routing................................................................................................................................182

Certificates with I-WLAN .........................................................................................................................183

Support for multiple GGSNs....................................................................................................................184

I-WLAN use case ....................................................................................................................................184

Appendix A: Glossary of Terms.................................................................................................... 185

Appendix B: OSI Model.................................................................................................................. 197

Overview .................................................................................................................................................197

Preface

About this manual

ThismanualdescribestheRadisysSEG,ahighlyscalablesecuritygatewayoptimizedforLong

TermEvolution(LTE)deployments.ThismanualintroducesSEGsoftwareconceptsandserves

asareferenceforproceduralandusageinformation.

Thetargetaudienceforthismanualisadministratorswhoareresponsibleforconfiguringand

managingtheSEGanditsoperatingsystem.Itisassumedthattheadministratorshavebasic

knowledgeofnetworksandnetworksecurity.

What’s new in this manual

•AddedtroubleshootingwithICMPpingonpage25.

• Changedthetypesofauthenticationavailableonpage153.

• UpdatedverifyingHAsynchronizationonpage165.

Where to get more product information

VisittheRadisyswebsiteatwww.radisys.comforproductinformationandotherresources.

Downloads(manuals,releasenotes,software,etc.)areavailableat

www.radisys.com/downloads.

SeethefollowingresourcesforinformationontheSEGnotdescribedinthismanual:

•TheSEG‐100GettingStartedGuidedescribeshowtosetuptheSEG‐100modulesandthe

SEG‐11002system,andhowtoconfiguretheSEGsoftwareforinitialuse.

•TheSEG‐100CommandLineInterfaceReferencedescribestheSEGcommandline

interfaceandservesasareferenceforcommandsyntaxandoptions.

•TheSEG‐100LogReferencedescribesalllogmessagesgeneratedbytheSEG.

•TheSEG‐100StatisticsReferencedescribesallstatisticalvaluesandassociatedparameters

thataremaintainedbytheSEG.

•TheSEG‐100TTGInterfaceReferencedescribestheinterfacesfortheSEGTunnel

TerminatingGateway(TTG).

Preface

Related documents

RFC791,InternetProtocol,IETF,September1981.

RFC1191,PathMTUDiscovery,IETF,November1990.

RFC1305,NetworkTimeProtocol(Version3),IETF,March1992.

RFC1321,TheMD5Message‐DigestAlgorithm,IETF,April1992.

RFC1777,LightweightDirectoryAccessProtocol,IETF,March1995.

RFC1918,AddressAllocationforPrivateInternets,IETF,February1996.

RFC2030,SimpleNetworkTimeProtocol(SNTP)Version4forIPv4,IPv6andOSI,IETF,

October1996.

RFC2138,RemoteAuthenticationDialInUserService(RADIUS),IETF,April1997.

RFC2139,RADIUSAccounting,IETF,April1997.

RFC2251,LightweightDirectoryAccessProtocol(v3),IETF,December1997.

RFC2401,SecurityArchitecturefortheInternetProtocol,IETF,November1998.

RFC2406,IPEncapsulatingSecurityPayload(ESP),IETF,November1998.

RFC2460,InternetProtocol,Version6(IPv6)Specification,IETF,December1998.

RFC3947,NegotiationofNAT‐TraversalintheIKE,IETF,January2005.

RFC4306,InternetKeyExchange(IKEv2)Protocol,IETF,December2005.

RFC5905,NetworkTimeProtocolVersion4:ProtocolandAlgorithmsSpecification,IETF,June

2010.

Notational conventions

Thismanualusesthefollowingconventions

Allnumbersaredecimalunlessotherwisestated.

ItalicText File,function,andutilitynames.

MonoText Screentextandsyntaxstrings.

BoldMonoText Acommandtoenter.

ItalicMonoText Variableparameters.

Brackets[] Commandoptions.

Curlybraces{}Agroupedlistofparameters.

Verticalline|An“OR”inthesyntax.Indicatesachoiceofparameters.

Chapter

Overview

SEG overview

TheRadisysSEGisarobusttelecomsecuritygatewaybasedonNetworkDomainSecurity

(NDS)standardsthatprovidesstatefulfirewallingandIPsectunnelinginasingleplatform.The

SEGcanbeusedtosecureanylargeIPbasednetwork.Initsfirstrelease,theSEGistargeted

foruseasasecuritygatewaybetweeninfrastructureelementsinLTEAccess/BackhaulandLTE

EvolvedPacketCorenetworks.Insubsequentreleases,theSEGwillsupportcurrent

generation(2G/3G)wirelessoffloadapplicationslikeI‐WLAN,UMA/GANandFemtocellthat

areevolvingtoLTE.Itisalsoideallysuitedforhighperformanceandnext‐genfirewalling

scenarios.

TheRadisysSEGisbuiltaroundthecarrier‐gradeAdvancedTelecommunicationsComputing

Architecture(ATCA),andoffersworld‐classsecurityfeatureswithmulti‐gigabitthroughput

andperformance.ThemaincomponentoftheRadisysSEGistheSEG‐100securitymodule,a

fullycontainedsecuritygatewayresidingonanATCAmodule.TheSEG‐100canbedeployedin

astandaloneSEG‐11002system,orintegratedintootherATCAbasednetworkelements.Both

standaloneandintegratedconfigurationssupportcarriergradehighavailabilitywith

redundanthardwareandsophisticatedfaulttolerantsoftware.

TheSEG‐11002isa2U,2‐slotATCAsystem,ideallysuitedforinitialtrialsandsmall‐to‐

mediumsizedeployments.ItcontainsoneortwoSEG‐100modules,andcanbeconfiguredas

ahighavailabilitysystem,withactiveandpassiveSEG‐100sprovidingfullstatefulredundancy

forIPsectunnelsandpacketflows.

TheSEGsecuritysoftwareisbasedonaproprietaryoperatingcorewithasmallattacksurface,

makingtheapplicationprocessinghighlysecureandefficient.Thesoftwareprocessesmillions

ofconcurrentIPpacketflowsinrealtime,whileapplyingarichsetoffirewallingrulesand

routingpolicies.ItalsosetsupVPN/IPsectunnels,usingsecurekeysandapplyingadvanced

dataintegrityandencryptiontechniques.

SEG architecture

TheSEGarchitectureiscenteredontheconceptofflows.TraditionalIProutersorswitches

commonlyinspectallpacketsandthenperformforwardingdecisionsbasedoninformation

foundinthepacketheaders.Withthisapproach,packetsareforwardedwithoutanysenseof

context,whicheliminatesanypossibilitytodetectandanalyzecomplexprotocolsandenforce

correspondingsecuritypolicies.

Overview

Stateful inspection

TheSEGemploysatechniquecalledstatefulinspectionwhichmeansthatitinspectsand

forwardstrafficonaper‐flowbasis.TheSEGdetectswhenanewflowbetweenasourceand

destinationisbeingestablished,andkeepsinformationabouttheflowoveritslifetime.By

doingthis,theSEGisabletounderstandthecontextofnetworktraffic,enablingittoperform

avarietyofimportantfunctions.

Thestatefulinspectionapproachadditionallyprovideshighthroughputperformancewiththe

addedadvantageofadesignthatishighlyscalable.TheSEGsubsystemthatimplements

statefulinspectionissometimesreferredtoastheSEGstate‐engine.

Allflowshaveaspecifiedidlelifetime,afterwhichtheyareremovedfromtheflowtable.

Basic building blocks

Fromtheadministrator’sviewpoint,thebasicSEGbuildingblocksare:

•InterfacessuchasphysicalEthernetinterfacesorlogicalVPNtunnels.

•LogicalobjectsthatareindividuallogicaldefinitionswithintheSEG.Forexample,Address

objectscanbedefinedintheAddressBooktogivelogicalnamestoIPandothertypesof

addresses.

•Rulesetsthatmakeupthesecuritypoliciesthatyouwanttoimplement.TheseincludeIP

rules.

Thesethreetypesofbuildingblocksarediscussednext.

Interfaces

Interfacesarethedoorwaysthroughwhichnetworktrafficentersorleavesthesecurity

gateway.Withoutinterfaces,anSEGsystemhasnomeansforreceivingorsendingtraffic.

ThefollowingtypesofinterfacearesupportedintheSEG:

•Physicalinterfaces

ThesecorrespondtotheactualphysicalEthernetinterfaceportsthroughwhichtraffic

arrivesandleavesthehardwareplatformrunningtheSEG.

• Tunnelinterfaces

UsedforreceivingandsendingtrafficthroughVPNtunnels.Thesearetreatedaslogically

equivalenttophysicalinterfaceswhenyouconfiguretheSEG.Forexample,arouteinan

SEGroutingtablecouldspecifyeitheraphysicalortunnelinterfaceasthedestinationfor

aparticularnetwork.

TheSEGinterfacedesignissymmetric,meaningthattheinterfacesofthedevicearenotfixed

asbeingonthe“insecureoutside”or“secureinside”ofanetworktopology.Thenotionof

whatisinsideandoutsideiscompletelyforyoutodefine.

Overview

Logical objects

Youcanconsiderlogicalobjectstobepredefinedbuildingblocksforuseinrulesets.For

example,theaddressbookcontainsnamedobjectsrepresentinghostandnetworkaddresses.

Anotherexampleoflogicalobjectsareservicesthatrepresentspecificprotocolandport

combinations.

SEG rule sets

Finally,ruleswhicharedefinedbytheadministratorinthevariousrulesetsareusedfor

actuallyimplementingSEGsecuritypolicies.ThemostfundamentalsetofrulesaretheIP

Rules,whichareusedtodefineLayer3IPfilteringpolicies.

Basic packet flow

ThissectionoutlinesthebasicflowforpacketsreceivedandforwardedbytheSEG.The

followingdescriptionissimplifiedandmightnotbefullyapplicableinallscenarios,however,

thebasicprincipleswillbevalidforallSEGdeployments.

1. AnEthernetframeisreceivedononeoftheEthernetinterfacesinthesystem.Basic

Ethernetframevalidationisperformedandthepacketisdroppediftheframeisinvalid.

2. TheIPdatagramwithinthepacketispassedontotheSEGconsistencychecker.The

checkerperformsanumberofconsistencychecksonthepacket,includingvalidationof

checksums,protocolflags,packetlengthandsoon.Iftheconsistencychecksfail,the

packetgetsdroppedandtheeventislogged.

3. TheSEGnowtriestolookupanexistingflowbymatchingparametersfromtheincoming

packet.Anumberofparametersareusedinthematchattempt,includingthesource

interface,sourceanddestinationIPaddresses,andIPprotocol.Ifamatchcannotbe

found,aflowestablishmentprocessstarts.

4. TheAccessRulesareevaluatedtofindoutifthesourceIPaddressofthenewflowis

allowedonthereceivedinterface.IfnoAccessRulematchesthenareverseroutelookup

willbedoneintheroutingtables.

Inotherwords,bydefault,aninterfacewillonlyacceptsourceIPaddressesthatbelongto

networksroutedoverthatinterface.Areverselookupmeansthatalookupisdoneinthe

routingtablestoconfirmthatarouteexiststhatwouldroutetrafficdestinedfortheIP

addressoverthatinterface.

IftheAccessRulelookupdeterminesthatthesourceIPisinvalid,thepacketisdropped

andtheeventislogged.

5. Aroutelookupismadeusingtheroutingtable.Thedestinationinterfacefortheflowhas

nowbeendetermined.

Overview

6. TheIPrulesarenowsearchedforarulethatmatchesthepacket.Thefollowing

parametersarepartofthematchingprocess:

•Sourceanddestinationinterfaces

•Sourceanddestinationnetwork

•IPprotocol(forexampleTCP,UDP,ICMP)

•TCP/UDPports

•ICMPtypes

•Pointintimeinreferencetoapredefinedschedule

Ifamatchcannotbefound,thepacketisdropped.

Ifaruleisfoundthatmatchesthenewflow,theActionpropertyoftheruleisusedto

decidewhattheSEGshoulddowiththeflow.IftheactionisDrop,thepacketisdropped

andtheeventisloggedaccordingtothelogsettingsfortherule.

7. IftheactionisAllow,thepacketisallowedthroughthesystem.Acorrespondingflowwill

benotedbytheSEGformatchingsubsequentpacketsbelongingtothesameflow.The

allowedtrafficisalsobidirectionalsothatthesameIPrulealsopermitspacketstoreturn

fromthedestinationnetwork.

Finally,theopeningofthenewflowwillbeloggedaccordingtothelogsettingsofthe

rule.Thedefaultisforloggingtobeenabled.

8. Eventually,thepacketwillbeforwardedoutonthedestinationinterfaceaccordingtothe

flow.Ifthedestinationinterfaceisatunnelinterface,additionalprocessingsuchas

encryptionorencapsulationmightoccur.

Chapter

Management

Management access

ThissectionprovidesdetailsofhowtoworkwiththeSEGmanagementinterfaces.The

followinginterfacesareavailable:

•Commandlineinterface(CLI)

TheCommandLineInterface(CLI)isaccessibleeitherlocallyviaacomputer’sserial

consoleportorremotelyusingtheSecureShell(SSH)protocol.Itprovidesfine‐grained

controloverallparametersintheSEG.

ThisfeatureisdescribedfurtherinCommandlineinterfaceonpage15.

•SNMP

ASecureNetworkManagementProtocol(SNMP)clientcanconnecttotheSEGand

provideread‐onlyaccesstothecurrentSEGconfiguration.Thisfeatureisdescribed

furtherinSNMPmonitoringonpage31.

File transfer with secure copy

SecureCopy(SCP)isawidelyusedcommunicationprotocolforfiletransfer.SCPisa

complementtotheCLIandprovidesasecuremeansoffiletransferbetweenthe

administrator'sexternalmanagementworkstationandtheSEG.Variousfilesusedbythe

SEG,suchasconfigurationbackups,canbebothuploadedanddownloadedusingSCP.

NospecificSCPclientisprovidedwithSEGdistributions.However,thereisawide

selectionofthird‐partySCPclientsfornearlyallworkstationplatforms.

ThisfeatureisdescribedfurtherinSecurecopyonpage30.

Local user databases

Bydefault,theSEGprovidesadefaultLocalUserDatabaseobjectthatisusedtoauthenticate

managementlogins.Thisdatabasecontains,atminimum,onepredefineduseraccount:

Username:admin



Password:admin

Thisaccounthasfulladministrativeread/writeprivilegestoallconfigurationdataandis

alwaystheaccountusedforinitialSSHlogin(consoleaccessdoesnotrequirelogininthe

defaultconfiguration).

Important:Forsecurityreasons,itisrecommendedtochangethepasswordforthedefault

accountassoonaspossiblefollowingtheinitialconfigurationoftheSEG.

Management

Displaying local user databases

WiththeSEGCLI,thenameofthepredefinedlocaluserdatabasecanbedisplayedwiththe

command:

Device:/>showLocalUserDatabase

Name

‐‐‐‐‐‐‐‐‐‐

AdminUsers

ThecontentsofthiscanbedisplayedbyfirstchangingtheCLIcontexttobethedatabase:

Device:/>ccLocalUserDatabaseAdminUsers

TheCLIpromptwillchangetoindicatethenewcontextandthedatabasecontentscanbe

displayed:

Device:/LocalUserDatabase/AdminUsers>show

User

NameGroupsComments

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

adminAdministrators<empty>

Here,theGroupmembershipissignificantsincethisdeterminestheprivilegesthatauserhas.

Finally,returntothedefaultcontext:

Device:/LocalUserDatabase/AdminUsers>cc

Device:/>

Creating Auditor accounts

Extrauseraccountsinthelocaluserdatabasecanbecreatedasrequiredwitharbitrary

usernamesandpasswords.IfthegroupisspecifiedasAdministrators,ithasfullaccess

privileges.

If,however,thegroupisspecifiedasthetextstringAuditors,theuserwillonlyhaveread‐only

privilegesandwillnotbeabletomakeconfigurationchanges.Thefollowingcommands

createanauditoraccountwithausernameofauditandapasswordofaudit:

Device:/>ccLocalUserDatabaseAdminUsers

Device:/LocalUserDatabase/AdminUsers>addUseraudit

Password=audit

Groups=Auditors

Management

Acompletelistingofthisdatabasewillshowthenewaccount:

Device:/LocalUserDatabase/AdminUsers>show

User

NameGroupsComments

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

adminAdministrators<empty>

+auditAuditors<empty>

Device:/LocalUserDatabase/AdminUsers>cc

Device:/>

Here,thegroupnameAuditorsisatextstringanditsmeaningispredefinedintheSEG.The

plussign“+”nexttothenewuserauditindicatesthatthisobjecthasnotyetbeencommitted

totheconfiguration.

Linking logins to the database

Thelocaluserdatabaseisreferredtoduringaloginbecausetherelevantaccessobjectpoints

toanAuthenticationProfile,whichthenpointstothedatabasethatstoresthecredentials.

Forexample,SSHloginsarecontrolledbyaRemoteMgmtSSHobject.Thisobjectreferstoan

AuthenticationProfileobjectthatthenreferstothedatabasetobeusedforauthentication.

AuthenticationProfileobjectsarediscussedfurtherinAuthenticationonpage153.The

diagrambelowillustratestherelationshipbetweenthevariouscomponents.

Figure 1. Local user database usage with SSH

Management

Command line interface

TheCLIprovidesacomprehensivesetofcommandsthatallowthedisplayandmodificationof

aSEGconfiguration.ThissectionprovidesonlyasummaryforusingtheCLI.Foracomplete

referenceforallCLIcommands,seetheSEG‐100CommandLineInterfaceReference.

CLI access methods

TheCLIisaccessibleinoneoftwoways:

•RemotelythroughanetworkconnectiontoanEthernetinterfaceonthehardware

platform,usingtheSecureShell(SSH)protocolfromanSSHclient.

SSHaccessiscontrolledbyapredefinedRemoteMgmtSSHconfigurationobject.

•LocallythroughtheRS232serialconsoleconnectionportofaSEG,usingaconsoleor

consoleemulator.

AccessiscontrolledbyapredefinedComPortAccessconfigurationobjectcalledCOM1.

Controlling SSH access

TheSecureShell(SSH)protocolcanbeusedtoaccesstheCLIoveranetworkfromaremote

hostviaoneoftheEthernetinterfaces.SSHisenabledbydefaultonthedefaultmanagement

Ethernetinterface.

SSHisaprotocolprimarilyusedforsecurecommunicationoverinsecurenetworks,providing

strongauthenticationanddataintegrity.SSHclientsarefreelyavailableforalmostall

hardwareplatforms.TheSEGsupportsversion2oftheSSHprotocol.

ApredefinedRemoteMgmtSSHobjectcontrolsinitialSSHaccessonthedefaultmanagement

interface.AsingleRemoteMgmtSSHobjectexistsbydefaultinaSEGconfigurationandcanbe

displayedwiththeCLIcommand:

Device:/>showRemoteManagementRemoteMgmtSSH

ThefollowingoutputconfirmsthatSSHaccesshasbeenabledonthesfp1interfacefromthe

sfp1_netnetwork.

NameInterfaceNetwork

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

ssh_mgmtsfp1sfp1_net

AuthenticationforSSHaccessiscontrolledbytheAuthProfilepropertyofthe

RemoteMgmtSSHobject.BydefaultthisissettoapredefinedAuthenticationProfileobject

calledMgmtAuthProfile.Thisprofilepointstothepredefinedlocaluserdatabasethat

containsadefaultadministratoraccountwiththecredentials:

•Username:admin

•Password:admin

Toremoveusername/passwordauthenticationforSSH,theauthenticationprofilemustbeset

tonothingandthecommandwouldbe:

Device:/>setRemoteManagementRemoteMgmtSSHssh_mgmtAuthProfile=

Management

Toaddbacktheoriginalauthentication:

Device:/>setRemoteManagementRemoteMgmtSSHssh_mgmt

AuthProfile=MgmtAuthProfile

TheSourcepropertyoftheMgmtAuthProfilewillbeassignedthenameofthelocaluser

databasetouseforauthentication.

Troubleshooting SSH access problems

IftheSSHconsoleistimingoutwhenattemptingSSHaccess,thereareanumberofpossible

reasons:

•UsethelocalconsoleCLItocheckthattheSEGSSHserverisrunning:

Device:/>sshserver

SSHServerPortConnectedclientsStatus

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

ssh_allnets221Running

Intheoutputshown,theserverisclearlyrunning.IfthestatuswasnotRunningorifthe

commandreturnedanewCLIpromptwithnooutput,therewasmostlikelyaproblem

withtheinitialconfigurationoftheSSHserver.

•ChecktheconfigurationoftheRemoteMgmtSSHobject.Ifthisobjectisincorrectly

specifiedoninitialstartup,theSSHservermaynotrun.CheckthattheRemoteMgmtSSH

isenabledandthatavalidauthenticationprofilehasbeenspecifiedandthattheprofile

pointstoavaliddatabasecontainingauserwiththelogincredentialsexpected.

ARemoteMgmtSSHobjectwithanexamplenameofssh_allnetscanbedisplayedwiththe

command:

Device:/>showRemoteManagementRemoteMgmtSSHssh_allnets

Controlling console access to the CLI

TheCLIcanalsobeaccessedusingaconsoleterminalconnecteddirectlytoanRS232porton

thesecuritygatewayhardware.Accessthroughaconsoleportiscontrolledbyapredefined

COMPortAccessconfigurationobjectnamedCOM1.Thiscanbedisplayedwiththecommand:

showCOMPortAccess

PortBpsDatabitsParityStopbitsFlowcontrolRowsCols

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

COM11152008None1None4080

AnAuthenticationProfileisassociatedwiththeComPortAccessobjecttospecify

authentication.Inthedefaultconfiguration,noprofileisspecifiedsothereisno

username/passwordpairrequiredforconsolelogin.ThesameprofileusedbydefaultforSSH

couldbeassociatedwithconsoleaccessbyusingthecommand:

Device:/>setCOMPortAccessCOM1AuthProfile=MgmtAuthProfile

Management

Frequently used commands

ThefollowingcommandswillprobablybethemostoftenusedwiththeCLItomanipulate

differentSEGobjects:

•add:Addsanobject,suchasanIPaddressorarule,toaSEGconfigurationalongwitha

setofrequiredpropertiesfortheobject.

•set:Setsoneormoreconfigurationobjectpropertiestogivenvalues.Forexample,setting

thesourceinterfaceforagivenIPrule.

•show:Displaysthecurrentvaluesofaparticularobjectorsetofconfigurationobjects.

•delete:Deletesaspecificconfigurationobject.

CLI command structure

CLIcommandscommonlyhavethestructure:

<command><object_category><object_type><object_name>

Forexample,todisplayanIPaddressobjectcalledmy_address,enter:

Device:/>showAddressIPAddressmy_address

TheobjectcategoryinthiscaseisAddressandthetypewithinthiscategoryisIPAddress.

Iftheobjecttypeisunique,itscategorycanbeomitted.Thesameexampleasabovecouldbe

shortenedto:

Device:>showIPAddressmy_address

Inthiscase,theobjectcategoryAddressisomittedsinceIPAddressisauniqueobjecttype.

Note:Tabcompletionwillnotworkuntiltheentireobjecttypeisenteredwhenomittingthe

objectcategory.

Thesameobjectnamecouldbeusedwithintwodifferentcategoriesortypes,althoughthisis

bestavoidedinordertoavoidambiguitywhenreadingconfigurations.

Note:Thetermcategoryisalsosometimesreferredtoasthecontextofanobject.

Acommandsuchasaddcanalsoincludeobjectproperties.ToaddanewIPAddressobject

withanIPv4addressof10.49.02.01,thecommandwouldbe:

Device:/>addAddressIPAddressmy_addressAddress=10.49.02.01

Management

Tab completion displays allowed properties only

Therearesomeimportantprinciplestounderstandwhenusingtabcompletionforobject

properties:

•Thepropertiesofanobjectareeitherrequiredoroptional.Whenusingtabcompletion,

optionalpropertiesarenotdisplayeduntilallrequiredpropertieshavebeenassigneda

value.

•Anoptionalproperty’susecandependonthevaluespecifiedforanotherproperty.For

example,inanIPsecTunnelobject,theoptionalProxyARPpropertycanbeusedonlywhen

theAddRouteToRemoteNetworkpropertyhasbeensettoYes.

Thetabcompletionfeatureisawareofthesedependenciesandwillnotdisplayaproperty

ifitisdependentonanotherpropertythathasnotyetbeenassignedavalue.Lookingat

theIPsecTunnelexampleagain,tabcompletionwilldisplaytheProxyARPpropertyonlyif

theAddRouteToRemoteNetworkpropertyhasbeenalreadybeenassignedavalueofYes.

CLI help

TheCLIhelpcommandwillshowallavailablecommandoptions.Typinghelpfollowedbya

commandnamewillshowhelpinformationforthatcommand,providingdetailsaboutthe

command'sfunctionanditsoptions.

Forexample:

Device:/>helptime

COMMAND

time(t).Displayandsetcurrentsystemtime.

"

TypingthisCLIcommandprovidesinformationaboutthehelpcommanditself:

Device:/>helphelp

Configuration object help

Asecondhelpcommand,helpconfig,providesinformationaboutaparticularobjecttypeor

categoryofobjects.

CLI command history

JustlikeacommandconsoleinmanyversionsofMicrosoftWindows™,theupanddown

arrowkeysenableyoutomovethroughthelistofcommandsintheCLIcommandhistory.For

example,pressingtheuparrowkeyoncewillmakethelastcommandexecutedappearatthe

currentCLIprompt.Afteracommandappears,itcanbere‐executedinitsoriginalformor

changedfirstbeforeexecution.

Management

Tab completion

Rememberingaswellastypingcommandsandtheiroptionscanbedemanding.TheSEG

providesafeaturecalledtabcompletion,whichmeansthatpressingtheTabkeywillcause

automaticcompletionofthecurrentpartofthecommand.Ifcompletionisnotpossible,

pressingtheTabkeywilldisplaytheavailablecommandoptions.

Tabcompletiondisplaystherequiredobjectpropertiesfirst,andthenshowsanyoptional

propertieswhenallthemandatoryoneshavebeencompleted.

Specifying the default value

Theperiod(.)characterbeforeatabcanbeusedtoautomaticallyfillinthedefaultvaluefor

anobjectproperty.Forexample:

addLogReceiverLogReceiverSysloglog_example

Address=example_ipLogSeverity=.(tab)

WillfillinthedefaultvalueforLogSeverity:

addLogReceiverLogReceiverSysloglog_exampleAddress=example_ip

LogSeverity=Emergency,Alert,Critical,Error,Warning,Notice,Info

Thisseveritylistcanthenbeeditedwiththebackarrowandbackspacekeys.Adefaultvalueis

notalwaysavailable.Forexample,theActionofanIPrulehasnodefault.

Anotheruseoftheperiodcharacterbeforeatabistoautomaticallyfillinthecurrentvalueof

anobjectpropertyinacommandline.Forexample,youmighttypetheunfinishedcommand:

setAddressIPAddressInterfaceAddresses/sfp1_ip=

Ifyounowtype“.”followedbyatab,theSEGwilldisplaythecurrentvaluefortheAddress

property.Forexample,ifthevalueis10.6.58.10,theunfinishedcommandlinewill

automaticallybecome:

setAddressIPAddressInterfaceAddresses/sfp1_ip=10.6.58.10

TheSEGautomaticallyinsertsthecurrentvalueof10.6.58.10,whichcanthenbechanged

withthebackspaceorbackarrowkeysbeforecompletingthecommand.

Object categories and tab completion

Asmentionedabove,objectsaregroupedbytype,forexample,IPAddress.Typesthemselves

aregroupedbycategory.ThetypeIPAddressbelongstothecategoryAddress.Categoriesare

usedbytabcompletionwhensearchingfortherightobjecttypetouse.

IfyouenteracommandsuchasaddandpresstheTabkey,theSEGdisplaysalltheavailable

categories.BychoosingacategoryandthenpressingtheTabkeyagain,alltheobjecttypesfor

thatcategoryaredisplayed.Usingcategoriesmeansthatthereisasimplewaytospecifywhat

kindofobjectisbeingspecified,andthatamanageablenumberofoptionsaredisplayedafter

pressingtheTabkey.

Management

Selecting object categories

Withsomecategories,itisnecessarytofirstchooseamemberofthatcategorywiththecc

(changecategoryorcontext)commandbeforeindividualobjectscanbemanipulated.Thisis

thecase,forexample,withroutes.Therecanbemorethanoneroutingtable,sowhenadding

ormanipulatingaroute,youmustfirstusethecccommandtoidentifywhichroutingtable

youareinterestedin.

Supposearouteistobeaddedtotheroutingtablemain.Thefirstcommandwouldbe:

Device:/>ccRoutingTablemain

Device:/RoutingTable/main>

Noticethatthecommandpromptchangestoindicatethecurrentcategory.Youcannowadd

theroute:

Device:/RoutingTable/main>addRouteInterface=sfp1

Network=sfp1_netName=new_route1

Todeselectthecategory,thecommandiscconitsown:

Device:/RoutingTable/main>cc

Device:/>

Thecategoriesthatrequireaninitialcccommandbeforeobjectmanipulationhavea“/”

characterfollowingtheirnameswhendisplayedbyashowcommand.Forexample:

RoutingTable/.

Inserting into rule lists

RulelistssuchastheIPrulesethaveanorderingthatisimportant.Withtheaddcommand,

thedefaultistoaddanewruletotheendofalist.Whenplacementataparticularpositionis

crucial,theaddcommandcanincludetheIndex=propertyasanoption.Insertingatthefirst

positioninalistisspecifiedwithIndex=1inanaddcommand,thesecondpositionwith

Index=2andsoon.

Referencing by name

YoucanoptionallynamesomeobjectsusingtheName=propertywiththeaddcommand.An

object,suchasanIPrule,willalwayshaveanIndexvaluethatindicatesitspositionintherule

listbutcanoptionallybeallocatedanameaswell.Subsequentmanipulationofsucharule

canbedoneeitherbyreferringtoitbyitsindex(listposition)orbyusingitsassignedname.

TheSEG‐100CommandLineInterfaceReferenceliststheoptionsavailableforeachSEG

object,includingName=andIndex=.

Tomakereadingconfigurationseasier,itisstronglyadvisedtoalwaysaddauniquenameto

importantobjectsinanSEGconfiguration.Forexample,IPrulesshouldalwayshavean

appropriatenamespecifiedsothattheirpurposecanbeimmediatelyunderstood.

UsingduplicatenamesfortheNameoptionisallowedbutnotrecommended.

Table of contents

Other RadiSys Gateway manuals

RadiSys

RadiSys PM6264S ONT User manual

Popular Gateway manuals by other brands

ICP DAS USA

ICP DAS USA GRP-540M quick start

Zycoo

Zycoo G Series user guide

Tekon

Tekon PA160410220 product manual

Aristel

Aristel NEOS3001-3G01 operating manual

VRmagic

VRmagic VRmNet quick start guide

Samsung

Samsung SMG-3200 user guide

Zte

Zte ZXHN H267N user manual

Emerson

Emerson 1410S quick start guide

SSS Siedle

SSS Siedle Smart Gateway Professional Commissioning instructions

SharkRF

SharkRF openSPOT3 user manual

Gigaset

Gigaset SE565 user guide

ABB

ABB Cassia X1000 installation manual

SMC Networks

SMC Networks SMC8414-2PD-SIP Specification sheet

Juniper

Juniper SRX550 Hardware guide

hilscher

hilscher netTAP NT 151-CCIES-RE user manual

DCB

DCB Ether Series user guide

Avaya

Avaya Media Gateway G250 Administration

Moore Industries

Moore Industries HES user manual

RadiSys SEG-100 Instruction Manual

Popular Gateway manuals by other brands