User Ref Oneos Book Admin

This document provides an overview of features for the OneOS V5.2 software release including file management, general management functions, date/time settings, configuration recovery, and SNMP support. A table outlines features by release going back to V3.5R2E3, showing which editions of the OneOS user guide new features were documented in. The guide contains information for administrators on using OneOS to manage networking devices.


ONEOS V5.2 ADMIN USER GUIDE (EDITION 21)

OneAccess Networks
Pentagone Plaza
381, Avenue du Général de Gaulle
92140 Clamart
FRANCE

The law of 11 March 1957, paragraphs 2 and 3 of article 41, only authorizes, firstly, "copies and reproductions strictly reserved for use by copyists and not for general use" and, secondly, "analyses and short quotations for the purpose of example and illustration". Therefore, "any representation or reproduction, entire or partial, made without the consent of the author or his representatives is illegal" (paragraph 1 of article 40). Any such representation or reproduction, made in any manner whatsoever, would therefore constitute an infringement of the law as sanctioned by articles 425 and following of the penal code.

Information contained in this document is subject to change without prior notice and does not constitute any form of obligation on the part of OneAccess.

OneAccess and the distributors can in no case be held responsible for direct or indirect damage of any kind incurred as a result of any error in the software or guide.

Every care has been taken to ensure the exactitude of information in this manual. If however you discover an error, please contact the OneAccess After Sales Service division.

Twenty-first edition: April 2016

Admin User Guide Page 1.1-2 of 245

1 I N T R O D U C T I O N

This edition of the OneOS Book corresponds to the V5.2 software releases. It also applies to all
previous software releases of OneOS, according to the feature matrix described hereafter.

The OneOS software developed for use with the ONE product range offers an extensive range of features
designed to provide a complete & highly powerful range of multi-service access routers:
• Full IP router with NAPT, Security, and Quality of Service management
• Support of voice for analog and ISDN S0/T0 terminals using Voice over IP and Voice over ATM
• Interworking of data protocols (FR, X.25, PAD, XOT, X.31)
• Application layer management tools (WAN Optimization)
• Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP

This document is the OneOS user guide for the admin functions of the OneOS-based product range.
Eight other user guides and two global indexes are available:
o OneOS – Bridging & LAN User Guide
o OneOS – Basic IP User Guide
o OneOS – Advanced IP User Guide
o OneOS – WAN User Guide
o OneOS – VoIP User Guide
o OneOS – VoATM & CES User Guide
o OneOS – IBC User Guide
o OneOS – Applications User Guide
o Index of OneOS User Guides (global table of contents)
o Index of CLI of OneOS User Guides (global list of CLI commands)

Admin User Guide Page 1.1-3 of 245


ONEOS V5.2 ADMIN USER GUIDE (EDITION 21)

1.1 FEATURE MATRIX

The following table lists, edition by edition, the released features. The table was started at the
V3.5R2E3 software release: for simplicity, the indicated software release is the earliest release from
V3.5R2E3 onwards in which a feature is present, although most features were already available in
earlier versions.
The table also shows in which edition of the OneOS book a feature was added to the User Guide, starting
with Edition 16.

| Main Function | Feature | Present at least in | Added in UG |
|---|---|---|---|
| File system | Checking downloaded SW and boot integrity | V3.5R2E3 | |
| | Dual SW image boot | V3.5R2E3 | |
| | File transfer via FTP client | V3.5R2E3 | |
| | File transfer via TFTP client | V3.5R2E3 | |
| | TFTP server for file uploading | V4.1R5E6 | |
| | Download and extract a TAR archive in file system | V3.7R11E14 | |
| | HTTP client over IPv6 | V5.1R2E5 | |
| | Limit the transfer from authorized TFTP servers by means of an access list | V5.1R5 | Edition 16 |
| | When copying files to the file system, the file name must be less than 39 characters. | | Edition 17 |
| | File encryption / decryption commands added; refer to 2.3.3.1 Management of files and directories. | V5.2R1 | Edition 21 |
| General management functions | Command output filtering with the ‘\|’ command | V3.5R2E3 | |
| | Command for checking integrity of a downloaded boot or software image | V3.5R2E3 | |
| | Password recovery | V3.5R2E3 | |
| | Delayed reboot | V3.5R2E3 | |
| | Restore factory settings command | V3.5R2E3 | |
| | Banner (before/after logging in) up to 230 characters | V3.5R2E3 | |
| | Banner (before/after logging in) up to 9200 characters | V4.3R2E2 | |
| | Global statistics screen | V3.5R2E3 | |
| | CPU load statistics | V4.2R5E6 | |
| | show ip interface brief command | V3.5R2E3 | |
| | Logging to a syslog server | V3.5R2E3 | |
| | Syslog message at startup | V4.3R4E24 | |
| | Blacklist management (console, tshell, telnet, SSH, web) | V4.2R5E2 | |
| | Command blacklist attempts added | V5.2R1E1 | |
| | Limiting broadcast, multicast, unknown unicast traffic | V5.2R1E1 | |
| | Displaying CPU and memory usage per system task | V5.1R5 | Edition 16 |
| | Restore factory settings while preserving saved configuration | V5.2R1 | Edition 16 |
| | Limiting broadcast, multicast, unknown unicast traffic by percentage of bandwidth | V5.2R1 | Edition 16 |
| | List of managed events added in Annex A | V5.2R1 | Edition 16 |
| | CPU load statistics for every CPU core individually | V5.2R1 | Edition 16 |
| | User passwords are encrypted and stored in a more secure way. Refer to 2.20 User Management. | V5.2R1 | Edition 17 |
| | Monitoring the level of free memory. Refer to 2.4.4 Monitoring of Free memory. | V5.2R1 | Edition 18 |
| | power redundancy-mode command to activate the dual power supply function, on devices with 2 power inputs; refer to 7 Power Redundancy. | V5.1R5 | Edition 19 |
| Date/Time | Manual date/time setting | V3.5R2E3 | |
| | Clock offset based on time zone and summer time | V3.5R2E3 | |
| | Synchronization with an NTP server (broadcast mode or not) | V3.5R2E3 | |
| | Setting of SNTP source address (in non-broadcast mode) | V3.5R2E3 | |
| | SNTP server | V4.2R3E6 | |
| | IPv6 SNTP client | V5.1R2E5 | |
| | Added source option to the sntp-server unicast command; refer to 2.24.5 SNTP Server. | V5.2R1 | Edition 18 |
| Configuration Recovery | Check SIP gateway registration to trigger configuration recovery | V3.7R10E3 | |
| | Check ping status to trigger configuration recovery | V3.7R10E3 | |
| SNMP | Version 1, version 2C | V3.5R2E3 | |
| | Multiple read-write communities | V3.5R2E3 | |
| | Restricting SNMP access via IPv4 access-lists | V3.5R2E3 | |
| | Setting of SNMP source address | V3.5R2E3 | |
| | SNMP v3: DES/3DES/no encryption, SHA/MD5 authentication | V3.5R2E3 | |
| | SNMP views | V3.5R2E3 | |
| | SNMP informs (acknowledged traps in SNMP v3) | V3.5R2E3 | |
| | Configuration of SNMP chassis-id, contact and location | V3.5R2E3 | |
| | Restricting SNMP access via IPv6 access-lists | V5.1R5E4 | |
| | SNMP MIBs: check OneOS software release notes | V5.1R2E5 | |
| | SNMP v3 user creation: AES128\|192\|256, 3DES encryption | V5.1R5 | Edition 16 |
| | SNMP v3 user storage: in snmpv3_users.log or at the end of the configuration | V5.1R5 | Edition 19 |
| Traces and logging | Event function (logging of state changes) to a syslog server, SNMP traps, console/file logging | V3.5R2E3 | |
| | Logging of configuration history | V3.5R2E3 | |
| | Trace and debug function (logs: buffered, syslog, console, file) | V3.5R2E3 | |
| | Possible to generate a log and send syslog messages for successful and failed login attempts. Refer to 2.12.6 Reporting login attempts. | V5.2R1 | Edition 17 |
| Ping/traceroute | Ping with source address setting | V3.5R2E3 | |
| | Extended ping | V3.5R2E3 | |
| | Ping for IPv6 | V5.1R2E5 | |
| | Traceroute with source address setting | V3.5R2E3 | |
| | Traceroute for IPv6 | V5.1R2E5 | |
| | Device can reboot if a ping is not answered; refer to 2.6.8 Reboot on no answer to a ping. | V4.3R4 | Edition 18 |
| Telnet | Telnet client. Configurable port and source address | V3.5R2E3 | |
| | Clear session of another user | V3.5R2E3 | |
| | Setting up an access-list to restrict access to the embedded server | V3.5R2E3 | |
| | Telnet client over IPv6 | V5.1R2E5 | |
| | Telnet server: configurable timeout, attachment to one or more interfaces and telnet server access restriction by an ACL | V3.5R2E3 | |
| | Telnet server over IPv6 | V5.1R2E5 | |
| | Possibility to disable Telnet completely | V5.2R1E1 | |
| SSH | SSH server version 2 | V3.5R2E3 | |
| | Configurable DSA signature length | V3.5R2E3 | |
| | Enabling/disabling the SSH server | V3.5R2E3 | |
| | Attaching the SSH server to one or more interfaces | V3.5R2E3 | |
| | Attaching the SSH server to an ACL for access restriction | V3.5R2E3 | |
| | SSH remote "exec telnet" command | V4.2R5E15 | |
| | SSH local port forwarding | V4.3R2E2 | |
| | Initiating an SSH session as SSH client | V5.1R5 | Edition 16 |
| | SSH server can handle any CLI command inside an SSH session; refer to 2.15.1.5 Handling CLI commands entered remotely. | V5.2R1 | Edition 17 |
| | SSH client: optional destination port, source interface and VRF added in command; refer to 2.15.2.12 Initiating a SSH session as SSH client. | V5.2R2 | Edition 21 |
| Web Configurator | HTTP server | V3.5R2E3 | |
| | HTTPS server | V4.2R2E2 | |
| | Web downloading/uploading restriction | V4.2R2E2 | |
| | HTTP proxy | V4.2R3E6 | |
| | HTTPS certificate management | V4.2R4E2 | |
| | Command http-server user add expanded: possibility to use the serial number as password | V5.1R5 | Edition 19 |
| Packet capturing | Filter and log packets of an interface | V3.5R2E3 | |
| | Save captured packets in a pcap file | V3.5R2E3 | |
| | Capture of 802.11 frames | V4.2R3E6 | |
| | Send captured packets to a remote capture server | V5.1R5 | Edition 16 |
| AAA, Local user database and role-based CLI | Configuration of local users | V3.5R2E3 | |
| | Support of 15 privilege levels | V3.5R4E3 | |
| | Modification of default command privilege level (‘privilege’ command) | V3.5R2E3 | |
| | RADIUS based user authentication | V3.5R2E3 | |
| | RADIUS over IPv6 | V5.1R2E5 | |
| | TACACS+ based user authentication | V3.5R2E3 | |
| | Command authorization via TACACS+ servers | V3.5R2E3 | |
| | TACACS+ accounting (start-stop signal for commands, stop-only signal for exec session) | V3.5R4E3 | |
| | TACACS+ over IPv6 | V5.1R2E5 | |
| | Vendor ID included in AAA authentication request to a RADIUS server. Refer to 2.23 AAA (Authentication, Authorization and Accounting). | V5.2R1 | Edition 17 |
| | Possibility to use a maximum key length of up to 55 characters; refer to 2.23.3.1 TACACS+ Client Configuration. | V5.2R1 | Edition 18 |
| | Possibility to show and clear statistics per configured TACACS+ server; refer to 2.23.5 Show and Debug Functions. | V5.1R5 | Edition 19 |
| SIP TLS Certificates | SIP TLS - Show certificates; refer to 2.28 Certificates management. | V5.2R1 | Edition 17 |
| | Public Key Infrastructure (PKI) | V5.2R1 | Edition 17 |
| | Self-signed server certificate | V5.2R1 | Edition 17 |
| | Certificate signing request | V5.2R1 | Edition 17 |
| | Certificate import | V5.2R1 | Edition 17 |
| | Revocation checking | V5.2R1 | Edition 17 |
| Certificates | Show certificates | V4.2R5E2 | |
| | Public Key Infrastructure (PKI) | V4.2R5E6 | |
| | Self-signed HTTPS server certificate | V4.2R5E6 | |
| | Certificate signing request | V4.2R5E6 | |
| | Certificate import | V4.2R5E6 | |
| | Use of a trust-point for revocation checking | V4.3R3E2 | |
| Performance Measurement Probe (SLA Monitor) | ICMP echo probe: measuring RTT and packet loss | V3.5R2E3 | |
| | ICMP echo configuration via CLI or SNMP | V3.5R2E3 | |
| | Path echo probe (configuration by CLI and SNMP) | V3.5R2E3 | |
| | Path jitter probe (configuration by CLI) | V3.5R2E3 | |
| | RTR responder | V3.5R2E3 | |
| | History of the last measurements | V3.5R2E3 | |
| | Measurement result distribution to form statistics | V3.5R2E3 | |
| | Reaction triggers | V3.5R2E3 | |
| | RTR Probe based on UDP echo added | V5.2R1 | Edition 16 |
| Auto-update | DHCP method: Automatic software download | V3.5R4E3 | |
| | DHCP method: Automatic configuration download | V3.5R4E3 | |
| | Auto-update via http | V3.7R11E14 | |
| | DHCP option 160 for software, configuration, file and TAR file auto-update | V5.2R1 | Edition 16 |
| | Possibility to enter username and password for configuration, software and file update; refer to 3.2 Auto-update Configuration | V5.2R1 | Edition 21 |
| | EEM applet execution after successful completion of a resource update: `post-update-action applet <id>`; refer to 3.2.3 File Update and 3.2.4 TAR File Update. | V5.2R1 | Edition 21 |
| | Section added: 3.1.7 Behavior with a HTTPS server. | V5.2R1 | Edition 21 |
| CWMP (TR-69) | Download RPC: configuration, OS, web pages. Configuration download in add-in or overwrite mode | V4.2R2E2 | |
| | Upload RPC | V4.2R2E2 | |
| | Inform trigger events: periodic, boot, bootstrap, request download | V4.2R2E2 | |
| | Reboot RPC | V4.2R2E2 | |
| | Factory Reset RPC | V4.2R2E2 | |
| | Get RPC Methods RPC | V4.2R2E2 | |
| | Schedule Inform RPC | V4.2R2E2 | |
| | TR-69 Pass-Through (TR-111) | V4.2R2E2 | |
| | STUN client configuration | V4.2R2E2 | |
| | Netbooster update via TR069; refer to 4.1.4.1.4. | V5.2R1 | Edition 21 |
| Event-driven CPE configuration | Object tracking function | V5.1R5E1 | |
| | Tracking of the state of an RTR probe, of the IP routing state of an interface, of the state of a VRRP instance | V5.1R5E1 | |
| | Tracking of a list of objects | V5.1R5E1 | |
| | Embedded Event Manager (EEM) | V5.1R5E1 | |
| | EEM initial delay configuration | V5.1R5E1 | |
| | EEM applets | V5.1R5E1 | |
| | Dimensioning of EEM increased: up to 99 objects can be tracked simultaneously; up to at least 30 EEM applets can be configured simultaneously; at least 60 CLI commands are allowed within an applet. | V5.2R1 | Edition 16 |
| | EEM v2 Phase 1: applet exec on timer event, pattern matching in CLI output, conditional exec within an applet. Refer to 6.5 Embedded Event Manager Configuration. | V5.2R1 | Edition 17 |
| | EEM v2 Phase 2: applet exec on cron entry; applet exec on syslog event; Regular Expression matching updated; sending syslog message in applet, etc. Refer to 6.5 Embedded Event Manager Configuration. | V5.2R1 | Edition 18 |
| | Tracking of the state of an IP route; refer to 6.4.5 Tracking the state of an IP route. | V5.2R2 | Edition 20 |
| | Sending an email notification in case of an LTE event; refer to section 6.5.2.9. | V5.2R2 | Edition 21 |
| | Tracking the state of a MEP; refer to 6.4.6 Tracking the state of a MEP. | V5.2R1 | Edition 21 |
| RMON | RMON mechanism added; refer to 2.11 RMON Mechanism | V5.2R2 | Edition 21 |


1.2 TABLE OF CONTENTS

1 INTRODUCTION ....................................................................................................................................... 1.1-3
1.1 Feature Matrix ................................................................................................................................ 1.1-4
1.2 Table of Contents........................................................................................................................... 1.2-9
2 SYSTEM MANAGEMENT ...................................................................................................................... 1.2-15
2.1 Introduction to System Management ........................................................................................... 2.1-15
2.1.1 Preliminary Instructions .................................................................................................... 2.1-15
2.1.2 Getting Started ................................................................................................................. 2.1-15
2.2 Console Port Settings .................................................................................................................. 2.2-17
2.2.1 Default Settings ................................................................................................................ 2.2-17
2.2.2 Console Port Inactivity Timeout ........................................................................................ 2.2-17
2.2.3 Disabling Console Port ..................................................................................................... 2.2-17
2.2.4 Detecting Console Cable Disconnection........................................................................... 2.2-17
2.3 File system ................................................................................................................................... 2.3-18
2.3.1 Introduction ....................................................................................................................... 2.3-18
2.3.2 File Systems Layout ......................................................................................................... 2.3-18
2.3.3 File System Commands.................................................................................................... 2.3-19
2.3.3.1 Management of files and directories ...................................................................... 2.3-19
2.3.3.2 Copying files to and from the OneOS device......................................................... 2.3-20
2.3.3.3 Examples............................................................................................................... 2.3-22
2.4 Getting Router Hardware, Software, CPU and Memory Information ............................................ 2.4-23
2.4.1 Hardware Information ....................................................................................................... 2.4-23
2.4.2 Software Information......................................................................................................... 2.4-23
2.4.3 CPU and Memory Information .......................................................................................... 2.4-25
2.4.4 Monitoring of Free memory............................................................................................... 2.4-26
2.5 Start-Up ....................................................................................................................................... 2.5-27
2.6 Configuration of Management Functions ..................................................................................... 2.6-28
2.6.1 Starting a Telnet Session.................................................................................................. 2.6-28
2.6.2 Configuration Session....................................................................................................... 2.6-28
2.6.3 Enabling Multiple Configuration Sessions......................................................................... 2.6-29
2.6.4 Saving the Configuration on a Permanent Disk ................................................................ 2.6-29
2.6.5 Automatic and Periodic Backup of the Configuration........................................................ 2.6-30
2.6.5.1 Automatic and periodic backup ............................................................................. 2.6-30
2.6.5.2 Preserving the saved configuration after a restore ................................................ 2.6-30
2.6.6 Editing a Configuration File............................................................................................... 2.6-31
2.6.7 Scheduled Reboot ............................................................................................................ 2.6-32
2.6.8 Reboot on no answer to a ping ......................................................................................... 2.6-32
2.6.9 Reboot and Test a New Configuration or Software Image................................................ 2.6-32
2.6.10 Management of reboot log files ........................................................................................ 2.6-33
2.6.11 Reset of Device Configuration .......................................................................................... 2.6-33
2.6.12 Restoring Factory Settings ............................................................................................... 2.6-33
2.6.13 Syslog Message at Startup ............................................................................................... 2.6-34
2.7 Software Upgrade of a Router ..................................................................................................... 2.7-35
2.8 Password Recovery ..................................................................................................................... 2.8-37
2.9 Configuration Recovery ............................................................................................................... 2.9-38
2.9.1 Introduction ....................................................................................................................... 2.9-38
2.9.2 Configuration Commands ................................................................................................. 2.9-38
2.9.3 Statistics ........................................................................................................................... 2.9-39
2.10 SNMP Based Management ........................................................................................................2.10-40
2.10.1 SNMP v1/v2 .....................................................................................................................2.10-41
2.10.1.1 When using IPv4 ..................................................................................................2.10-41
2.10.1.2 When using IPv6 ..................................................................................................2.10-41
2.10.2 View-Based SNMP Access Control .................................................................................2.10-42
2.10.3 SNMP v3 .........................................................................................................................2.10-43
2.10.3.1 Basic Configuration ..............................................................................................2.10-43
2.10.3.2 SNMP v3 Informs .................................................................................................2.10-46
2.10.3.3 SNMP v3 User Storage ........................................................................................2.10-47
2.10.4 IPv6 Access Lists ............................................................................................................2.10-48

2.10.5 Miscellaneous ..................................................................................................................2.10-48
2.10.6 Event Managers ..............................................................................................................2.10-49
2.10.7 Adapting SNMP Traps .....................................................................................................2.10-49
2.10.8 Debugging SNMP ............................................................................................................2.10-49
2.10.9 SNMP Statistics ...............................................................................................................2.10-50
2.11 RMON Mechanism......................................................................................................................2.11-52
2.11.1 Introduction ......................................................................................................................2.11-52
2.11.2 Configuration Examples...................................................................................................2.11-52
2.11.2.1 Absolute Example ................................................................................................2.11-52
2.11.2.2 Delta Example ......................................................................................................2.11-53
2.11.3 Statistics ..........................................................................................................................2.11-53
2.12 Traces and Events ......................................................................................................................2.12-54
2.12.1 Introduction ......................................................................................................................2.12-54
2.12.2 Event Filters.....................................................................................................................2.12-54
2.12.3 Logging NAT sessions via Syslog ...................................................................................2.12-55
2.12.4 Logging the IPsec IKE state via Syslog ...........................................................................2.12-56
2.12.5 Showing and removing filters...........................................................................................2.12-56
2.12.6 Reporting login attempts ..................................................................................................2.12-57
2.12.7 Reading the Events .........................................................................................................2.12-58
2.12.8 System Logging ...............................................................................................................2.12-59
2.12.9 Configuration History .......................................................................................................2.12-62
2.13 Ping & Traceroute .......................................................................................................................2.13-63
2.13.1 IPv4 Ping .........................................................................................................................2.13-63
2.13.2 IPv6 Ping .........................................................................................................................2.13-63
2.13.3 Xping (Extended Ping) .....................................................................................................2.13-64
2.13.4 Trace Route .....................................................................................................................2.13-64
2.13.5 IPv6 Trace Route .............................................................................................................2.13-65
2.14 TELNET, TFTP, SCP Servers / Telnet, TFTP, FTP Clients ........................................................2.14-66
2.14.1 Telnet Client ....................................................................................................................2.14-66
2.14.2 Telnet Server ...................................................................................................................2.14-66
2.14.2.1 Attaching the Telnet Server to an Interface ..........................................................2.14-67
2.14.2.2 Restricting Telnet Access to a Pool of Hosts ........................................................2.14-68
2.14.2.3 Using a designated VRF.......................................................................................2.14-69
2.14.2.4 Configuring the Telnet Server Timeout.................................................................2.14-69
2.14.2.5 Disconnecting a Telnet User ................................................................................2.14-69
2.14.2.6 Logging the Telnet Connections ...........................................................................2.14-69
2.14.3 TFTP Client .....................................................................................................................2.14-70
2.14.4 TFTP Server ....................................................................................................................2.14-71
2.14.5 FTP Client........................................................................................................................2.14-71
2.14.6 SFTP Client .....................................................................................................................2.14-72
2.14.7 SCP Server......................................................................................................................2.14-73
2.15 SSH – Secure SHELL .................................................................................................................2.15-74
2.15.1 Features ..........................................................................................................................2.15-74
2.15.1.1 Secure Encrypted Communications .....................................................................2.15-74
2.15.1.2 Strong Security .....................................................................................................2.15-74
2.15.1.3 Strong Authentication ...........................................................................................2.15-74
2.15.1.4 Remote "exec telnet" commands and local port forwarding .................................2.15-75
2.15.1.5 Handling CLI commands entered remotely ..........................................................2.15-76
2.15.2 Configuration ...................................................................................................................2.15-76
2.15.2.1 Generating the Authentication Keys .....................................................................2.15-76
2.15.2.2 Starting the SSH daemon .....................................................................................2.15-76
2.15.2.3 Stopping the SSH daemon ...................................................................................2.15-77
2.15.2.4 Configuring the SSH Server Timeout ...................................................................2.15-77
2.15.2.5 Configuring the SSH Server Authentication Method.............................................2.15-77
2.15.2.6 Configuring the SSH Server Authentication Timeout............................................2.15-77
2.15.2.7 Configuring the SSH Server Authentication Retries .............................................2.15-77
2.15.2.8 Attaching the SSH Server to an Interface .............................................................2.15-77
2.15.2.9 Restricting SSH Access to a Pool of Hosts ..........................................................2.15-78
2.15.2.10 Using a designated VRF.......................................................................................2.15-78
2.15.2.11 Configuring the maximum number of sessions.....................................................2.15-78
2.15.2.12 Initiating a SSH session as SSH client .................................................................2.15-79
2.15.3 Statistics ..........................................................................................................................2.15-80
2.15.4 Configuration example .....................................................................................................2.15-80
2.16 Capturing Packets.......................................................................................................................2.16-81
2.16.1 Defining one or more filters..............................................................................................2.16-81

Admin User Guide Page 1.2-10 of 245


ONEOS V5.2 ADMIN USER GUIDE (EDITION 21)

2.16.2 Defining a logical device ..................................................................................................2.16-82
2.16.3 Starting, displaying, storing the traffic capture .................................................................2.16-83
2.17 Intercepting Packets ...................................................................................................................2.17-85
2.18 System Indicators .......................................................................................................................2.18-86
2.18.1 Checking CPU load .........................................................................................................2.18-86
2.18.2 Checking Memory & Flash spaces ..................................................................................2.18-93
2.18.3 Checking Reboot Causes ................................................................................................2.18-94
2.19 Statistics .....................................................................................................................................2.19-96
2.19.1 Interfaces Statistics..........................................................................................................2.19-96
2.19.2 Global Statistics ...............................................................................................................2.19-96
2.19.2.1 Summary Screen ..................................................................................................2.19-96
2.19.2.2 IP Routes..............................................................................................................2.19-97
2.19.2.3 WAN Detailed Screen ..........................................................................................2.19-97
2.19.2.4 PVC Screen..........................................................................................................2.19-97
2.20 User Management ......................................................................................................................2.20-98
2.20.1 Introduction ......................................................................................................................2.20-98
2.20.2 Adding a user ..................................................................................................................2.20-99
2.20.3 Examples .........................................................................................................................2.20-99
2.20.4 Removing a user .............................................................................................................2.20-99
2.20.5 Changing a password ....................................................................................................2.20-100
2.20.6 Access Right Management ............................................................................................2.20-100
2.21 Configuration of Command Accessibility per User Privilege .....................................................2.21-101
2.22 Banner ......................................................................................................................................2.22-103
2.23 AAA (Authentication, Authorization and Accounting) ................................................................2.23-105
2.23.1 Introducing AAA.............................................................................................................2.23-105
2.23.2 RADIUS .........................................................................................................................2.23-106
2.23.2.1 RADIUS Client Configuration .............................................................................2.23-106
2.23.2.2 RADIUS Server Configuration ............................................................................2.23-107
2.23.3 TACACS+ ......................................................................................................................2.23-108
2.23.3.1 TACACS+ Client Configuration ..........................................................................2.23-108
2.23.3.2 TACACS+ Server Configuration .........................................................................2.23-110
2.23.3.2.1 With Enable Passwords ..........................................................................2.23-110
2.23.3.2.2 With Pre-Defined User Privileges ............................................................2.23-110
2.23.4 AAA Configuration .........................................................................................................2.23-111
2.23.5 Show and Debug Functions...........................................................................................2.23-113
2.24 Date/Time Synchronization .......................................................................................................2.24-115
2.24.1 Showing Current Date/Time ..........................................................................................2.24-115
2.24.2 Setting Date/Time ..........................................................................................................2.24-115
2.24.3 Setting Time-zone and Summer Time ...........................................................................2.24-115
2.24.4 SNTP Client ...................................................................................................................2.24-116
2.24.4.1 Broadcast Server Mode ......................................................................................2.24-116
2.24.4.2 Mode with Specified Server ................................................................................2.24-116
2.24.4.3 SNTP Client Service Removal............................................................................2.24-117
2.24.5 SNTP Server .................................................................................................................2.24-117
2.25 SYSLOG Client .........................................................................................................................2.25-119
2.25.1 Adding a SYSLOG Server .............................................................................................2.25-119
2.25.2 SYSLOG Server Removal .............................................................................................2.25-119
2.25.3 SYSLOG Server List ......................................................................................................2.25-120
2.25.4 SYSLOG Server Configuration ......................................................................................2.25-120
2.26 Performance Probe (PPA-PM & RTR) ......................................................................................2.26-121
2.26.1 Performance Probe Agent – Path Measurement (PPA-PM) ..........................................2.26-121
2.26.1.1 Introduction.........................................................................................................2.26-121
2.26.1.2 Configuring PPA-PM Responder ........................................................................2.26-122
2.26.1.3 Configuring PPA-PM Sender ..............................................................................2.26-122
2.26.1.4 Configuration Example .......................................................................................2.26-123
2.26.1.5 Statistics .............................................................................................................2.26-124
2.26.2 Response Time Reporter (RTR) ....................................................................................2.26-125
2.26.2.1 Configuration of a Probe via the CLI ..................................................................2.26-125
2.26.2.2 Probe Scheduling via CLI ...................................................................................2.26-127
2.26.2.3 PPA Statistics .....................................................................................................2.26-127
2.26.2.4 Advanced Features ............................................................................................2.26-128
2.27 HTTP(S) Server ........................................................................................................................2.27-132
2.27.1 Installing a Set of Web Files ..........................................................................................2.27-132
2.27.2 Configuring HTTP Server ..............................................................................................2.27-132

2.27.3 HTTP Proxy ...................................................................................................................2.27-136
2.27.4 Web Page Access Restriction .......................................................................................2.27-136
2.27.4.1 Restriction File Format .......................................................................................2.27-136
2.27.4.2 Assign access level to a new page.....................................................................2.27-137
2.27.4.3 Delete access level entry for a page ..................................................................2.27-137
2.27.4.4 Display access level settings ..............................................................................2.27-137
2.27.5 Download/Upload File Restriction..................................................................................2.27-138
2.27.6 Debugging HTTP Server ...............................................................................................2.27-138
2.28 Certificates management ..........................................................................................................2.28-139
2.28.1 Showing the content of the certificates ..........................................................................2.28-142
2.28.2 Configuring the certificates to be generated ..................................................................2.28-143
2.28.2.1 Subject Distinguished Name attribute ................................................................2.28-143
2.28.2.2 Subject Alternative Name attribute .....................................................................2.28-144
2.28.2.3 Key length and cipher type attribute ...................................................................2.28-144
2.28.2.4 Key usage attribute ............................................................................................2.28-144
2.28.2.5 Certificate enrollment .........................................................................................2.28-145
2.28.2.6 Miscellaneous commands ..................................................................................2.28-147
2.28.3 Creating the certificates .................................................................................................2.28-147
2.28.3.1 Self-signed HTTPS server certificate .................................................................2.28-147
2.28.3.2 Certificate signing request ..................................................................................2.28-148
2.28.3.3 Certificate import ................................................................................................2.28-148
2.28.4 Certificate matching against criteria...............................................................................2.28-149
2.28.4.1 Configuring the criteria to which a certificate must comply .................................2.28-149
2.28.4.2 Matching the criteria ...........................................................................................2.28-150
2.28.5 Certificate revocation checking ......................................................................................2.28-150
2.28.5.1 Configuring a trust-point to check the revocation of the certificate .....................2.28-150
2.28.5.2 Checking the revocation .....................................................................................2.28-151
2.28.6 Enrollment Procedure using SCEP and Trustpoints ......................................................2.28-152
2.29 Blacklist management ...............................................................................................................2.29-154
2.30 Limiting broadcast, multicast and unknown unicast traffic ........................................................2.30-155
2.30.1 Method 1 – Setting a Threshold Value...........................................................................2.30-155
2.30.1.1 Configuring .........................................................................................................2.30-155
2.30.1.2 Bridging by a physical switch..............................................................................2.30-156
2.30.1.3 Checking the configuration .................................................................................2.30-156
2.30.2 Method 2 – Setting a Percentage of the Available Bandwidth .......................................2.30-157
2.31 Management of OneOS Software Licenses ..............................................................................2.31-158
2.31.1 Default Availability of Software Licenses .......................................................................2.31-158
2.31.2 Activating Software Licenses .........................................................................................2.31-158
2.31.3 Updating the Possibly Activated Licenses for Already Shipped Products......................2.31-159
3 AUTO-UPDATE ...................................................................................................................................2.31-160
3.1 Introduction to Auto-update .........................................................................................................3.1-160
3.1.1 Auto-update Sequencer ...................................................................................................3.1-160
3.1.2 Software Update ..............................................................................................................3.1-161
3.1.3 Configuration Update .......................................................................................................3.1-162
3.1.4 File Update ......................................................................................................................3.1-162
3.1.5 TAR File Update ..............................................................................................................3.1-162
3.1.6 Contents on HTTP Server ...............................................................................................3.1-162
3.1.7 Behavior with a HTTPS server ........................................................................................3.1-163
3.2 Auto-update Configuration ..........................................................................................................3.2-164
3.2.1 Software Update ..............................................................................................................3.2-166
3.2.2 Configuration Update .......................................................................................................3.2-167
3.2.3 File Update ......................................................................................................................3.2-168
3.2.4 TAR File Update ..............................................................................................................3.2-169
3.3 Auto-update Example .................................................................................................................3.3-171
3.4 Auto-update Debug and Statistics...............................................................................................3.4-171
4 CPE WAN MANAGEMENT PROTOCOL (CWMP - TR-69) ..................................................................3.4-172
4.1 CWMP Feature Description ........................................................................................................4.1-172
4.1.1 CWMP Transport Layer ...................................................................................................4.1-172
4.1.2 INFORM RPC: Triggering Events and Content ...............................................................4.1-172
4.1.3 Initiating TR-069 Sessions from ACS ..............................................................................4.1-173
4.1.3.1 Connection Requests ...........................................................................................4.1-173
4.1.3.2 Scheduled INFORM .............................................................................................4.1-173
4.1.4 RPC invoked by ACS.......................................................................................................4.1-174

4.1.4.1 Download RPC .....................................................................................................4.1-174
4.1.4.1.1 Firmware Update.......................................................................................4.1-174
4.1.4.1.2 Configuration Update ................................................................................4.1-174
4.1.4.1.3 Web Configurator, IBC Packages or Default Configuration File Update ...4.1-175
4.1.4.1.4 Netbooster update via TR069 ...................................................................4.1-176
Reboot RPC ..........................................................................................................................4.1-177
4.1.4.2 FactoryReset RPC ...............................................................................................4.1-177
4.1.4.3 Upload RPC .........................................................................................................4.1-177
4.1.4.4 GetRPCMethods ..................................................................................................4.1-177
4.1.4.5 Managed Objects RPC .........................................................................................4.1-177
4.1.5 TR-69 Scenarios behind a NAT Gateway (TR-111, TR-69 Pass-through) ......................4.1-177
4.2 Configuring CWMP .....................................................................................................................4.2-178
4.3 CWMP Data Model .....................................................................................................................4.3-181
4.4 Enabling TR-111/TR-69 Pass-Through.......................................................................................4.4-185
4.5 Manual CWMP Operations .........................................................................................................4.5-187
4.6 CWMP Statistics and Troubleshooting........................................................................................4.6-188
4.7 CWMP Configuration Example ...................................................................................................4.7-188
5 AUTOCONFIGURATION .......................................................................................................................4.7-189
5.1 Autoconfiguration Features .........................................................................................................5.1-190
5.2 Autoconfiguration Configuration Commands ..............................................................................5.2-191
5.2.1 Enabling Autoconfiguration ..............................................................................................5.2-191
5.2.2 Method-1-Specific Autoconfiguration Parameters ...........................................................5.2-192
5.2.2.1 Voice Autoconfiguration........................................................................................5.2-192
5.2.2.2 Software Image Download ...................................................................................5.2-192
5.2.2.3 Configuration Example .........................................................................................5.2-193
5.2.3 Method-2-Specific Autoconfiguration Parameters ...........................................................5.2-194
5.2.3.1 Voice Autoconfiguration........................................................................................5.2-194
5.2.3.2 Downloading Configuration and Software ............................................................5.2-194
5.2.4 Method-3-Specific Autoconfiguration Parameters ...........................................................5.2-196
5.2.4.1 Voice Autoconfiguration........................................................................................5.2-196
5.2.4.2 Enabling test calls ................................................................................................5.2-196
5.2.5 Method-4 Autoconfiguration.............................................................................................5.2-196
5.3 Autoconfiguration Statistics .........................................................................................................5.3-198
5.4 Autoconfiguration Debug and Trace ...........................................................................................5.4-198
6 EVENT-DRIVEN CPE CONFIGURATION .............................................................................................5.4-199
6.1 Event-driven CPE configuration overview ...................................................................................6.1-199
6.2 Object tracking function overview ...............................................................................................6.2-199
6.3 Embedded Event Manager overview ..........................................................................................6.3-200
6.4 Object tracking Configuration ......................................................................................................6.4-201
6.4.1 Tracking the state of an RTR probe .................................................................................6.4-201
6.4.2 Tracking the IP routing state of an interface ....................................................................6.4-202
6.4.3 Tracking the state of a VRRP instance ............................................................................6.4-203
6.4.4 Tracking the state of a list of objects ...............................................................................6.4-204
6.4.5 Tracking the state of an IP route......................................................................................6.4-205
6.4.6 Tracking the state of a MEP ............................................................................................6.4-206
6.5 Embedded Event Manager Configuration ...................................................................................6.5-207
6.5.1 Initial delay configuration .................................................................................................6.5-207
6.5.2 Embedded Event Manager Applet configuration .............................................................6.5-207
6.5.2.1 Defining the EEM applet .......................................................................................6.5-207
6.5.2.2 Defining the event tracking for which the applet is run .........................................6.5-208
6.5.2.3 Defining the timing event for which the applet is run ............................................6.5-209
6.5.2.4 Defining the syslog event for which the applet is run............................................6.5-210
6.5.2.5 Defining the CLI commands to be executed when the event occurs ....................6.5-211
6.5.2.6 Matching a Regular Expression in $_cli_result .....................................................6.5-212
6.5.2.6.1 Regular Expression ...................................................................................6.5-212
6.5.2.6.2 Usage of variables in applet ......................................................................6.5-213
6.5.2.6.3 Setting value to a variable .........................................................................6.5-214
6.5.2.6.4 Mathematical operation with variable ........................................................6.5-214
6.5.2.6.5 Displaying the value of a variable..............................................................6.5-215
6.5.2.7 Using the results of regexp matching ...................................................................6.5-216
6.5.2.8 Sending a syslog message into an applet ............................................................6.5-216

6.5.2.9 Sending an email notification in case of a LTE event ...........................................6.5-217
6.5.2.10 Sending an alarm as a trigger action using applet................................................6.5-219
6.5.2.11 Sending a RMON trap ..........................................................................................6.5-220
6.5.2.12 Action if-alarm based on alarm computation ........................................................6.5-220
6.5.2.13 Terminating the applet configuration ....................................................................6.5-220
6.6 Event-driven CPE configuration statistics and debug .................................................................6.6-221
6.7 Event-driven CPE configuration examples..................................................................................6.7-225
7 POWER REDUNDANCY .......................................................................................................................6.7-227
8 ANNEX A – LIST OF MANAGED EVENTS.............................................................................................. 6.7-1
8.1 Table 1 – Sys (System).................................................................................................................. 8.1-1
8.2 Table 2 – Adm (Management) ....................................................................................................... 8.2-6
8.3 Table 3 – WAN (data interfaces) .................................................................................................... 8.3-8
8.4 Table 4 – IP.................................................................................................................................. 8.4-13
8.5 Table 5 – Vox (Voice) .................................................................................................................. 8.5-14

2 SYSTEM MANAGEMENT

2.1 INTRODUCTION TO SYSTEM MANAGEMENT

OneOS offers an embedded file system for software and configuration files. It is possible to save several
software releases and configuration files. When the device is started up, the boot software reads the
application software file (via the file system), decompresses this software image and launches the
application software and the configuration file.
The OneOS-based router provides interfaces for device management:
• Console Port: Asynchronous port, used primarily for access to the Command Line Interface (CLI) for
configuration and management, and optionally for using embedded debugging.
• Ethernet Port: Enables connection of a PC for configuration via Telnet or the downloading/uploading
of files with TFTP/FTP. The IP address of the port is configurable with the CLI. It is also possible to
manage configuration or file transfers via the second Ethernet port or remotely via IP over ATM.

2.1.1 Preliminary Instructions

• The device configuration is not case-sensitive.
• Keywords in commands are written in bold. Parameters, which are user-defined, are not bolded in the command line.
• User-defined parameters are written inside the < > expression and are not bolded. Example: <ip-address>.
• Optional instruction parts are written between the characters [ ]. Example: [optional-instruction-set].
• When several alternatives are possible, they are written between braces. The | character is the separator between the alternative instruction sets provided between braces. Example: { instruction-set-1 | instruction-set-2 | ... }.
• Ranges of discrete values are provided as follows: <lowest-number..highest-number> or <lowest-highest>. Example: <1..30> is the same as <1-30>.

2.1.2 Getting Started

Note: for security reasons, it is strongly recommended that you change the default username and the default password on the first connection to the device (refer to 2.20).
The device is delivered with OneOS software and a default configuration file. Two methods can be used to enter the configuration CLI:

1 – Connect to the console port (default factory settings):
• Serial parameters: 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control
• Reboot the device; after the reboot, enter the default username and then the default password as follows:

Username: admin
Password: admin
CLI>

Note: unauthorized connection attempts are subject to blacklisting (see 2.29).

2 – Connect to the FastEthernet 10/100 port (or to the Ethernet 10Base-T port of the ONE400). For routers with an embedded switch, use the Fast Ethernet port 0/0 on the right-hand side (port 0 on the left-hand side for the ONE60) and use a Telnet client with the following default factory settings:
• IP address: 192.168.1.10
• Username = admin, Password = admin
Note: unauthorized connection attempts are subject to blacklisting (see 2.29).
Note: Telnet sends the username and password in clear text; once IP connectivity is in place, prefer SSH (see 2.15) for remote access to the CLI.

Once in CLI mode, it is possible to read, modify or create a configuration and to access the file system (see the next paragraphs).

The prompt (CLI in the example) can be changed using the following command:
CLI> hostname <newname: string 1..64>

Warning: the prompt may be truncated, depending on the context, when the hostname string is long.

2.2 CONSOLE PORT SETTINGS

2.2.1 Default Settings

The console port is enabled and functions with the following parameters: 9600 bps, 8 bit-encoding, No
parity check, 1 Stop bit, No flow control.

2.2.2 Console Port Inactivity Timeout

After an inactivity period, the user is prompted to enter their login and password again. By default, the timeout is 10 minutes. To configure the console timeout, the command in global configuration mode is:
CLI(configure)> console timeout <seconds>

To restore the default timeout, use:
CLI(configure)> default console timeout

2.2.3 Disabling Console Port

For security reasons, it is sometimes desirable to forbid access to the system console port. From the management center, Telnet (or SSH, see 2.15) or FTP can be used to change the device configuration and disable the console port with the following command:
CLI> console disable-input

To re-enable the console port, use the following command (via Telnet for example):
CLI# console enable-input

Warning: the console is the only out-of-band path into the device. Make sure that remote management access is configured and has been tested before disabling console input; otherwise a loss of IP connectivity leaves no way to log in.

2.2.4 Detecting Console Cable Disconnection

Warning: this function is only available on selected devices and needs a specific console cable to
work properly. Refer to OneAccess Customer Support for more information.
By default, the console session is not automatically logged out when the console cable is disconnected.
To enable automatic logging out of the console session when the console cable is disconnected, use the
following command in global configuration mode:
CLI(configure)> console loop-check enable

To disable the function, use the following command in global configuration mode:
CLI(configure)> console loop-check disable
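The console settings of this section, together with the default-credential warning in 2.1.2, are the kind of thing an operator wants to verify across a fleet rather than by eye. The following Python script is an added example, not code from the OneOS guide or from OneAccess: it replays a configuration dump made of the CLI commands shown in this section (the guide describes history-config in 2.3.2 as exactly such a text file of CLI commands) and reports console settings that are still at a weak or factory value. It assumes that the dump contains the commands in the same form as shown here (`console timeout <seconds>`, `default console timeout`, `console loop-check enable|disable`, `console disable-input`, `console enable-input`, `hostname <name>`), that lines starting with `!` are comments, that the factory prompt `CLI` means no hostname has been set, and a site policy of at most 300 seconds of console inactivity; the two sample configurations are constructed. User accounts are deliberately not checked, because the user management commands (2.20) are not part of this section.

```python
"""Audit a OneOS-style configuration dump for the console settings of section 2.2.

Added example, not code from the OneOS guide. Assumptions: the dump is a plain
text list of CLI commands (as the guide describes history-config), the console
commands appear exactly as in section 2.2, '!' starts a comment line, the
factory prompt 'CLI' means the hostname was never changed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The guide states a 10-minute default console inactivity timeout.
DEFAULT_CONSOLE_TIMEOUT = 600
# Site policy (assumption): re-authenticate after at most 5 minutes of inactivity.
MAX_CONSOLE_TIMEOUT = 300
# Factory prompt shown in the guide; treated as "hostname not set" (assumption).
FACTORY_PROMPT = "cli"


@dataclass(frozen=True)
class Finding:
    severity: str  # "medium" or "low"
    message: str


def parse_commands(config_text: str) -> list[str]:
    """Normalise a dump into lower-case command lines.

    The CLI is not case-sensitive (2.1.1), so lower-casing is safe.
    """
    commands = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith("!"):
            continue
        commands.append(line.lower())
    return commands


def effective_console_state(commands: list[str]) -> dict:
    """Replay the commands in order so that the last setting wins."""
    state = {
        "timeout": DEFAULT_CONSOLE_TIMEOUT,
        "loop_check": False,    # guide: not enabled by default
        "input_enabled": True,  # guide: console port enabled by default
        "hostname": None,
    }
    for cmd in commands:
        if m := re.fullmatch(r"console timeout (\d+)", cmd):
            state["timeout"] = int(m.group(1))
        elif cmd == "default console timeout":
            state["timeout"] = DEFAULT_CONSOLE_TIMEOUT
        elif cmd == "console loop-check enable":
            state["loop_check"] = True
        elif cmd == "console loop-check disable":
            state["loop_check"] = False
        elif cmd == "console disable-input":
            state["input_enabled"] = False
        elif cmd == "console enable-input":
            state["input_enabled"] = True
        elif m := re.fullmatch(r"hostname (\S+)", cmd):
            state["hostname"] = m.group(1)
    return state


def audit_console(config_text: str, max_timeout: int = MAX_CONSOLE_TIMEOUT) -> list[Finding]:
    """Return the console-related findings for one configuration dump."""
    state = effective_console_state(parse_commands(config_text))
    findings: list[Finding] = []
    if state["input_enabled"]:  # a disabled console has no session to time out
        if state["timeout"] > max_timeout:
            findings.append(Finding(
                "medium",
                f"console timeout is {state['timeout']}s, above the {max_timeout}s policy"))
        if not state["loop_check"]:
            findings.append(Finding(
                "low", "console loop-check disabled: a session survives cable disconnection"))
    if state["hostname"] in (None, FACTORY_PROMPT):
        findings.append(Finding(
            "low", "hostname still at factory default; device is hard to identify in logs"))
    return findings


# Constructed sample: a factory-like device with nothing from section 2.2 applied.
WEAK_CONFIG = """\
! constructed sample, not a real device dump
hostname CLI
console timeout 3600
console loop-check disable
"""

# Constructed sample: the same device after section 2.2 has been applied.
HARDENED_CONFIG = """\
! constructed sample, not a real device dump
hostname cpe-lab-01
console timeout 300
console loop-check enable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [f"{f.severity}: {f.message}" for f in audit_console(cfg)])
```

Replaying the commands in order, rather than grepping for a single line, matters because a later `console loop-check disable` or `default console timeout` silently undoes an earlier hardening line; the audit reports the effective state, which is what the device actually enforces.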

2.3 FILE SYSTEM

2.3.1 Introduction

• Two file systems are available:
o The ramdisk file system, identified by ramdisk:/, which is volatile. It is used only by the system.
o The disk file system, named flash:/, which is permanent. It includes software and configuration files.
• The file systems are pre-formatted at the factory.
• The ramdisk content is erased on power on (not after a reboot).

2.3.2 File Systems Layout

• The ramdisk contains:


o The tmp directory for saving temporary files.
o The history-config file: a text file that contains the CLI commands used to build the
current configuration.
• The permanent disk contains:
o A BSA directory including:
 binaries: the sub-directory that contains execution files (i.e. OneOs).
 config: the sub-directory that contains configuration files (i.e. bsaStart.cfg).
 dump: the sub-directory for log and debugging purposes.
 bsaBoot.inf: a text file that contains the current location and name of the software
file as well as the current location and name of the configuration file.
o Events files (log messages).


2.3.3 File System Commands

Note that, when copying files to the file system of a OneOS device, the file name must be less than 39
characters.

2.3.3.1 Management of files and directories

• CLI commands are available for the management of files and directories on the disk file system.
• The following commands can be entered in exec mode as well as in configuration mode.

• Without parameter, the following command displays the drive in use (flash or ramdisk).
With parameter, the user can change the current device:
CLI> devs [flash | ramdisk]

• To display the current working directory, initialized when a CLI session is started to the root of the
current device, use the following command:
CLI> pwd

• To change the working directory, use the following command:


CLI> cd <directory-path>

• To create a new directory inside the current directory, use the following command:
CLI> mkdir <directory-name>

• To list files and directories inside the current directory, use the following command:
CLI> ls

• To list the content of a (text) file, use the following command:


CLI> cat [<file-path>]<file-name>

• To execute a CLI script, use the following command:


CLI> exec [-echo] <file-name> [-history] [-stop-on-error]

• To remove a file, use the following command:


CLI> rm [<file-path>] <file-name>

• To remove a directory and all files and sub-directories, use the following command:
CLI> rmtree <directory-path>

• To rename a file, use the following command:


CLI> mv [<file-path1>] <file-name1> [<file-path2>]<file-name2>

• To verify if the file system is corrupted, and optionally to correct the detected errors, use the following
command:
CLI> chkdsk { flash: | ramdisk: } [ -silent | -verbose | -v ]
[ -f | -check_only ]

• To display the available devices and optionally their status, use the following command:
CLI> show device [status { flash: | ramdisk: }]


• To encrypt a file on the file system of the device, use the following command:
CLI> encrypt <source_file> <target_file> aes [key <key>]

o AES-CBC-128 is used as encryption algorithm.


o Optionally, an encryption key can be added.

To decrypt a file, use the following command:


CLI> decrypt <source_file> <target_file> aes [key <key>]

2.3.3.2 Copying files to and from the OneOS device

• The following command is only available in exec mode.


CLI> copy [<file-path1>] <file-name1> [<file-path2>] <file-name2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

The source file and / or the destination file can be a local file, a file on a TFTP server, a file on an
FTP server, or a file on an HTTP server, as described below.
• To copy local file1 toward local file2:
CLI> copy <file1> <file2> [<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

TFTP server

• To download file1 from a TFTP server and save it under local file2:
CLI> copy tftp://<tftp_server>/<file1> <file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

o Example: copy tftp://10.20.30.2/OneOs OneOs.new loopback 1

• To download TAR file1 from a TFTP server and save it under local file2:
CLI> copy tftp://<tftp_server>/<file1>.tar <file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

• To upload local file1 to a TFTP server and save it as file2 on the server:
CLI> copy <file1> tftp://<tftp_server>/<file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

FTP server

• To download file1 from an FTP server and save it under local file2:
CLI> copy ftp://<login>:<password>@<server_IP-address>/<file1> <file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

o Example: copy ftp://<login>:<password>@<server_IP-address>/new.ZZZ OneOs


• To upload local file1 to an FTP server and save it as file2 on the server:
CLI> copy <file1> ftp://<login>:<password>@<server_IP-address>/<file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

HTTP server

• To download a file from an IPv4 HTTP server (if you need to include the "?" character in the URI, the
URL must be included between quotes):
CLI> copy http://<ipv4-or-name>[:<port>]/<file1> <file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

o Example: copy "http://1.2.1.1/test.cgi?var=1" myfile.txt

• To download a file from an IPv6 HTTP server (warning: the HTTP URI is encoded with IPv6 address
between brackets as explained in RFC 2732):
CLI> copy http://<ipv6-in-brackets>[:<port>]/<file1> <file2>
[<source-interface> <unit> | <IP-source>]
[silent] [vrf <vrf-name>]

o Example: copy http://[2000:0234]:8080/file.txt myfile.txt
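A small validator for the copy argument forms listed above, written as an added example (not OneOS code): it classifies a source or destination as local, tftp, ftp or http, checks the RFC 2732 bracketed IPv6 form and the ftp login:password form, and applies this chapter's rule that a local file name must be shorter than 39 characters. The sample commands are constructed and the helper names are assumptions of the example.

```python
"""Validator for the source/destination forms accepted by the OneOS 'copy'
command (local file, tftp://, ftp://login:password@host/, http://host[:port]/
with an RFC 2732 bracketed IPv6 literal) plus the 39-character file-name rule.
Added example, not OneOS code; the sample commands are constructed."""
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MAX_LOCAL_NAME = 38  # the guide says "less than 39 characters"

# A double-quoted argument (needed when the URL contains '?') is kept whole;
# backslashes (Windows paths on a TFTP server) are left untouched.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class CopyEndpoint:
    scheme: str                 # "local", "tftp", "ftp" or "http"
    host: Optional[str]
    port: Optional[int]
    path: str
    login: Optional[str] = None
    has_password: bool = False  # the secret itself is deliberately not stored


def split_command(command: str) -> List[str]:
    """Tokenise a CLI line, removing the quotes around a quoted argument."""
    return [quoted or word for quoted, word in _TOKEN.findall(command)]


def parse_endpoint(arg: str) -> CopyEndpoint:
    """Classify one copy argument and check it against the documented forms."""
    if "://" not in arg:
        name = posixpath.basename(arg.replace("\\", "/"))
        if not name:
            raise ValueError(f"local argument has no file name: {arg!r}")
        if len(name) > MAX_LOCAL_NAME:
            raise ValueError(f"local file name {name!r} must be < 39 characters")
        return CopyEndpoint("local", None, None, arg)

    u = urlsplit(arg)
    if u.scheme not in ("tftp", "ftp", "http"):
        raise ValueError(f"unsupported scheme {u.scheme!r}")
    if not u.hostname or not u.path or u.path == "/":
        raise ValueError(f"URL needs a host and a file path: {arg!r}")
    host = u.hostname
    if ":" in host:
        # urlsplit has already stripped the RFC 2732 brackets; make sure the
        # literal inside them is a well-formed IPv6 address.
        ipaddress.IPv6Address(host)  # raises ValueError if malformed
    if u.scheme == "ftp" and (u.username is None or u.password is None):
        raise ValueError("ftp form is ftp://<login>:<password>@<host>/<file>")
    return CopyEndpoint(u.scheme, host, u.port, u.path.lstrip("/"),
                        u.username, u.password is not None)


def parse_copy(command: str) -> Tuple[CopyEndpoint, CopyEndpoint]:
    """Split 'copy <src> <dst> [options]' into validated source and destination."""
    words = split_command(command)
    if len(words) < 3 or words[0] != "copy":
        raise ValueError("usage: copy <src> <dst> [options]")
    return parse_endpoint(words[1]), parse_endpoint(words[2])


if __name__ == "__main__":
    # Constructed sample commands
    for line in ("copy tftp://10.10.10.1/c:\\temp\\OneOs.ZZZ OneOs",
                 'copy "http://[2001:db8::1]:8080/file.txt" myfile.txt'):
        print(parse_copy(line))
```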

2.3.3.3 Examples

CLI> cd /
CLI> pwd
/
CLI> ls
Listing the directory /
BSA/ 2048
ibc/ 2048
CWMP2.log 615
telnet2.log 3723
snmpv3_engine.log 51
telnet1.log 3612
password 43
CWMP1.log 188
CLI> cat snmpv3_engine.log
engine = 12 8000338703000012ef417f97
boots = 66.0.0 Atm 0.1

Example for downloading a new software release:

1. Read the bsaBoot.inf file to read the current location and name of the software:
CLI> cd BSA
CLI> cat bsaBoot.inf
flash:/BSA/binaries/OneOs
flash:/BSA/config/bsaStart.cfg

2. Run a TFTP server on a PC (IP address 10.10.10.1) and enter the following commands:
CLI> cd BSA/binaries
CLI> copy OneOs OneOs.sav
CLI> copy tftp://10.10.10.1/c:\temp\OneOs.ZZZ OneOs

3. After the file transfer, reboot the device:


CLI> reboot


2.4 GETTING ROUTER HARDWARE, SOFTWARE, CPU AND MEMORY INFORMATION

2.4.1 Hardware Information

To display details of the router hardware, enter the following command:


CLI> show system hardware

To display additional details of the router hardware, enter the following command:
CLI> show product-info-area

2.4.2 Software Information

To show the current running software version:


CLI> show version

To show the software version of a OneOS image in flash:


CLI> show soft-file info <path/name>

Usually the command is the following:


show soft-file info /BSA/binaries/OneOs

To show the actual configuration (the running-config) of the OneOS-based router, enter the following
command:
CLI> show running-config

This command, like all show commands, can be used with filtering parameters to limit the number of lines
that will be displayed.
Use the following command to display only the lines that contain word (in that case the string word must
immediately follow the pipe character, with no space in between):
CLI> show running-config |<word>

Use the following forms of the command to use more filtering possibilities (in that case a space must follow
the pipe character).
CLI> show running-config | {begin|beginat <n>|include|exclude} <word>

Use | begin <word> to display starting from the first line that contains word.
Use | beginat <n> <word> to display from the first line that contains the nth occurrence of word.
Use | include <word> to display only the lines that contain word.
Use | exclude <word> to display only the lines that do not contain word.
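The pipe filters described above, re-implemented in Python as an added example (this is not OneOS code). It assumes that "the nth occurrence of word" means the nth line containing word and that word matches as a substring; the sample running-config is constructed from the lines shown in this guide.

```python
"""OneOS-style output filters (| begin, | beginat <n>, | include, | exclude and
the bare |<word> form) re-implemented in Python.  Added example, not OneOS
code; the sample running-config below is constructed from lines shown in
this guide."""
from typing import List

# Constructed sample: a short running-config in the default (no separator) format.
SAMPLE_RUNNING_CONFIG = """\
console timeout 10800
no reboot recovery-on-error
logging buffered size 16364
hostname CLI
interface GigabitEthernet 0/0
 ip address dhcp
exit
interface GigabitEthernet 0/1
exit
no snmp set-write-community private
no snmp set-read-community public
voice-default
end"""


def apply_pipe_filter(output: str, pipe: str) -> List[str]:
    """Apply the filter text that follows a show command to its output.

    pipe is everything from the '|' onwards, exactly as typed on the CLI:
      '|snmp'                 no space: lines containing 'snmp'
      '| include snmp'        same, keyword form
      '| exclude exit'        lines NOT containing 'exit'
      '| begin interface'     from the first line containing 'interface' on
      '| beginat 2 interface' from the 2nd line containing 'interface' on
    """
    if not pipe.startswith("|"):
        raise ValueError("filter must start with '|'")
    lines = output.splitlines()
    rest = pipe[1:]
    if not rest.startswith(" "):
        # '|<word>' form: everything after the pipe is the word
        return [ln for ln in lines if rest in ln]

    parts = rest.split()
    if not parts:
        raise ValueError("missing filter keyword after '| '")
    keyword = parts[0]
    if keyword == "beginat":
        if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) < 1:
            raise ValueError("usage: | beginat <n> <word>")
        nth, word = int(parts[1]), parts[2]
    elif keyword in ("begin", "include", "exclude"):
        if len(parts) != 2:
            raise ValueError(f"usage: | {keyword} <word>")
        nth, word = 1, parts[1]
    else:
        raise ValueError(f"unknown filter keyword {keyword!r}")

    if keyword == "include":
        return [ln for ln in lines if word in ln]
    if keyword == "exclude":
        return [ln for ln in lines if word not in ln]
    # begin / beginat: display from the nth matching line to the end
    seen = 0
    for idx, ln in enumerate(lines):
        if word in ln:
            seen += 1
            if seen == nth:
                return lines[idx:]
    return []  # the nth occurrence does not exist: nothing is displayed


if __name__ == "__main__":
    for expr in ("|snmp", "| beginat 2 interface", "| exclude exit"):
        print(f"show running-config {expr}")
        print("\n".join(apply_pipe_filter(SAMPLE_RUNNING_CONFIG, expr)), end="\n\n")
```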


The running configuration is by default displayed in its shortest format with no extra lines.
Use the following command in global configuration mode to add separators (!) between logical groups of
commands (see an example below):
CLI> configure terminal
CLI(configure)> config-management
CLI(config-management)> [no] add-separator
CLI(config-management)> exit
CLI(configure)> exit
CLI>

Use the no form of the command to display again the shortest format.

Example:

Without separator (no add-separator) (default):
show running-config
Building configuration...

Current configuration:

console timeout 10800
no reboot recovery-on-error
logging buffered size 16364
hostname CLI
interface GigabitEthernet 0/0
ip address dhcp
exit
interface GigabitEthernet 0/1
exit
interface GigabitEthernet 0/2
exit
interface GigabitEthernet 0/3
exit
interface GigabitEthernet 1/0
exit
no snmp set-write-community private
no snmp set-read-community public
voice-default
end

With separator (add-separator):
show running-config
Building configuration...

Current configuration:

!
console timeout 10800
no reboot recovery-on-error
!
logging buffered size 16364
!
hostname CLI
!
interface GigabitEthernet 0/0
ip address dhcp
exit
interface GigabitEthernet 0/1
exit
interface GigabitEthernet 0/2
exit
interface GigabitEthernet 0/3
exit
interface GigabitEthernet 1/0
exit
!
no snmp set-write-community private
no snmp set-read-community public
!
voice-default
!
!
!
config-management
add-separator
exit
!
end


2.4.3 CPU and Memory Information

To display the CPU and memory usage per system task, use the following command:
CLI> show system tasks <delayReport>

• This command reports CPU and memory task usage during 5s (default value).
• <delayReport> is the sampling period for the task monitoring, expressed in seconds; the default
value is 5 seconds.
The following is an example of what the show system tasks command displays:
vxTarget>show system tasks
Waiting 5s ... collecting tasks activities informations
vxTarget>
NAME ENTRY TID PRI total % (ticks) delta % (ticks)
-------- -------- ----- --- --------------- ---------------
tLogTask 7bebf00 0 0% ( 0) 0% ( 0)
tYieldTask 7b31d30 0 0% ( 0) 0% ( 0)
tNetSTask 7b31350 0 0% ( 0) 0% ( 0)
tMNTTask 7b23420 0 0% ( 0) 0% ( 0)
tMSTTask0 7225b60 0 0% ( 0) 0% ( 0)
tMSTTask1 72238d0 0 0% ( 0) 0% ( 0)
tMSTTask2 7221640 0 0% ( 0) 0% ( 0)
tMSTTask3 7057520 0 0% ( 0) 0% ( 0)
tExcTask 7bee890 0 0% ( 0) 0% ( 0)
VOICEwd 7189928 1 0% ( 0) 0% ( 0)
tShowTask 7dcd118 5 0% ( 1) 0% ( 1)
oaMontNet 7b30970 10 0% ( 0) 0% ( 0)
oaOamRun 70b7138 48 0% ( 0) 0% ( 0)
tPolTask 7be75b8 49 0% ( 0) 0% ( 0)
tNetTask 7b2e6e0 49 0% ( 0) 0% ( 0)
tSnmpTrap 721d698 49 0% ( 0) 0% ( 0)
tPoll oaSysPollT 7bfefb8 50 0% ( 0) 0% ( 0)
802.3ah OAM 7bf6d48 50 0% ( 1) 0% ( 1)
SALTask 7b28bb8 50 0% ( 0) 0% ( 0)
tTelnetd 728a6d0 50 0% ( 0) 0% ( 0)
SYS_PPP_D_1 7282008 50 0% ( 0) 0% ( 0)
SYS_PPP_C_1 727d550 50 0% ( 0) 0% ( 0)
PPPOE_FRWK_D 725cb80 50 0% ( 0) 0% ( 0)
PPPOE_FRWK_C 72580c8 50 0% ( 0) 0% ( 0)
DSL_SYS_FRWK 72456f0 50 0% ( 0) 0% ( 0)
DSL_SYS_FRWK 7240c38 50 0% ( 0) 0% ( 0)
tAtmMgmtTask 7229e20 50 0% ( 0) 0% ( 0)
tSnmpTmr 721f258 50 0% ( 0) 0% ( 0)
tSnmpd 7219408 50 0% ( 0) 0% ( 0)
tSnmpd6 720ebc0 50 0% ( 0) 0% ( 0)
tISM 7174610 50 0% ( 0) 0% ( 0)
SM 70d5800 50 0% ( 0) 0% ( 0)
NSCC 70d1000 50 0% ( 0) 0% ( 0)
PHDL 70cc800 50 0% ( 0) 0% ( 0)
V5 70c8000 50 0% ( 0) 0% ( 0)
APPL 70c4800 50 0% ( 0) 0% ( 0)
PPP_HDLC_D_4 70868a0 50 0% ( 0) 0% ( 0)
PPP_HDLC_C_4 7081e00 50 0% ( 0) 0% ( 0)
tMpSendQ 7072d80 50 0% ( 0) 0% ( 0)
tMpRxQ 706cb00 50 0% ( 0) 0% ( 0)
oacTelnetD 7066648 50 0% ( 0) 0% ( 0)
rtd 7007828 50 0% ( 0) 0% ( 0)
trLogTask 6fdea68 50 0% ( 0) 0% ( 0)
trShowTask 6fd8590 50 0% ( 0) 0% ( 0)
trMemTask 6fd20b8 50 0% ( 0) 0% ( 0)
trSlogTask 6fcbbe0 50 0% ( 0) 0% ( 0)
evLogTask 6fba1a0 50 0% ( 0) 0% ( 0)
evShowTask 6fb4958 50 0% ( 0) 0% ( 0)
evMemTask 6faf110 50 0% ( 0) 0% ( 0)
evSmsTask 6fa98c8 50 0% ( 0) 0% ( 0)
evTrapTask 6fa4080 50 0% ( 0) 0% ( 0)
evStartTask 6f9e838 50 0% ( 0) 0% ( 0)
evStopTask 6f98ff0 50 0% ( 0) 0% ( 0)
evSlogTask 6f937a8 50 0% ( 0) 0% ( 0)
L2TP 6f8dae0 50 0% ( 0) 0% ( 0)
oaAdslAmazon 6f82bd8 50 0% ( 0) 0% ( 0)
tRnis 6f72ad8 50 0% ( 0) 0% ( 0)


tMLPPP 6f6c598 50 0% ( 0) 0% ( 0)
Telnetd 6f1c3f8 50 0% ( 0) 0% ( 0)
CONSOLE 6ef77e8 50 0% ( 0) 0% ( 0)
paad 6eeb288 50 0% ( 0) 0% ( 0)
tEEMTask 6f61978 50 0% ( 0) 0% ( 0)
tPstn 6ebadc8 50 0% ( 0) 0% ( 0)
PDSTASK 626eb78 50 0% ( 0) 0% ( 0)
CMS2 slot 6f8a548 55 0% ( 0) 0% ( 0)
tMpSendQ 726b860 80 0% ( 0) 0% ( 0)
tMpRxQ 7266d78 85 0% ( 0) 0% ( 0)
tTffsPTask 7be7fc8 100 0% ( 0) 0% ( 0)
tDcacheUpd 71d2f10 250 0% ( 0) 0% ( 0)
DataCollecti 6f7db28 250 0% ( 0) 0% ( 0)
tIdle oaSysIdleT 7bffdb0 255 99% ( 494) 99% ( 494)
KERNEL 0% ( 0) 0% ( 0)
INTERRUPT 0% ( 1) 0% ( 1)
IDLE 0% ( 0) 0% ( 0)
TOTAL 100% ( 497) 100% ( 497)

2.4.4 Monitoring of Free memory

By adding the following CLI command to the configuration file, the router will monitor the level of free memory:
CLI(configure)> memory free low-watermark <threshold_low> <threshold_high>

• <threshold_low> and <threshold_high> are integer values that set the memory threshold in
percentage of free memory.

________________ 100% of free memory

-------- Threshold high

-------- Threshold low

________________ 0% of free memory

• When the available memory falls below <threshold_low>, a syslog notification message is triggered:
RAM usage low watermark [Class: System]
• When the available memory rises above <threshold_high>, a syslog notification message is triggered:
RAM usage high watermark [Class: System]

The event generation can be disabled with the following command:


CLI(configure)> no memory free low-watermark
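The two-threshold behaviour described above, modelled in Python as an added example (not OneOS code). It assumes the thresholds form a hysteresis band: the low event fires once when free memory drops below <threshold_low> and the high event once when it later rises above <threshold_high>, with nothing repeated while the value stays in between; the readings fed in are constructed.

```python
"""Model of the 'memory free low-watermark <threshold_low> <threshold_high>'
notifications.  Added example, not OneOS code.  Assumption: the two
thresholds form a hysteresis band (one low event on crossing below
threshold_low, one high event on later crossing above threshold_high).
The memory readings used below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Event texts as printed in this section of the guide
LOW_EVENT = "RAM usage low watermark [Class: System]"
HIGH_EVENT = "RAM usage high watermark [Class: System]"


@dataclass
class FreeMemoryMonitor:
    threshold_low: int                 # percent of free memory
    threshold_high: int                # percent of free memory, > threshold_low
    enabled: bool = True               # 'no memory free low-watermark' -> False
    events: List[str] = field(default_factory=list)
    _below: bool = field(default=False, repr=False)  # low watermark currently crossed

    def __post_init__(self) -> None:
        if not (0 <= self.threshold_low < self.threshold_high <= 100):
            raise ValueError("need 0 <= threshold_low < threshold_high <= 100")

    def sample(self, free_percent: int) -> Optional[str]:
        """Feed one reading of free memory (percent); return the event raised, if any."""
        if not self.enabled:
            return None
        event = None
        if not self._below and free_percent < self.threshold_low:
            self._below = True            # entering the low zone: notify once
            event = LOW_EVENT
        elif self._below and free_percent > self.threshold_high:
            self._below = False           # recovered above the high mark: notify once
            event = HIGH_EVENT
        if event is not None:
            self.events.append(event)
        return event


def run_samples(threshold_low: int, threshold_high: int, readings: List[int]) -> List[str]:
    """Replay a series of free-memory readings and return the events raised, in order."""
    monitor = FreeMemoryMonitor(threshold_low, threshold_high)
    for reading in readings:
        monitor.sample(reading)
    return monitor.events


if __name__ == "__main__":
    # Constructed readings: memory drops, oscillates inside the band, recovers, drops again
    for ev in run_samples(10, 20, [50, 15, 8, 12, 18, 25, 5]):
        print(ev)
```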


2.5 START-UP

A file, bsaBoot.inf, in directory BSA is used on start-up to load and execute the OneOS software and to
run the startup configuration file.
For example, the bsaBoot.inf file contains the following 2 lines:
flash:/BSA/binaries/OneOs
flash:/BSA/config/bsaStart.cfg

The first line (OneOs) is the application software image file and the second line (bsaStart.cfg) is the
configuration file used on start up.
It is possible to change the content of the bsaBoot.inf file by using the following commands.
To change in the bsaBoot.inf file the application software image file name:
CLI> boot software image <full-pathname-OneOS>

To change in the bsaBoot.inf file the configuration file name:


CLI> boot configuration <full-pathname-config>

If the startup configuration file is not present the device starts up with a default configuration.

Note: the software image file and the configuration file can be uploaded / downloaded to and from a server
using the file system commands described in 2.3.


2.6 CONFIGURATION OF MANAGEMENT FUNCTIONS

The Command Line Interface enables the user to configure and to fully manage the OneOS-based router
with an easy-to-use interface. Modifications made to the parameters are applied immediately after
checking parameter consistency and validity. The CLI is accessed via a Telnet session (locally or
remotely) or via the Console serial port.
A shell/debug interface is accessible from the console interface by entering the command tshell on the
CLI (after entering the shell interface, the CLI command can be used to return to the CLI). The shell/debug
interface is outside the scope of this document and its usage is only intended for OneAccess support and
development team.
Note: unauthorized connection attempts are subject to blacklisting (see 2.29).

2.6.1 Starting a Telnet Session

The configuration session is accessible via a Telnet client session from a PC (or from a UNIX station) or
from another connected OneOS-based router (see 2.14.1 for more information) using the following
command:
CLI> telnet { <ipv4-address> | <ipv6-address> | <name> }[<port>]
[<interface> <unit>] [vrf <vrf-name>][ipv4|ipv6]
[unset-crlf]

• Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipv6 are
meant to force name resolution in either IPv4 or IPv6.
• If the optional arguments <interface> <unit> are provided, the source address of sent Telnet
packets will be forced to the IPv4/IPv6 address of the selected interface (depending on the IP address
format or DNS resolution).
• With unset-crlf added to the command, the Telnet session uses CR as end of line delimiter.
Without unset-crlf, the Telnet session uses CRLF as end of line delimiter.
• When first configuring the device, it is recommended to connect a PC to the 10/100base-T interface of
the OneOS-based router (or the 10base-T interface of the ONE400) and use as target its
corresponding IP address with default value (factory setting) 192.168.1.10. The user and password
defined by default are admin and admin. (If the Telnet client is run from a PC under Microsoft
Windows, it is best to select terminal options as "VT100 arrow").
• By default, on the target, the Telnet server is attached to any interface with an IP address. To restrict
the access to the target (see 2.14.2 for more information), a bind command must be entered.
• Note: unauthorized connection attempts are subject to blacklisting (see 2.29).

2.6.2 Configuration Session

• After logging in and entering a CLI session, the CLI offers an interface similar to a "UNIX shell" with a
hierarchically defined tree of commands. It offers history and command editing, i.e.:
o CTRL-n or up arrow: get next command
o CTRL-p or down arrow: get previous command
o CTRL-b or left arrow: move cursor left
o CTRL-f or right arrow: move cursor right
o CTRL-d or delete key: delete a character
o ESC-b: move one word backward
o ESC-f: move one word forward


• The configuration commands are available after entering the configure terminal command, which
makes the CLI enter global configuration mode. To return to the initial CLI state, either enter exit
when the CLI is in global configuration mode or enter end at any stage of the device configuration.

• For each command there is an associated help string using the “?” character. The “?” character can
also be typed in a command to display command arguments.
For example:
CLI> configure terminal
CLI(configure)> interface loopback 1
CLI(config-if)> ?
bandwidth - Set bandwidth informational parameter
crypto - Encryption/Decryption commands
default - Set a parameter to its default value
description - Interface specific description
exit - Exit from interface configuration mode
ip - Interface IP configuration commands
ipv6 - Configure IPv6
no - Negate a command
service-policy - Configure QoS service policy
shutdown - Shutdown the interface
<cr>
CLI(config-if)>

2.6.3 Enabling Multiple Configuration Sessions

By default only one configuration session (under configure terminal) is allowed at a time.
To allow more than one configuration session at a time (up to 10, one local console session plus 9 other
sessions e.g. 9 Telnet sessions), use the following command in global configuration mode:
CLI(configure)> set multiple-conf-sessions enable

To return to the default behavior and disallow multiple configuration sessions at a time:
CLI(configure)> set multiple-conf-sessions disable

2.6.4 Saving the Configuration on a Permanent Disk

The user can save the running configuration (volatile storage) into the startup file for boot specified in the
file bsaBoot.inf, or into a specific file when specified with the CLI save command (after leaving CLI
configuration mode):
CLI> save running-config [to <filename>]

This command has the same effect as the write mem command.
An event message can be triggered when saving the running configuration using the following command in
global mode (refer to 2.12.2 for more information about event filters):
CLI> event filter add adm config config-upd <action>


2.6.5 Automatic and Periodic Backup of the Configuration

2.6.5.1 Automatic and periodic backup

To program an automatic and periodic backup of the saved configuration file (see above) and optionally of
the IBC database files (see "OneOS – IBC User Guide" document), use the following commands in global
configuration mode:
CLI(configure)> config-management
CLI(config-management)> backup-copy [configuration-and-database]
{ daily | weekly | monthly } <HH:MM> [on-save]
CLI(config-management)> exit
CLI(configure)>

o The configuration file and optionally the IBC database files will be backed up in the
/BSA/config directory every day or week (every 7 days) or month (every 30 days) at time
HH:MM.
The backup command can be entered up to three times (daily + weekly + monthly) for
each option (configuration file only – default – or configuration and IBC database files).
Only one backup file (the last one) is kept per time period. It is a .bck text file for the
configuration file only and a .tar file for configuration and database backup. See example
below.
o on-save. This option has been implemented in order to preserve the saved configuration after
a restore:

2.6.5.2 Preserving the saved configuration after a restore

To automatically create a backup copy of the configuration when it is saved, use the following command
CLI(config-management)> backup-copy on-save

The backup-copy on-save command will copy the configuration that is saved by any process (such as
the save running-config command, or CWMP, or ...) to the backup location that has been set with the
path command, described next.
The file is saved with a name containing the date and time.
Up to 10 backup copies can be saved. When 10 copies are saved, the 11th save operation removes the
oldest saved backup copy.
To stop the creation of a backup copy with each save operation use the following command:
CLI(config-management)> no backup-copy on-save

To set the location where the backup copies must be saved, use the following command:
CLI(config-management)> path <path-name>

The <path-name> can for instance be /factory-backup, or any other directory.
The default path name is /BSA/config. To return to the default setting, use the following command:
CLI(config-management)> default path

Two additional commands are available that can be used as information when retrieving the backed up
files (these commands appear in the backed up configuration file):
CLI(config-management)> compatibility-index <0-255>
CLI(config-management)> web-compatibility-index <0-255>
Example:
CLI> ls
Listing the directory /BSA/config
. 0
.. 0
Auto1-Yesterday-310710-09h15am.bck 1032
Auto2-Lastweek-280710-09h15am.bck 1032
Auto3-Lastmonth-270710-09h15am.bck 1032
bsaStart.cfg 1032
CLI>


2.6.6 Editing a Configuration File

The following is recommended for efficient configuration of a OneOS-based device:


1. First, build the configuration in a text file on a PC using notepad.exe
2. Open a Telnet session with the device
3. Copy the configuration lines in the notepad window
4. Paste the lines into the Telnet window
5. Save the configuration with the save running-config command if the configuration is to be used
for the next reboot
A second method consists of using the copy command. It is possible to upload the configuration to a PC,
modify the configuration file with a simple editor such as notepad.exe, and download the configuration file back to the device.
Example for uploading:
CLI> copy /BSA/config/bsaStart.cfg tftp://193.1.1.2/c:\config.txt

Example for downloading:


CLI> copy tftp://193.1.1.2/c:\config.txt /BSA/config/bsaStart.cfg


2.6.7 Scheduled Reboot

After modifying a configuration it may be necessary to reinitialize the device:


CLI> reboot [ after <seconds>
| at <dd>/<mm>/<yy> <hh>:<mm>:<ss>
| after no-voice-calls ]

• This is similar to a power down / power up procedure except that the ramdisk device is not cleared.
• If no argument is provided, the device reboots immediately.
• When using the after <seconds> argument, a reboot is scheduled when the number of seconds
has elapsed.
• at argument schedules a reboot at the provided date and time.

• In both cases a warning message scheduled reboot in 60 seconds ... is displayed 60
seconds before the actual reboot (only when the configured delay is more than 60 seconds).
• after no-voice-calls argument schedules a reboot as soon as there is no voice call in process.
• When a scheduled reboot is in progress, a warning message Reboot is scheduled in <xx>
seconds will be shown when logging in.

If you wish to cancel a scheduled reboot, use the following command:


CLI> reboot cancel

2.6.8 Reboot on no answer to a ping

The router can be configured to reboot if a ping is not answered. Use the following command:
CLI> reboot unreachable interface <interface_name> host <IPaddr>
delay <time> max-fail <maximum>

o interface <interface_name>. This is the interface through which the pings are sent. This
interface must exist on the device, but it can be down; the router tries to send pings even if the
interface is down.
o host <IPaddr>. This is the destination IP address of the pings.
o delay <time>. This is the time interval between two pings, expressed in seconds. It can be
set between 60 seconds and 3 hours, in steps of 60 seconds.
o max-fail <maximum>. This is the number of consecutive failed pings that are allowed,
before the device reboots.
If for instance after 4 consecutive failed pings the fifth one is OK, then the count starts again
from 0, i.e. the router must again have 5 consecutive failed pings to reboot.

2.6.9 Reboot and Test a New Configuration or Software Image

You may want to test a new configuration file or test a new software image. For that purpose, a special
reboot command enables you to define a configuration file and a software image that are not the same as
those contained in the /BSA/bsaBoot.inf file (default start parameters). With this command, the router
reboots using the software image and configuration file and will re-use the default software image and
configuration file at the next reboot, thus enabling you to check whether the new files are satisfactory or not.
The command line is the following:
CLI> reboot-check [at <hh>:<mm>:<ss>] <sw-image> <config-file>

at argument schedules a reboot at the provided time. If you wish to cancel a scheduled reboot, use the
following command:
CLI> reboot-check cancel


2.6.10 Management of reboot log files

When the device is going to reboot, a first log file is generated (except when the reboot is due to a power failure).
Because the device can be in an unstable state following the reboot cause, this first log file contains
information about the reboot in a raw format, so as to secure its creation and use as few system
resources as possible. After the reboot, a second log file is generated that contains the complete set
of information needed for offline debugging.
The first log file is called a rawlog file also known as a secure-crashlog file while the second log file is
called a crashlog file.
The generation of the secure-crashlog file is enabled by default. The following command in global
configuration mode allows disabling the generation of the secure-crashlog files.
CLI(configure)> no system enable-secure-crashlogs

Use the following command to restore the default behavior.


CLI(configure)> system enable-secure-crashlogs

Use the following command in global mode to display the number of secure-crashlog files that are
actually stored in the /BSA/dump directory and sub-directories (maximum 5 files).
CLI> show system secure-crashlog count

Use the following command in global mode to display the content of the last secure-crashlog file.
CLI> show system secure-crashlog

Use the following command in global mode to erase all the crashlog files that are stored in the
/BSA/dump directory. Use the -force argument to erase the files without asking for confirmation.
CLI> system clean-crashlogs [-force]

2.6.11 Reset of Device Configuration

Destroying the configuration of a device by hand can be tedious. The following command simply
erases the current configuration file and immediately reboots the device so that the default configuration
takes effect:
CLI> erase saved-config

2.6.12 Restoring Factory Settings

This function enables reloading a router as if it were coming from the factory. OneAccess factories can load
a set of custom default files in the flash of the router (to be discussed with OneAccess sales).
Note that it is possible to preserve saved configurations when restoring the factory settings, as explained in
section 2.6.5 Automatic and Periodic Backup of the Configuration.
As a first step, the restore factory settings function checks whether flash:/BSA/binaries/OneOs exists and is a
valid binary. In case of error, the function fails and an error message is displayed.
If the above mentioned condition is met, the following actions are carried out:
• Remove all files except certain system files:
o flash:/BSA/bsaBoot.inf
o flash:/BSA/binaries/OneOs
o flash:/BSA/config/bsaStart.cfg
o flash:/factory-backup/ (and all files found under that directory)
o flash:/ibc (and all files found under that directory)
o flash:/tftpboot (and all files found under that directory)


• Restore certain system files based on specific security policies:


o Regenerate password file flash:/password
o Regenerate file flash:/BSA/bsaBoot.inf

• Restore certain content, based on "factory backup" content:


o if flash:/factory-backup/default-bsaStart.cfg exists, copy
flash:/factory-backup/default-bsaStart.cfg to current configuration file
(bsaStart.cfg)
o if flash:/factory-backup/default-bsaStart.cfg does not exist, erase the start
configuration (as given in flash:/BSA/bsaBoot.inf)
o if flash:/factory-backup/default-web.tar exists, untar the file
flash:/factory-backup/default-web.tar in flash:/webroot/
(using the clean-up options, i.e. as with the command untar <file> <dest> clean-up all-sub-dir)
o if flash:/factory-backup/default.wcfaccounts.ini exists, copy
flash:/factory-backup/default.wcfaccounts.ini in
flash:/.wcfaccounts.ini; otherwise, erase .wcfaccounts.ini
o if flash:/factory-backup/default-password exists,
copy flash:/factory-backup/default-password into flash:/password

The following command restores factory settings and reboots the OneOS-based router:
CLI> restore factory-setting

2.6.13 Syslog Message at Startup

This function enables the router to send a SYSLOG message once it has (re-)started. This message is
sent after the configuration is fully applied. It can optionally be delayed so that the SYSLOG server(s) are
reachable. The SYSLOG client must be configured as described in 2.25.
To enable the sending of the message, use the following command in global mode:
CLI> event filter add sys startup all syslog

To remove the sending of the message:


CLI> event filter remove <index>

To delay in seconds the sending of the message, use the following command in global configuration mode:
CLI(configure)> syslog delayed-start <0-3600>

To remove the delay:


CLI(configure)> no syslog delayed-start


2.7 SOFTWARE UPGRADE OF A ROUTER

Note that, when copying files to the file system of a OneOS device, the file name must be less than 39
characters.

There are several ways to upgrade a router with a new software release.
It is advised to use the following steps.
• Prior to making a software upgrade, it is strongly advised to read the information about the file system
in the following sections:
o 2.3 File system
o 2.6 Configuration of Management Functions
• First, you should verify that the file bsaBoot.inf has the content shown below; the verification can be
done as follows:
CLI> cd /BSA
CLI> cat bsaBoot.inf
flash:/BSA/binaries/OneOs
flash:/BSA/config/bsaStart.cfg

The content of bsaBoot.inf, as listed above, conforms to OneAccess standard factory settings.
• Before downloading the new software to the device, check that the flash disk provides enough space
for the new file.
CLI> show device status flash

• The new software that will be downloaded to the device must be stored in the directory
/BSA/binaries. To go to this location and check the content, use the following commands:
CLI> cd /BSA/binaries
CLI> ls

• If needed, remove older software with the rm command.


• The new software, stored on the PC with, for instance, the file name OneOs.ZZZ, must be downloaded to
the device via FTP or TFTP. Here is an example with TFTP:
CLI> copy tftp://193.1.1.2/c:\tftp\OneOs.ZZZ OneOs.new

This command copies the new software, named OneOs.ZZZ on the PC, to the device as OneOs.new.
Optionally, a source IP address can be provided (like loopback 1) for the TFTP transfer as follows:
CLI> copy tftp://193.1.1.2/c:\tftp\OneOs.ZZZ OneOs.new loopback 1

• The content of the directory can be checked again with the ls command:
CLI> ls
OneOs
OneOs.new
..

This example shows that there are two software images on the device: OneOs and OneOs.new.


• To verify the downloaded OneOS checksum, use the following commands:
CLI> verify soft-file [<path>/]<filename>

Or:
CLI> show soft-file info [<path>/]<filename>

For example:
CLI> verify soft-file OneOs.new
file is OK

• Then, rename the files with the mv command:
CLI> mv OneOs OneOs.old
CLI> mv OneOs.new OneOs

The current software running on the device, OneOs, is renamed to OneOs.old. The new software, OneOs.new, is renamed to OneOs.
• Finally, reboot the device. This will activate the new software.

Note that the file system is case sensitive. In other words, if OneOs is mistyped (wrong capital letters), the
boot software will not start any software (e.g.: Oneos is wrong).


2.8 PASSWORD RECOVERY

Password recovery is needed when the local passwords stored on the router are lost. With the password
recovery procedure, all users/passwords in flash memory are deleted and the admin/admin login/password
then becomes valid. However, a full restore of factory settings is done, meaning that the router configuration
is also deleted.
To learn more about restoring the factory settings, refer to 2.6.12 Restoring Factory Settings.
Password recovery is done by entering the following key sequence:
• <ESCAPE>, then
• <CTRL>+Y, and finally
• <CTRL>+N


2.9 CONFIGURATION RECOVERY

2.9.1 Introduction

The router boots up with a default startup configuration that can be loaded at the factory and guarantees that
the network can be reached. A new configuration is imported onto the router flash and the router is rebooted
with that new configuration. If the new configuration is not satisfactory, the router should reboot with the
configuration specified by the recovery mechanism. The new configuration must have the configuration
recovery mechanism configured using the CLI detailed in this chapter.
"Not satisfactory" is a generic term; the criteria that define a configuration as invalid must be well
defined. They are:
• the configuration causes the router to crash;
• the configuration prevents the router from reaching a specific IP address (this should be the network
management IP address: if this IP can be reached, we consider that the NOC (Network Operations
Center) can still fix the configuration remotely in case of incomplete configuration execution);
• SIP gateway registration fails.
When the backup-configuration is set, bsaBoot.inf points to the backup-filename as long as the above
backup criteria are not met. The backup instructions appear at the top of the show running-config; in
other words, the configuration backup is done potentially before a faulty CLI command is executed.
The backup-filename must fulfill the following conditions:
• backup-filename exists, is not empty and has a file size that is less than 100 Kbytes
• The file contains only valid ASCII characters (A-Z, a-z, 0-9, \r\n\t, all punctuation marks)
• backup-filename contains the string configure terminal. That’s just a small check in order to
make sure the backup file looks like a configuration file.
The connection status is verified using ICMP echoes with a default timeout of 3 sec and/or the SIP
registration. At the first successful ping, the ping test stops. Once all the configured backup-configuration
criteria are met, /BSA/bsaBoot.inf is restored and points again to the running-config.
If no ping succeeds, no SIP gateway registration succeeds, or the router crashes while loading the
configuration, the router reboots with the backup-configuration. A notification message is generated to
report the final result of the "backup-configuration" test.
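As an added example (not part of the OneOS guide), the following Python script applies the backup-filename conditions listed above to a candidate file before it is pushed to the router; the allowed-character set is taken from the list above, with the space character added as an assumption since configuration lines contain spaces.

```python
import string

# Limits stated for backup-filename in section 2.9.1.
MAX_SIZE_BYTES = 100 * 1024            # the file size must be less than 100 Kbytes
REQUIRED_MARKER = b"configure terminal"

# Bytes allowed in the file: A-Z, a-z, 0-9, \r \n \t and all punctuation marks.
# The space character is added here as an assumption (configuration lines contain spaces).
ALLOWED_BYTES = frozenset(
    (string.ascii_letters + string.digits + string.punctuation + " \r\n\t").encode("ascii")
)


def check_backup_config(data: bytes) -> list:
    """Return the list of conditions the candidate file violates (empty list = file qualifies)."""
    problems = []
    if len(data) == 0:
        problems.append("file is empty")
    if len(data) >= MAX_SIZE_BYTES:
        problems.append("file size %d is not below %d bytes" % (len(data), MAX_SIZE_BYTES))
    offending = sorted({b for b in data if b not in ALLOWED_BYTES})
    if offending:
        problems.append("invalid bytes present: " + ", ".join("0x%02x" % b for b in offending))
    if REQUIRED_MARKER not in data:
        problems.append("string 'configure terminal' not found")
    return problems


def check_backup_file(path: str) -> list:
    """Same check for a file on disk; a missing file fails the 'exists' condition."""
    try:
        with open(path, "rb") as fh:
            return check_backup_config(fh.read())
    except FileNotFoundError:
        return ["file does not exist"]


# Constructed sample: a minimal last-known-good configuration (not an actual OneOS configuration).
GOOD_CONFIG = b"""configure terminal
! constructed sample, not an actual OneOS configuration
hostname lab-router
interface fastethernet 0/0
 ip address 10.10.10.2 255.255.255.0
 no shutdown
exit
exit
"""

# The same text saved by an editor as UTF-16: the byte-order mark and NUL bytes
# violate the character rule, and the marker is no longer a contiguous byte string.
UTF16_CONFIG = GOOD_CONFIG.decode("ascii").encode("utf-16")

if __name__ == "__main__":
    for name, data in (("good", GOOD_CONFIG), ("utf-16", UTF16_CONFIG), ("empty", b"")):
        print(name, "->", check_backup_config(data) or "OK")
```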

2.9.2 Configuration Commands

First, the criteria to reboot with backup configuration must be defined within a check list:
CLI(configure)> [no] check-list <name>
CLI(config-chk-list)>

Sending a ping to a destination can serve as a backup criterion: if the ping fails, the router reboots with the
backup configuration. If the ping criterion is used, the next command must be entered:
CLI(config-chk-list)> ping target <ip-address>

All the following parameters are optional. The initial delay before sending the first ping is 60 seconds by
default. To modify this value, enter:
CLI(config-chk-list)> ping init-delay <seconds>

By default a ping is sent every 10 seconds; to choose another interval:
CLI(config-chk-list)> ping retries-interval <seconds>

By default, the source IP of ping packets is the IP of the output interface. To force this IP:
CLI(config-chk-list)> ping source <interface> <unit>


The timeout to consider a ping test failed is 3 seconds. To remove the ping criterion:
CLI(config-chk-list)> no ping

To use SIP gateway registration status as backup criterion, the command is:
CLI(config-chk-list)> [no] sip-gw-registration

Then, enter exit:
CLI(config-chk-list)> exit

The check list is an object whose status is OK or KO (the overall status is OK only if sip-gateway
registration and ping tests are OK). The check list is then attached to a backup configuration element. If
the checklist is not OK at the backup configuration timeout, the router reboots with the backup filename as
start configuration. The configuration of backup configuration is as follows:
CLI(configure)> backup configuration
CLI(cfg-backup)>

The checklist is attached / detached with the next commands:
CLI(cfg-backup)> checklist <name>
CLI(cfg-backup)> no checklist

The timeout (180 seconds by default) is set with:
CLI(cfg-backup)> timeout <seconds>

The backup filename is entered with the command below:
CLI(cfg-backup)> filename <path/name>

Example:
configure terminal
! Start by setting the backup configuration
backup configuration
filename /BSA/config/mylastgood.cfg
timeout 240
check-list mylist
exit
! Then set the check-list configuration
check-list mylist
ping target 10.10.10.1
ping init-delay 30
ping retries-interval 30
ping source bvi 3
sip-gw-registration
exit
! Continue with my nominal equipment configuration
(...)
exit

2.9.3 Statistics

CLI> show system backup configuration
overall status: {not configured|test in progress|no configuration backup needed}
check-list name: mylist
[check-list status: {not existing|not configured|pending|unsuccessful|successful}]

CLI> show check-list [<check-list-name>]
check-list: mylist
- ping init-delay: 30
- ping retries-interval: 30
- ping source: bvi 3
- ping target: 10.10.10.1
- ping status: {not configured|pending|unsuccessful|successful}
SIP gateway registration status: {not configured|pending|unsuccessful|successful}


2.10 SNMP BASED MANAGEMENT

The device is manageable via the SNMP protocol, by means of its embedded SNMP agent.
The device can be managed using three security models: the SNMP v1, SNMP v2C or SNMP v3 protocol. The
first two protocols provide a lower level of security; the last offers the ability to authenticate and encrypt
SNMP messages.
• By default, the IP source address of SNMP messages is the IP address of the outgoing interface used
by these SNMP messages.
To set another SNMP IP source address, use the following command in global configuration mode:
CLI(configure)> snmp source { <interface> | any }

Use any to return to the default interface.
• SNMP source is by default in the default VRF. Use the following command to set the VRF manually:
CLI(configure)> [no] snmp vrf <vrf-name>

Use the no form of this command to return to the default VRF.
• By default, the IP source address of SNMP traps is the IP address of the outgoing interface used by
these SNMP traps.
To set another SNMP trap IP source address, use the following command in global configuration
mode:
CLI(configure)> snmp trap-source { <interface> | any }

Use any to return to the default interface.
• SNMP trap source is by default in the default VRF. Use the following command to set the VRF
manually:
CLI(configure)> [no] snmp trap-source vrf <vrf-name>

Use the no form to return to the default VRF.
• By default, OneOS provides, for the MIB-2 ifDescr object, names of physical interfaces with the suffix
_physical (e.g. "bri0/0_physical").
To remove the suffix as in CLI commands (i.e. "bri0/0"), the next command is available:
CLI(configure)> [no] snmp mib-ifdescr short

Use the no form to return to the default behavior.
• By default, OneOS provides, for the MIB-2 ifDescr object, interface names with no space between
interface and unit (e.g. "fastEthernet0/0"). To add a space as in CLI commands (i.e.
"fastEthernet 0/0"), the next command is available:
CLI(configure)> snmp config ifdescr-with-space

Use the following command to return to the default behavior (with no space).
CLI(configure)> snmp config ifdescr-no-space


2.10.1 SNMP v1/v2

2.10.1.1 When using IPv4

To restrict access to device management data by using SNMP v1/v2, community names can be defined in
global configuration mode:
• The following command sets the community for read only access:
CLI(configure)> snmp set-read-community <ro-community> [<encryption>]
[<acl-name>] [v2group <group-name>]

o <ro-community> is the read-only community string.
o <encryption> is optional. When set to 0, the password is entered in clear text. When set to 1, the
password is entered already encrypted using the encryption algorithm #1.
o <acl-name> is the name of an IPv4 access list. This option allows using an IPv4 access list to
filter traffic.
o <group-name> is the name of an SNMP group.
• The following command sets the community with the read+write access:
CLI(configure)> snmp set-write-community <rw-community> [<encryption>]
[<acl-name>] [v2group <group-name>]

• By default, public community is used for read-only access, while private community is used for
read-write access.
• To remove SNMP v1 and SNMP v2 access, use the following commands:
CLI(configure)> no snmp set-read-community <ro-community>
CLI(configure)> no snmp set-write-community <rw-community>

Note that the <ro-community> and <rw-community> can be omitted when using the no
commands.
• SNMP v1 and v2 traps are configurable, provided that event managers are configured.
For more information, go to the next chapter on traces and events.

2.10.1.2 When using IPv6

When using IPv6, the commands are similar to when using IPv4, except that an IPv6 access list must be
used:
• The following command sets the community for read only access:
CLI(configure)> snmp set-read-community <ro-community> [<encryption>]
[ipv6 <acl-name>] [v2group <group-name>]

o <acl-name> is the name of an IPv6 access list. This option allows using an IPv6 access list to
filter traffic.
• The following command sets the community with the read+write access:
CLI(configure)> snmp set-write-community <rw-community> [<encryption>]
[ipv6 <acl-name>] [v2group <group-name>]

• To remove SNMP v1 and SNMP v2 access, use the following commands:
CLI(configure)> no snmp set-read-community <ro-community>
CLI(configure)> no snmp set-write-community <rw-community>

Note that the <ro-community> and <rw-community> can be omitted when using the no
commands.


2.10.2 View-Based SNMP Access Control

SNMP views can be configured to allow certain users to read, write or be notified for only certain parts of
the MIB tree. SNMP views are typically configured when a telecom operator wants to access all MIB while
allowing its customers to only see part of the MIB tree (e.g. counters related to the LAN/WLAN interface).
The default views are the following:
• v1default: all MIBs except the OID 1.3.6.1.6, i.e. the SNMP v3 objects
• v3default: all MIBs
To configure an SNMP view, use the following command line:
CLI(configure)> snmp view <view-name> <oid> { included | excluded }
CLI(configure)> no snmp view <view-name> [<oid>]

• oid stands for the root Object ID in the MIB tree (in the form a.b.c.d…). For example, the 1.3.6
OID stands for access to the whole Internet MIB.
• included indicates that the objects in this sub-tree are part of the view.
• excluded means they are not visible.
• You can combine included and excluded sub-trees for the same view-name. This makes it possible to
define sub-trees that are globally visible except for a few items in the sub-tree.
SNMP groups give access rights and authorization to a group of users. A group states the minimum security
level to use for users belonging to this group. To configure an SNMP group, use the following command:
CLI(configure)> snmp group <group-name> {v1 | v2c | v3 | v3auth | v3priv}
[read <view-name>] [write <view-name>]
[notify <view-name>] [acl <acl-name>]

CLI(configure)> no snmp group <group-name> {v1 |v2c |v3 |v3auth |v3priv}

Then, the group is required when configuring SNMP v3 users (see next paragraph).
To apply the SNMP view on a read/write v2C community, use the following command:
CLI(configure)> snmp { set-read-community | set-write-community }
<community> [<acl-name>] v2group <group-name>
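As an added example (not code from the guide), this Python function evaluates whether an OID is visible through a view built from snmp view entries, resolving combined included/excluded sub-trees by the most specific (longest) matching sub-tree, and filters a constructed walk through the v1default view and a constructed customer view limited to the interfaces group. Bear in mind that a view only limits what a community sees: the default public/private communities of 2.10.1 are well known and still need replacing.

```python
# An SNMP view is a list of (sub-tree OID, "included"|"excluded") entries,
# as created by: snmp view <view-name> <oid> { included | excluded }

def oid_to_tuple(oid: str) -> tuple:
    """'1.3.6.1.2.1' or '.1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def oid_in_view(view: list, oid: str) -> bool:
    """True if the OID is visible through the view.

    Every entry whose sub-tree is a prefix of the OID matches; the entry with the
    longest sub-tree wins (so 'excluded 1.3.6.1.6' overrides 'included 1.3.6').
    An OID matched by no entry is not visible.
    """
    target = oid_to_tuple(oid)
    best_len, best_kind = -1, "excluded"
    for subtree, kind in view:
        prefix = oid_to_tuple(subtree)
        if len(prefix) > best_len and target[:len(prefix)] == prefix:
            best_len, best_kind = len(prefix), kind
    return best_kind == "included"


def filter_walk(view: list, oids: list) -> list:
    """Keep only the OIDs of a (simulated) walk that the view lets through."""
    return [oid for oid in oids if oid_in_view(view, oid)]


# Default v1 view as shown by 'show snmp view' in this guide.
V1DEFAULT = [("1.3.6", "included"), ("1.3.6.1.6", "excluded")]

# Constructed customer view: only the MIB-2 interfaces group (ifTable is under 1.3.6.1.2.1.2).
CUSTOMER_IF_VIEW = [("1.3.6.1.2.1.2", "included")]

# Constructed sample of OIDs a manager might walk (standard MIB-2 / SNMPv3 objects).
SAMPLE_WALK = [
    "1.3.6.1.2.1.1.5.0",          # sysName.0
    "1.3.6.1.2.1.2.2.1.10.1",     # ifInOctets.1
    "1.3.6.1.6.3.15.1.1.4.0",     # usmStatsUnknownEngineIDs.0 (SNMPv3 sub-tree)
]

if __name__ == "__main__":
    print("v1default sees:", filter_walk(V1DEFAULT, SAMPLE_WALK))
    print("customer view sees:", filter_walk(CUSTOMER_IF_VIEW, SAMPLE_WALK))
```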


2.10.3 SNMP v3

SNMP v3 manages three levels of security:
• The lowest level of security provides the same level of security as in v1 or v2. A user name
authenticates SNMP packets.
• A medium level of security provides authentication using one authentication algorithm: MD5 or SHA1.
This technique ensures data integrity and data origin authentication.
• The high level of security, in addition to authentication, provides encryption with the following possible
algorithms: DES, AES128, AES192, AES256, 3DES. This permits privacy of management flows.

2.10.3.1 Basic Configuration

• To configure access to device management data by using SNMP v3, user names can be defined.
Prior to configuring users, a unique engine ID must be defined. By default, engineId is based on the
MAC address of the Ethernet interface.
To configure a new engineId, use the following command in configuration mode:
CLI(configure)> snmp engine-id <engineId>

Warning: As user security parameters are associated with local engineId, a change in the
engineId automatically removes all configured users.

• To reset the default engineId, use the following command in configuration mode.
CLI(configure)> default snmp engine-id

• As key material is tightly related to the engineId, all users declared prior to the change, have the
wrong key material. It is strongly advised to reconfigure passwords for each user, so that user
configurations become valid.


Creating users

• As of OneOS V5.1R5 software release: to create an SNMP v3 user, use the following command in
configuration mode:
CLI(configure)> snmp user <user-name> <group-name> v3
[ auth { md5 | sha } <auth-password>
| priv {des | aes{ 128 | 192 | 256} | 3des } <enc-password>]

If neither authenticated nor encrypted access is chosen when configuring a user, the lowest
security level is configured for that user. The chosen group security profile must match the user's: a
group configured with only the auth attribute can only be associated with users configured for v3
authentication (without encryption).
If it is required to activate authentication and encryption, two commands must be entered; for
example:
CLI(configure)> snmp user username groupname v3 auth md5 auth-password
CLI(configure)> snmp user username groupname v3 priv aes256 enc-password

• Prior to OneOS V5.1R5 software release: to create an SNMP v3 user, use the following command in
configuration mode:
CLI(configure)> snmp user <user-name> <group-name> v3
[ auth { md5 | sha } <auth-password>
| priv des <enc-password>]

If neither authenticated nor encrypted access is chosen when configuring a user, the lowest
security level is configured for that user. The chosen group security profile must match the user's: a
group configured with only the auth attribute can only be associated with users configured for v3
authentication (without encryption).
If it is required to activate authentication and encryption, two commands must be entered; for
example:
CLI(configure)> snmp user username groupname v3 auth md5 auth-password
CLI(configure)> snmp user username groupname v3 priv des enc-password

• Prior to OneOS V5.1R2E2 software release: to create an SNMP v3 user, use the following command
in configuration mode:
CLI(configure)> snmp user <user-name> <group-name> v3
[ auth { md5 | sha } <auth-password>
| encrypted auth { md5 | sha } <enc-password>]

• To remove a user, use the following command in configuration mode:
CLI(configure)> no snmp user <user-name> v3

• SNMP v3 traps are configurable, using event managers. However, users need to be declared so that
the necessary security level is retrieved inside the agent.


Allowed characters for passwords

When configuring authentication and privacy passwords as described above, the following characters can
be used for the passwords:
• all letters of the alphabet, including capital letters
• all numerical characters
• all special characters, except:
o exclamation mark, !
o question mark, ?
o space
However, it is possible to use these three special characters by placing the entire string between quotation
marks (") or between apostrophes (').

Allowed characters for group names

When configuring users as described above, the following characters can be used for the <group-name>:
• all letters of the alphabet, including capital letters
• all numerical characters
• special character: underscore, _
All other characters are not allowed.

Example

snmp group v3grp v3priv read view_all write view_all
snmp view view_all 1.3 included
snmp user v3user v3grp v3 auth md5 v3useruser
snmp user v3user v3grp v3 priv des v3useruser

Under Linux, the corresponding snmpwalk command is:
snmpwalk -v 3 -u v3user -a MD5 -A v3useruser -x DES -X v3useruser 10.100.30.1 1.3


2.10.3.2 SNMP v3 Informs

• To send SNMP v3 informs, remote users and remote entities need to be known.
Inform requests are notifications that have to be acknowledged by the remote SNMP v3 entity (the
manager the informs are sent to). When an inform request is sent, the manager answers the device
with a response PDU. This reply assures the emitting OneOS-based router that the notification reached
its intended destination.
SNMP v3 informs are sent with the security parameters associated with the remote manager, i.e. the
remote engineId and the associated user security parameters.
• There are several ways to learn the remote engine ID. To retrieve the engineId and its timing
parameters from a remote IP address, use the following command in global configuration mode:
CLI(configure)> snmp discover remote-agent <A.B.C.D>

This command triggers a discovery process that sends SNMP get request packets and waits for
SNMP get responses from the remote entity.
• It is also possible to manually configure an engineId associated with an IP address with the
following command in configuration mode:
CLI(configure)> snmp engine-id <engineId> remote <A.B.C.D>
[ max-msg-size <0-8192>]

• If the above commands are successful, the retrieved engineId is saved in a local configuration
datastore (LCD).
The LCD can be filled in dynamically when triggering the discovery process by sending an SNMP v3
inform, or by configuring an SNMP v3 user.
• To delete a remote engineId from the local configuration datastore, use the following command in
configuration mode:
CLI(configure)> no snmp engine-id <engineId> remote <A.B.C.D>

• The command below creates an SNMP v3 user with its remote IP address. A discovery process will
retrieve the remote engineId to obtain authentication or encryption keying material.
CLI(configure)> snmp user <user-name> <group-name> v3
remote ip-address <A.B.C.D>
[ auth { md5 |sha } <auth-password>
| encrypted auth { md5 |sha } <priv-password>]

Refer to 2.10.3.1 Basic Configuration for a description of allowed characters in passwords and group
names.
• To configure a user without triggering the discovery process, you can associate a user to the remote
engineId by using the following configuration command:
CLI(configure)> snmp user <user-name> <group-name> v3
remote engine-id <engineId>
[ auth { md5 | sha } <auth-password>
| encrypted auth { md5 | sha } <priv-password>]

Refer to 2.10.3.1 Basic Configuration for a description of allowed characters in passwords and group
names.


• To remove a remote user from the local configuration datastore, use the following configuration
command:
CLI(configure)> no snmp user <user-name> v3 remote engine-id <engineId>
CLI(configure)> no snmp user <user-name> v3 remote ip-address <A.B.C.D>

• Use the following configuration command to define, in seconds, the timeout for inform responses.
Use the no form of the command to restore the default value (15 s).
CLI(configure)> [no] snmp informs timeout <2-60>

• Use the following configuration command to define the number of retries when sending informs.
Use the no form of the command to restore the default value (3).
CLI(configure)> [no] snmp informs retry-count <0-255>

2.10.3.3 SNMP v3 User Storage

• By default, the SNMPv3 users are stored in the file snmpv3_users.log on the file system of the device;
note that the username/password details are always stored in encrypted form, never as clear text.
• The following command allows storing the SNMP v3 users either in a separate file (the default) or
in the configuration:
CLI(configure)> snmp user-store <storage-type>

o <storage-type> can be either file or configuration.
o When the configuration keyword is configured, the SNMP v3 user details and credentials
are stored at the end of the configuration, in encrypted form.
o When the file keyword is configured, which is the default setting, the SNMP v3 user details
and credentials are stored in the file snmpv3_users.log, also in encrypted form.
Note that this setting is not shown when running the show running-config command.
• Keep the following in mind: since the SNMP v3 user keys are derived using the engine-id, moving a
configuration with encrypted passwords to a router with a different engine-id does not work: the
users need to be reconfigured.
So when replacing the OneOS router with a new device, just putting the same configuration file on the
new device is not enough to restore the SNMPv3 functionality.


2.10.4 IPv6 Access Lists

An IPv4 access list can be attached either to SNMP communities (SNMP v1/v2) or to an SNMP group (SNMP
v1/v2/v3). The SNMP manager is enabled de facto when IPv6 is enabled in the OneOS-based router. An
IPv6 access list can be bound to the SNMP manager to prevent unwanted access from specified sources.
The ACL binding is configured as follows under global configuration mode:
CLI(configure)> bind snmp acl ipv6 <ipv6-acl>

2.10.5 Miscellaneous

At any stage of the configuration, information about the SNMP agent can be modified. To configure the
location of the device, use the following command line:
CLI(configure)> [no] snmp location <text: 1-255 char>

To configure the person to contact, for managing the device, use the following command line:
CLI(configure)> [no] snmp contact <text: 1-255 char>

To configure a string that uniquely identifies the device, use the following command line:
CLI(configure)> [no] snmp chassis-id <text: 1-255>

By default, chassis-id is a MIB variable given by the manufacturer; this identifier is made up of the type of
equipment followed by a serial number.
In order to avoid IP fragmentation, the SNMP v1, v2 and v3 agent provides a command line to limit the
maximum SNMP message packet size. Thus, if the SNMP messages built by the agent would be larger than the
configured packet size, an SNMP 'too big' message is sent to the manager.
CLI(configure)> snmp max-message-size <size: 484-8192>

The SNMP v3 agent uses this maximum value to limit the size of outgoing SNMP packets. In addition, this
maximum message size is sent in SNMP v3 queries, as the remote entity is not allowed to respond with
messages greater than the size requested by the initiator.
To restore the default values, use the no form of the command:
CLI(configure)> no snmp max-message-size


2.10.6 Event Managers

To add a SNMP manager (up to 10), use the following command in global configuration mode:
CLI(configure)> event manager { <A.B.C.D> | <X:X:X::X> | <hostname> }
[<port>]
[v1 | v2 | v3 | v3auth | v3priv]
[<name>] [<encryption>] [informs]

• port is the destination port for sending traps.
• v1 and v2 are for sending SNMP v1 and v2 traps.
• v3, v3auth and v3priv are for sending SNMP v3 traps respectively without authentication, with
authentication, and with authentication and privacy.
• name is the community string for SNMP v1 and v2, and the username for SNMP v3.
• encryption (only available for SNMP v1 and v2) is set to 0 to have the community string entered in
clear text and then encrypted, and set to 1 to have the community string entered already encrypted.
• informs (only available for SNMP v3) is used to send inform messages to the manager.
If neither port, nor version, nor name is chosen, a manager is created with the given address, the
community string "public", version 2 and destination port 162.
To remove an SNMP manager, use the following command:
CLI(configure)> event no manager { <A.B.C.D> | <X:X:X::X> | <hostname> }
[<port>]
[v1 | v2 | v3 | v3auth | v3priv]
[<name>] [<1:encrypted>] [informs]

To display the configured event managers, use the following command line:
CLI> show event manager
10.1.2.1:162 V2 "public"
10.1.2.1:162 V3 "admin" authPriv

2.10.7 Adapting SNMP Traps

By default, an SNMP trap is sent for the following events: cold/warm start, link up/down, authentication
failures (bad SNMP communities).
To enable/disable such standard SNMP traps, use the following command:
CLI(configure)> [no] snmp traps { standard | acl | bgp | ipsec | isakmp
| isdn | nat | pstn | vrrp }

2.10.8 Debugging SNMP

You can use the following command to help you debug configuration issues with SNMP:
CLI> debug snmp [packet | info | inform | error]

The options provide the following information:
• packet: source/destination IP addresses of SNMP packets
• info: detailed information on SNMP packets
• inform: details about SNMP informs
• error: protocol errors and warnings


2.10.9 SNMP Statistics

• At any stage of the configuration, information about SNMP can be displayed. To display the statistics
related to SNMP, use the following command line:
CLI> show snmp statistics
SNMP statistics:
IN: 120 total
0 bad version, community error: 0 bad name, 0 bad uses
0 ASN parse errors, trap authentication enabled
0 bad types, 0 too big, 0 no such name, 0 bad values
0 read only, 0 gen error, 120 total req, 0 total set
0 get requests, 120 get next, 0 set requests, 0 get responses
0 unknown security models
0 invalid, 0 unknown PDU handler, 0 unavailable context, 0 unknown context
0 unsupported sec level, 0 unknown engine Id, 0 wrong digest, 0 decryption error
OUT: 126 total
0 too big, 0 no such name, 0 bad values
0 read only, 0 gen error
0 traps, 120 get responses

• Use the following clear command in global configuration mode to reset SNMP counters:
CLI> clear snmp statistics

• To display the SNMP v1 and v2 configuration elements, use the following command:
CLI> show snmp community
no SNMP write community configured
SNMP read community: public

• To display the configured managers, use the following command:
CLI> show snmp managers
10.1.2.1:162 V3 "guest1" noAuthNoPriv
10.1.2.1:162 V3 "admin" authPriv

• To display the configured SNMP v3 engine ID, use the following command:
CLI> show snmp engine-id
Local SNMP engineId:
80003387030008005101001b

• To display the configured SNMP v3 users, use the following command:
CLI> show snmp users
user group EngineId active
admin private 80003387030008005101001b yes
guest1 public 80003387030008005101001b yes


• To display the configured SNMP v3 groups, use the following command:
CLI> show snmp groups
groupname: public security mode:v3 no auth
read view: all write view: <none>
notify view: all state: active [nonvolatile]

groupname: private security mode:v3 auth
read view: all write view: all
notify view: all state: active [nonvolatile]

• To display the SNMP views configured, use the following command:
CLI> show snmp view
snmp view all 1.3.6 included - active [nonvolatile]
snmp view v1default 1.3.6 included - active [nonvolatile]
snmp view v1default 1.3.6.1.6 excluded - active [nonvolatile]

• SNMP traps can be shown when running the show running-config command,
with option include snmp trap:
CLI(configure)> show running-config | include snmp trap

Example output:
CLI(configure)> show running-config | include snmp trap
snmp traps acl
no snmp traps standard
snmp traps config
snmp trap-source vrf VRF_3
snmp traps shdsl
snmp traps vrrp
snmp set-write-community "private"
snmp set-read-community "public"
snmp traps cfm
snmp traps ether-oam


2.11 RMON MECHANISM

2.11.1 Introduction

• RMON is a monitoring feature related to Simple Network Management Protocol (SNMP) that can
generate alarms.
• The RMON alarm generation mechanism is realized with the following three applet actions:
o action alarm computes the alarm against its thresholds and raises it; refer to
6.5.2.10 Sending an alarm as a trigger action using applet.
o action rmon-trap generates the RMON trap; refer to 6.5.2.11 Sending a RMON trap.
o action if-alarm conditions further actions (e-mail/syslog) on the alarm computation; refer to
6.5.2.12 Action if-alarm based on alarm computation.

2.11.2 Configuration Examples

2.11.2.1 Absolute Example

event manager applet falling-alarm
event timer watchdog time 10
action "1.0" cli "show interfaces g 1/0"
action "1.1" regexp "IN: ([0-9]+) packets" "$_cli_result" "match10" "IN_packets"
action "1.2" alarm "120" "$IN_packets" "absolute" rising 20 "falling" "10" owner "Delta-Falling-LB10-InPackets"
action "1.3" rmon-trap "120" ".1.3.6.1.2.1.31.1.1.1.11.114.564"
action "1.4" if-alarm 114 "rising"
action "1.5" syslog server "100.0.0.2" severity "alerts" msg "Alarm Falling" facility 23
action "1.6" end

o With the rising threshold at 20 and the falling threshold at 10, consider the following sampled values:
30 40 5 6 12 25
- Rising traps will be generated for values 30 and 25.
- Falling trap will be generated for value 5.

2.11.2.2 Delta Example

event manager applet falling-alarm
event timer watchdog time 10
action "1.0" cli "show interfaces g 1/0"
action "1.1" regexp "IN: ([0-9]+) packets" "$_cli_result" "match10" "IN_packets"
action "1.2" alarm "114" "$IN_packets" "delta" rising 20 "falling" "10" owner "Delta-Falling-LB10-InPackets"
action "1.3" rmon-trap "114" ".1.3.6.1.2.1.31.1.1.1.11.114.564"
action "1.4" if-alarm 114 "rising"
action "1.5" syslog server "100.0.0.2" severity "alerts" msg "Alarm Falling" facility 23
action "1.6" end

o With the same thresholds (rising 20, falling 10) applied to the difference between successive
samples, consider the following sampled values:
40 65 70 60 50 72
- Rising traps will be generated at 65 and 72.
- Falling trap will be generated at 70.
- Syslog messages will be generated at 65, 70 and 72.
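The trap sequences of the absolute and delta examples above can be reproduced offline with the following model of the RMON alarm hysteresis. This is an added example, not OneOS code; it assumes that a rising trap re-arms only after a falling trap (and vice versa), that the first sample may already raise a trap in absolute mode, and that in delta mode the first sample only seeds the previous value.

```python
"""RMON-style alarm evaluation for the absolute and delta applets above.

Added example (not OneOS code). Assumptions not stated on the page: a rising
event re-arms only after a falling event (and vice versa), the first sample
may raise an event in absolute mode, and in delta mode the first sample only
seeds the previous value.
"""

from typing import List, Optional, Tuple


class RmonAlarm:
    """One RMON alarm entry: thresholds plus the state needed for hysteresis."""

    def __init__(self, rising: int, falling: int, method: str = "absolute") -> None:
        if method not in ("absolute", "delta"):
            raise ValueError("method must be 'absolute' or 'delta'")
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        self.rising = rising
        self.falling = falling
        self.method = method
        self.last_event: Optional[str] = None   # "rising", "falling" or None
        self.prev_sample: Optional[int] = None  # only used in delta mode

    def feed(self, sample: int) -> Optional[str]:
        """Evaluate one sample; return "rising", "falling" or None (no trap)."""
        if self.method == "delta":
            if self.prev_sample is None:
                self.prev_sample = sample   # first sample: nothing to diff against
                return None
            value = sample - self.prev_sample
            self.prev_sample = sample
        else:
            value = sample

        event = None
        # A rising trap fires when the value reaches the rising threshold and the
        # alarm is not already in the "rising" state (it re-arms only after a
        # falling trap); the falling side is symmetric.
        if value >= self.rising and self.last_event != "rising":
            event = "rising"
        elif value <= self.falling and self.last_event != "falling":
            event = "falling"
        if event is not None:
            self.last_event = event
        return event


def run_alarm(samples: List[int], rising: int = 20, falling: int = 10,
              method: str = "absolute") -> List[Tuple[int, str]]:
    """Return (sample, event) for every sample that produced a trap."""
    alarm = RmonAlarm(rising, falling, method)
    traps: List[Tuple[int, str]] = []
    for sample in samples:
        event = alarm.feed(sample)
        if event is not None:
            traps.append((sample, event))
    return traps


def if_alarm(traps: List[Tuple[int, str]], kind: str) -> List[int]:
    """Mirror of the if-alarm action: the samples on which a trap of `kind` fired."""
    return [sample for sample, event in traps if event == kind]


if __name__ == "__main__":
    # Sample values taken from the two configuration examples (rising 20, falling 10).
    print("absolute:", run_alarm([30, 40, 5, 6, 12, 25]))
    print("delta   :", run_alarm([40, 65, 70, 60, 50, 72], method="delta"))
```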

2.11.3 Statistics

• Use the following command to show the alarm history of a specific applet:
CLI> show event manager alarm history <applet-name>

For example:
CLI> show event manager alarm history app5
Alarm History of applet app5
---------------------------------------------------------------------------------------------
AlarmIndex  Method    Type     Threshold  AlarmValue  Time Of Alarm        Owner
112         absolute  rising   80         1367        2016-01-01 00:08:08  owner1
112         absolute  falling  60         7           2016-01-01 00:11:14  owner1
112         absolute  rising   80         199         2016-01-01 00:12:30  owner1

• Use the following command to show the complete alarm history:
CLI> show event manager alarm history

2.12 TRACES AND EVENTS

2.12.1 Introduction

The device can provide event information about the interfaces and protocols on the CLI, on the console
port, in a log file managed by the file system, or by sending it to a syslog server. Some events can also
generate SNMP traps.

2.12.2 Event Filters

• To read the events, filters must be defined. Each filter defines a family of events, a severity code and
the output device (CLI, Console, file, SNMP trap, syslog).
o CLI: displays the filtered events on the CLI session from which the filters were created.
o File: records the filtered events in a file.
o Console: shell/debug interface on the serial port.
o SNMP trap: upon occurrence of the selected events, the information is sent to the SNMP
manager as an SNMP trap. This mechanism lets the user select the specific events that
shall be monitored in the SNMP management system.
o Syslog: the event is sent to a syslog server.
• Several filters can be defined simultaneously. When an event is matched by one of the filters, the event
is recorded.
• To add a filter, use the following command:
CLI> event filter add <group> <family> { all | <subfamilies> } [<type>] [<severity>] [argument <argument>] <action list>

o A list of managed events can be found in Annex A – List of Managed Events.
o group: sys (for system), adm (management), wan (data interfaces), ip, ipsec, vox (voice).
o family: depends on the selected group.
o subfamilies: depend on the selected family and group.
o type: this optional item may be info, warning, error, fatal or event.
o severity: this optional item can be 1 up to 8.
o argument.
o action list: list of possible actions (several actions can be configured simultaneously):
- drop: the event is suppressed.
- log: the event is recorded in a file.
- show: the event is output on the console port (shell).
- mem: the event is stored in memory to be displayed on the CLI interface.
- trap: generation of SNMP v1 traps towards an SNMP manager that must be configured
(see below).
- syslog: generation of events to a SYSLOG server that must be configured.

Example:
CLI> event filter add sys GSHDSL ALL SHOW MEM LOG TRAP

2.12.3 Logging NAT Sessions via Syslog

• Any NAT session can be logged and sent to a syslog server using the following command:
CLI> event filter add ip nat { all | <subfamilies> } [<type>] [<severity>] [argument <argument>] <action list>

With:
o A list of managed events can be found in Annex A – List of Managed Events.
o type: (optional) may be info, warning, error, fatal, event.
o severity: (optional) may be 1 up to 8.
o action list: use syslog to send the logging information to a syslog server.

• Records are sent for each session (between the local address and the global address to which the
local address is translated), when the session is created and when it is destroyed.
• Records are sent to the syslog server in ASCII format.
• Activating NAT logging does not disable the Software Programmable Forwarding path (SP-FWD).
• The NAT logging records include:
o Source IP address
o Destination IP address
o Translated source IP address
o Translated destination IP address
o Original source port
o Original destination port
o Translated source port
o Translated destination port
o VRF ID
o Protocol
o Timestamp

2.12.4 Logging the IPsec IKE State via Syslog

• An event can be generated when an IKEv1 or IKEv2 tunnel is created or deleted, and it can be sent to
a syslog server, using the following commands:
CLI> event filter add ipsec ikev1 [<subfam>] [<type>] [<severity>] <action list>
CLI> event filter add ipsec ikev2 [<subfam>] [<type>] [<severity>] <action list>

With:
o subfam: all, phase1 or phase2 can be entered here.
o type: (optional) may be info, warning, error, fatal, event.
o severity: (optional) may be 1 up to 8.
o action list: use syslog to send the logging information to a syslog server.

2.12.5 Showing and removing filters

• To show the current filters, use the following command:
CLI> show event filters
Filter 1: g:SYS f: +GSHDSL, sf: ALL, sever: All,
type: All,action LOG+SHOW+MEM+,argument NONE

• To remove all the filters, use the following command:
CLI> event filter remove all

• To remove a specific filter (for example #2), use the following command:
CLI> event filter remove 2

2.12.6 Reporting login attempts

• It is possible to generate a log and send syslog messages for successful and failed login attempts
made through:
o Telnet
o SSH
o Serial (VTY)

• To generate a log and send syslog messages for successful login attempts, use the following
command:
CLI> login on-success log

• To generate a log and send syslog messages for failed login attempts, use the following command:
CLI> login on-failure log

• The syslog messages are also buffered to memory and passed to the console.
• The syslog messages contain the following elements:
o Timestamp: the time at which the syslog message is sent.
o Facility number 4 (auth).
o Severity 5 for success, 4 for failure.
o Message description including:
- Short description of the event: LOGIN_SUCCESS or LOGIN_FAILED.
- Hostname of the device, for example Vxworks.
- User identification: the username used for the connection attempt.
- Management channel (VTY / SSH / Telnet).
- Source IP address.
- Destination port.
- Timestamp when the login succeeded or failed.

Examples of syslog messages:

Jul 23 21:43:35 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for Telnet user 'admin' from Source IP Address '10.20.30.40' Local Port '23' at 21:43:32 IST Wed July 23 2014

Jul 23 22:01:45 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for SSH user 'admin' from Source IP Address '10.20.30.50' Local Port '22' at 22:01:45 IST Wed July 23 2014

Jul 23 21:41:30 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for VTY user 'admin' from Local Serial at 21:41:28 IST Wed July 23 2014

Jul 23 21:44:48 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for Telnet user 'admin' from Source IP Address '10.20.30.60' Local Port '23' at 21:44:47 IST Wed July 23 2014

Jul 23 22:05:22 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for SSH user 'admin' from Source IPv6 Address '2001::230:eff:fe30:22a9' Local Port '22' at 22:05:22 IST Wed July 23 2014

Jul 23 21:41:52 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for VTY user 'admin' from Local Serial at 21:41:49 IST Wed July 23 2014
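The login messages above can be parsed on the syslog server and turned into a simple detection of failed-login bursts and of a success following failures from the same source. This is an added example, not OneOS code: the sample lines are constructed in the guide's message format (hostname and relay address follow the examples above), and the "console" label for serial (VTY) logins and the failure threshold are choices of this example.

```python
"""Parse OneOS LOGIN_SUCCESS / LOGIN_FAILED syslog messages and flag suspicious
login patterns. Added example, not OneOS code: the sample below is constructed
in the guide's format; the "console" label for serial logins and the failure
threshold are choices of this example.
"""

import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: a burst of failures from one host, then a success from
# that same host, plus the serial and IPv6 cases in the guide's format.
SAMPLE_LOG = """\
Jul 23 21:41:30 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for VTY user 'admin' from Local Serial at 21:41:28 IST Wed July 23 2014
Jul 23 21:43:35 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for Telnet user 'admin' from Source IP Address '10.20.30.40' Local Port '23' at 21:43:32 IST Wed July 23 2014
Jul 23 21:43:41 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for Telnet user 'root' from Source IP Address '10.20.30.40' Local Port '23' at 21:43:39 IST Wed July 23 2014
Jul 23 21:43:50 10.4.33.141 One100D-CPE : #WARN# LOGIN_FAILED for SSH user 'admin' from Source IP Address '10.20.30.40' Local Port '22' at 21:43:48 IST Wed July 23 2014
Jul 23 21:44:48 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for Telnet user 'admin' from Source IP Address '10.20.30.60' Local Port '23' at 21:44:47 IST Wed July 23 2014
Jul 23 21:46:02 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for SSH user 'admin' from Source IP Address '10.20.30.40' Local Port '22' at 21:46:01 IST Wed July 23 2014
Jul 23 22:05:22 10.4.33.141 One100D-CPE : #NOTIFY# LOGIN_SUCCESS for SSH user 'admin' from Source IPv6 Address '2001::230:eff:fe30:22a9' Local Port '22' at 22:05:22 IST Wed July 23 2014
"""

# One pattern covers the three channels: network logins carry a source
# address and local port, serial (VTY) logins carry "Local Serial" instead.
LOGIN_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<relay>\S+) (?P<host>\S+) : "
    r"#(?P<level>[A-Z]+)# (?P<event>LOGIN_SUCCESS|LOGIN_FAILED) for "
    r"(?P<channel>Telnet|SSH|VTY) user '(?P<user>[^']*)' from "
    r"(?:Source IP(?:v6)? Address '(?P<src>[^']+)' Local Port '(?P<port>\d+)'"
    r"|Local Serial) at (?P<when>.+)$"
)

FACILITY_AUTH = 4  # the guide: facility 4 (auth), severity 5 success / 4 failed


def parse_login(line: str) -> Optional[dict]:
    """Return the message fields as a dict, or None if the line is not a login event."""
    m = LOGIN_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["event"] == "LOGIN_SUCCESS"
    if rec["src"] is None:        # serial (VTY) login: no network source
        rec["src"] = "console"    # label chosen by this example
    return rec


def syslog_pri(rec: dict) -> int:
    """PRI value (facility*8 + severity) implied by the guide's facility/severity rules."""
    return FACILITY_AUTH * 8 + (5 if rec["ok"] else 4)


def load_records(text: str) -> List[dict]:
    """Parse every line of a syslog extract, skipping lines that are not login events."""
    return [rec for rec in (parse_login(ln) for ln in text.splitlines()) if rec]


def flag_failure_sources(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Network sources with at least `threshold` failed logins (serial excluded)."""
    fails = Counter(r["src"] for r in records if not r["ok"] and r["src"] != "console")
    return {src: n for src, n in fails.items() if n >= threshold}


def successes_after_failures(records: List[dict]) -> List[Tuple[str, str, str]]:
    """(source, user, channel) of every success from a source that failed earlier.

    Records must be in the order they were logged.
    """
    failed_from = set()
    hits: List[Tuple[str, str, str]] = []
    for r in records:
        if not r["ok"]:
            failed_from.add(r["src"])
        elif r["src"] in failed_from:
            hits.append((r["src"], r["user"], r["channel"]))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("failure bursts:", flag_failure_sources(recs))
    print("success after failures:", successes_after_failures(recs))
```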

2.12.7 Reading the Events

• The events are formatted as follows:
<time> <date> <type> <group> <family> <subfamily> <text>

Examples of events on a DSL uplink:
15:21:48 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 new internal state ST_TIME
15:21:58 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 new internal state ST_STRT
15:22:31 28:09:2044 Event SYS GSHDSL EVT11 1 Gshdsl if=0 UP

• If the SHOW action is selected, the events appear immediately on the console/debug interface.
• If the MEM action is selected, the events are recorded in memory and can be displayed on the CLI
interface with the following command:
CLI> monitor events

The screen is cleared before the events appear and it is no longer possible to enter a CLI command.
To return to CLI mode, press ESC.
• If the LOG action is selected, the events are recorded in the file system (ramdisk device) in two files,
event1.log and event2.log (event1.log is used first and event2.log is used when
event1.log is full, etc.). The files can be uploaded to a TFTP server.
CLI> devs ramdisk:
CLI> ls
Listing the directory /
tmp/ 512
event1.log 3021
running-config 664
event2.log 840

• To recover the events recorded in memory (filter defined with MEM action) after a crash and to display
them on the CLI, enter:
CLI> event recover show

• To recover from memory and save the events in a file (for example: tr1.log) after a crash, enter:
CLI> event recover file tr1.log

2.12.8 System Logging

• The system logging is based on the same mechanism as the events mechanism explained above.
The following command activates the traces and determines the media to which the traces are
redirected (under configuration terminal):
CLI(configure)> [no] logging { buffered | console | file | syslog } { alerts | critical | errors | warnings | notifications | informational | debug }

• The first argument of logging sets the destination of the traces:
o console: the traces are sent to the console interface.
o buffered: the traces are stored in device memory. They can be displayed afterwards using
the show logging command. This is the fastest way to redirect traces and therefore the one
with the least impact on device performance.
When remotely connected using telnet, the monitor trace command allows viewing the
traces on the fly while they are being buffered.
o file: the traces are recorded under ramdisk:/. First, traces are dumped into the file named
trace1.log. When trace1.log is full, trace2.log is used. When trace2.log is full,
trace1.log is erased then re-created and new traces are written in this file.
o syslog: the traces are sent to a syslog server. The syslog client must be configured.
To insert a line-feed automatically for every syslog message, use the following command:
CLI(configure)> [no] logging syslog split-CRLF

• The second argument is the severity level; it sets the level of detail used to filter traces,
alerts being the least detailed filter and debug providing the most traces.
Note that messages with a lower numerical severity value have a higher practical severity than
those with a numerically higher value.

Numerical code  Severity
1               alerts - action must be taken immediately
2               critical - critical conditions
3               errors - error conditions
4               warnings - warning conditions
5               notifications - normal but significant condition
6               informational - informational messages
7               debug - debug-level messages

For debugging purposes, severity level 7 (debug) should be used.
Further details about severity can be found in section 6.2.1 of RFC 5424 - The Syslog Protocol.

• The following is a short extract from a trace output when debugging a cellular connection:
CLI> configure terminal
CLI(configure)> logging buffered debug
CLI(configure)> exit
CLI> debug ip route all
CLI> debug usb
CLI> debug sierra
CLI> debug dialup
CLI> monitor trace
cellularRadioTesting>01:01:21.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:21.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:21.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:21.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:22.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:22.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:22.381 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:22.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:23.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:23.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:23.381 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:23.383 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:24.300 RIP: sending RESPONSE(v2) to 224.0.0.9 via FastEthernet 0/0 (192.168.1.1)
01:01:24.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:24.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:24.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:24.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:24.720 PDS-LV3: PDS SCRIPT_RQ script called
01:01:24.720 PDS-LV3: PDS SCRIPT_RQ accepted
01:01:24.720 PDS-LV4: PDS-AUT [1][0] st [_ini] ev [USR_SCRIP] nature [SCRIPT]
01:01:24.721 PDS-LV4: PDS-AUT [1][0] new state [_sou]
01:01:25.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:25.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:25.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:25.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:25.720 SierraResetFSM: Current State = KeepInReset, Event = TimerOff
01:01:25.720 SierraResetFSM: New State = WaitForUsbDetection
01:01:25.720 PDS-LV4: open modem type 2 rate 17
01:01:25.720 PDS-LV4: oaPds : Vxx ModemConnect failed (ret=-4)
01:01:25.720 PDS-LV3: PDS-T01 [1][0] open COM PORT result=0x2
01:01:25.720 PDS-LV3: PDS SCRIPT_RQ clbk Result=0xfffffffa Cause=0x2
01:01:25.720 PDS-LV4: PDS-T01 [1][0] released
01:01:25.720 PDS-LV4: PDS-AUT [1][0] st [_sou] ev [TSK_TIMER]
01:01:25.720 PDS-LV4: PDS-AUT [1][0] new state [_ini]
01:01:26.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:26.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:26.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:26.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:27.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:27.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:27.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:27.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:28.360 ARP: arptfree for 0x30d43e0 (@ = 192.168.1.4): rt_refcnt = 0
01:01:28.360 IPR: deleted 192.168.1.4/32, FastEthernet 0/0, link
01:01:28.360 ARP: arptfree for 0x32698e8 (@ = 192.168.1.111): rt_refcnt = 2
01:01:28.361 IPR: added 192.168.1.4/32, FastEthernet 0/0, link
01:01:28.361 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:28.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:28.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:28.380 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:29.380 VR: ID 5, advertisement sent via 192.168.1.1 (prio=100)
01:01:29.380 VR: ID 4, advertisement sent via 192.168.1.1 (prio=100)
01:01:29.381 VR: ID 3, advertisement sent via 192.168.1.1 (prio=100)
01:01:29.382 ARP: sent who-has 192.168.1.4 tell 192.168.1.1 (MAC: 00:12:ef:60:17:be) on
FastEthernet 0/0
01:01:29.848 USB device detected: Sierra Wireless, Incorporated/MC8705/hip
01:01:29.856 USB device detected: Sierra Wireless, Incorporated/MC8705/at
01:01:29.857 SierraResetFSM: Current State = WaitForUsbDetection, Event = Detected
01:01:29.857 SierraResetFSM: New State = WaitForSierraSettled

• Another example is the following: a user wishes to view on the fly the debug traces for NAT from a
telnet session.
The commands to enter are:
CLI> configure terminal
CLI(configure)> logging buffered debug
CLI(configure)> exit
CLI> debug ip nat
CLI> monitor trace

• To show the current logging options and to display the buffered logs, use the following command:
CLI(configure)> show logging
Console logging: level debug, 35 messages logged
Buffered logging: disabled
File logging: disabled
Syslog logging: level alerts, 0 messages logged

• The memory buffer size can be increased/decreased if necessary (the default size is 16364 bytes),
using the following command:
CLI(configure)> logging buffered size <16364..131072 bytes>

Note that the buffer size is displayed in show running-config even when it is left at the default value.

• The log file size can be increased/decreased if necessary (the default size is 20000 bytes), using the
following command:
CLI(configure)> trace logging max-filesize <200..20000 bytes>

• Every trace can be generated with the device date and time, or the current time, or the device up time:
CLI(configure)> [no] logging timestamp { datetime [msec] [timezone] | time | uptime }

o With datetime the optional msec argument adds the milliseconds to the actual date and time,
and the optional timezone argument adds the time zone.
o With time only the actual time is displayed.
o With uptime the displayed time is related to the device up-time.

• The memory buffer can be cleared (erased) on request using the following command:
CLI> clear buffered-logging

2.12.9 Configuration History

• This facility records all configuration commands entered since the router last rebooted. This logging is
activated by default (stored in RAM memory).
• The history file size can be increased/decreased if necessary (default size 128 Kbytes), using the
following command:
CLI(configure)> logging config-history max-size <10..256 Kbytes>

• Use the following command to de-activate the logging. Note that this command empties the history
file.
CLI(configure)> no logging config-history

Use the following command to re-activate the configuration logging:
CLI(configure)> logging config-history enable

• Use the following command to display the history of configuration commands:
CLI> show command-config

2.13 PING & TRACEROUTE

2.13.1 IPv4 Ping

It is possible to ping a device from the CLI:
CLI> ping [-t] <target> [<source-address>] [<options>] [vrf <vrf-name>]

• -t (optional) enables a periodical ping, which can be stopped by entering ESCAPE.
• source-address is optional. If not provided, the IP source address is the primary IP address of the
ping output interface.
• The options for the ping command are the following:
o -l: size of the ICMP packet (between 64 and 20,000 bytes) used for ping. Note that the
corresponding IP packet is 20 bytes longer because of the IP header (100 bytes of ICMP + 20 bytes
of IP header, i.e. 120 bytes by default).
o size: size of the IP packet used for ping (exclusive with the -l option).
o -n: number of packets (between 1 and 10,000) used for ping (5 packets by default).
o -v: type of service: no-tos, low-delay, throughput, reliability, min-cost (no-tos by default).
o dscfield: set the Differentiated Services field value (between 0 and 255) according to
RFC 2474. Note that this option overrides the -v option.
o -f: set the don't fragment flag (DF bit not set by default).
o -w: timeout in seconds (between 1 and 60 seconds) to wait for each reply (3 seconds by
default).
-w 0 can be entered for special use. In that case packets are sent one after the other without
waiting for the response (-t is then not allowed and -n is limited to 100 packets).
• vrf-name is also optional. If not provided, the default VRF is used.

Example:
CLI> ping 220.13.1.3 20.13.0.10
Type escape sequence to abort.
Sending 5 100-byte ICMP echos to 220.13.1.3 from 20.13.0.10, timeout is 3 seconds:
.....
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
CLI>

2.13.2 IPv6 Ping

The IPv6 ping command syntax is the following:
CLI> ping6 <destination-ipv6> [size <bytes>] [repeat <ntimes>] [timeout <seconds>] [source <src-addr>] [traffic-class <class>] [-t]

The options are the following:
• size: size of the ICMP packet.
• repeat: number of sent ICMP echoes.
• timeout: number of seconds after which an ICMP echo is considered unanswered.

• source: source IPv6 address of the ICMP echo.
• traffic-class: value of the IPv6 traffic class (equivalent of the IPv4 TOS).
• -t: endless ping (until interrupted via ESCAPE key).

2.13.3 Xping (Extended Ping)

The xping command may be used to initiate several ping sessions for different targets.
The command measures the minimum, average and maximum ping response time, and the round-trip jitter.
Command for creation of a new xping session:
CLI> xping <session-name>
CLI(xping)>

Then, the xping session (called session-name) must be configured. The following parameters are
available:
CLI(xping)> ?
activate - Activate xping session.
address - Set target ip address.
data-size - Set datagram size for the icmp packet.
deactivate - Deactivate a session.
df-flag - Sets the DF flag on outgoing packets.
dsfield - DS field for IPv4.
exit - Exit xping mode.
frequency - Set ping frequency (interval in seconds).
ip-data-size - Set size for the IP packet (refer to size of IPv4 ping).
life-time - The amount of time the session remains active (in minutes).
probe-count - Set the number of packets sent for each ping.
show - Display xping session configuration.
source - Set source address.
target - Set target host name.
timeout - Set request time out (for 0 refer to -w option of IPv4 ping).
vrf - Use VRF
<cr>
CLI(xping)>

The source address is optional but, if specified, must be a valid IP address. To view all the declared
sessions in real time, enter:
CLI> monitor xping

The screen is cleared and shows real-time statistics for all the configured sessions. To return to the CLI
mode, press ESC.
The xping sessions are removed with the command:
CLI> no xping <session-name>

2.13.4 Trace Route

The list of IP nodes from the device to a destination can be traced:
CLI> traceroute <target> [<source-address>] [<options>] [vrf <vrf-name>] [icmp]

source-address is optional. If not provided, the source IP address is the primary IP address of the
traceroute output interface. vrf-name is optional. If not provided, the default VRF is used. The icmp keyword
is also optional. Use it to make traceroute send ICMP "echo" packets instead of the default UDP packets.
Advanced options are available:
-l - Payload size
-i - Time to live
-v - Type of service: [no-tos],low-delay,throughput,reliability,min-cost
-f - Set don't fragment flag
-w - Timeout in seconds to wait for each reply
size - Total IP packet size (exclusive from -l option)

The available range for the packet size is from 64 to 1500. The number of packets is restricted between 1
and 15. The timeout can be configured between 1 and 60 seconds.
Example:
CLI> traceroute 220.13.1.3 20.13.0.10
Type escape sequence to abort.
Tracing the route to 220.13.1.3 from 20.13.0.10
1 20.13.1.3 2 msec * 2 msec

2.13.5 IPv6 Trace Route

The IPv6 traceroute command syntax is the following:
CLI> traceroute6 <destination-ipv6> [size <bytes>] [timeout <seconds>] [source <src-addr>] [max-hops <num-of-hops>]

The options are the following:
• size: size of the packet used.
• timeout: number of seconds after which the packet is considered unanswered.
• source: source IPv6 address of the packet used.
• max-hops: maximum number of hops to discover.

2.14 TELNET, TFTP, SCP SERVERS / TELNET, TFTP, FTP CLIENTS

Note that, when copying files to the file system of a OneOS device, the file name must be less than 39
characters.

2.14.1 Telnet Client

• A Telnet client is embedded in the OneOS for contacting another device:
CLI> telnet { <ipv4-address> | <ipv6-address> | <name> [ipv4|ipv6] } [<port>] [<interface> <unit>] [vrf <vrf-name>]

o <name> is only supported for IPv4 names.
o A source address can be provided via the optional parameters <interface> <unit>, which
must refer to a valid declared interface.
o The <vrf-name> is also optional. If not provided, the default VRF is used (note that VRF is
only supported with IPv4).

• Example:
CLI> telnet 20.13.0.3
Trying 20.13.0.3...
Connected to 20.13.0.3.
Exit character is '^]' or '^$'.

User Access Verification

Password:

2.14.2 Telnet Server

• A Telnet server is embedded in the OneOS to be contacted from another device.
• By default, the Telnet server is enabled. For security reasons, it is possible to disable the Telnet
server using the following command:
CLI(configure)> ip telnet disable

To re-enable the Telnet server, use the following command:
CLI(configure)> ip telnet enable

2.14.2.1 Attaching the Telnet Server to an Interface

• By default, the Telnet server is always on. Its source address is that of the IP interface, primary or
secondary, through which the packets are routed.
• For example, if a Telnet client connects via the LAN interface, the IP source address of the Telnet
server can be the primary or the secondary IP address of the LAN interface. Refer to the following
examples:
A telnet server is attached to interface G0/0 with:
o primary IP address 20.20.20.1
o secondary IP address 10.10.10.1

Case 1

o If the telnet request comes from Host1, the reply packets come from the address 10.10.10.1,
i.e. the secondary address.
o If host 2 makes a telnet request, the reply packets come from 20.20.20.1, i.e. the primary
address.

Case 2

o If the host makes a telnet request to IP address 20.20.20.1, the replies come from the primary
address.
o If the host makes a telnet request to IP address 10.10.10.1, the replies come from the
secondary address.

• By default, the Telnet server can be accessed through any declared IP address.
To restrict access to the IP address of a specific IP interface, use the following command in global
mode:
CLI> [no] bind telnet <interface>

o <interface> can be any IP interface such as: ethernet 0/0, fastethernet <intf>/<port>,
gigabitethernet <intf>/<port>, atm 0.x, loopback <id>, etc.
o This command can be entered several times.
o Use the no form to remove one interface from the list.
To return to the default settings (Telnet server accessible from any interface), enter the following
command:
CLI> bind telnet any

Example

To allow Telnet only on the IP address of the virtual interface loopback 0, use the following
command:
CLI> bind telnet loopback 0

After having entered the command, the Telnet server and CLI are only accessible using the IP
address of the selected loopback interface.

2.14.2.2 Restricting Telnet Access to a Pool of Hosts

It is possible to restrict access for telnet clients by using an access list that defines the permitted
source IP addresses. Use the following command in global configuration mode:
CLI(configure)> [no] bind telnet acl <acl-name>

Restricted access can be activated for a certain number of seconds using the following command:
CLI(configure)> bind telnet temp-acl <acl-name> <timeout: 10-100000>

Restricted access can be activated at boot for a certain number of seconds using the following command:
CLI(configure)> bind telnet boot-acl <acl-name> <timeout: 10-100000>

The Telnet server is enabled by default when IPv6 is enabled in the OneOS-based router. An IPv6 access list
can be bound to the telnet server to prevent unwanted access from specified sources. The ACL binding is
configured as follows under global configuration mode:
CLI(configure)> [no] bind telnet acl ipv6 <ipv6-acl>

2.14.2.3 Using a designated VRF

Use the following command to use a designated VRF different from the default VRF:
CLI(configure)> [no] bind telnet vrf <vrf-name>

2.14.2.4 Configuring the Telnet Server Timeout

If a connected telnet client is inactive for a certain time, it is disconnected. By default, any inactive
telnet client is disconnected after 10 minutes. (Warning: previous OneOS releases used to have a 60-
minute timeout.)
To change the telnet timeout, use the following command:
CLI(configure)> telnet timeout <seconds>

To restore the default timeout, use the following command:
CLI(configure)> default telnet timeout

2.14.2.5 Disconnecting a Telnet User

This procedure works for console, telnet and SSH users. First, you must retrieve the session ID of the
host you want to log off. To get the session IDs of all connected users:
CLI> who

Then, enter the following command to disconnect the user (you need to have the admin user level):
CLI> clear vty-session <session-id>

2.14.2.6 Logging the Telnet Connections

Remote connections to the telnet server can be logged using the following command in global
configuration mode:
CLI(configure)> logging telnet enable

For each connection, the user name (login), the originating IP address, the connection date and time, the
disconnection date and time and the disconnection cause (logout or timeout) are logged.
To stop logging the telnet connections use the following command in global configuration mode:
CLI(configure)> no logging telnet

The telnet logging is recorded under flash:/. First, logs are dumped into the file named telnet1.log.
When telnet1.log is full, telnet2.log is used. When telnet2.log is full, telnet1.log is erased
then re-created and new logs are written in this file.
The log file size can be increased/decreased if necessary (default size 8200 bytes):
CLI(configure)> logging telnet max-filesize <82..8200 bytes>

2.14.3 TFTP Client

A standard TFTP client is embedded in OneOS, which enables downloading and uploading of files
from/to a remote TFTP server, using the following command in global mode. TFTP has neither
authentication nor encryption, so configuration files transferred this way (which may contain
credentials) should only cross trusted networks; the SFTP client (2.14.6) is the secure alternative.
CLI> copy <source-file> <destination-file>
[{ <source-address> | <source-interface> <unit> }]
[vrf <vrf-name>]

The vrf-name is optional. If not provided the default VRF is used.


Either the source file or the destination file can be of the form:
tftp://<tftp-server>/<filename>

The source address used in the TFTP messages can be:


o A defined IP address using source-address.
o The IP address of the referenced interface using source-interface unit.
o The IP address of the referenced interface using the global source address configuration
command (see below) if none of the 2 addresses above is defined.
o The IP address of the interface used by the TFTP protocol if none of the 3 addresses above is
defined.
In all cases the IP address must be known by the device.
To define a global source address, use the following command in global configuration mode:
CLI(configure)> [no] ip tftp source-interface <source-interface> <unit>

Use the no form of the command to remove the global source address.

Use the following command in global configuration mode to restrict the TFTP servers from/to which
files can be transferred; the authorized servers are listed in an access list:
CLI> configure terminal
CLI(configure)> snmp-server tftp-server-list <acl-name>

o <acl-name> is the name of the access list that contains the IP addresses of the authorized TFTP
servers.
o This command restricts the TFTP servers used by SNMP-controlled TFTP operations (saving and
loading configuration files) to the servers in the access list, so that an SNMP request cannot direct
a configuration upload to an arbitrary host.
Use the no form of the command to remove the access list:
CLI(configure)> no snmp-server tftp-server-list

Refer to the copy command whose examples are described in this guide.


2.14.4 TFTP Server

A TFTP server is embedded in OneOS; it only serves files to other devices (upload direction). By
default, the files to be served must be located in the /tftpboot directory. The TFTP server can also act
as a TFTP relay to serve a file that is located on another TFTP server.
The TFTP server is disabled by default. To enable the TFTP server, use the following command in global
configuration mode:
CLI(configure)> [no] tftp-server [<root-dir>] [address <interface><unit>]

• Use the optional parameter address to limit access to a specific interface. TFTP has no
authentication, so every file under the root directory is readable by any host that can reach that
interface; keep the server disabled when it is not needed.
• root-dir defines the root directory where the files to be served are located (tftpboot by default).
• Use the no form of the command to disable the TFTP server.

The TFTP server is available from a non-default VRF. Use the following command to set the VRF:
CLI(configure)> tftp-server vrf <vrf-name>

The TFTP relay is disabled by default. To enable the TFTP relay and define the address of the other
server, use the following command in global configuration mode:
CLI(configure)> [no] tftp-relay server { <IP-address> | <hostname> }

Use the no form of the command to disable the TFTP relay.


Note that the TFTP server must be enabled to have the TFTP relay working.

2.14.5 FTP Client

A standard FTP client is embedded in OneOS, which enables downloading and uploading of files
from/to a remote FTP server. FTP carries credentials and data in clear text; prefer the SFTP client
(2.14.6) where the remote side supports it.
Command:
CLI> ftp { <host-ipv4-address> | <host-ipv6-address> | <host-name> }
[<source-address> | <source-interface>]
[ vrf <vrf-name>] [ipv4|ipv6]

Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipv6 are meant to
force name resolution in either IPv4 or IPv6.
The source address used in the FTP messages can be:
• A defined IP address using source-address.
• The IP address of the referenced interface using source-interface.
• The IP address of the referenced interface using the global source address configuration command
(see below) if none of the 2 addresses above is defined.
• The IP address of the interface used by the FTP protocol if none of the 3 addresses above is defined.
In all cases the IP address must be known by the device.
To define a global source address, use the following command in global configuration mode:
CLI(configure)> [no] ip ftp source-interface <source-interface> <unit>

Use the no form of the command to remove the global source address.


Example:
CLI> ftp 200.13.0.1
username: admin
password:
CLI(ftp session)>

Note: username and password are strings of 40 characters long at most.

The following FTP commands are available:


• bye - quit ftp session
• cd - change remote directory
• ls - list remote directory
• get - download file
• lcd - change local directory
• lls - list local directory
• put - upload file
• pwd - current directory

2.14.6 SFTP Client

SFTP stands for SSH File Transfer Protocol. It is a file transfer protocol of its own that runs inside an
SSH connection (it is not FTP tunneled through SSH), so it inherits the encryption and integrity
protection of SSH for both commands and data.
As a prerequisite to using SFTP, a DSA private/public key pair must be generated as described in
2.15.2.1 below.
The DSA key pair needs to be generated only once and is used for both SSH and SFTP.

A file upload on an SFTP server is executed with the following command:


CLI> copy <local-filename> sftp://<login>:<password>@<ip-or-name>/<path>
[<interface> <unit>]

• ip-or-name is either an IPv4 address or a host name that will be resolved to an IPv4 address.
• <interface> <unit> is optional and forces the source IP address of the SFTP packets sent by OneOS to
match the IP address of the selected interface. If <interface> <unit> is given, the packets are
routed through the VRF of the selected interface.
• The password is part of the URL typed on the command line, so it is visible to anyone who can read
the console; use an account whose rights on the SFTP server are limited to the target directory.
Similarly, a file download is performed as follows:
CLI> copy sftp://<login>:<password>@<ip-or-name>/<path> <local-filename>
[<interface> <unit>]


2.14.7 SCP Server

• An SCP server is embedded in OneOS; it is disabled by default.
• The SCP server goes together with the SSH server: if the SSH server is enabled, the SCP server is
also enabled. Section 2.15.2.2 Starting the SSH daemon shows how to enable the SSH server.
• For SCP, the OneOS device is the server. The transfer must be initiated by a (PC) client, such as pscp
(Windows, PuTTY SCP) or scp (Linux, OpenSSH based).
• Both upload and download of files are possible.
• The default path is /, i.e. the root directory.
• SCP is carried inside the SSH protocol; SSH can only distinguish between SCP and other channel
types (e.g. tty) after authentication, so every SCP transfer has first passed the SSH server's user
authentication.
• Since SCP is available whenever SSH is enabled, binding it to an interface follows the binding of the
SSH server.
• SCP is available on VRFs.
• No SCP client is provided, since OneOS 5.x supports an SFTP client (2.14.6), which offers similar
functionality.


2.15 SSH – SECURE SHELL

2.15.1 Features

2.15.1.1 Secure Encrypted Communications

Secure Shell or SSH is both a program and the associated network protocol for logging into and
executing commands on a networked computer. SSH was designed to replace the earlier rlogin, telnet
and rsh protocols with a secure protocol providing encrypted communications between two hosts over
an insecure network.
The OneOS SSH server supports SSH protocol version 2.

2.15.1.2 Strong Security

The SSH daemon supports 3DES and AES as encryption algorithms.

3DES is a proven and well-understood cipher, but it is deprecated by NIST (SP 800-131A Rev. 2)
because of its 64-bit block size and low throughput. AES is the higher-performance block cipher
standardized by NIST as FIPS 197 (the replacement for DES) and should be preferred; the cipher actually
negotiated by each session is shown by show ssh (2.15.3).

2.15.1.3 Strong Authentication

Strong authentication using public keys protects against several attacks, such as IP spoofing, fake
routes and DNS spoofing. The SSH server authenticates itself to its peers with a public DSA key (DSA
keys were introduced in SSH version 2). User authentication at login time is done as for a telnet
session: against the local password database, or through RADIUS or TACACS+ servers.
Note: unauthorized connection attempts are subject to blacklisting (see 2.29 Blacklist management).


2.15.1.4 Remote "exec telnet" commands and local port forwarding

Telnet

The SSH server of a OneOS device supports remote "exec telnet" commands in compliance with
RFC 4254 - The Secure Shell (SSH) Connection Protocol.
An SSH client can open an SSH session to the OneOS-based router, which in turn relays the data of this
SSH session to another device over a local telnet session between the OneOS-based router and that
device.
This is typically used to manage a device behind the access router, e.g. an IP telephone, over a secure
SSH connection across the Internet. As the IP telephone has a private LAN address, it is not directly
reachable over the Internet (unless specifically configured in NAT). The SSH remote command is a
convenient way to manage such devices over the network without changing the access router
configuration. Note that only the leg between the SSH client and the router is encrypted; the telnet leg
between the router and the target device is in clear text on the LAN.
So the SSH server of a OneOS device handles and executes a telnet command sent inside an SSH
session; from the client it is invoked as follows:
ssh <user>[:<passwd>]@<host> -t telnet <telnet_destination>

With:
o <user>. This is the username of the user/administrator that wants to log in.
o <passwd>. This is the password of the user/administrator that wants to log in.
o <host>. This is the host through which the user is connecting.
o <telnet_destination>. This is the IP address of the remote device the user wants to
connect to.

Remote SSH illustration, using Telnet

The following shows how to connect from a UNIX machine to the device with (local) address 192.168.1.4
behind a router with address 170.20.52.58.

At the SSH client console (UNIX machine):


#ssh <user>@170.20.52.58 -t telnet 192.168.1.4
<user>@170.20.52.58's password: <- SSH authentication
Trying 192.168.1.4 ... Open

Password: ******* <- telnet authentication

<Device identification>
SIP Phone> <- telnet prompt

Local port forwarding

The SSH server supports local port forwarding in compliance with RFC 4254 - The Secure Shell (SSH)
Connection Protocol.
The OneOS-based router accepts multiple applications running on different channels inside a single SSH
tunnel. The router gets where to forward the session traffic via the channel message (IP address and port
number). Multiple channels are supported per session.


2.15.1.5 Handling CLI commands entered remotely

Similarly to handling the telnet command, described above, the SSH server of a OneOS device can handle
any CLI command inside the SSH session, via the following command:
ssh <user>[:<passwd>]@<host> -t <CLI command>

With:
o <user>. This is the username of the user/administrator that wants to log in.
o <passwd>. This is the password of the user/administrator that wants to log in.
o <host>. This is the host the user is connecting to.
o <CLI command>. This can be any CLI command, for example
show version, show running-config, ter len 0, show debug,
ping -t <addr>, show tech-sup, show ip interface brief, …

2.15.2 Configuration

2.15.2.1 Generating the Authentication Keys

As the SSH daemon needs a host key pair to authenticate itself to remote hosts, generating one is
mandatory before the daemon is started. Use the following command in global configuration mode to
create a Digital Signature Algorithm (DSA) key; the last argument is the key length in bits:
CLI(configure)> crypto key generate dsa { 256 | 512 | 1024 | 2048 }
[no-confirm]

Warning: because keys shorter than 512 bits are no longer considered safe, a 512-bit key is generated
when either 256 or 512 is requested. By current standards (FIPS 186-4) DSA keys shorter than
1024 bits are also considered weak, so prefer 2048 bits wherever the device can afford the generation
time. Note also that OpenSSH clients disable the ssh-dss host key algorithm by default since
version 7.0 (and recent releases drop DSA support altogether), so a client may have to re-enable it
explicitly (HostKeyAlgorithms) before it can connect to a DSA-only server.
Note: generation of a 2048-bit DSA key may take several minutes (up to 10 minutes on entry-level
devices). Meanwhile no other CLI commands can be executed.
By default the above command prompts the user for confirmation.
SSH: key generation is time-consuming, especially for big keys. Do you want to continue ? (Y/N):

Use the no-confirm optional parameter to execute the key generation without confirmation message i.e.
in silent mode. Always use the no-confirm option when this command is used in a web interface.
For the newly generated DSA key to be taken into account, the SSH daemon must be stopped
(disable) and restarted (enable) as described below.
To remove the generated DSA key, use the following command:
CLI(configure)> crypto key zeroize

2.15.2.2 Starting the SSH daemon

SSH is disabled by default. To start the SSH daemon, use the following command in configuration mode:
CLI(configure)> ip ssh enable


2.15.2.3 Stopping the SSH daemon

To stop the SSH daemon, use the following command in configuration mode:
CLI(configure)> ip ssh disable

2.15.2.4 Configuring the SSH Server Timeout

If a connected SSH client is inactive during a certain time, it is disconnected. By default, any inactive SSH
client is disconnected after 600 seconds (10 minutes).
To change the SSH timeout in seconds, use the following command:
CLI(configure)> ip ssh timeout <120-4294967295>

2.15.2.5 Configuring the SSH Server Authentication Method

By default, password-based and public/private key-pair authentication methods are supported.


To define the supported authentication methods, use the following command. To allow both methods
(the default) use the keyword all. To allow only one method, use either password or publickey;
requests using the other method are then simply denied. The automatic mode selects the method
according to whether a key file is present.
CLI(configure)> ip ssh auth-method { all | password | publickey
| automatic }

2.15.2.6 Configuring the SSH Server Authentication Timeout

If an SSH client is in the authentication phase and it is inactive during a certain time, it is disconnected. By
default, any inactive SSH client doing an authentication is disconnected after 120 seconds (2 minutes).
To change the SSH authentication timeout in seconds, use the following command in configuration mode:
CLI(configure)> ip ssh auth-timeout <5-120>

2.15.2.7 Configuring the SSH Server Authentication Retries

By default, the authentication retries number is 3. To change this value, use the following command in
global configuration mode:
CLI(configure)> ip ssh auth-retries <1-3>

Note that the number of retries covers both authentication using username/password and authentication
using public/private key pair.

2.15.2.8 Attaching the SSH Server to an Interface

To attach the SSH server to a specific interface use the following command:
CLI(configure)> [no] bind ssh <interface>

To permit SSH access from any interface, which is the default configuration, use the following command in
global configuration mode:
CLI(configure)> bind ssh any


2.15.2.9 Restricting SSH Access to a Pool of Hosts

Access can be restricted to a set of SSH clients by means of an access list that defines the permitted
source IP addresses. Use the following command in global configuration mode:
CLI(configure)> [no] bind ssh acl <acl-name>

Use the no form of the command to remove the access list:


CLI(configure)> no bind ssh acl

Restricted access can be activated for a certain amount of seconds using the following command:
CLI(configure)> bind ssh temp-acl <acl-name> <timeout: 10-100000>

Restricted access can be activated at boot for a certain amount of seconds using the following command:
CLI(configure)> bind ssh boot-acl <acl-name> <timeout: 10-100000>

Use the no form of the command to remove the access list at boot:
CLI(configure)> no bind ssh boot-acl

2.15.2.10 Using a designated VRF

Use the following command to use a designated VRF different from the default VRF:
CLI(configure)> [no] bind ssh vrf <vrf-name>

Use the following command to use the default VRF:


CLI(configure)> [no] bind ssh vrf default-router

2.15.2.11 Configuring the maximum number of sessions

By default, the maximum number of SSH sessions is limited to 5 but configurable between 1 and 5;
the maximum number of channels (for local port forwarding) per SSH session is by default 10.
To set the maximum number of SSH sessions (including local port forwarding sessions), use the following
command in global configuration mode:
CLI(configure)> ip ssh max-sessions <1-5>

To set the maximum number of channels per session, use the following command in global configuration
mode:
CLI(configure)> ip ssh max-session-channels <1-10>


2.15.2.12 Initiating a SSH session as SSH client

• To initiate a SSH session as SSH client, use the following command:


CLI> ssh [user[:password]@]{<hostname>|<ipv4_address>}
[<port>] [<interface> <unit>] [vrf <vrf-name>]

o user. This is the username of the user/administrator that wants to login.


o password. This is the password of the user/administrator that wants to login.
o <hostname>. This is the hostname of the remote device the user wants to connect to. The
hostname is resolved by DNS.
o <ipv4_address>. This is the IP address of the remote device the user wants to connect to.
o <port>. Optionally, the destination port that the SSH session will use, can be specified; the
default port is port 22.
o <interface> <unit>. Optionally, the source interface that will be used for the SSH session,
can be specified.
o vrf <vrf-name>. If required, a different VRF than the default VRF can be used.

• There are three possibilities to enter the username and password:


As a first possibility, the command can be used without including the username and password;
the user/administrator will be prompted to enter the username and password after entering the
command:
o When the username and password are not provided, the prompt is displayed to invite the
user/administrator to login.
o After entering the username, the console returns the prompt to enter the password. When
entering the password, the password characters are not displayed (same behavior as for telnet
or console access).
o Example:
CLI> ssh 193.252.36.9
Username: mylogin
Password: (mypassword)

• It is also possible to provide the username as part of the command:


o In this case, after the command has been entered, the prompt is displayed to invite the
user/administrator to enter the password. When entering the password, the password
characters are not displayed (same behavior as for telnet or console access).
o Example:
CLI> ssh mylogin@193.252.36.9
Password: (mypassword)

• A third possibility is to enter both the username and password as part of the command, as illustrated
in the following example. The password is then typed in clear text on the console; prefer one of the
two prompted forms when the console may be observed:
CLI> ssh mylogin:mypassword@193.252.36.9


2.15.3 Statistics

Use the following show command to display the list of current SSH sessions and related parameters:
CLI> show ssh
Connection Remote port Username Algorithm used
192.168.2.133 2345 admin dsa-3des

Use the following show command to display the SSH server state and related parameters:
CLI> show ip ssh
SSH Enabled
Authentication timeout 120 secs, retries 3
Session timeout 600 secs
Maximum number of sessions 5
Maximum number of channels per session 10
Authorized public keys: none

Use the following debug command to enable [disable] SSH debug:


CLI> [no] debug ip ssh

2.15.4 Configuration example

The following example shows how to create the host DSA key pair and then start the SSH daemon
with its timeouts and retry count set:
configure terminal
crypto key generate dsa 512
ip ssh enable
ip ssh timeout 600
ip ssh auth-timeout 30
ip ssh auth-retries 2
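A small audit script, added here as an example (it is not OneOS code), parses the two outputs of 2.15.3 and checks them against the kind of settings applied in 2.15.4. The two sample outputs are constructed from the formats shown in 2.15.3; the BASELINE thresholds and the finding texts are assumptions made for the example, not OneOS defaults. The cipher check relies on NIST's deprecation of 3DES.

```python
"""Audit an OneOS SSH server from the text of 'show ip ssh' and 'show ssh'.

Added example, not OneOS code. The two samples are constructed from the
output formats shown in section 2.15.3; BASELINE is an assumed hardening
target for this example, not an OneOS default or requirement.
"""
import re

# Constructed sample of 'show ip ssh' (format from section 2.15.3)
SHOW_IP_SSH = """\
SSH Enabled
Authentication timeout 120 secs, retries 3
Session timeout 600 secs
Maximum number of sessions 5
Maximum number of channels per session 10
Authorized public keys: none
"""

# Constructed sample of 'show ssh' (format from section 2.15.3)
SHOW_SSH = """\
Connection Remote port Username Algorithm used
192.168.2.133 2345 admin dsa-3des
"""

# Assumed baseline: upper bounds the audit enforces (all within the CLI ranges of 2.15.2)
BASELINE = {"auth_timeout": 60, "auth_retries": 2, "session_timeout": 600}

PATTERNS = {
    "session_timeout": re.compile(r"Session timeout (\d+) secs"),
    "max_sessions": re.compile(r"Maximum number of sessions (\d+)"),
    "max_channels": re.compile(r"Maximum number of channels per session (\d+)"),
}
AUTH_LINE = re.compile(r"Authentication timeout (\d+) secs, retries (\d+)")


def parse_show_ip_ssh(text):
    """Return the server parameters printed by 'show ip ssh' as a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SSH "):
            params["enabled"] = line.split()[1].lower() == "enabled"
            continue
        m = AUTH_LINE.match(line)
        if m:
            params["auth_timeout"], params["auth_retries"] = int(m.group(1)), int(m.group(2))
            continue
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                params[key] = int(m.group(1))
    return params


def parse_show_ssh(text):
    """Return one dict per active session listed by 'show ssh' (header line skipped)."""
    sessions = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 4:
            continue
        sessions.append({"peer": fields[0], "port": int(fields[1]),
                         "user": fields[2], "algorithm": fields[3]})
    return sessions


def audit(show_ip_ssh, show_ssh):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    p = parse_show_ip_ssh(show_ip_ssh)
    if not p.get("enabled"):
        return findings  # nothing listening, nothing to audit
    for key, cmd in (("auth_timeout", "ip ssh auth-timeout"),
                     ("auth_retries", "ip ssh auth-retries"),
                     ("session_timeout", "ip ssh timeout")):
        if p.get(key, 0) > BASELINE[key]:
            findings.append("%s is %d, baseline %d: set '%s %d'"
                            % (key, p[key], BASELINE[key], cmd, BASELINE[key]))
    for s in parse_show_ssh(show_ssh):
        if "3des" in s["algorithm"].lower():
            findings.append("session from %s (user %s) uses %s: 3DES is deprecated "
                            "(NIST SP 800-131A Rev. 2), prefer an AES cipher"
                            % (s["peer"], s["user"], s["algorithm"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_IP_SSH, SHOW_SSH):
        print("-", finding)
```

Run against the sample outputs, the script reports the 120-second authentication timeout, the three retries and the dsa-3des session; the corrective commands it prints are the ones of 2.15.2.4, 2.15.2.6 and 2.15.2.7.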


2.16 CAPTURING PACKETS

• The capture feature enables the user to observe and to decode incoming and outgoing traffic on
logical devices; a logical device is a list of filters – up to 8 – applied on one interface.
• Capturing packets consists of three steps:
o First, one or more filter(s) must be configured to determine the protocols to decode.
o Then, the filter(s) must be attached to an interface, giving a logical device.
o And finally, the decoding can be started.

2.16.1 Defining one or more filters

• To define the filters and the devices, enter in capture mode:


CLI> capture
CLI(capture)>

• To define a filter, use one of the following commands:


CLI(capture)> [no] filter { all | arp | rarp } [caplen <bytes>]

CLI(capture)> [no] filter icmp [src <src-address>] [dst <dest-address>]


[type <icmp-type>] [reflexive] [caplen <bytes>]

CLI(capture)> [no] filter ip [src <src-address>] [dst <dest-address>]


[reflexive] [caplen <bytes>]

CLI(capture)> [no] filter { tcp | udp }


[src <src-address> [sport <src-port>]]
[dst <dest-address> [dport <dest-port>]]
[reflexive] [caplen <bytes>]

o To limit the performance impact of capturing, the captured packets are truncated to the
caplen value and displayed and stored that way in the capture file (the caplen ranges from
32 to 2048 bytes; the default value is 68 bytes).
o When reflexive is set, the capturing is done in both directions.


• The capture tool makes it possible to capture the 802.11 frames:


CLI(capture)> [no] filter dot11 [<macaddr1> [<macaddr2>]]
[data | control | management]
[caplen <bytes>]

CLI(capture)> [no] filter dot11 [exclude <type> <sub-type>]

o The exclude parameter is optional and can be set to exclude some frames based on their
type and sub-type values; for example:
 Beacon frames: type=0, subtype=8.
 Probe requests: type= 0, subtype=4.
 Probe responses: type=0, subtype=5.
o The filter matches all the options (<macaddr1>, <macaddr2>, and frame type) that are
present. If the frame type (data, control, or management) is not given, all frame types are
captured.
Example:
CLI(capture)> filter dot11 11:22:33:44:55:66 data
CLI(capture)> filter dot11 exclude 0 8

• When a filter is created, it is identified by a number. To show the list of filter-id, use the following
command:
CLI(capture)> show filters

2.16.2 Defining a logical device

• To define a logical device by attaching the previously defined filter(s) to an interface, use the following
command:
CLI(capture)> [no] attach <filter-list> <interface-type> <port>

The filter list can either be one filter number, or several filter numbers separated by space characters.
o Example 1: the following defines two devices, each with one filter, that can be monitored
separately:
attach 1 fastethernet 0/0
attach 2 fastethernet 0/0

o Example 2: the following defines one device, with two filters, that will monitor the two filters
together.
attach 1 2 fastethernet 0/0

• The logical device is identified by a number. To show the list of device-id, use the command:
CLI(capture)> show devices


2.16.3 Starting, displaying, storing the traffic capture

• To start and optionally display the traffic capture, use the following command in global mode:
CLI(capture)> exit
CLI> monitor capture <device-id>
[console | file <fname> [max-size <64-192000>] | console
file <fname> [max-size <64-192000>]] [verbose <0-3>]
[capture-server <server-ipv4-address | server-ipv6-address
| domain-name> <server-port>
[interface <interface-type> <unit>] [vrf <vrf-name>]]

o By default, the captured packets are displayed on console. Use the ESC key to stop the
monitoring.
o Use the file keyword to have the captured packets written to a file (only, or on console also).
o The output file fname is in pcap format, readable by tcpdump and other protocol analysis
tools such as Wireshark (formerly Ethereal).
o Use the optional parameter max-size to change the maximum size of the file (15000 bytes by
default).
o Use the capture-server keyword to have the captured packets sent to a remote server, for
example a Netcat listener, as illustrated in Example 2 below:
 server-ipv4-address. This is the IPv4 address of the remote capture server.
 server-ipv6-address. This is the IPv6 address of the remote capture server.
 domain-name. Instead of entering an IPv4 or IPv6 address, the remote capture
server's domain name can be entered.
 server-port. This is the destination port on the remote capture server. It can be set
to any value between 1 and 65535.
 interface <interface-type> <unit>. Optionally, an interface can be set
through which the remote capture server can be reached.
 vrf <vrf-name>. Optionally, a VRF name can be entered.

o The verbosity of the capture decoder can be:


 0 (normal):
02:15:14.378757 192.168.1.1 > 192.168.1.10 icmp: echo request

 1 (detailed):
02:15:37.259654 192.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21740, len 60)

 2 (hexadecimal normal):
02:15:56.102409 192.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21751, len 60)
0x0000 45 00 00 3c 54 f7 00 00 80 01 62 6e c0 a8 01 01 E..<T.....bn....
0x0010 c0 a8 01 0a 08 00 3d 5c 03 00 0d 00 61 62 63 64 ......=\....abcd
0x0020 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 efghijklmnopqrst
0x0030 75 76 77 61 uvwa

 3 (hexadecimal detailed):
02:16:19.261415 192.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21757, len 60)
0x0000 45 00 00 3c 54 fd 00 00 80 01 62 68 c0 a8 01 01 E..<T.....bh....
0x0010 c0 a8 01 0a 08 00 39 5c 03 00 11 00 61 62 63 64 ......9\....abcd
0x0020 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 efghijklmnopqrst
0x0030 75 76 77 61 uvwa


Example 1

capture
filter arp
filter all
show filters
1. arp [caplen=68]
2. all [caplen=68]
attach 1 fastethernet 0/1
attach 2 fastethernet 0/1
show devices
1. arp on FastEthernet 0/1 [caplen=68]
2. all on FastEthernet 0/1 [caplen=68]
exit
monitor capture 2 console verbose 1
13:15:03.239326 200.13.0.1.1135 > 200.13.0.10.23 . [tcp sum ok] ack 8912395 win 7597 (DF)
(ttl 128, id 47965, len 40)
...
<ESC>
CLI>

Example 2 – Capturing SIP and real time traffic on the LAN side (trunk between PABX and SIP-
server); captured packets sent to a Netcat server:

capture
no attach all
no filter all
!
filter udp sport 5060 dport 5060 reflexive caplen 1500
filter udp src 192.168.1.10 reflexive caplen 1500
attach 1 2 FastEthernet 0/1
exit
monitor capture 1 capture-server ipbx.lab-oa.net 20223

o Use the ESC key to stop the capturing.


o Captured packets are sent to a remote host, running a Netcat server, and stored in pcap file
format with the following command:
nc -l -u -p 20223 > analyse.pcap

o The Netcat server can be run on Linux using the UDP protocol. Output of this can be redirected
to Wireshark directly or can be stored in pcap format file, using following commands:
nc -l -u -p <port number> | wireshark -k -i
nc -l -u -p <port number> > remote.pcap

o Communication between the capture client and the server uses UDP, which provides neither
retransmission nor acknowledgements. Datagrams sent before the server is listening, or dropped on
the way, are lost, so start the server before the capture and do not treat the received file as a
complete record of the traffic.
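The pcap file produced by monitor capture ... file <fname> can be read without a protocol analyzer. The following added example (not OneOS code) builds a one-record pcap file from the 52 captured bytes of the echo request shown in the verbosity-2 output above, then decodes it back into the verbosity-1 line format, verifying the IPv4 header checksum and reporting when a record was truncated by caplen. The link type LINKTYPE_RAW (101) used for the constructed file is an assumption, since the link type OneOS writes is not stated on this page; Ethernet (1) frames are handled as well.

```python
"""Decode a pcap capture such as the one written by 'monitor capture ... file <fname>'.

Added example, not OneOS code. The sample record is constructed from the
52 bytes printed in the verbosity-2 dump of section 2.16.3 (a 60-byte echo
request cut short by caplen); the raw-IP link type is an assumption.
"""
import struct

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # little/big-endian files
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo reply", 3: "unreachable", 8: "echo request", 11: "time exceeded"}

# Constructed sample: the captured bytes of the page's echo request (8 bytes were not captured)
PACKET = bytes.fromhex(
    "4500003c54f700008001626ec0a80101"
    "c0a8010a08003d5c03000d0061626364"
    "65666768696a6b6c6d6e6f7071727374"
    "75767761")


def build_pcap(packets, linktype=LINKTYPE_RAW, snaplen=68):
    """Serialize (orig_len, captured_bytes) pairs into a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for orig_len, pkt in packets:
        out += struct.pack("<IIII", 0, 0, len(pkt), orig_len) + pkt
    return out


SAMPLE_PCAP = build_pcap([(60, PACKET)])  # assumed link type: raw IPv4 (101), default caplen 68


def ip_checksum(header):
    """One's-complement sum of the IPv4 header; returns 0 when the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(p):
    """Extract the fields the capture decoder prints from an IPv4 packet (possibly truncated)."""
    if len(p) < 20 or p[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (p[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", p[2:6])
    proto = p[9]
    rec = {"src": ".".join(map(str, p[12:16])), "dst": ".".join(map(str, p[16:20])),
           "ttl": p[8], "ip_id": ip_id, "ip_len": total_len,
           "proto": IP_PROTOS.get(proto, str(proto)),
           "checksum_ok": ip_checksum(p[:ihl]) == 0}
    l4 = p[ihl:]
    if proto == 1 and len(l4) >= 2:
        rec["icmp_type"], rec["icmp_code"] = l4[0], l4[1]
    elif proto in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


def decode_pcap(data):
    """Return one dict per record; IPv4 only, Ethernet or raw-IP link types."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file (unknown magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue  # not IPv4; this example skips ARP, IPv6 and VLAN-tagged frames
            payload = frame[14:]
        elif linktype == LINKTYPE_RAW:
            payload = frame
        else:
            raise ValueError("unsupported link type %d" % linktype)
        rec = decode_ipv4(payload)
        rec.update(ts="%d.%06d" % (ts_sec, ts_usec), captured=incl_len,
                   orig_len=orig_len, truncated=incl_len < orig_len)
        records.append(rec)
    return records


def format_record(rec):
    """Render a record like the verbosity-1 console line, plus truncation/checksum notes."""
    if rec["proto"] == "icmp":
        kind = ICMP_TYPES.get(rec.get("icmp_type"), "type %s" % rec.get("icmp_type"))
        line = "%s > %s icmp: %s" % (rec["src"], rec["dst"], kind)
    else:
        line = "%s.%s > %s.%s %s" % (rec["src"], rec.get("sport", "?"),
                                     rec["dst"], rec.get("dport", "?"), rec["proto"])
    line += " (ttl %d, id %d, len %d)" % (rec["ttl"], rec["ip_id"], rec["ip_len"])
    if not rec["checksum_ok"]:
        line += " [bad ip cksum]"
    if rec["truncated"]:
        line += " [truncated: %d of %d bytes captured]" % (rec["captured"], rec["orig_len"])
    return line


if __name__ == "__main__":
    for r in decode_pcap(SAMPLE_PCAP):
        print(r["ts"], format_record(r))
```

The [truncated] marker is the reason a 60-byte echo request shows up with only 52 bytes when a small caplen is in force; raise caplen on the filter (up to 2048) when full payloads are needed, for example to inspect SIP message bodies as in Example 2. tcpdump -r and Wireshark read the same file.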


2.17 INTERCEPTING PACKETS

The interceptor feature is meant to provide a simple way to test an IP link that terminates on an interface of
the OneOS-based router.
The interceptor feature enables the user to activate a TCP or UDP packet interceptor on a specified IP
interface or sub-interface and on a specified TCP or UDP port. The intercepted packet can be either
"absorbed" or "reflected". When absorbed the packet is discarded (not routed anywhere) but taken into
account in IP statistics (that can be retrieved by several means including SNMP). When reflected the
packet is sent back to the sender as a "regular" packet (received source address and port become new
destination address and port; conversely received destination address and port become new source
address and port). Configured IP services (routing, QoS…) apply as usual to the packet.

To start an interceptor session, use the following command in global configuration mode:
CLI(configure)> ip pkt-interceptor <if-type> <number/sub-if>[.index]
{ tcp | udp } <port> { absorb | reflect } [<acl-name>]

TCP/UDP port number must be between 1024 and 65535. The optional access-list acl-name must
already exist if used.
The above command can be entered only one time. To modify the interceptor session, first delete the
actual session using the command below then start a new session.
CLI(configure)> no ip pkt-interceptor

Use the following command in global mode to display the interceptor statistics:
CLI> show ip pkt-interceptor statistics
Listening on interface : FastEthernet 0/0
Interface address is : 192.168.1.10
Protocol : udp
Port : 1999
Mode : reflect
Filter :
Nb packet filtered : 0
Task Id : 0x80e204d0
Nb bytes in : 80
Nb bytes out : 80
No client connected

The above statistics result from the following configuration:


ip pkt-interceptor fastethernet 0/0 udp 1999 reflect

Five UDP packets with 16 bytes of data each have been sent to IP/port address 192.168.1.10:1999 of
FastEthernet 0/0 interface.

Use the following command in global mode to debug the interceptor session:
CLI> debug ip pkt-interceptor
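To check an interceptor in reflect mode from a host, send a known number of datagrams and count what comes back. The following is an added example (not OneOS code): probe() sends five 16-byte datagrams, the same amounts that produce the 80 bytes in / 80 bytes out of the statistics above, and reports how many bytes were reflected unchanged. Since the test cannot reach a router, run_local_demo() starts a loopback reflector thread that stands in for the interceptor; the host and port are placeholders to replace with the interface address and port configured with ip pkt-interceptor.

```python
"""Exercise an 'ip pkt-interceptor ... udp <port> reflect' endpoint from a host.

Added example, not OneOS code. reflector() is a local stand-in for the
interceptor's reflect mode so the script runs without a device; against a
real router call probe(<interface address>, <port>) directly.
"""
import socket
import threading


def reflector(sock, count):
    """Stand-in for reflect mode: send each received datagram back to its sender unchanged."""
    for _ in range(count):
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            return
        sock.sendto(data, peer)


def probe(host, port, count=5, size=16, timeout=2.0):
    """Send `count` datagrams of `size` bytes; return (sent_bytes, reflected_bytes, mismatches)."""
    sent = reflected = mismatches = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # absorb mode, or a dropped packet, shows up as a timeout
        for seq in range(count):
            payload = ("probe-%02d" % seq).encode().ljust(size, b".")
            s.sendto(payload, (host, port))
            sent += len(payload)
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                continue
            reflected += len(data)
            if data != payload:
                mismatches += 1
    return sent, reflected, mismatches


def run_local_demo(count=5):
    """Start a loopback reflector and probe it; returns the probe() result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(2.0)
    srv.bind(("127.0.0.1", 0))  # ephemeral port here; the interceptor uses a fixed port >= 1024
    port = srv.getsockname()[1]
    t = threading.Thread(target=reflector, args=(srv, count), daemon=True)
    t.start()
    try:
        return probe("127.0.0.1", port, count=count)
    finally:
        t.join(timeout=3.0)
        srv.close()


if __name__ == "__main__":
    sent, back, bad = run_local_demo()
    print("sent %d bytes, reflected %d bytes, %d mismatched" % (sent, back, bad))
```

Against an interceptor configured with absorb, the same probe reports 0 reflected bytes while the device's Nb bytes in counter still grows, which is exactly the difference between the two modes; a mismatch count above zero points at something rewriting packets on the path. The 2-second timeout keeps the probe from hanging when datagrams are dropped.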


2.18 SYSTEM INDICATORS

2.18.1 Checking CPU load

Current system load

Use the following command to check the current system load.


CLI> show system status

The output of this command displays the CPU load for every CPU core, for one second, and for one
minute. The non-critical tasks are the non-real time tasks like SNMP, Web server, etc.
The output of this command has the following form:
System Informations for device <MotherboardType> S/N <SerialNumber>

Software version : <ONEOS_version>


Software created on : dd/mm/yy hh:mm:ss
License token : <token>
Boot version : <BOOT_version>
Boot created on : dd/mm/yy hh:mm:ss

Boot flags : <flags>

Current system time : dd/mm/yy hh:mm:ss


System started : dd/mm/yy hh:mm:ss
Start caused by : <StartCause>
Sys Up time : xd yyh zzm wws
System clock ticks : nnnn

[ for i =0, n-1 HW cores]

Core <i>, <Core_Type>, CPU load for 1 second: xx% (Critical xx%, Non Critical yy%),one minute
yy%

With:
o <i>. This is the number of the CPU core for which the CPU load is displayed.
o <core_Type>. This can have the following values: mixed | control | forwarding
|application
The following is a practical example of the output of the show system status command:
System Informations for device MB90Ss0UFPE0SNWsd+ S/N L1207008997000890

Software version : ONEOS90-VOIP_SIP_11N_FT-V5.2R1E1_NB93250_T3


Software created on : 03/12/14 01:43:14
License token : None
Boot version : BOOT90-STD-V5.2R2E14
Boot created on : 20/03/13 09:53:02

Boot flags : 0x10000008 0x80

Current system time : 01/01/00 00:00:35


System started : 01/01/00 00:00:00
Start caused by : Power Fail detection
Sys Up time : 0d 0h 0m 35s
System clock ticks : 1817

Core 0, control, CPU load for 1 second: 48.5% (Critical 12.7% Non Critical 35.8%), one minute
69.8%
Core 1, forwarding, CPU load for 1 second: 28.0% , one minute 30.0%


System load history

Use the following command to display the system load history. It is possible to:
• display the global CPU load, or
• display the CPU load of an individual CPU core, by adding the CPU core number to the command:

CLI> show processes cpu history [<i>]

o <i> is the number of the CPU core for which the CPU load is displayed.

The CPU load is given for the last minute, the last hour and the last three days:
o GLOBAL CPU LOAD CORE <i> <Core_Type> (last 60 Seconds)
o CRITICAL CPU LOAD CORE <i> <Core_Type> (last 60 Seconds)
o NON CRITICAL CPU LOAD CORE <i> <Core_Type> (last 60 Seconds)
o GLOBAL CPU LOAD CORE <i> <Core_Type> (last 60 Minutes)
o CRITICAL CPU LOAD CORE <i> <Core_Type> (last 60 Minutes)
o NON CRITICAL CPU LOAD CORE <i> <Core_Type> (last 60 Minutes)
o GLOBAL CPU LOAD CORE <i> <Core_Type> (last 72 Hours)
o CRITICAL CPU LOAD CORE <i> <Core_Type> (last 72 Hours)
o NON CRITICAL CPU LOAD CORE <i> <Core_Type> (72 Hours)
With:
o <i>. The number of the CPU core for which the CPU load is displayed.
o <Core_Type>. One of the following values: mixed | control | forwarding | application
o For the last hour and the last three days, the maximum and average values are given.

The following examples show the output of this command in practice:

Example 1 – for CPU core 0

CLI> show processes cpu history 0

################################################################################

**** GLOBAL CPU LOAD CORE 0 control (last 60 Seconds)


*****************************************

974974944983974973975962973973974975949947858669498459488589
646723633312624866630724093575639734772722722916008053352042

100
90 | | | | | | | | | | | | | || | | | |
80 | | | || | | | | | | | | | || | | | || | || ||
70 || || | || || || || | || || || || | || || | | || | || ||
60 || || | || || || || || || || || || | || || |||| || | || ||
50 || || | || || || ||||| || || || |||| || ||||||| || || |||||
40 ||||||||||| ||||| ||||| || || ||||||||||||||||||||||||||||||
30 ||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||
20 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
10 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
0 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5

CPU load % per second during the last 60 seconds

**** CRITICAL CPU LOAD CORE 0 control (last 60 Seconds)


***************************************


11121 1 121111121111121 11 1111112111121111 1111111111111111


742158482270842260842148729450742161710604194226098116087265

100
90
80
70
60
50
40
30
20 | | | | | |
10 ||||| | ||||||||||||||| || |||||||||||||||| ||||||||||||||||
0 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5

CPU load % per second during the last 60 seconds

**** NON CRITICAL CPU LOAD CORE 0 control (last 60 Seconds)


***********************************

753753833762753762753741762862753754837835746547277247366367
893665151242771606887685374025897662062118638789910846375776

100
90
80 | | | |
70 | | | | | | | | | | | | | || | | || | |
60 | | | || | || | | || || | | | || | | | || | || ||
50 || || | || || || || | || || || || | || || || | || | || ||
40 || || | || || || || || || || || |||| || ||||||| || || || ||
30 ||||||||||| ||||| ||||| || || |||||||||||||||||| || ||||||||
20 ||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||
10 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
0 ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5

CPU load % per second during the last 60 seconds

################################################################################

**** GLOBAL CPU LOAD CORE 0 control (last 60 Minutes)


*****************************************

73641
avg 027900000000000000000000000000000000000000000000000000000000

100
90 ||||
80 ||||
70 #|||
60 #|#||
50 #|#||
40 #|##|
30 ####|
20 ####|
10 #####
0 #####
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5

CPU load % per minute during the last 60 minutes


(| = maximum % / # = average %)

**** CRITICAL CPU LOAD CORE 0 control (last 60 Minutes)


***************************************

1 11
avg 484270000000000000000000000000000000000000000000000000000000

100
90
80
70
60 |
50 |
40 |
30 |
20 |||||
10 #|##|
0 #####
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5


CPU load % per minute during the last 60 minutes


(| = maximum % / # = average %)

**** NON CRITICAL CPU LOAD CORE 0 control (last 60 Minutes)


***********************************

5253
avg 543720000000000000000000000000000000000000000000000000000000

100
90
80 | ||
70 ||||
60 ||||
50 #|#|
40 #|#|
30 #|##
20 ####|
10 ####|
0 #####
0....0....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5 0 5

CPU load % per minute during the last 60 minutes


(| = maximum % / # = average %)

################################################################################

**** GLOBAL CPU LOAD CORE 0 control (last 72 Hours)


*******************************************

avg 000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0
0....0....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0 5 0

CPU load % per hour during the last 72 hours


(| = maximum % / # = average %)

**** CRITICAL CPU LOAD CORE 0 control (last 72 Hours)


*****************************************

avg 000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0
0....0....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0 5 0

CPU load % per hour during the last 72 hours


(| = maximum % / # = average %)

**** NON CRITICAL CPU LOAD CORE 0 control (72 Hours)


******************************************

avg 000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80


70
60
50
40
30
20
10
0
0....0....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0 5 0

CPU load % per hour during the last 72 hours


(| = maximum % / # = average %)

Example 2 – CPU load for all cores (<i> omitted)

The following is an example of the information that is displayed:


CLI> show processes cpu history

System Informations for device One100 S/N F0601000008


############## GLOBAL CPU LOAD (last 60 Seconds) ################

1 25 12 164 1
444434443354335444444344633363333384424122204120000000000030

100
90
80
70
60 *
50 * *
40 * **
30 * **
20 ** * **
10 * * **** ** *** *
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per second (last 60 seconds)

************** CRITICAL CPU LOAD (last 60 Seconds) **************

1 25 12 164 1
222222222222223222222222522242222070124011204120000000000030

100
90
80
70
60 *
50 * *
40 * **
30 * **
20 ** * **
10 **** ** *** *
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per second (last 60 seconds)

************** NON CRITICAL CPU LOAD (last 60 Seconds) **********

111111111121112111111111111111111314200000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per second (last 60 seconds)


############## GLOBAL CPU LOAD (last 60 Minutes) ################

000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per minute (last 60 minutes)


* = maximum CPU% # = average CPU%

************** CRITICAL CPU LOAD (last 60 Minutes) **************

000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per minute (last 60 minutes)


* = maximum CPU% # = average CPU%

************** NON CRITICAL CPU LOAD (last 60 Minutes) **********

000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5

CPU% per minute (last 60 minutes)


* = maximum CPU% # = average CPU%

################## GLOBAL CPU LOAD (last 72 Hours) ###################

000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0

CPU% per hour (last 72 hours)


* = maximum CPU% # = average CPU%

******************* CRITICAL CPU LOAD (last 72 Hours) *******************


000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0

CPU% per hour (last 72 hours)


* = maximum CPU% # = average CPU%

******************* NON CRITICAL CPU LOAD (72 Hours) *******************

000000000000000000000000000000000000000000000000000000000000000000000000

100
90
80
70
60
50
40
30
20
10
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0

CPU% per hour (last 72 hours)


* = maximum CPU% # = average CPU%


2.18.2 Checking Memory & Flash spaces

The system memory can be viewed with the following command:


CLI> show memory

===============================================
| Memory status report | Kbytes | |
===============================================
| Ram size | 65 536 | |
| :..Program | 27 186 | |
| : :..code | 18 476 | |
| : :..data | 8 709 | |
| :..Static buffers | 192 | |
| :..Dynamic total | 34 974 | |
| : : used | 13 909 | 39.7% |
| : : free | 21 065 | 60.2% |
| : :..System total | 19 806 | |
| : : used | 5 610 | 28.3% |
| : : free | 14 196 | 71.6% |
| : :..Data total | 15 167 | |
| : used | 8 299 | 54.7% |
| : free | 6 868 | 45.2% |
| :..Ram disk total | 1 011 | |
| used | 5 | 0.5% |
| free | 1 006 | 99.6% |
| | | |
| Flash size | 2 048 | |
| :..Boot | 1 024 | |
| :..Static areas | 48 | |
| | | |
| Extended Flash size | 32 768 | |
| :..Flash disk total | 32 306 | |
| used | 9 408 | 29.1% |
| free | 22 898 | 70.8% |
===============================================

Note that prior to the V3.6R10E3 OneOS software release, the output of this command was as follows:
CLI> show memory
Total memory : 8440536 bytes
Allocated : 3503648 bytes (41%)
Free : 4936888 bytes (58%)

o Total memory represents what is now called System total;
o Allocated represents what is now called System used;
o Free represents what is now called System free.


2.18.3 Checking Reboot Causes

• Several commands are available to check why the router rebooted. The following command displays the
last reboot cause (note that under certain circumstances the reboot cause cannot be determined):
CLI> show reboot cause

Possible reboot causes are:

Reboot cause                                     Description (reboot because ...)
Reboot on hardware reset                         Hardware failure (transient or permanent).
Power fail detection                             Power failure (power off / power on).
                                                 Formerly "Power Off (Dying Gasp)".
System defense – reboot after crash              Software failure detected by the defense software
                                                 (a complementary cause is provided by defense).
Generic software reboot request                  Unknown software failure (no complementary cause
Formerly "Unidentified software reboot".         provided by defense).
Administrator requested reboot                   Use of the reboot CLI command.
Administrator requested delayed reboot           Use of the reboot at or reboot after CLI command.
Administrator requested Power On reboot          Use of the power-on-reboot CLI command.
Administrator requested no-voice-calls reboot    Use of the reboot after no-voice-calls CLI command.
Reboot after Auto-Update                         Use of the reboot parameter of the Auto-Update feature.
Reboot after restoring factory settings          Use of the restore factory-settings CLI command.
Reboot after erasing configuration file          Use of the erase saved-config CLI command.
Reboot after loading an invalid software         The OneOS image is not dedicated to the device, or is
                                                 corrupted.

• To check the reboot counters per cause:

CLI> show reboot counters


• To clear the reboot counters, use the following command:

CLI> clear reboot counters

When running this command, the following counters are cleared:

o Reboot on hardware reset
o Power Fail detection
o Total Software Requested Reboots
o Generic software reboot request
o Reboot after AutoUpdate
o System defense - reboot after crash
o Administrator requested reboot
o Administrator requested delayed reboot
o Administrator requested Power On reboot
o Administrator requested no-voice-calls reboot
o Reboot after restoring factory settings
o Reboot after erasing configuration file
o Reboot after erasing password file
o Reboot after loading an invalid software


2.19 STATISTICS

OneOS provides two types of statistics: interfaces statistics and global statistics.

2.19.1 Interfaces Statistics

Interfaces statistics are displayed on request using the following command in global mode:
CLI> show interfaces [<if-type> [<if-number>[/<sub-if>[.<index>]]]]

Refer to the various chapters describing the interfaces for more information about the displayed items.
Among these items some are mean values that are by default calculated over the last 4 seconds. To
change the period of time over which statistics are calculated, use the following command in global
configuration mode:
CLI(configure)> load-interval mean-rate <4-4294967295 seconds>

To revert to the default value (4 seconds), use the following command in global configuration mode:
CLI(configure)> load-interval mean-rate default

2.19.2 Global Statistics

An embedded tool is provided to display global statistics (in "real time") with a refresh period of one
second. The CLI command is:
CLI> monitor global-statistics

This command opens a first summary screen. The navigation between the screens is done by typing keys
shown at the bottom of each screen, i.e.:
<Q>: to quit
<R>: to go to the IP routing screen
<W>: to access the PVC screens
<ESC>: to quit or to go back to the previous screen
<1 - 2>: to access detailed screen for PVC number 1 or 2

Several screens are defined:


• Summary screen: The top screen displays information about CPU load, memory availability, and
status of ATM and Ethernet ports.
• IP route screen: It shows the IP routing table.
• WAN information screen: It shows the ATM traffic on the G.SHDSL and also a summary of the
declared PVC.
• PVC detailed screen: It shows details for each declared PVC.

2.19.2.1 Summary Screen

01/02/2000 07:25:50 Uptime: 0 days 07:25:47 one60_13 CPU 3%


System memory: 8301kB total 3425kB( 41%) allocated 4876kB( 58%) free
Reserved memory: 7999kB total 4664kB( 58%) allocated 3335kB( 41%) free
FastEthernet0
up IP not configured
0kB/s in 0kB/s out 2pkt/s in 2pkt/s out
Atm0
up configured G.SHDSL up CONN Data Rate: 2304kb/s
4cells/s in 4cells/s
IP forwarding enabled 7 total routes 3 static routes


[ESC],[Q]-Quit [R]-IP routing table [W]-WAN information

2.19.2.2 IP Routes

01/02/2000 07:26:02 Uptime: 0 days 07:25:58 one60_13 CPU 6%


Proto Destination Mask Gateway Interface
C 0.0.0.1 255.255.255.255 Null0
C 20.14.1.3 Loopback0
C 20.14.1.4 Atm0.2
C 127.0.0.1 Loopback0
C 200.13.0.0 255.255.255.0 FastEthernet0
C 200.13.0.0 255.255.0.0 FastEthernet0
C 200.19.0.0 255.255.0.0 Atm0.2
[ESC]-Back [Q]-Quit

2.19.2.3 WAN Detailed Screen

01/02/2000 07:26:15 Uptime: 0 days 07:26:12 one60_13 CPU 6%


Atm0
up configured
Traffic(cells/s): now: 4 in 4 out
1-min: 14 in 7 out
Total cells: 363277 in 196322 out 0 discarded 0 HEC errors
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K)
MIB status:noDefect
Noise mrg: 38,4 dB Tx power: 8,5 dB Rx gain: 5,2 dB
IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out
kbps kbps cells kbps kbps
1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 0
[1 - 1] - PVC [ESC]-Back [Q]-Quit

2.19.2.4 PVC Screen

01/02/2000 07:26:17 Uptime: 0 days 07:26:13 one60_13 CPU 3%


Atm0
up configured
Traffic(cells/s): now: 4 in 4 out
1-min: 14 in 7 out
Total cells: 363281 in 196326 out 0 discarded 0 HEC errors
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K)
MIB status:noDefect
Noise mrg: 37,7 dB Tx power: 8,5 dB Rx gain: 5,2 dB

IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out
kbps kbps cells kbps kbps
1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 1
[1 - 1] - PVC [ESC]-Back [Q]-Quit


2.20 USER MANAGEMENT

2.20.1 Introduction

• An embedded database is provided to declare the users allowed to access the device and to define
their access rights.
• Each user has a username, a password, and belongs to a group. The username is a string of up to
15 characters; the password is a string of up to 32 characters. Both can contain any character, except "?", "!"
and the space character.
Note that these characters can nevertheless be used by placing the string between quotation marks ("),
or between apostrophes (') if the quotation mark itself is part of the string.
• Three groups are pre-defined and map to three levels of access rights:
o User (level 0): only access to elementary show functions or diagnostics functions such as ping
(configuration in read-only mode).
o Manager (level 7): access to all show functions, traces and configuration functions.
o Administrator (level 15): access to all functions including shell (for system debugging).
• As of OneOS V5.2, newly created passwords are by default encrypted with the PBKDF2 algorithm
(= type 2), which is a robust, industry-standard password encryption, whereas previous versions
encrypted passwords with a weaker hash method (= type 1).
The password is stored on the device as a hash; because that hash is salted per user (see below), two
users entering the same password get different stored hashes.
• Type 2 is the default encryption algorithm, but OneOS V5.2 and onwards still accept passwords
created with older OneOS versions.
• With the new or enhanced encryption, a unique salt can be added for each user. This is a 32-byte
string that is completely random and unique to each user, and it is used in the hashing of the password.
• The user database is managed via CLI commands.

• If type 2 encrypted passwords are stored and the router is downgraded to a OneOS version that only
supports type 1, the passwords will not be interpreted correctly.
Before downgrading, the user must therefore first create type 1 passwords. The following sub-sections
explain how to do so.
• Note that passwords stored in encrypted form are always displayed in encrypted form, for instance
when retrieving the running configuration of the device.
It is no longer possible to view the passwords in unencrypted form.
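The following Python model is an added example, not OneOS code. It shows why the per-user salt matters by storing the same password for two users with PBKDF2 and a random 32-byte salt (type 2) and, for comparison, with unsalted MD5 standing in for the older type 1 scheme that the next section describes as MD5. It also applies the length limits and forbidden characters stated above. The PRF (HMAC-SHA256), the iteration count and the exact on-device type 1 format are assumptions of this example; the guide only names the algorithms, the 32-byte salt, the limits and the forbidden characters.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple, Union

# Assumed PBKDF2 parameters: the guide names the algorithm and the 32-byte salt but
# not the PRF or the iteration count, so these two are this example's own choice.
PBKDF2_PRF = "sha256"
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 32                          # per guide: a random 32-byte salt, unique per user
FORBIDDEN = set("?! ")                 # per guide: no "?", "!" or space
USERNAME_MAX, PASSWORD_MAX = 15, 32    # per guide: length limits
GROUPS = {"user": 0, "manager": 7, "administrator": 15}


def credential_error(value: str, limit: int, what: str) -> Optional[str]:
    """Why a username/password would be rejected, or None when it is acceptable."""
    if not value or len(value) > limit:
        return f"{what} must be 1 to {limit} characters long"
    if FORBIDDEN & set(value):
        return f"{what} must not contain '?', '!' or a space"
    return None


def hash_type1(password: str) -> str:
    """Unsalted MD5, modelling the old 'type 1' scheme (exact on-device format not documented)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_type2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2 with a per-user random salt ('type 2'); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserDatabase:
    """Toy equivalent of the embedded user database."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def add(self, username: str, password: str, level: Union[str, int],
            hash_type: int = 2, salt: Optional[bytes] = None) -> None:
        """user add <username> <password> {user|manager|administrator|<0..15>} [type 1]"""
        for err in (credential_error(username, USERNAME_MAX, "username"),
                    credential_error(password, PASSWORD_MAX, "password")):
            if err:
                raise ValueError(err)
        lvl = GROUPS.get(level, level) if isinstance(level, str) else level
        if not isinstance(lvl, int) or not 0 <= lvl <= 15:
            raise ValueError("privilege level must be a group name or 0..15")
        if hash_type == 1:
            record = {"type": 1, "salt": None, "digest": hash_type1(password)}
        else:
            s, d = hash_type2(password, salt)
            record = {"type": 2, "salt": s, "digest": d}
        record["level"] = lvl
        self.users[username] = record

    def change_password(self, username: str, new_password: str, hash_type: int = 2) -> None:
        """user change-password <username> <new-password> [type 1]: type 2 gets a fresh salt."""
        self.add(username, new_password, self.users[username]["level"], hash_type)

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the candidate hash with the stored one."""
        record = self.users.get(username)
        if record is None:
            return False
        if record["type"] == 1:
            candidate = hash_type1(password)
        else:
            candidate = hash_type2(password, record["salt"])[1]
        return hmac.compare_digest(candidate, record["digest"])
```

With type 2, two users sharing a password have unrelated stored hashes, so a leaked running configuration does not reveal that they share it, and each hash has to be attacked on its own; with unsalted type 1 the two stored values are identical. That is the reason the guide recommends creating type 1 passwords only when a downgrade makes it unavoidable.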


2.20.2 Adding a user

• To add a user, use the following command in global configuration mode; also refer to the examples
below.
CLI> user add <username> <password> { user | manager | administrator
|<level: 0..15> }
[type 1 | encrypted | encrypted type 2 <salt>]

With:
o <username> <password> { user | manager | administrator |
<level: 0..15> }. Each username and password has a corresponding privilege level.
The privilege level of the user to be created is either a predefined group level, or a given level
between 0 (lowest privilege) and 15 (highest privilege).
o type 1. Add this option to have the password encrypted with the old or basic encryption method;
this is provided for backward compatibility.
o encrypted. Add this option to indicate that the supplied password is already MD5 encrypted, i.e.
with the old or basic encryption method.
o encrypted type 2 <salt>. Add this option to indicate that the supplied password is already
encrypted according to the new or enhanced encryption, <salt> being the random string that was used
in the hashing of the password.

2.20.3 Examples

CLI> user add user1 password1 manager

o This adds user user1 with password password1 and privilege level manager (7); the password is
encrypted with the PBKDF2 algorithm (= type 2).
CLI> user add user456 password456 15

o This adds user user456 with password password456 and privilege level administrator (15);
the password is encrypted with the PBKDF2 algorithm (= type 2).
CLI> user add user123 password123 15 type 1

o This adds user user123 with password password123 and privilege level administrator (15);
the password is encrypted with the old or basic encryption method.
CLI> user add usertest "passwordtest" 0 encrypted

o This adds user usertest with the already encrypted password "passwordtest" and privilege
level user (0); the password has been encrypted with the old or basic encryption method.
CLI> user add userAdmin "passwordAdmin" 15 encrypted type 2 saltstring

o This adds user userAdmin with the already encrypted password "passwordAdmin" and privilege
level administrator (15); the password has been encrypted with the PBKDF2 algorithm (= type 2),
with the random string saltstring.

2.20.4 Removing a user

To remove a user, use the following command in global configuration mode.


CLI> user delete <username>

Example:
user delete user1


2.20.5 Changing a password

Changing your own password

• A user can change his own password with the following command:
CLI> user password <new-password> [type 1]

o By default, the password is encrypted with the PBKDF2 algorithm (= type 2).
o By adding type 1, the password is encrypted with the old or basic encryption method.

Changing the password of a specific user

• To change the password of a specific user, use the following command:


CLI> user change-password <username> <new-password>
[type 1 | encrypted type 2 <salt>]

o By default, the password is encrypted with the PBKDF2 algorithm (= type 2).
o By adding the option type 1, the password is encrypted with the old or basic encryption
method.
o Adding the option encrypted type 2 <salt> means that the password has already been
encrypted with the PBKDF2 algorithm (= type 2), with the random string <salt>.

• Examples:
CLI> user change-password user5 password555

o This command changes the password of user user5 to password555, which will be
encrypted with the new or enhanced type of encryption.
CLI> user change-password userAdmin "passwordAdmin" encrypted type 2 saltstring

o This command changes the password of user userAdmin to "passwordAdmin", with privilege
level administrator or 15; the password has already been encrypted with the PBKDF2 algorithm
(= type 2), with the string saltstring.

2.20.6 Access Right Management

• The group (access rights level) may be changed for a given user:
CLI> user change-access <username> { user | manager | administrator
| <level:0..15> }

Example:
user change-access user2 manager

• The access level can also be dropped to a lower access rights level for the current user during the
current session with the command:
CLI> user drop { user | manager | administrator | <level:0..15> }

Example:
user drop manager


2.21 CONFIGURATION OF COMMAND ACCESSIBILITY PER USER PRIVILEGE

The purpose of this feature is to allow an administrator to customize the list of commands that can be
accessed by a non-administrator user. By default, three user privilege levels are defined and mapped to
TACACS+ privilege levels: user (TACACS+ privilege level = 0), manager (7) and administrator (15). Each
CLI command has its own privilege level. If the user privilege level is greater than or equal to the command
privilege, the user is allowed to use the command. For example, the "ping" command has by default the
privilege 0. If this privilege is raised to a higher value, a user having the privilege level "user" (i.e. privilege
level = 0) cannot access the "ping" command.

In configuration mode, the privilege level of a global mode command is defined as follows:
CLI(configure)> privilege exec level <level> <command-string>

level is an integer, ranging from 0 to 15 representing the new privilege of the command (0 being the
lowest privilege and 15 being the highest privilege).
command-string is the keyword that designates a command or the beginning of a command whose
privilege level is modified. This command applies on commands found outside configure terminal.
To reset the default privilege level, use the following command:
CLI(configure)> privilege exec reset <command-string>

Similarly, the following two commands apply only to commands found under configure terminal.
To configure the privilege level of a "configure" mode command:
CLI(configure)> privilege configure level <level> <command-string>

To reset its level, use the next command:
CLI(configure)> privilege configure reset <command-string>

Lastly, there are configuration-commands that are duplicated under several leafs of the CLI tree. That is
especially the case of interfaces configuration commands. To configure accessibility of specified
commands under an interface type, use the following command:
CLI(configure)> privilege { if-adsl | if-atm | if-bri | if-dot11radio
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet
| if-l2tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr
| sip-gateway | voice-port } level <level> <command-string>

CLI(configure)> privilege { if-adsl | if-atm | if-bri | if-dot11radio
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet
| if-l2tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr
| sip-gateway | voice-port } reset <command-string>

Note: if-va stands for interface virtual-access and if-vt for interface virtual-template.

Example: to allow a user of level 0 to change the IP address of the Fast Ethernet ports.
privilege exec level 0 configure terminal
privilege configure level 0 interface fastethernet
privilege if-fastethernet level 0 ip address


To view the current privilege level of the logged user, use the following command in global mode:
CLI> show privilege

Example:
CLI> show privilege
Current privilege level is: 15
CLI>

To view the current and the default privilege level of a given CLI command, use one of the following
commands in global mode:
CLI> show privilege command exec <command-string>

CLI> show privilege command configure <command-string>

CLI> show privilege command { if-adsl | if-atm | if-bri | if-dot11radio
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet
| if-l2tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr
| sip-gateway | voice-port } <command-string>

Example:
CLI> show privilege command exec configure
level (current / default): command node
------------------------------------------
7 / 7: configure
------------------------------------------
CLI>
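The following Python model is an added example, not OneOS code. It reproduces the rule "a command is allowed when the user level is greater than or equal to the command level", the prefix semantics of <command-string>, the "current / default" display of show privilege command, and the guide's own example of letting a level-0 user change a Fast Ethernet IP address. It also shows that lowering that path does not expose sibling commands such as shutdown. The default levels ping = 0 and configure = 7 come from the guide; every other default level, the interface name 0/0 and the address 192.0.2.1 are constructed for the example.

```python
from typing import Dict, List, Tuple

GROUPS = {"user": 0, "manager": 7, "administrator": 15}   # predefined groups from the guide


class PrivilegeNode:
    """Privilege levels of the commands under one CLI node (exec, configure, if-fastethernet, ...)."""

    def __init__(self, defaults: Dict[str, int]) -> None:
        self.defaults = dict(defaults)
        self.current = dict(defaults)

    def set_level(self, command: str, level: int) -> None:
        """privilege <node> level <level> <command-string>"""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be between 0 and 15")
        if command not in self.defaults:
            raise KeyError(f"unknown command: {command!r}")
        self.current[command] = level

    def reset(self, command: str) -> None:
        """privilege <node> reset <command-string>"""
        self.current[command] = self.defaults[command]

    def level_of(self, command_line: str) -> int:
        # <command-string> names a command or the beginning of one, so the longest
        # configured prefix that matches the typed line is the one that applies.
        matches = [c for c in self.current
                   if command_line == c or command_line.startswith(c + " ")]
        if not matches:
            raise KeyError(f"unknown command: {command_line!r}")
        return self.current[max(matches, key=len)]

    def is_allowed(self, user_level: int, command_line: str) -> bool:
        """The guide's rule: user level >= command level."""
        return user_level >= self.level_of(command_line)

    def describe(self, command: str) -> str:
        """Same shape as a 'show privilege command' row: '<current> / <default>: <command>'."""
        return f"{self.current[command]} / {self.defaults[command]}: {command}"


def build_default_cli() -> Dict[str, PrivilegeNode]:
    """'ping' = 0 and 'configure' = 7 are from the guide; all other defaults are assumed."""
    return {
        "exec": PrivilegeNode({"ping": 0, "show": 0, "configure": 7, "reboot": 15}),
        "configure": PrivilegeNode({"interface fastethernet": 7, "user add": 15}),
        "if-fastethernet": PrivilegeNode({"ip address": 7, "shutdown": 7}),
    }


# The guide's example: a level-0 user changing the IP address of a Fast Ethernet port
# has to pass through three nodes, so all three must be lowered (values constructed).
SET_IP_PATH: List[Tuple[str, str]] = [
    ("exec", "configure terminal"),
    ("configure", "interface fastethernet 0/0"),
    ("if-fastethernet", "ip address 192.0.2.1 255.255.255.0"),
]


def can_reach(cli: Dict[str, PrivilegeNode], user_level: int, path: List[Tuple[str, str]]) -> bool:
    """True when every hop of the path is allowed for this user level."""
    return all(cli[node].is_allowed(user_level, line) for node, line in path)


def apply_guide_example(cli: Dict[str, PrivilegeNode]) -> None:
    cli["exec"].set_level("configure", 0)                    # privilege exec level 0 configure terminal
    cli["configure"].set_level("interface fastethernet", 0)  # privilege configure level 0 interface fastethernet
    cli["if-fastethernet"].set_level("ip address", 0)        # privilege if-fastethernet level 0 ip address
```

The point worth checking before lowering a level is the scope of the prefix: "privilege configure level 0 interface fastethernet" opens the interface node to level-0 users, but each command inside it keeps its own level, so only ip address becomes usable in the example and shutdown remains at its default.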


2.22 BANNER

A banner is a text that is displayed when a user:

• attempts to log in: a text (the message of the day, motd) is displayed before the prompt for login and
password is shown;
• has successfully logged in: another text (exec) can be displayed.
The configuration syntax is the following, beginning in global configuration mode:
CLI(configure)> banner { motd | exec } *<string>*

motd is for the text displayed when attempting to log in, whereas exec is for the text displayed once
logged in.
The string is delimited by stars, can contain any character, and can be up to 230 characters long.
A carriage return must be entered as \r\n.
For an example, see below.

As of the V4.3R2E2 software release, for longer banners (up to 9200 characters, i.e. 40 lines of 230 characters
each), use the following command in global configuration mode:
CLI(configure)> banner { motd | exec } sequence <1-40> *<string>*

For example, the following command lines:


banner exec sequence 1 *##############################\r\n\r\n*
banner exec sequence 2 * OneOs-based Router \r\n\r\n*
banner exec sequence 3 *##############################*

will output:
##############################

OneOS-based Router

##############################

Note: because this banner is less than 230 characters long, it can also be configured as follows:
CLI(configure)> banner exec *##############################\r\n\r\n
OneOs-based Router \r\n\r\n##############################*

To remove the banner (or banner line) use the no form of the command:
CLI(configure)> no banner { motd | exec } [sequence <1-40>]

As of the V4.3R4E17 software release and for backward compatibility, for long banners (up to 8800 characters,
i.e. 40 lines of 220 characters each), use the following command in global configuration mode:
CLI(configure)> banner_extension { motd|exec } sequence <1-40> *<string>*

Note that this command silently truncates the banner string when more than 220 characters are entered.


To remove the banner (or banner line) use the no form of the command:
CLI(configure)> no banner_extension { motd | exec } [sequence <1-40>]

Note that when all forms of banner commands are used together, the banners are displayed in the
following order:
1. First, the banner entered by the banner command used without the sequence keyword.
2. Second, the banner lines entered by the banner_extension command.
3. And last, the banner lines entered by the banner command used with the sequence keyword.

Important remark:
Owing to CLI syntax limitation, the number of "words" in a banner is de facto limited.
• A banner entered without the sequence keyword is limited to 30 words.
• A banner line entered with the sequence keyword is limited to 28 words.
A "word" is a group of consecutive characters all different from the space character and separated from
another "word" by one or more space characters.
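The following Python class is an added example, not OneOS code. It models the banner limits documented in this section (230 characters, 30 or 28 words depending on the sequence keyword, silent truncation of banner_extension at 220 characters, \r\n as the carriage return) together with the display order of the three banner forms, and it renders the guide's own three-line exec banner. That the segments are concatenated without any separator between the three forms, and that no banner_extension without a sequence number removes every extension line, are assumptions of the example.

```python
from typing import Dict, Optional

BANNER_MAX_CHARS = 230       # banner (with or without sequence): a string of up to 230 characters
BANNER_MAX_WORDS = 30        # banner entered without the sequence keyword
BANNER_SEQ_MAX_WORDS = 28    # banner line entered with the sequence keyword
EXTENSION_MAX_CHARS = 220    # banner_extension silently truncates beyond this
MAX_SEQUENCE = 40
KINDS = ("motd", "exec")


def count_words(text: str) -> int:
    """A word is a run of characters other than the space character; only spaces separate words."""
    return sum(1 for w in text.split(" ") if w)


def banner_error(text: str, sequence: bool) -> Optional[str]:
    """Why a banner string would be rejected, or None when it fits the documented limits."""
    if len(text) > BANNER_MAX_CHARS:
        return f"banner longer than {BANNER_MAX_CHARS} characters"
    limit = BANNER_SEQ_MAX_WORDS if sequence else BANNER_MAX_WORDS
    if count_words(text) > limit:
        return f"banner has more than {limit} words"
    return None


def render(text: str) -> str:
    """The CLI takes a carriage return as the literal two-character escape \\r\\n."""
    return text.replace("\\r\\n", "\n")


class BannerConfig:
    """Banner strings held as the CLI stores them, escapes unexpanded."""

    def __init__(self) -> None:
        self.plain: Dict[str, str] = {}
        self.sequence: Dict[str, Dict[int, str]] = {k: {} for k in KINDS}
        self.extension: Dict[str, Dict[int, str]] = {k: {} for k in KINDS}

    @staticmethod
    def _check(kind: str, sequence: Optional[int]) -> None:
        if kind not in KINDS:
            raise ValueError("banner kind must be motd or exec")
        if sequence is not None and not 1 <= sequence <= MAX_SEQUENCE:
            raise ValueError(f"sequence must be 1..{MAX_SEQUENCE}")

    def set_banner(self, kind: str, text: str, sequence: Optional[int] = None) -> None:
        """banner { motd | exec } [sequence <1-40>] *<string>*"""
        self._check(kind, sequence)
        err = banner_error(text, sequence is not None)
        if err:
            raise ValueError(err)
        if sequence is None:
            self.plain[kind] = text
        else:
            self.sequence[kind][sequence] = text

    def set_extension(self, kind: str, sequence: int, text: str) -> None:
        """banner_extension { motd | exec } sequence <1-40> *<string>*: silently truncated."""
        self._check(kind, sequence)
        self.extension[kind][sequence] = text[:EXTENSION_MAX_CHARS]

    def remove_banner(self, kind: str, sequence: Optional[int] = None) -> None:
        """no banner { motd | exec } [sequence <1-40>]"""
        self._check(kind, sequence)
        if sequence is None:
            self.plain.pop(kind, None)
        else:
            self.sequence[kind].pop(sequence, None)

    def remove_extension(self, kind: str, sequence: Optional[int] = None) -> None:
        """no banner_extension { motd | exec } [sequence <1-40>] (no sequence: all lines, assumed)."""
        self._check(kind, sequence)
        if sequence is None:
            self.extension[kind].clear()
        else:
            self.extension[kind].pop(sequence, None)

    def display(self, kind: str) -> str:
        """Documented order: plain banner, then banner_extension lines, then banner sequence lines."""
        self._check(kind, None)
        parts = [self.plain[kind]] if kind in self.plain else []
        parts += [self.extension[kind][n] for n in sorted(self.extension[kind])]
        parts += [self.sequence[kind][n] for n in sorted(self.sequence[kind])]
        return render("".join(parts))   # no separator between segments: an assumption of this example
```

Because the word limit counts runs separated by the space character only, a \r\n escape glued to a word does not add a word, while a stray space before it does; the checker counts exactly as the section defines it.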


2.23 AAA (AUTHENTICATION, AUTHORIZATION AND ACCOUNTING)

2.23.1 Introducing AAA

Instead of maintaining usernames and passwords inside the device, usernames and passwords can be
centrally managed in a database. Whenever a user needs to log in, the database server is queried and
authenticates the users’ login. Either the RADIUS or the TACACS+ protocol can be used to securely send
login/password in access requests and return authentication.

Three steps

A user can access the device configuration interface in three steps:


1. Authentication: the user login/password is checked against the RADIUS/TACACS+ database. The login
and password are provided at the beginning of the telnet/console CLI session. If access is granted,
the user receives a privilege level (if configured on the server). The privilege can be increased with the
"enable" command; entering this command makes the router query the AAA server again.
2. Authorization: when a command is entered, the CLI looks up the command's privilege level. If the
configuration requires authorization for this privilege level, the command is submitted to the AAA
server for authorization. The AAA server returns either an authorization or a denial.
3. Accounting: authenticated users and entered commands can be logged on the AAA server using
the accounting feature of OneOS.

Access rights

Three levels of access rights have been defined:


o User: gives access only to elementary show functions or diagnostic functions such as ping
(configuration in read-only mode). The user role has privilege level 0.
o Manager: gives access to all show functions and configuration functions. The manager role has
privilege level 7.
o Administrator: gives access to all functions including debug. The administrator role has privilege
level 15.

AAA configuration

AAA configuration can be divided in two steps:


1) Configure the list of RADIUS or TACACS+ servers, as described in:
o 2.23.2 RADIUS
o 2.23.3 TACACS+
If you configure one or more servers of the same type, you may not have to configure any
"AAA" commands: by default, the device is then configured to authenticate and authorize any
login from the console or telnet access via the configured TACACS+ or RADIUS server(s).
2) For further advanced AAA functions, refer to the explanation in 2.23.4 AAA Configuration.


AAA authentication request

• The OneOS device includes, in its AAA authentication request to a RADIUS server, a Vendor ID that
identifies the device and allows the RADIUS server to apply the correct privileges to the user.
• The Vendor ID is carried in an attribute of type 26 (Vendor-Specific), as defined by
RFC 2138 - Remote Authentication Dial In User Service (RADIUS).
• The String field of attribute 26 contains attribute 32, the NAS-Identifier; refer to
RFC 2138 - Remote Authentication Dial In User Service (RADIUS) for further details.
• The Vendor ID value is 13191.
• Note that if the Vendor ID is not present in the AAA authentication request, the user is only
assigned the privileges associated with level 7.

2.23.2 RADIUS

The RADIUS (Remote Access Dial-In User Service) protocol allows user names and passwords to be
transmitted securely and the user to be authenticated by a RADIUS server, which maintains a list of users
with their access rights. The embedded RADIUS client is configured with the following CLI commands.

2.23.2.1 RADIUS Client Configuration

• Prior to configuring the RADIUS client, enter the global configuration mode:
CLI> configure terminal

Then, to define the server the client will use, use the following command in global configuration mode:
CLI(configure)> radius-server { <ipv4-address> | < ipv6-address>
| <host-name> } <shared-key>
[clear-text | encrypted] [<interface> <unit>]
[<auth-UDP-port>] [retransmit <1-100>]
[timeout <1-600>] [vrf <vrf-name>]

o Note that name resolution is not currently supported in IPv6.


o <interface> <unit> parameters provide the source address.
o auth-UDP-port is the port number used for authentication (default is 1812).
o retransmit (default is 3 times) and timeout (default is 5 seconds) are used for the
supervision of the transactions (see below).
The main parameter for the supervision of the transactions is a non-configurable delay of 15 seconds.
The following describes how the retransmit and timeout parameters are used, to help tune their
values.
1. At startup, OneOS waits up to (retransmit+1) times the delay for the route to the RADIUS server to
come up. If the route does not come up within this time, the transaction is abandoned.
2. As soon as the route is up, triggered by the delay timer, OneOS sends the Accounting-On
message and waits timeout seconds for the Accounting-Response message. If the server does not
respond, the sending is retried so that the message is sent retransmit times in total.
3. If the response message is still not received after the expiry of the last timeout timer, the delay
timer is applied, then the process described in step 2 is restarted.
4. The process ends either when a response is received or when the delay timer has been started
unsuccessfully retransmit+2 times. In the latter case, the transaction is abandoned.
Example:
radius-server 120.1.4.5 key23 clear-text 1813


• The following command displays the settings used to connect to the RADIUS server:
CLI> show radius-server
List of Radius server -----
IP address Port number Secret Key Interface
120.1.4.5 1813 342c83f0db93a2d1bbb3

• To disable the RADIUS client, use the no form of the command:
CLI(configure)> no radius-server { <address> | <host> } [<auth-port>]
[vrf <vrf-name>]

• Example:
no radius-server 120.1.4.5 1813

2.23.2.2 RADIUS Server Configuration

The RADIUS server must be configured to define users and access rights (user, manager, and
administrator).
The example given below shows the configuration files for the FreeRadius server (www.freeradius.org):
• In the file /usr/local/etc/raddb/dictionary,
add the line: $INCLUDE dictionary.oneaccess.
• In the directory /usr/local/etc/raddb/,
create the file dictionary.oneaccess, which contains the access right definition:
VENDOR OneAccess 13191
ATTRIBUTE OA-User-Level 1 integer OneAccess
VALUE OA-User-Level user 0
VALUE OA-User-Level manager 7
VALUE OA-User-Level administrator 15

• These level values must be used as defined above for the client to work properly.
• In the file /usr/local/etc/raddb/users, add the users as follows:
"user" Auth-Type := Local, Cleartext-Password := "user"
OA-User-Level=user
"manager" Auth-Type := Local, Cleartext-Password := "manager"
OA-User-Level=manager
"admin" Auth-Type := Local, Cleartext-Password := "admin"
OA-User-Level=administrator

• Then, configure the passwords required by the enable command. For example, for the administrator
level:
$enab15$ Auth-Type := Local, User-Password == "password"
OA-User-Level=administrator

• In the file /usr/local/etc/raddb/clients.conf, add the following lines in order to identify the
client (e.g. a OneOS-based router with IP address 192.168.2.60) and the shared secret key:
client 192.168.2.60 {
secret = key23
shortname = OA-radius
}
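The following added example (Python, not OneOS or FreeRADIUS code) shows what the client side of this exchange has to check: it encodes and parses the Vendor-Specific attribute carrying the OneAccess Vendor-Id 13191 and the OA-User-Level values defined above, verifies the Response Authenticator with the shared secret (key23, as in the page's examples) before trusting the privilege level, and shows the RFC 2138 User-Password hiding that the "securely transmitting" claim relies on. All packet bytes are constructed and the helper names are this example's own.

```python
"""Check a RADIUS Access-Accept and extract the OneAccess OA-User-Level.
Added example, not OneOS code. Vendor-Id 13191 and OA-User-Level=1 come from
dictionary.oneaccess on this page; all packet bytes are constructed."""
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type 26, Vendor-Specific (RFC 2138)
ONEACCESS_VENDOR_ID = 13191
OA_USER_LEVEL = 1             # vendor attribute number in dictionary.oneaccess
LEVEL_NAMES = {0: "user", 7: "manager", 15: "administrator"}
ACCESS_ACCEPT = 2


def parse_attributes(data):
    """Split a RADIUS attribute list (Type, Length, Value...) into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Vendor-Id, then a nested Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def oa_user_level(attrs_bytes):
    """Return the OA-User-Level integer carried in a OneAccess VSA, or None if absent."""
    for atype, value in parse_attributes(attrs_bytes):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ONEACCESS_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == OA_USER_LEVEL and len(vvalue) == 4:
                return struct.unpack("!I", vvalue)[0]
    return None


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_accept(identifier, request_auth, secret, level):
    """Constructed server reply granting OA-User-Level=<level> (what the server would send)."""
    attrs = build_vsa(ONEACCESS_VENDOR_ID, OA_USER_LEVEL, struct.pack("!I", level))
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def privilege_from_accept(packet, request_auth, secret):
    """Return (level, name) only if the Access-Accept authenticates under the shared secret."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs_bytes = packet[20:]
    expected = response_authenticator(code, identifier, attrs_bytes, request_auth, secret)
    # Constant-time compare: a forged, modified or mis-keyed reply must grant nothing.
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply rejected")
    level = oa_user_level(attrs_bytes)
    if level not in LEVEL_NAMES:
        raise ValueError("OA-User-Level missing or not one of 0/7/15")
    return level, LEVEL_NAMES[level]


def hide_password(password, secret, request_auth):
    """User-Password hiding of RFC 2138 section 5.2: XOR with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as performed by the server; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ s for c, s in zip(chunk, stream)), chunk
    return out.rstrip(b"\x00")
```

The password hiding is MD5-keystream XOR under a static secret, which is why the page's advice to bind the server to a source interface and keep the secret private matters.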


2.23.3 TACACS+

TACACS+ (Terminal Access Controller Access Control System +) is a TCP-based authentication protocol
that allows a network access server to offload user administration to a central server, which
maintains a list of users with their access rights, as a RADIUS server does. When a user logs in to the
device (using telnet), the login/password pair is sent to that server using the TACACS+ protocol. If the user
name and password are found in the TACACS+ server database, access is granted to that user. In addition
to that authentication service, the TACACS+ server can respond with additional parameters, including
access rights.
Three levels of access rights have been defined:
• User: gives access only to elementary show functions or diagnostic functions such as ping
(configuration in read-only mode).
• Manager: gives access to all show functions and configuration functions.
• Administrator: gives access to all functions including debug.
TACACS+ is not compatible with other protocols of the TACACS family such as TACACS or XTACACS.
The embedded TACACS+ client is configured by means of CLI commands.

2.23.3.1 TACACS+ Client Configuration

Key length of up to 46 characters

To configure the TACACS+ client, use the following command in global configuration mode to define the
server:
CLI(configure)> tacacs-server { <ipv4-address> | <ipv6-address>
| <host-name> } [<auth-port>]
[<key>] [clear-text | encrypted] [timeout <1-600>]
[<interface> <unit>] [vrf <vrf-name>]

o Note that name resolution is not currently supported in IPv6.
o auth-port is the port used by TACACS+ (default 49).
o key is the shared key that can be entered in clear-text or already encrypted. Note that
the maximum key length is 46 characters. If a longer key is required, refer to the explanation
further down.
o The timeout parameter is the time in seconds to wait for the server to reply (default 3s).
o interface and unit define the source address used.


Key length of up to 55 characters

If more than 46 characters are required, the tacacs-server command must be used differently:
• The index option must be added to the command. This is a number between 1 and 99, referring to
the tacacs-server key command.
• The key option must be omitted.
CLI(configure)> tacacs-server { <ipv4-address> | <ipv6-address>
| <host-name> } [<auth-port>]
[timeout <1-600>]
[<interface> <unit>] [vrf <vrf-name>]
[index <index>]

• The tacacs-server key command must be set, with the index number that was added in the
tacacs-server command above, and the key:
CLI(configure)> tacacs-server key <index> [<key>]
[clear-text | encrypted]

o index. This is the index number that was added in the tacacs-server command; it
links the tacacs-server key command to the tacacs-server command.
o key. This is the shared key, which can be entered in clear-text or already encrypted.
In this case, the key can have a maximum length of 55 characters.

Example

CLI(configure)> tacacs-server 1.2.3.4 477 iopme
CLI(configure)> tacacs-server 1.2.3.5 iopmeu
CLI(configure)>

The following command displays the settings used to connect to the TACACS+ server:
CLI> show tacacs-server
----- List of TACACS+ server -----
IP address Port number Secret Key Source address
1.2.3.4 477 3c3271f791ddb3bc86e684e0
1.2.3.5 49 493dafb9b8b6bbb4e488e282e094
CLI>

To remove the server and disable the TACACS+ client, use the no form of the above command:
CLI(configure)> no tacacs-server <host> [<auth-port>] [vrf <vrf-name>]

Example - continued

CLI(configure)> no tacacs-server 1.2.3.4 477
CLI(configure)> no tacacs-server 1.2.3.5
CLI(configure)> exit
CLI> show tacacs-server
No TACACS+ server declared
CLI>

When the user enters enable or enable 15, an enable authentication request is sent. This message
contains the username and the desired privilege level. The server should prompt for a password and
compare the response with the password configured for the user $enab15$. By default, the username is
the one provided at login, but it can be changed so that the username is $enab15$. To force the use of
the $enab15$ username:
CLI(configure)> no tacacs use-username

Use the following debug command to enable [disable] TACACS+ debug:
CLI> [no] debug tacacs


2.23.3.2 TACACS+ Server Configuration

2.23.3.2.1 With Enable Passwords

The TACACS+ server must be configured to define users and access rights (user, manager, and
administrator).
On the free TAC_PLUS server, the configuration for a user login looks as follows:
user = henry {
login = cleartext mypassword
}

Then, you can configure the passwords for level 0 (user), level 7 (manager) and level 15 (administrator):
user = $enab0$ {
login = cleartext ********
}

user = $enab7$ {
login = cleartext ********
}

user = $enab15$ {
login = cleartext ********
}

2.23.3.2.2 With Pre-Defined User Privileges

A major issue with the configuration method presented before is the lack of security and flexibility: the
enable 15 password is shared among all users. It is more desirable that each user gets a unique
password and that a privilege level be associated to that user.
Example 1 with TAC_PLUS:
user = henry {
login = cleartext mypassword
service = exec {
priv-lvl = 7
}
}

Example 2:
user = henry {
login = cleartext mypassword
member = admingroup
}

user = antoine {
login = cleartext otherpasswd
member = admingroup
}

group = admingroup {
service = exec {
priv-lvl = 15
}
}


2.23.4 AAA Configuration

• If no TACACS+ or RADIUS servers are configured, the local password file is used.
• As long as no AAA commands have been entered, the OneOS device does not try to reach any
defined TACACS+ or RADIUS servers.
• If TACACS+ or RADIUS servers are configured, the behavior depends on the AAA configuration (AAA
authentication, AAA authorization):
o If at least one server is reachable, authentication is done with the AAA server(s) when logging
in, and command authorization may or may not be performed, depending on the configuration.
o If no server is reachable, authentication is done using the local password file, and command
authorization may or may not be possible, depending on the configuration.

Authentication

• To configure user authentication with AAA, use the following command in global configuration mode:
CLI(configure)> [no] aaa authentication login
{ default | console | network }
[radius | tacacs] [<group-name>]

o If default is used, all accesses via console or network (Telnet/SSH) are controlled using the
configured AAA servers; otherwise only the accesses from the designated means are
controlled.
o If the radius keyword is entered, all the RADIUS servers are used in the order they are
configured.
o If the tacacs keyword is entered, all the TACACS+ servers are used in the order they are
configured.
o If a group-name is entered, the servers from that AAA server group are used. See the server
group configuration below.

• To configure the servers for enabling authentication (i.e. the servers that are queried when the user
enters the enable command), use the following command:
CLI(configure)> [no] aaa authentication enable
{default | console | network }
{ radius | tacacs | <group-name>}

• To configure a message that will be displayed when no AAA server is reachable for authentication,
use the following command in global configuration mode:
CLI(configure)> [no] aaa authentication banner [sequence <1-40>] <string>

Refer to 2.22 Banner for more information about the banner format and an example.

• To configure an AAA server group, first create the server group as follows:
CLI(configure)> [no] aaa group server { radius | tacacs } <group-name>

Then enter the list of servers:
CLI(config-sg-tacacs)> [no] server { <A.B.C.D> | <X:X:X::X>
| <server-hostname> }
CLI(config-sg-radius)> [no] server { <A.B.C.D> | <X:X:X::X>
| <server-hostname> }


• Use the following command to use a designated VRF different from the default VRF:
CLI(config-sg-tacacs)> [no] ip vrf forwarding <vrf-name>
CLI(config-sg-radius)> [no] ip vrf forwarding <vrf-name>

• Then exit the AAA server group configuration as follows:
CLI(config-sg-tacacs)> exit
CLI(configure)>
CLI(config-sg-radius)> exit
CLI(configure)>

Authorization

• To enable AAA authorization (TACACS+ servers only) for a given privilege level:
CLI(configure)> [no] aaa authorization command <level> [default]
{ tacacs+ | <group-name> } [none]

o The <level> parameter represents a command privilege level. Once this command is entered,
every command having that privilege level must be authorized by the AAA server.
o The default parameter is not used.
o If the tacacs+ keyword is entered, all the TACACS+ servers are used in the order they are
configured.
o If a <group-name> is entered, the servers from that AAA server group are used.
o The none parameter specifies that, when the AAA server is unreachable, no authorization is
performed (the related commands are therefore allowed). When the none parameter is not used
(the default), the related commands are refused when the AAA server is unreachable.
• In some cases, one wants to enter exec mode (i.e. the highest privilege level) directly, without
entering the enable command. To do so, use the following command:
CLI(configure)> [no] aaa authorization exec default if-authenticated
tacacs+

Accounting

• The last "A" of AAA stands for accounting. TACACS+ permits the accounting of configuration
sessions; AAA accounting is only supported with TACACS+ servers. To inform TACACS+ server(s)
about users logging in and out of the router, use the following command in global configuration mode:
CLI(configure)> aaa accounting exec default start-stop
{ tacacs+ | group <group-name> }

To disable CLI session accounting, enter the following command:
CLI(configure)> no aaa accounting exec

• The AAA command accounting feature logs every command entered by a user on a TACACS+ server.
Command accounting is activated for the commands of a given privilege level:
CLI(configure)> aaa accounting commands <level> default stop-only
{ tacacs+ | group <group-name> }

To disable command accounting:
CLI(configure)> no aaa accounting commands <level>


• The AAA system accounting feature logs the system-level events (shutdown, reboot) on a TACACS+
or RADIUS server. To inform a TACACS+ or RADIUS server(s), use the following command in global
configuration mode:
CLI(configure)> aaa accounting system default start-stop
{ radius | tacacs+
| group <group-name> }

To disable system accounting:
CLI(configure)> no aaa accounting system

2.23.5 Show and Debug Functions

• Use the following command to display the AAA configuration:
CLI> show aaa
aaa authentication login default tacacs
aaa authentication enable default tacacs
tacacs-server 192.168.18.101 5c4e97d3dd87abcd81af68c94de5b182 interface Loopback 64

• Use the following command to display RADIUS statistics:
CLI> show statistics radius
Auth.
Maximum inQ length: NA
Maximum waitQ length: NA
Maximum doneQ length: NA
Total responses seen: 0
Packets with responses: 0
Packets without responses: 0
Average response delay(ms): 0
Maximum response delay(ms): 0
Number of Radius timeouts: 0
Duplicate ID detects: 0

• Use the following command to display TACACS+ statistics:
CLI> show statistics tacacs
TACACS+ Statistics
------------------
Number of access requests: 10684
Number of access deny responses: 15
Number of access allow responses: 10624


• Use the following command to display statistics per configured TACACS+ server:
CLI> show tacacs [vrf <vrfname>]

When adding a vrf, only the servers associated with this VRF will be displayed.
When omitting the vrf, the servers associated with the default VRF will be displayed.
The following is an example output:
CLI> show tacacs
Tacacs+ Server: 194.250.187.200
Server port: 49
Socket opens: 12
Socket closes: 12
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 20
Total Packets Recv: 20

Tacacs+ Server: 194.250.187.201
Server port: 49
Socket opens: 0
Socket closes: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0

Counters description:
o Tacacs+ Server: IP address of the TACACS+ server.
o Socket opens: Number of TCP sockets opened to connect to the TACACS+ server.
o Socket closes: Number of TCP sockets closed.
o Socket errors: Any other socket-read or -write errors, such as incorrect packet format and
length.
o Socket Timeouts: Will be incremented only when the server is not reachable, while initiating the
AAA request.
o Failed Connect Attempts: Number of failed TCP connections to the TACACS+ server.
o Total Packets Sent: Number of packets sent to the TACACS+ server.
o Total Packets Recv: Number of packets received from the TACACS+ server.

• Use the following command to clear the TACACS+ statistics shown by the
show statistics tacacs command:
CLI> clear statistics tacacs

• Use the following command to clear the TACACS+ statistics shown by the
show tacacs command:
CLI> clear tacacs [vrf <vrfname>]

When adding a vrf, only the TACACS+ statistics associated with this VRF are cleared.
When omitting the vrf, the TACACS+ statistics associated with the default VRF are cleared.

• Use the following commands to enable and disable AAA debugging, respectively:
CLI> debug aaa
CLI> no debug aaa


2.24 DATE/TIME SYNCHRONIZATION

2.24.1 Showing Current Date/Time

• To show the current date, use the following command:
CLI> date

• To show the current time, use the following command:
CLI> time

2.24.2 Setting Date/Time

• The date is set as follows:
CLI> date <dd>/<mm>/<yy>

• The device time is set as follows:
CLI> time <hh>:<mm>:<ss>

2.24.3 Setting Time-zone and Summer Time

• Time synchronization protocols such as SNTP provide a clock referenced to the international
reference time (GMT). To adapt GMT to the local time, it can be necessary to adjust the time zone
and the seasonal time (summer time).
They are configured as follows, beginning under configure terminal:
CLI(configure)> clock timezone <name> <-23..+23>

o Where <-23..+23> is the hour offset you want to apply to the GMT time.

• The summer time period is set as follows:
CLI(configure)> clock summer-time recurring <name>
{ <1-4> | first | last } <day> <month> <time>
{ <1-4> | first | last } <day> <month> <time>

The first group of arguments designates when the summer time starts; the second group is for winter
time. The arguments have the following meaning:
o name: an arbitrary string that can ease readability (for example: CET, Paris, GMT …).
o 1-4 | first | last: designates the week when the summer/winter time starts.
o day: the day of the week when the summer/winter time starts (Sunday for example).
o month: the month when the summer/winter time starts (March for example).
o time: the time when the summer/winter time starts (02:00 for example).


2.24.4 SNTP Client

• The SNTP protocol (Simple Network Time Protocol) synchronizes the device clock with an
NTP server.
• The SNTP client is configured with CLI commands either in broadcast mode (to accept NTP packets
from any NTP broadcast server), or via a specific connection to a known server (to request NTP
packets from the known NTP server).
• The command show sntp gives the status of the SNTP client.

2.24.4.1 Broadcast Server Mode

• To configure the SNTP client in broadcast mode, to accept NTP packets from any NTP broadcast
server, use the following command (use the VRF option for a non-default VRF):
CLI(configure)> sntp broadcast client [vrf <vrf-name>]

• Use the show command to display SNTP status:
CLI> show sntp
SNTP server Stratum Version Last Receive
200.19.0.1 10 3 00:00:11 Synced
Broadcast client mode is enabled

2.24.4.2 Mode with Specified Server

• When the broadcast mode is not used, to configure the SNTP client to request NTP packets from a
specified NTP server, use one of the following commands (use the VRF option for a non-default VRF):
CLI(configure)> sntp server <ipv4-address> [version <1-4>]
[<source-if> <unit>] [vrf <vrf-name>]
CLI(configure)> sntp server <ipv4-address> [version <1-4>]
[vrf <vrf-name>] [<source-IP-address>]
CLI(configure)> sntp server <ipv6-address> [<source-if> <unit>]
CLI(configure)> sntp server <ipv6-address> [<source-IP-address>]

o If <source-IP-address> is used, it must be a valid IP address of an interface; if not, the
command displays an error message.
o If <source-if> <unit> is used, it must be a valid interface with a valid IP address; if not,
the IP address of the output interface is silently used.
It is possible to configure multiple SNTP servers. OneOS always polls every server.
Then, it selects the clock from the responding server with the best stratum (stratum 1 means the best
clock quality). If multiple servers answer with equal stratum, OneOS synchronizes with one of them.
• Use the following command to configure, in seconds, the interval between two requests sent to the
NTP server when synchronized (default 64 seconds):
CLI(configure)> sntp poll-interval <16-86400>

• Use the show command to display SNTP status:
CLI> show sntp
SNTP server Stratum Version Last Receive
200.19.0.1 10 3 00:00:37 Synced
Broadcast client mode is not enabled


2.24.4.3 SNTP Client Service Removal

• The SNTP client service is stopped with one of the following commands:
CLI(configure)> no sntp broadcast client

Or
CLI(configure)> no sntp server 200.19.0.1

2.24.5 SNTP Server

The OneOS SNTP server can be enabled to provide date/time synchronization to LAN devices such as IP
phones.
• The following command configures the SNTP server to send packets in broadcast or multicast mode,
with the following parameters:
CLI(configure)> sntp-server broadcast <intf-name> <intf-index>
[<multicast-addr>] [src-port <src-port>]
[dst-port <dest-port>] [poll <poll>] [ttl <ttl>]

o <intf-name> <intf-index>. This is the output interface, for example: fastEthernet 0/0.
o <multicast-addr>. This is the destination multicast address (for multicast); if not set, the
interface broadcast address is used.
o <src-port>. This is the source port of the output packets; the default port is 123.
o <dest-port>. This is the destination port of the output packets; the default port is 123.
o <poll>. This is the sending interval, expressed in seconds; the default is 64 seconds.
o <ttl>. This is the Time-To-Live of the output packets; the default is 64 seconds.
Use the no form of the command to disable the SNTP server previously configured.
CLI(configure)> no sntp-server broadcast …

• The following command specifies that the onboard SNTP server shall use the synchronization of the
embedded SNTP client to send broadcast packets. If the command is enabled and the SNTP client is
not synchronized, the SNTP Server does not send any broadcast packet and it responds to SNTP
requests by setting the 'stratum' field to '0' and 'Leap Indicator' to '3' (alarm condition - clock not
synchronized).
CLI(configure)> [no] sntp-server client-reference

The no form of the command disables the client-reference mode.
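As an added example (Python, not OneOS code) of the client-side selection and validation behaviour described in 2.24.4.2 and of the "stratum 0, Leap Indicator 3" reply described just above: constructed SNTP replies are parsed, replies in alarm state are discarded, and the server with the best stratum is chosen. The server address 200.19.0.1 is the page's sample one; the other addresses and all function names are this example's own.

```python
"""SNTP reply validation and best-stratum server selection.
Added example, not OneOS code. Packets are constructed; the 48-byte layout is
the RFC 4330 one (LI/VN/Mode, stratum, ..., Transmit Timestamp at offset 40)."""
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
LI_ALARM = 3                   # Leap Indicator 3: alarm condition, clock not synchronized
MODE_SERVER, MODE_BROADCAST = 4, 5


def build_ntp_reply(li, version, mode, stratum, transmit_unix):
    """Constructed 48-byte (S)NTP packet; only the header and Transmit Timestamp are filled."""
    secs = int(transmit_unix) + NTP_UNIX_OFFSET
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32)) & 0xFFFFFFFF
    first = (li << 6) | (version << 3) | mode
    header = struct.pack("!BBbb", first, stratum, 6, -20)   # LI/VN/Mode, stratum, poll, precision
    fields = b"\x00" * 12                                   # root delay, root dispersion, ref id
    stamps = b"\x00" * 24                                   # reference, originate, receive stamps
    return header + fields + stamps + struct.pack("!II", secs, frac)


def parse_ntp_reply(data):
    """Decode the fields an SNTP client needs from a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    secs, frac = struct.unpack("!II", data[40:48])
    return {
        "li": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,
        "stratum": stratum,
        "transmit": secs - NTP_UNIX_OFFSET + frac / (1 << 32),
    }


def reply_is_usable(reply, broadcast_client=False):
    """Accept only server (or broadcast, if enabled) replies with a synced clock and stratum 1..15."""
    modes = (MODE_SERVER, MODE_BROADCAST) if broadcast_client else (MODE_SERVER,)
    if reply["mode"] not in modes or not 1 <= reply["version"] <= 4:
        return False
    if reply["li"] == LI_ALARM or reply["stratum"] == 0:
        return False      # the "stratum 0 / LI 3" reply: the sender has no synchronized clock
    return 1 <= reply["stratum"] <= 15 and reply["transmit"] > 0


def select_server(replies, broadcast_client=False):
    """replies maps server address -> raw packet; returns (address, parsed reply) with the best stratum.

    On equal strata the first responder in dict order is kept, which matches the page's
    statement that OneOS synchronizes with one of the equal-stratum servers.
    """
    best = None
    for address, packet in replies.items():
        try:
            reply = parse_ntp_reply(packet)
        except ValueError:
            continue           # truncated or garbage datagram: ignore it
        if not reply_is_usable(reply, broadcast_client):
            continue
        if best is None or reply["stratum"] < best[1]["stratum"]:
            best = (address, reply)
    return best


def unsynchronized_reply(version=3):
    """What the page says the SNTP server sends in client-reference mode with no synced client."""
    return build_ntp_reply(LI_ALARM, version, MODE_SERVER, 0, 0.0)
```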

• The following command configures the SNTP server so that it responds to multicast requests.
CLI(configure)> sntp-server multicast <intf-name> <intf-index>
<multicast-addr> [src-port <src-port>]

o <intf-name> <intf-index>. This is the output interface, for example: fastEthernet 0/0.
o <multicast-addr>. This is the multicast address the device listens on.
o <src-port>. This is the port on which the device listens for multicast requests. The
default port is 123.
Use the no form of the command to disable the multicast response mode.
CLI(configure)> no sntp-server multicast …


• The following command enables the unicast mode of the SNTP server so that it responds to unicast
requests:
CLI(configure)> sntp-server unicast [src-port <src-port>]
[source { <ifname> | <ip> }]

o <src-port>. This is the port on which the device listens for unicast requests. The
default port is 123.
o source { <ifname> | <ip> }. This is an optional source address; it
can be an IP address, an interface, or a virtual interface (VRRP).
The following are two examples of how the command can be used:
sntp-server unicast source gigabitethernet 0/0.30
sntp-server unicast source 30.30.30.1

Use the no form of the command to disable the unicast response mode.
CLI(configure)> no sntp-server unicast [src-port <src-port>]

• The following command configures the SNTP Server to use the designated VRF:
CLI(configure)> [no] sntp-server vrf <vrf-name>

• The following debug command can be used for troubleshooting purposes:
CLI> [no] debug sntp-server

• The following command shows the current SNTP server configuration and statistics:
CLI> show sntp-server

Configuration Example

configure terminal
sntp-server client-reference
sntp-server unicast
exit


2.25 SYSLOG CLIENT

• The SYSLOG service allows events to be sent to several SYSLOG servers (maximum: 4).
The SYSLOG server can store/filter/process incoming messages, so that the network administrator can
use standard, UNIX-based tools.
• This facility is enabled via CLI commands when configuring events, for example for G.SHDSL:
CLI> event filter add sys gshdsl all syslog

2.25.1 Adding a SYSLOG Server

• One or more SYSLOG servers can be defined; use the following commands:
CLI> configure terminal
CLI(configure)> syslog server { <hostname> | <A.B.C.D> | <X:X:X::X> }
<0-23> [<interface> <unit>] [vrf <vrf-name>]

o <hostname> | <A.B.C.D> | <X:X:X::X>. This is the server address; it can be a
hostname, an IPv4 address or an IPv6 address.
o <0-23>. This is the facility number, ranging from 0 up to 23. It must be set according to the
server configuration.
Note that many manufacturers, for example Cisco, use 23 as the default facility number.
o <interface> <unit>. Optionally, the SYSLOG server can be bound to a specific source
interface.
For example:
CLI(configure)> syslog server hostn1 20 atm 0.1
CLI(configure)> syslog server hostn2 21 atm 0.2

o vrf <vrf-name>. Optionally, a VRF can be specified. If not provided, the default VRF is
used.

2.25.2 SYSLOG Server Removal

• To remove a SYSLOG server, use the following command:
CLI> configure terminal
CLI(configure)> no syslog server [<host-name> | <A.B.C.D> | <X:X:X::X>
[vrf <vrf-name>]]


2.25.3 SYSLOG Server List

• The following show command can be used to list all the defined SYSLOG servers:
CLI> show syslog servers
Server Facility Interface
Hostn1 20 Atm 0.1

2.25.4 SYSLOG Server Configuration

• The following information provides some hints for a Linux syslog server configuration:
o The standard UDP port 514 is used by the SYSLOG client to access the server.
o The configuration file "syslog.conf" must contain the name and the path of the text file in which
the messages are logged, according to the facility used:
local0.* /var/log/one400_evt

 local0 corresponds here to facility number 16 (defined in syslog.h).
 If you open the file "one400_evt", you can see the logged events:
Jun 18 18:43:30 222.222.222.222 vxTarget event: 18:43:30 18:06:2004 Event ATM
IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested
Jun 18 18:45:27 222.222.222.222 vxTarget event: 18:45:27 18:06:2004 Event ATM
IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested


2.26 PERFORMANCE PROBE (PPA-PM & RTR)

The performance probe agent (PPA) is embedded software that performs active monitoring of the network
performance.

2.26.1 Performance Probe Agent – Path Measurement (PPA-PM)

2.26.1.1 Introduction

PPA-PM manages probes that send test packets to a specified destination. The receiver must return
the test packets after inserting additional information into them. By means of this information, the
sender is able to calculate quality metrics of the IP path from source to destination, including
packet loss, round trip delay and jitter.
PPA-PM requires a sender (emitting test traffic) and a responder (looping test traffic back to the
sender). When the responder loops a packet back, it inserts a timestamp. Let T(i,j) denote the
timestamp for the ith packet at the jth step.

[Figure: timing diagram between Sender and Responder. For packet 1, T(1,1) is taken at the sender on
transmission, T(1,2) and T(1,3) at the responder on reception and retransmission, and T(1,4) at the
sender on reception; packet 2 follows the same pattern with T(2,1) to T(2,4).]

The sender and responder do not have the same time; their clocks are most probably not synchronized on
the same source (we assume an offset Toff exists between both clocks). Let us assume that the transit
delay for packet 1 is D:
Toff + T(1,2) = T(1,1) + D

The round trip delay (RTD) is:
RTD = T(N,4) - ( T(N,3) + Toff ) + ( T(N,2) + Toff ) - T(N,1)

If we assume that the processing delay in the responder is negligible, we can simplify the formula with
T(N,2) = T(N,3). The formula becomes:
RTD = T(N,4) - T(N,1)

The jitter on one-way delay is the difference between the one-way transit delays of two consecutive
packets. This jitter can be measured from source to destination and vice versa:
JitterSD = T(N+1,2) + Toff - T(N+1,1) - ( T(N,2) + Toff - T(N,1) )
JitterSD = T(N+1,2) - T(N+1,1) - ( T(N,2) - T(N,1) )


Similarly, jitter from destination to source:


JitterDS = T(N+1,4) – T(N+1,3) – (T(N,4) – T(N,3))

Every packet carries a sequence number, so that PPA-PM can compute the packet loss ratio.
PPA-PM can forge test packets in three ways:
• ICMP Timestamp Request: the sender emits ICMP packets of type 13 (Timestamp request). The
responder must answer with its own timestamp in an ICMP packet of type 14 (Timestamp reply). This is
a standard requirement of the ICMP protocol, so the responder can be a router of any type and make,
provided it answers ICMP timestamp requests (they are frequently filtered for security reasons). This
mode measures packet loss, round trip delay and one-way jitter.
• UDP Timestamp: the sender sends UDP packets in a OneAccess proprietary format. The responder
must listen on the appropriate port and answer with a timestamp included in the UDP reply packet.
This mode measures packet loss, round trip delay and one-way jitter.
• UDP Ping: the sender sends UDP packets in a OneAccess proprietary format. The responder must
listen on the appropriate port and answer with an appropriate UDP reply packet. This mode measures
packet loss and round trip delay.
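The formulas above, carried through in code as an added example (this is not OneOS code): each packet's four timestamps go through the guide's RTD, JitterSD and JitterDS expressions, sequence numbers that never come back are counted as lost, and a constructed campaign built by the hypothetical simulate() helper with a deliberately large clock offset shows that Toff drops out of every metric. The delay values are constructed inputs, not measurements.

```python
"""Round-trip delay, one-way jitter and loss from PPA-PM timestamps.

Added example, not OneOS code. A packet's timestamps follow the guide's
T(i,j) notation: (T(i,1), T(i,2), T(i,3), T(i,4)), where T(i,1) and T(i,4)
are read on the sender clock and T(i,2), T(i,3) on the responder clock,
which runs with an unknown offset Toff from the sender clock.
"""
from typing import Dict, Iterable, Tuple

Timestamps = Tuple[float, float, float, float]


def round_trip_delay(t: Timestamps) -> float:
    """RTD = T4 - (T3 + Toff) + (T2 + Toff) - T1: Toff cancels, so it is never needed."""
    t1, t2, t3, t4 = t
    return (t4 - t1) - (t3 - t2)


def jitter_sd(prev: Timestamps, cur: Timestamps) -> float:
    """JitterSD = (T(N+1,2) - T(N+1,1)) - (T(N,2) - T(N,1)); Toff cancels here too."""
    return (cur[1] - cur[0]) - (prev[1] - prev[0])


def jitter_ds(prev: Timestamps, cur: Timestamps) -> float:
    """JitterDS = (T(N+1,4) - T(N+1,3)) - (T(N,4) - T(N,3))."""
    return (cur[3] - cur[2]) - (prev[3] - prev[2])


def analyse_campaign(replies: Dict[int, Timestamps], packet_count: int) -> dict:
    """Summarise one campaign.

    replies maps the sequence number (1..packet_count) of each packet that came
    back to its timestamps. Sequence numbers that never came back are lost.
    Jitter is only computed between two consecutive sequence numbers that both
    came back; a gap would compare delays of non-adjacent packets.
    """
    lost = [seq for seq in range(1, packet_count + 1) if seq not in replies]
    rtds = [round_trip_delay(replies[seq]) for seq in sorted(replies)]
    jsd, jds = [], []
    for seq in range(2, packet_count + 1):
        if seq in replies and seq - 1 in replies:
            jsd.append(jitter_sd(replies[seq - 1], replies[seq]))
            jds.append(jitter_ds(replies[seq - 1], replies[seq]))
    return {
        "received": len(replies),
        "lost": lost,
        "loss_ratio": len(lost) / packet_count,
        "rtd_avg": sum(rtds) / len(rtds) if rtds else None,
        "rtd_min": min(rtds) if rtds else None,
        "rtd_max": max(rtds) if rtds else None,
        "jitter_sd": jsd,
        "jitter_ds": jds,
    }


def simulate(toff: float, sd_delays: Iterable[float], ds_delays: Iterable[float],
             processing: float = 0.0, dropped: Iterable[int] = ()) -> Dict[int, Timestamps]:
    """Constructed input (hypothetical helper, not captured traffic): the timestamps
    a campaign would produce for the given one-way delays in ms.

    Packet i leaves at 100*i ms on the sender clock. As in the guide,
    sender time = responder time + toff, so the responder reads sender time - toff.
    """
    replies: Dict[int, Timestamps] = {}
    dropped = set(dropped)
    for i, (d_sd, d_ds) in enumerate(zip(sd_delays, ds_delays), start=1):
        if i in dropped:
            continue                       # no reply at all: counted as lost
        t1 = 100.0 * i                     # sender clock
        t2 = t1 + d_sd - toff              # responder clock on reception
        t3 = t2 + processing               # responder clock on transmission
        t4 = t3 + toff + d_ds              # back on the sender clock
        replies[i] = (t1, t2, t3, t4)
    return replies
```

With processing set to a non-zero value, round_trip_delay() still returns the pure transit time (the guide's full RTD formula); the simplified T(N,4) - T(N,1) would add the responder's processing delay.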

2.26.1.2 Configuring PPA-PM Responder

The PPA-PM responder must be configured on responding routers only if UDP ping or UDP timestamp
probes are needed (ICMP timestamp probes need no responder configuration).
The next command starts or restarts the PPA-PM responder on a specified port and binds the responder
to an IP address or to an interface if specified (binding means a received packet is accepted only if it is
destined to the specified IP address or received on the requested interface). Binding the responder to
the address or interface facing the sender limits which hosts it will answer. If the responder is
restarted, its statistics are reset.
CLI(configure)> ppa-pm responder port <port-number>
[address <inet-address> | interface <type> <unit>]

PPA-PM responder is available from a non-default VRF. Use the following command to set the VRF.
CLI(configure)> ppa-pm responder vrf <vrf-name>

To disable the PPA-PM responder (default state: disabled), enter the no form of the command:
CLI(configure)> no ppa-pm responder

2.26.1.3 Configuring PPA-PM Sender

A PPA-PM session must be created. A session is an object containing configuration information and
statistics of a probe. It is identified by a unique ID. To start configuring a PPA-PM session:
CLI(configure)> [no] ppa-pm session <session-id>
CLI(ppa-pm-cfg)>

The type of probe must be specified:


CLI(ppa-pm-cfg)> type { jitter-icmp-timestamp | jitter-udp-ping-timestamp
| jitter-udp-ping }

The target address must be defined (if the port parameter is omitted, the target port is the one set by
ppa-pm default udp port):
CLI(ppa-pm-cfg)> target address <inet-address> [port <port-number>]

The following session parameters are all optional.


PPA-PM session is available from a non-default VRF. Use the following command to set the VRF. Use the
no form to return to the default VRF.
CLI(ppa-pm-cfg)> [no] vrf <vrf-name>

The source address can be forced:


CLI(ppa-pm-cfg)> source { address <ip> | interface <type> <unit> }


An owner can be set for the probe:


CLI(ppa-pm-cfg)> owner <string>

The PPA-PM sends several packets during a measurement campaign. The number of packets within one
test campaign is defined as follows (default: 10 packets):
CLI(ppa-pm-cfg)> packet count <number>

The timeout for packet reply (enabling detection of packet loss) is set as follows (default: 5000 ms):
CLI(ppa-pm-cfg)> timeout <milliseconds>

The interval between two transmissions of packets is set as follows (default: 20 ms):
CLI(ppa-pm-cfg)> interval <milliseconds>

The DSCP (TOS) value is set in the IP packets as follows (default: 0):
CLI(ppa-pm-cfg)> tos <value>

Note about the TOS: to study network packet loss as a function of packet precedence, select the proper
TOS value. Keep in mind that red packets may be re-colored by traffic policing; activate color-aware packet
marking to prevent the precedence field from being upgraded.
The size of the payload is set as follows (default: 32 bytes):
CLI(ppa-pm-cfg)> data-request size <bytes>

The time between two consecutive measurement campaigns is set as follows (default: 60 seconds):
CLI(ppa-pm-cfg)> frequency <seconds>

Note that the frequency (in seconds) should be greater than packet count times interval (in milliseconds),
i.e. frequency x 1000 > packet count x interval, so that a campaign is over before the next one starts.
Then complete session configuration with the following command:
CLI(ppa-pm-cfg)> exit

When not set in the PPA-PM session configuration, the destination UDP port can be set globally as follows
(default: 7777):
CLI(configure)> ppa-pm default udp port <port-number>

To schedule a PPA-PM probe (i.e. to program the launch of measurement campaigns), use the command:
CLI(configure)> ppa-pm schedule <session-id> start { now | <HH:MM:SS> }

To stop the execution of a PPA-PM probe (i.e. to stop the measurement campaigns), use the command:
CLI(configure)> no ppa-pm schedule <session-id>

2.26.1.4 Configuration Example

Example with two routers connected back-to-back by fastEthernet 0/0.


Responder Side:
configure terminal
interface fastEthernet 0/0
ip address 10.10.10.1 255.255.255.0
exit
ppa-pm responder port 35000

Sender Side:
configure terminal
interface fastEthernet 0/0
ip address 10.10.10.2 255.255.255.0
exit
ppa-pm session 1


type jitter-udp-ping-timestamp
target address 10.10.10.1 port 35000
exit
ppa-pm schedule 1 start now

2.26.1.5 Statistics

To show the status and statistics of the PPA-PM responder:


CLI> show ppa-pm responder
PPAPM Responder status for port 7777: running
received UDP-PING packets:0
received UDP-PING-TIMESTAMP packets:0
sent UDP-PING packets:0
sent UDP-PING-TIMESTAMP packets:0
received invalid packets:0
application specific errors:0
fatal errors:0

PPAPM Responder global statistics


received UDP-PING packets:0
received UDP-PING-TIMESTAMP packets:0
sent UDP-PING packets:0
sent UDP-PING-TIMESTAMP packets:0
received invalid packets:0
application specific errors:0
fatal errors:0

To show the configuration of a PPA-PM session (if session-number is not specified, all sessions are
shown):
CLI> show ppa-pm session [<session-number>] configuration
session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS)
> session | target | packet | timeout(ms) | data size(B)
status | source | frequency(sec)| interval(ms)| tos
-------------------------------------------------------------------------
> 39 192.168.1.2 :7777 15 (UDP) 5000 32
active 192.168.1.1 60 20 0

To show the statistics of a PPA-PM session (if session-number is not specified, all sessions are shown):
CLI> show ppa-pm session [<session-number>] operational-state
session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS)
PPA-PM session: 39 (active)
owner: ppa-pm-39
vrf: <undefined>
target: 192.168.1.2:7777
source: 192.168.1.1
packet: 15 (UTS)
frequency: 60sec
timeout: 5000ms
interval: 20ms
data size: 32bytes
tos: 0
completion status: ok
completion time: 2009.08.05 09:13:29 +01:00 UTC
executions count: 19
received packets: 15
.round-trip times: 3avg, 55sum, 1min, 36max
jitter S->D: 7num, 1sum, 2sum2, 1max, 7num, -1sum, 1sum2, -1max, 0dev
jitter D->S: 6num, 35sum, 1242sum2, 35max, 8num, -35sum, 1241sum2, -35max, 13dev
loss distribution: 0(S->D), 0(D->S)
loss: 0, OOS:0, TMO:0
used resources: 291bytes, 0UDP socket(s), 0task(s) running

In the example above, 15 packets have been received with an average round-trip delay of 3 ms, the
minimum round-trip delay being 1 ms, the maximum 36 ms and the sum of all round-trip delays 55 ms
(the printed values are integers; 55/15 = 3.67 is shown as 3).
Jitter values are the differences between the one-way delays of two consecutive packets, as defined in
2.26.1.1, and are counted separately by sign. In the direction from source to destination (S->D), 7 have
been positive (increased network latency) with a sum of 1 ms, a maximum of 1 ms and a sum of squares
of 2, while 7 have been negative (decreased network latency) with a sum of -1 ms, a maximum of -1 ms
and a sum of squares of 1. In the direction from destination to source (D->S), 6 jitter values have been
positive with a sum of 35 ms, a maximum of 35 ms and a sum of squares of 1242, while 8 have been
negative with a sum of -35 ms, a maximum of -35 ms and a sum of squares of 1241.


The standard deviation (dev) of the jitter is 0 ms in the direction from source to destination (S->D)
and 13 ms in the direction from destination to source (D->S); it can be recomputed from the num, sum
and sum2 counters of both signs.
Packet losses are counted per direction (loss distribution), with a distinction between packets that
arrived out of sequence (OOS) and packets whose reply timed out (TMO).
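The relation between the printed counters and the derived figures, as an added example (not OneOS code): the parser reads the statistics lines of the output above (embedded as a constructed sample copied from it), rebuilds dev as the population standard deviation of all jitter values from the num/sum/sum2 counters of both signs, rebuilds avg as sum divided by received packets with the integer truncation the output shows (55/15 printed as 3), and applies bounds that every genuine counter set must satisfy. That dev is the standard deviation computed this way is an inference checked against the values shown (13.3 for D->S, 0.46 for S->D), not a statement from the guide.

```python
"""Recompute 'avg' and 'dev' from the counters printed by
'show ppa-pm session <id> operational-state'.

Added example, not OneOS code. The device prints integer summaries only; the
jitter counters it keeps (num, sum, sum2, max for positive and for negative
values) are enough to rebuild the population standard deviation it shows as
'dev', and 'sum' / 'received packets' rebuilds the round-trip 'avg'.
"""
import math
import re
from typing import Any, Dict, NamedTuple

# Constructed sample: the statistics lines of the guide's example output.
SAMPLE_OUTPUT = """\
received packets: 15
.round-trip times: 3avg, 55sum, 1min, 36max
jitter S->D: 7num, 1sum, 2sum2, 1max, 7num, -1sum, 1sum2, -1max, 0dev
jitter D->S: 6num, 35sum, 1242sum2, 35max, 8num, -35sum, 1241sum2, -35max, 13dev
"""

# '1242sum2' -> ('1242', 'sum2'); the optional trailing digit keeps 'sum2' distinct from 'sum'.
FIELD = re.compile(r"(-?\d+)([a-z]+\d?)")


class JitterCounters(NamedTuple):
    """One 'jitter X->Y' line: positive values first, then negative values, then dev."""
    pos_num: int
    pos_sum: int
    pos_sum2: int
    pos_max: int
    neg_num: int
    neg_sum: int
    neg_sum2: int
    neg_max: int
    dev: int

    def consistent(self) -> bool:
        """Sanity bounds every real counter set must satisfy (catches mangled output)."""
        ok = True
        for num, total, sum2, peak in ((self.pos_num, self.pos_sum, self.pos_sum2, self.pos_max),
                                       (self.neg_num, self.neg_sum, self.neg_sum2, self.neg_max)):
            if num == 0:
                ok &= total == 0 and sum2 == 0
                continue
            ok &= abs(total) <= num * abs(peak)             # no sample exceeds the recorded peak
            ok &= peak * peak <= sum2 <= num * peak * peak  # the peak's square is in; all are at most
        return ok


def parse_operational_state(text: str) -> Dict[str, Any]:
    """Extract received packets, round-trip figures and per-direction jitter counters."""
    stats: Dict[str, Any] = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        key = key.strip().lstrip(".")
        values = [(int(n), name) for n, name in FIELD.findall(rest)]
        if key == "received packets":
            stats["received"] = int(rest)
        elif key == "round-trip times":
            stats["rtt"] = {name: n for n, name in values}
        elif key.startswith("jitter "):
            stats[key.split()[1]] = JitterCounters(*[n for n, _ in values])
    return stats


def population_stddev(num: int, total: int, sum2: int) -> float:
    """sqrt(E[x^2] - E[x]^2) from running counters; 0 when there are no samples."""
    if num == 0:
        return 0.0
    mean = total / num
    return math.sqrt(max(sum2 / num - mean * mean, 0.0))


def recompute(stats: Dict[str, Any]) -> Dict[str, float]:
    """Rebuild the figures the device prints as integers (it truncates: 55/15 -> 3)."""
    out: Dict[str, float] = {"rtt_avg": stats["rtt"]["sum"] // stats["received"]}
    for direction in ("S->D", "D->S"):
        c = stats[direction]
        out[direction + "_dev"] = population_stddev(
            c.pos_num + c.neg_num, c.pos_sum + c.neg_sum, c.pos_sum2 + c.neg_sum2)
    return out
```

The consistent() bounds are worth keeping when this output is scraped by a monitoring script: a line truncated by a terminal width or a pager shows up as a counter set that violates them rather than as a silently wrong dev.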

2.26.2 Response Time Reporter (RTR)

RTR operates by generating and analyzing traffic to provide a set of performance measurements such as
network delay, packet loss, availability and jitter. The task of measuring a specific metric is called a
"probe".
Currently, the supported probes are:
• ICMP Echo, which performs a classic ping operation on a target.
• ICMP PathEcho, which performs a series of pings on every hop of the path from the source to the
target, like in a traceroute operation.
• pathJitter, which calculates round trip delays and a jitter measurement of the round trip delay on
the path.
• udpEcho, with configurable source and destination ports and IP addresses.
The probes can be scheduled to be executed continuously or for a determined period of time, starting
immediately or after a specific delay, or even triggered by events such as the failure of another probe.
The results of each probe can be analyzed by the PPA agent, filtered and optionally stored. Depending on
the values, the results can trigger events such as the start of another probe or notifications to a network
management system via SNMP traps.
The creation and scheduling of probes and retrieval of results can be done via CLI or SNMP.

2.26.2.1 Configuration of a Probe via the CLI

Probes are identified with a number in the 1-2147483647 range. In order to facilitate the management of
probes, they can have an "owner" string and a "tag" string attached.
To create the probe, use the following command, in global configuration mode:
CLI(configure)> rtr session <session-id>
CLI(conf-rtr)>

The CLI enters the rtr configuration mode, where the operational parameters of the probe, such as target
address, filtering options and data collection can be configured. A source address for the probe can be set
as well.
• Use the type command, to define the type of the operation and the target address.
o To create an ICMP Echo probe, use the following command:
CLI(conf-rtr)> type echo protocol ipIcmpEcho <target-address> [<source-address>]

Example: ICMP echo probe, with the target address 193.168.0.10


CLI(conf-rtr)> type echo protocol ipIcmpEcho 193.168.0.10

o To create a pathEcho probe, use the following command:


CLI(conf-rtr)> type pathEcho protocol ipIcmpEcho <target-address>
[<source-address>]


o To create a PathJitter probe, use the following command:


CLI(conf-rtr)> type pathJitter dest-ipaddress <target-address>
[source-address <source-address>]
[number-of-packets <number>]
[interval <milliseconds>] [targetOnly]

The number-of-packets parameter (default: 10) designates the number of packets sent at each
measurement. They are sent every interval ms (default: 20 ms).
If the keyword targetOnly is used, the packets are sent directly to the destination address,
without probing the path.
o To create an udpEcho probe, use the following command:
CLI(conf-rtr)> type udpEcho dest-ipaddr <IP address>
dest-port <port number>
src-port <port number>
[src-ipaddr <IP address>]

A destination IP address and port must be set, as well as the source port; adding the source IP
address is optional.
• In order to facilitate the management of probes, an owner string can be set:
CLI(conf-rtr)> owner <string>

• In order to facilitate the management of probes, a tag string can be set:


CLI(conf-rtr)> tag <string>

• A timeout for the operation can be configured with the following command:
CLI(conf-rtr)> timeout <time-in-ms:0-604800000>

The timeout is the time the device will wait before considering the packet lost.
• The interval between successive executions of the probe can be configured with the following
command:
CLI(conf-rtr)> frequency <time-in-s:0-604800>

The frequency is the time interval between two consecutive measurement campaigns.
Note that the frequency (in seconds) should be greater than the timeout (in milliseconds), i.e.
frequency x 1000 > timeout, so that an operation is over before the next one starts.
• The DSCP (TOS) value to be set in the IP packets can be configured with the following command:
CLI(conf-rtr)> tos <decimal-value:0-255>

To study network packet loss as a function of packet precedence, select the proper TOS value. Keep in
mind that red packets may be re-colored by traffic policing; activate color-aware packet marking to prevent
the precedence field from being upgraded. Refer to the "Traffic policing" section in the "Quality of
Service" chapter of the "OneOS – Basic IP User Guide" document.
• The size of the payload can be configured with the following command:
CLI(conf-rtr)> request-data-size <data-size-in-bytes:64-16384>

• Another important setting is the threshold value, which can be used for triggering events and
filtering the results with better granularity:
CLI(conf-rtr)> threshold <time-in-ms:0-2147483647>

For example, setting the timeout to 300 ms and the threshold to 100 ms lets the user be notified of a
degradation of the quality of service before it becomes a problem.


• RTR is available from a non-default VRF. Use the following command to set the VRF
CLI(conf-rtr)> vrf <vrf-name>

Use the no form to return to the default VRF.


CLI(conf-rtr)> no vrf <vrf-name>

• To delete a probe, use the following command in global configuration mode:


CLI(configure)> no rtr session <session-id>

2.26.2.2 Probe Scheduling via CLI

Once the probe has been created and all its parameters set, it can be scheduled for execution with the
following command:
CLI(configure)> rtr schedule <entry-number> [ageout <0-2073600>]
[life <0-2147483647> | forever]
[start-time { now | pending | hh:mm[:ss] }]

The probe can be started immediately with the now option, at a specified time (hh:mm:ss), or left in the
pending state (the default), waiting to be triggered by an event.
The probe can be stopped after a given interval with the life option (default 3600 seconds) or made
permanent with the forever option.
For temporary probes, an ageout value can be set (default 0 = infinite): once the probe has stopped and
the specified number of seconds has elapsed, the probe is deleted automatically.
Example: start the probe immediately, with a lifetime of 5 minutes:
CLI(configure)> rtr schedule 1 life 300 start-time now

Note that a scheduled probe cannot be modified. The rtr session command will display a warning
message if you attempt to reconfigure an active probe.
We can suppress a session scheduling with the following command:
CLI(configure)> no rtr schedule <entry-number>

2.26.2.3 PPA Statistics

The following command allows us to inspect the status of the probes, as well as the results:
CLI> show rtr ?
application - RTR Application
collection-statistics - RTR Statistic Collections
configuration - RTR configuration
distributions-statistics - RTR Statistic Distributions
history - RTR History
operational-state - RTR Operational State
reaction-trigger - RTR Reaction Trigger

Except for show rtr application, which displays general information on the PPA module, all show
rtr commands accept an optional parameter for displaying just one entry.
Example of output for a pathEcho probe:
CLI> show rtr configuration 999
Complete Configuration Table (includes defaults)
Entry Number: 999
Owner:
Tag:
Type of Operation to Perform: pathEcho
Reaction and History Threshold (milliseconds): 5000
Operation Frequency (seconds): 60
Operation Timeout (milliseconds): 5000
Verify Data: FALSE
Status of Entry (SNMP RowStatus): active
Protocol Type: ipIcmpEcho
Target Address: 192.168.0.1
Source Address: 0.0.0.0
Target Port: 0
Source Port: 0


Request Size (Request/Response protocol data portion): 1


Response Size (Request/Response protocol data portion): 1
Control Packets: enabled
Loose Source Routing: disabled
LSR Path:
Type of Service Parameters: 0
Life (seconds): 3600
Next Scheduled Start Time: Pending Trigger
Entry Ageout: never
Connection Loss Reaction Enabled: FALSE
Timeout Reaction Enabled: FALSE
Threshold Reaction Type: never
Threshold Falling (milliseconds): 3000
Threshold Count: 5
Threshold Count2: 5
Reaction Type: never
Number of Statistic Hours kept: 2
Number of Statistic Paths kept: 5
Number of Statistic Hops kept: 16
Number of Statistic Distribution Buckets kept: 1
Statistic Distribution Interval (milliseconds): 20
Number of History Lives kept: 2
Number of History Buckets kept: 15
Number of History Samples kept: 16
History Filter Type: all

CLI> show rtr operational-state 999


Current Operational State
Entry Number: 999
Modification Time: *10:26:19.000 UTC THU JUN 24 2003
Diagnostics Text:
Last Time this Entry was Reset: Never
Number of Octets in use by this Entry: 19750
Connection Loss Occurred: FALSE
Timeout Occurred: TRUE
Over Thresholds Occurred: FALSE
Number of Operations Attempted: 60
Current Seconds Left in Life: 0
Operational State of Entry: inactive
Latest Completion Time (milliseconds): 23
Latest Operation Return Code: Ok
Latest Operation Start Time: *11:25:21.000 UTC THU JUN 24 2003
Latest: 192.168.0.1

2.26.2.4 Advanced Features

The PPA can be configured to analyze, filter and store the results of the probes, and to react to specific
conditions, either via CLI or via SNMP.
Storage of the results is enabled via the history facility, which can be configured to filter the samples
retained.
CLI(conf-rtr)> lives-of-history-kept <nb-of-history-kept:0-2>
CLI(conf-rtr)> filter-for-history { all | failures | overThreshold | none }

By default, no history is kept (lives-of-history-kept 0 and filter-for-history none). The
filter "all" keeps all probe results, the filter "none" keeps none of them, the filter "overThreshold" keeps
only probes whose result is over the threshold (such as the Round-Trip Time (RTT) of an echo operation)
and the filter "failures" keeps only failed probes (such as timed-out or unreachable).
The amount of history kept (what a bucket holds depends on the type of probe) can be limited:
CLI(conf-rtr)> buckets-of-history-kept <number-of-history-buckets:1-60>
CLI(conf-rtr)> samples-of-history-kept <number-of-history-samples:1-30>

To display the collected data:


CLI> show rtr history

Point by point History


Multiple Lines per Entry
Line 1
Entry = Entry Number
LifeI = Life Index
BucketI = Bucket Index
SampleI = Sample Index
SampleT = Sample Start Time


CompT = Completion Time (milliseconds)


Sense = Response Return Code
Line 2 has the Target Address

Entry LifeI BucketI SampleI SampleT CompT Sense


999 1 57 1 1088076141 1 1 C0 A8 0 1
999 1 58 1 1088076201 1 1 C0 A8 0 1
999 1 59 1 1088076261 1 1 C0 A8 0 1
999 1 60 1 1088076321 1 1 C0 A8 0 1

Entry is the RTR session identifier; LifeI is the index of the history life; BucketI is the index of the
bucket (see below) in the history life; SampleI is the index of the sample in the bucket; SampleT is the
time of the sample (as the number of milliseconds since the last system boot-up); CompT is the time in
which the operation completed; Sense is the return code of the operation (see next table).

Sense return code   Description
1                   OK
2                   Disconnected
3                   Over threshold
4                   Timeout
5                   Busy
6                   Not connected
7                   Dropped
others              Error specific

Another feature is the possibility to store results in separate "buckets" according to the completion time
of the probe. The following commands define the number of buckets and the width of each bucket; the
last bucket collects all results beyond the covered range:
CLI(conf-rtr)> distributions-of-statistics-kept <number-of-buckets:1-20>
CLI(conf-rtr)> statistics-distribution-interval <time-steps-in-ms:1-100>

For example, to obtain the buckets 0-4 ms, 4-8 ms, 8-12 ms, 12-16 ms and >16 ms:
distributions-of-statistics-kept 5 ! 5 buckets
statistics-distribution-interval 4 ! each bucket is 4 ms wide

The maximum number of statistics (depending on the type of probe) to collect can be limited:
CLI(conf-rtr)> hops-of-statistics-kept <number-of-hops:1-20>
CLI(conf-rtr)> hours-of-statistics-kept <number-of-hours:0-25>
CLI(conf-rtr)> paths-of-statistics-kept <number-of-paths:1-128>

The following command will display the cumulated statistics for each of the defined buckets:
show rtr distributions-statistics 333

Captured Statistics
Multiple Lines per Entry
Line 1
Entry = Entry Number
StartT = Start Time of Entry (hundredths of seconds)
Pth = Path Index
Hop = Hop in Path Index
Dst = Time Distribution Index
Comps = Operations Completed
OvrTh = Operations Completed Over Thresholds
SumCmp = Sum of Completion Times (milliseconds)
Line 2
SumCmp2L = Sum of Completion Times Squared Low 32 Bits (milliseconds)
SumCmp2H = Sum of Completion Times Squared High 32 Bits (milliseconds)
TMax = Completion Time Maximum (milliseconds)
TMin = Completion Time Minimum (milliseconds)

Entry StartT Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
333 1088103929 1 1 1 0 0 0 0 0 1 1
333 1088103929 1 1 2 3 0 14 0 66 5 4
333 1088103929 1 1 3 2 0 17 0 145 9 8
333 1088103929 1 1 4 0 0 0 0 0 1 1
333 1088103929 1 1 5 0 0 0 0 0 1 1


Entry is the RTR session identifier; StartT is the start time of the interval (a system uptime stamp; the
table header gives its unit); Pth is the path index number (only meaningful for pathEcho probes, otherwise
1); Hop is the hop index number in the path (only meaningful for pathEcho probes, otherwise 1); Dst is the
time distribution index, i.e. the bucket, within the interval; Comps is the number of operations that have
completed successfully; OvrTh is the number of completed operations whose completion time exceeded
the threshold; SumCmp is the sum of the completion times of all successful operations in the row (in
milliseconds); SumCmp2L is the low-order 32 bits of the sum of the squares of those completion times;
SumCmp2H is the high-order 32 bits of the same sum; TMax is the highest recorded completion time per
interval (in milliseconds); TMin is the lowest recorded completion time per interval (in milliseconds).
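As an added example (not OneOS code), the accumulator behind the table above: it assigns completion times to the Dst buckets defined by statistics-distribution-interval and distributions-of-statistics-kept, keeps the Comps/SumCmp/SumCmp2/TMax/TMin counters per bucket, splits and reassembles SumCmp2 from its two 32-bit columns, and checks a row for internal consistency. The bucket boundary convention (half-open intervals, last bucket open-ended), the (High << 32) | Low reassembly and the names used are assumptions of this example. The completion times 4, 5, 5, 8, 9 ms are constructed, chosen because with a 4 ms interval they reproduce the Dst 2 and Dst 3 rows shown for entry 333 (Comps 3, SumCmp 14, squares 66, TMax 5, TMin 4; Comps 2, SumCmp 17, squares 145, TMax 9, TMin 8); the device prints TMax/TMin 1 for an empty bucket, whereas this model keeps None.

```python
"""Accumulate completion times into the distribution buckets that
'distributions-of-statistics-kept' / 'statistics-distribution-interval' define,
and reassemble the split 64-bit sum of squares.

Added example, not OneOS code. Assumptions: bucket k (1-based, the Dst column)
covers [(k-1)*interval, k*interval) ms and the last bucket also takes every
larger value; the squares sum is rebuilt as (SumCmp2H << 32) | SumCmp2L.
"""
from typing import Dict, Iterable, List, Optional, Tuple


def bucket_labels(interval_ms: int, buckets: int) -> List[str]:
    """Human-readable ranges, e.g. interval 4 / 5 buckets -> 0-4ms ... >16ms."""
    labels = [f"{k * interval_ms}-{(k + 1) * interval_ms}ms" for k in range(buckets - 1)]
    return labels + [f">{(buckets - 1) * interval_ms}ms"]


def bucket_index(completion_ms: int, interval_ms: int, buckets: int) -> int:
    """1-based bucket (Dst) a completion time lands in; values past the range go to the last."""
    if completion_ms < 0 or interval_ms < 1 or buckets < 1:
        raise ValueError("completion >= 0, interval >= 1 and buckets >= 1 required")
    return min(completion_ms // interval_ms + 1, buckets)


class BucketStats:
    """The per-bucket counters a distributions-statistics row carries."""

    def __init__(self) -> None:
        self.comps = 0          # operations completed
        self.sum_cmp = 0        # sum of completion times (ms)
        self.sum_cmp2 = 0       # sum of squared completion times
        self.t_max: Optional[int] = None
        self.t_min: Optional[int] = None

    def add(self, completion_ms: int) -> None:
        self.comps += 1
        self.sum_cmp += completion_ms
        self.sum_cmp2 += completion_ms * completion_ms
        self.t_max = completion_ms if self.t_max is None else max(self.t_max, completion_ms)
        self.t_min = completion_ms if self.t_min is None else min(self.t_min, completion_ms)

    def split_sum_cmp2(self) -> Tuple[int, int]:
        """(SumCmp2H, SumCmp2L): the two 32-bit halves the table prints."""
        return self.sum_cmp2 >> 32, self.sum_cmp2 & 0xFFFFFFFF

    def as_tuple(self) -> Tuple[int, int, int, Optional[int], Optional[int]]:
        return self.comps, self.sum_cmp, self.sum_cmp2, self.t_max, self.t_min


def combine_sum_cmp2(high: int, low: int) -> int:
    """Reassemble the squares sum from its High/Low 32-bit columns."""
    if not (0 <= high < 1 << 32 and 0 <= low < 1 << 32):
        raise ValueError("each half must be an unsigned 32-bit value")
    return (high << 32) | low


def distribute(times_ms: Iterable[int], interval_ms: int, buckets: int) -> Dict[int, BucketStats]:
    """Fill every bucket (Dst 1..buckets) from a series of completion times."""
    table = {k: BucketStats() for k in range(1, buckets + 1)}
    for t in times_ms:
        table[bucket_index(t, interval_ms, buckets)].add(t)
    return table


def row_consistent(comps: int, sum_cmp: int, sum_cmp2: int, t_max: int, t_min: int) -> bool:
    """Bounds any genuine row satisfies; use it to spot mangled or misread columns."""
    if comps == 0:
        return sum_cmp == 0 and sum_cmp2 == 0
    return (comps * t_min <= sum_cmp <= comps * t_max
            and comps * t_min * t_min <= sum_cmp2 <= comps * t_max * t_max)
```

row_consistent() is the check to run before trusting a scraped table: the two SumCmp2 columns are easy to read in the wrong order, and a swapped pair fails the squares bound as soon as the high half is non-zero.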

The PPA can be configured to react to different conditions with specific actions, for each probe. One
example is starting a pathEcho operation in response to a timeout on an echo operation, in order to
determine the point of failure. In the configuration below, session 2 records only probes that go over the
threshold of 40 ms. Once its probes start timing out (timeout 100 ms), session 1 is started and all its data
is recorded.
rtr session 1
type pathEcho protocol ipIcmpEcho 10.0.0.1
distributions-of-statistics-kept 3
filter-for-history all
lives-of-history-kept 2
statistics-distribution-interval 20
paths-of-statistics-kept 1
hops-of-statistics-kept 1
samples-of-history-kept 1
buckets-of-history-kept 4
exit
rtr schedule 1 start-time pending
rtr session 2
type echo protocol ipIcmpEcho 10.0.0.1
distributions-of-statistics-kept 3
threshold 40
timeout 100
filter-for-history overThreshold
lives-of-history-kept 2
statistics-distribution-interval 20
paths-of-statistics-kept 1
hops-of-statistics-kept 1
samples-of-history-kept 1
exit
rtr reaction-configuration 2 action-type triggerOnly
rtr reaction-configuration 2 timeout-enable
rtr reaction-trigger 2 1
rtr schedule 2 start-time now

To trigger a session based on events, the triggered session must be in the pending state
(rtr schedule <session-id> start-time pending). Then the trigger must be enabled on the
"calling" session with this command:
CLI(configure)> rtr reaction-configuration <session-id> action-type
{ triggerOnly
| trapOnly
| trapAndTrigger
| none }

Warning: when trap action is required the timeout trigger must also be enabled (see below).
If the action is triggered by a timeout, use:
CLI(configure)> rtr reaction-configuration <session-id> timeout-enable

If the action is triggered by a threshold, the command is the following:


CLI(configure)> rtr reaction-configuration <session-id> threshold-type
{ average <1-16>
| consecutive <1-16>


| immediate
| never
| xOFy <x:1-16> <y:1-16> }

If average is selected, the action is triggered when the average of the configured number of samples
crosses the threshold. If consecutive is selected, the action is triggered when the threshold is crossed as
many consecutive times as configured. If xOFy is selected, the action is triggered when the threshold is
crossed x times during the last y samples. immediate reacts to each single sample over the threshold,
and never disables threshold reactions.
Once the action trigger is set, the session with the attached trigger must be associated with the session
that is called when the trigger is activated:
CLI(configure)> rtr reaction-trigger <calling-session> <called-session>

Then, the calling session must be scheduled to complete the configuration.
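The trigger rules of this section, modelled in code as an added example (not OneOS code): a ReactionMonitor holds the threshold, timeout, threshold-type (with x and y) and timeout-enable of a calling session, classifies each result with the history Sense codes (1 OK, 3 over threshold, 4 timeout) and reports when the reaction would fire. The sample series and the names ReactionMonitor and replay are constructed for the example; how the device treats timed-out samples in an average, or a window shorter than y, is not stated in the guide and is an assumption here.

```python
"""Model of the RTR reaction rules: threshold-type average/consecutive/immediate/
never/xOFy and timeout-enable, applied to a series of probe results.

Added example, not OneOS code: it shows, for a constructed series of round-trip
times, at which sample each rule fires and which history 'Sense' code the sample
gets. Rule details not stated in the guide (timeouts excluded from an average,
a window shorter than y counted as is) are assumptions of this model.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple

SENSE_OK, SENSE_OVER_THRESHOLD, SENSE_TIMEOUT = 1, 3, 4   # history Sense codes


class ReactionMonitor:
    """Tracks one calling session's results and decides when its reaction fires."""

    TYPES = ("never", "immediate", "average", "consecutive", "xOFy")

    def __init__(self, threshold_ms: int, timeout_ms: int, threshold_type: str = "never",
                 x: int = 1, y: int = 1, timeout_enable: bool = False) -> None:
        if threshold_type not in self.TYPES:
            raise ValueError(f"unknown threshold-type {threshold_type!r}")
        if not (1 <= x <= 16 and 1 <= y <= 16):            # the CLI accepts 1-16
            raise ValueError("x and y must be within 1..16")
        self.threshold_ms, self.timeout_ms = threshold_ms, timeout_ms
        self.threshold_type, self.x, self.y = threshold_type, x, y
        self.timeout_enable = timeout_enable
        # Last completion times; None marks a timed-out operation. 16 covers every y.
        self.history: Deque[Optional[int]] = deque(maxlen=16)

    def sense(self, rtt_ms: Optional[int]) -> int:
        """Return code the sample gets in the history table."""
        if rtt_ms is None or rtt_ms > self.timeout_ms:
            return SENSE_TIMEOUT
        return SENSE_OVER_THRESHOLD if rtt_ms > self.threshold_ms else SENSE_OK

    def _threshold_crossed(self) -> bool:
        over = [r is not None and r > self.threshold_ms for r in self.history]
        if self.threshold_type == "immediate":          # this sample alone
            return over[-1]
        if self.threshold_type == "consecutive":        # last x samples all over
            return len(over) >= self.x and all(over[-self.x:])
        if self.threshold_type == "xOFy":               # x of the last y samples over
            return sum(over[-self.y:]) >= self.x
        if self.threshold_type == "average":            # mean of last x completed samples over
            completed = [r for r in self.history if r is not None][-self.x:]
            return len(completed) == self.x and sum(completed) / self.x > self.threshold_ms
        return False                                    # never

    def record(self, rtt_ms: Optional[int]) -> Tuple[int, bool]:
        """Feed one probe result (None = no reply); return (sense code, reaction fired)."""
        code = self.sense(rtt_ms)
        self.history.append(None if code == SENSE_TIMEOUT else rtt_ms)
        fired = (self.timeout_enable and code == SENSE_TIMEOUT) or self._threshold_crossed()
        return code, fired


def replay(monitor: ReactionMonitor, samples: List[Optional[int]]) -> List[Tuple[int, bool]]:
    """Run a whole series through a monitor; handy for comparing rules side by side."""
    return [monitor.record(s) for s in samples]


# Constructed series (not device output), in ms; None is a lost reply.
SAMPLES: List[Optional[int]] = [10, 50, 20, 60, None]
```

For the page's own example (threshold 40, timeout 100, timeout-enable, action-type triggerOnly) the equivalent is ReactionMonitor(40, 100, timeout_enable=True): only the timed-out sample fires, which is what starts the pathEcho session. The x and y arguments double as the count for consecutive and average, which take a single number on the CLI.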


2.27 HTTP(S) SERVER

• The embedded Web server can use either HTTP or HTTPS or both protocols. However, it is always
called "HTTP Server" in all cases in the following explanation.
• The HTTP or HTTPS Server relies on the OneOS feature called "Web Configurator Factory" (WCF).
WCF is a framework allowing a user to load self-designed web pages on the router.
A separate document explains the WCF features and the web page implementation.
• This chapter only deals with HTTP or HTTPS Server activation and configuration.

2.27.1 Installing a Set of Web Files

• Web files can be installed one-by-one in the flash file system. To make an update easier, one can
upload a TAR file in flash and untar it. The TAR file should contain all html files, js, gif …
The untar operation overwrites existing files if already present in flash. However, before
decompressing the files, the untar function can remove all files of a directory and its sub-directories.
• First download the TAR file. For example, with TFTP:
CLI> copy tftp://myserver/webconfigurator.3.7r10.e3.tar web.tar

• Then, the command to clean/untar files is:


CLI> untar <source> <dest-directory> [clean-up [all-sub-dir]]

For example:
CLI> untar web.tar /webroot clean-up all-sub-dir

2.27.2 Configuring HTTP Server

• The HTTP protocol and the HTTPS protocol are both available by default.
To select HTTP only, or HTTPS only, or both protocols, use the following command in global
configuration mode:
CLI(configure)> http-server protocol { http-and-https | http-only
| https-only }

Note that, to use HTTPS, a valid certificate must be associated with the OneOS-based router.
Refer to chapter 2.28 Certificates management for more information.

• The HTTP server is disabled by default. To enable/disable the HTTP server, use the following
command in global configuration mode:
CLI(configure)> http-server { enabled [<path>] | disabled }

The <path> is the path of the root directory of the web pages, where the files logon.htm and
index.html are located. By default, the root path is flash://webroot.


• Users accessing the web pages must be authenticated. The user logins and passwords are checked
against the local password file (flash://password file). To add a user, use the following command:
CLI> user add <webuser> <webpassword> <weblevel>

• By default, users configured in the flash://password file can log in to the Web Configurator. Those
users can also access the CLI.
It may be desirable to strictly separate CLI and web users.
To operate the web server in this mode (with web-only users), the HTTP server must first be started
with an extra option:
CLI(configure)> http-server enabled <path> allow-web-users-only

Then a web-only user can be created via the following command:


CLI(configure)> http-server user add <username>
{ <password> | serial-number } <access-level>
[invite-password-change] [already-encrypted]
[if-match-password <password>]

o The <username> and the <password> are strings of at most 64 characters that can contain any
character except ":", "!", "?", "%", "&", "<", ">", "/", "[", "\", "]", space, apostrophe, quotation
mark and tab.
o By using the keyword serial-number instead of <password>, the serial number of the device is
used as password for HTTP login. In this case, the password value is set to the string found in the
serial number field of the PIA (Product Info Area); the serial number in the PIA is an alphanumerical
string of 17 characters. The serial number is not a secret (it is typically printed on the chassis label),
so use it only as an initial password, preferably together with invite-password-change.
o The <access-level> is a number ranging from 0 to 15 (0=user, 7=manager, 15=admin).
The access level has two functions: a page can be seen by a logged-in user if the page has the
default access authorization level or if its level is lower than or equal to the logged-in user's level
(refer to 2.27.3 HTTP Proxy). It is also used to check the CLI commands executed through the web
interface.
o The keyword invite-password-change sets a flag used by the Web Configurator to request
the user to change his own password (the web pages must support this facility, which is fully
optional on the web pages).
o The already-encrypted keyword indicates that the supplied password is already in its stored
MD5-hashed form rather than in clear text.
o By adding if-match-password <password>, the command is only valid if the existing
password is <password>.

Examples

o To configure the user admin, with the serial number as password, and with access level 7, use
the following command:
CLI(configure)> http-server user add admin serial-number 7

o To configure the user admin, with the serial number as password, and with access level 7, only
if the existing password is admin-passw, use the following command:
CLI(configure)> http-server user add admin serial-number 7
if-match-password admin-passw

o To configure the user admin, with the serial number as password, with access level 7, and with
the invite-password-change flag set, use the following command:
CLI(configure)> http-server user add admin serial-number 7
invite-password-change


If the command http-server user add … is executed for a username that already exists, the
following warning is displayed “User already exists; Taking new attributes into account”. In this case,
the user is internally deleted, then re-created with the new user parameters.
Note that it is possible to create web users from IBC. If the user was already created from IBC,
http-server user add <username> … will NOT overwrite the user parameters.

To delete a web-only user, use the following command:


CLI(configure)> http-server user delete <username>

• By default, the HTTP server is reachable through any IP interface (atm, loopback, fastEthernet … IP
addresses). To attach the HTTP server to one or more interfaces only, use the following command:
CLI(configure)> [no] http-server bind <interface> <unit>

To unbind the HTTP server from an interface, use the no form of the command:
CLI(configure)> no http-server bind <interface> <unit>

To unbind the HTTP server from any particular interface, i.e. attach it to all the interfaces, which is the
default setting, use the following command:
CLI(configure)> http-server bind any

• By default, the http server is associated to the default VRF. To associate the HTTP server to a non-
default VRF, use the following command:
CLI(configure)> http-server vrf <vrf-name>

To remove the HTTP server from a non-default VRF, use the no form of the command:
CLI(configure)> no http-server vrf [<vrf-name>]

• As a security measure, it is also recommended to attach an access-list to the server: it blocks access to
the HTTP server from untrusted IP networks. To restrict access to the HTTP server to the HTTP clients
matching an access-list, use the following command:
CLI(configure)> http-server acl <acl-name>

To detach the access-list:
CLI(configure)> no http-server acl

• The web configurator generates CLI commands from HTML forms and sends them to the device. By
default, any syntactically correct command is accepted, whatever its privilege level. OneOS can additionally
check that the privilege level of each generated command is not greater than a fixed level, or not greater
than the level of the logged-in web user (http-user). To do so, use the following command:
CLI(configure)> http-server wcf cli-exec-level { <l0-15> | http-user }

Without this check, a web user created with a low access level can still have level-15 commands executed
on their behalf through a crafted form post; http-user ties the executed commands to the level granted by
http-server user add.

The outcome of applying changes on every HTML page is to create a set of CLI commands that is
executed immediately by the system when the HTML form is posted. If the changes must be saved,
the CLI commands must contain the command save running-config or write mem.


• Auto-configuration may be in use. This feature updates the router configuration and software: the
configuration downloaded by auto-configuration overwrites the saved configuration and therefore discards
the changes made through the HTTP server. It is still possible to reconcile the two. The process runs as
follows: first, the CLI commands executed by the HTTP server are saved in flash (in <path>). Then, auto-
configuration downloads a new configuration and reboots the router. If the configuration contains the
command http-server wcf exec-web-cli, all the CLI files in <path> are executed again, so that the
settings made from the HTTP server are active again. To enable/disable this behavior (disabled by
default), use the following command:
CLI(configure)> [no] http-server wcf exec-web-cli [<path>]

• To get the actual configuration, WCF emulates a "show running-config" command. Some
applications with many HTML pages, specifically designed for this purpose, can save time by asking WCF
to read an existing file (generated by the HTML pages) rather than using the "show running-config"
command. To select this behavior, use the following command:
CLI(configure)> http-server wcf parse { running-config | saved-config }

Note: the above function is not available in the standard WCF/OneOS software.

• Users are automatically logged out when an inactivity timeout expires. By default, it is 1200 seconds
(20 minutes). To set the timeout, use the following command:
CLI(configure)> http-server timeout { default | <10-100000> }

Note that unauthorized connection attempts are subject to blacklisting (refer to 2.29 Blacklist
management).


2.27.3 HTTP Proxy

• When a LAN device is associated to a gateway, the HTTP proxy is implicitly enabled on the gateway.
During association, the gateway learns the LAN device name. The "short device name" is the device
name with "_" and the parameters that follow it stripped. All HTTP requests whose URL contains a
pattern matching the short device name are forwarded to the LAN device.
For more information, refer to the DHCP Device Association section in the Dynamic Host
Configuration Protocol chapter of the OneOS – Basic IP User Guide.
• The HTTP server must be enabled on the LAN device in a special mode, because the HTTP protocol
between the LAN device and the gateway is authenticated in a special mode. To enable the HTTP server in
LAN device mode:
CLI(configure)> http-server enabled device-mode

2.27.4 Web Page Access Restriction

2.27.4.1 Restriction File Format

• Every user logged on the web server is associated with a user level. By default, all pages are
accessible to every logged-in user.
It is possible though to display a page only to users whose level is greater than or equal to the page
level.
• The purpose of this WCF security feature is to control the access level of web pages using one
configuration file placed in each folder. This is done with .ini files named ".wcfaccess.ini". Access
levels are read and applied at HTTP server startup or when the following command is triggered:
CLI(configure)> http-server wcf access-level reload

The .wcfaccess.ini files use the following format: one section per file, containing a keyword called
Access-level, as follows:
[<resource-name>]
Access-level = <Access-Level-Value>

Example:
[index.html]
Access-level = 2

[WEPKeyConfig.html]
Access-level = 2

[WlanConfig.html]
Access-level = 9

• By default, when the HTTP server is enabled, the logon.htm page always has access level 0 (even if a
".wcfaccess.ini" file modifies this level). Take care not to change the access level of the logon.htm
page: it must remain reachable before any user is logged on. All other files have their access level set
to 1.
When the engine is triggered, a file that has a custom access level specified in a ".wcfaccess.ini"
file gets that level.
Since the use of ".wcfaccess.ini" files is not mandatory, the user can set the default access level
assigned to all files managed by the HTTP server. The following CLI command allows doing this:
CLI(configure)> http-server wcf access-level default <default-level>

Example:
CLI(configure)> http-server wcf access-level default 15

Note that, if no default access level is set, the default level is 1 (as in previous versions). Setting the default
to 15 and lowering the level of the few pages meant for lower-privileged users is the safer arrangement: a
page added to the project without a ".wcfaccess.ini" entry is then inaccessible to those users rather
than open to every user.
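The level resolution described in this section, as an added example in Python (not code from the OneOS guide or product): a small class that loads the .wcfaccess.ini files of a web root, applies the rules above (logon.htm fixed at level 0, default level 1 unless configured, per-resource overrides, "/" as an alias of "/index.html") and answers whether a user of a given level may see a page. The sample .ini contents are constructed; the "admin" folder and its users.html page are assumed to show per-folder files, and restricting the logon.htm rule to the web root is an assumption.

```python
import configparser
import posixpath

# Constructed sample: one .wcfaccess.ini text per web-root folder, keyed by the
# folder path. The root entries are the guide's own example; the "admin" folder
# and its users.html page are assumed, to show a per-folder file.
SAMPLE_INI_FILES = {
    "/": """
[index.html]
Access-level = 2

[WEPKeyConfig.html]
Access-level = 2

[WlanConfig.html]
Access-level = 9

[logon.htm]
Access-level = 7
""",
    "/admin": """
[users.html]
Access-level = 15
""",
}

LOGON_PAGE = "/logon.htm"      # always level 0, whatever the .ini files say (assumed: at the web root)
BUILTIN_DEFAULT_LEVEL = 1      # level used when no "access-level default" has been configured


class WcfAccessLevels:
    """Effective access level of each web resource, following the guide's rules:
    logon.htm is fixed at 0, every other resource gets the default level unless a
    .wcfaccess.ini section overrides it, and "/" is the same page as "/index.html"."""

    def __init__(self, ini_files, default_level=None):
        self.default_level = BUILTIN_DEFAULT_LEVEL if default_level is None else default_level
        self.custom = {}  # absolute resource path -> level read from a .wcfaccess.ini
        for folder, text in ini_files.items():
            self._load_folder(folder, text)

    def _load_folder(self, folder, text):
        parser = configparser.ConfigParser()
        parser.read_string(text)
        for resource in parser.sections():          # one section per file in that folder
            level = parser.getint(resource, "Access-level")
            if not 0 <= level <= 15:
                raise ValueError(f"{folder}/{resource}: access level {level} is outside 0-15")
            self.custom[posixpath.join(folder, resource)] = level

    @staticmethod
    def canonical(url_path):
        # Normalise "." / ".." so "/admin/../logon.htm" and "/logon.htm" are the same resource.
        path = posixpath.normpath("/" + url_path.lstrip("/"))
        return "/index.html" if path == "/" else path

    def level_for(self, url_path):
        path = self.canonical(url_path)
        if path == LOGON_PAGE:
            return 0                                  # an override from the .ini is ignored
        return self.custom.get(path, self.default_level)

    def is_allowed(self, user_level, url_path):
        return user_level >= self.level_for(url_path)

    def visible_pages(self, user_level, url_paths):
        """The subset of url_paths a user of this level is allowed to see."""
        return [p for p in url_paths if self.is_allowed(user_level, p)]


if __name__ == "__main__":
    acl = WcfAccessLevels(SAMPLE_INI_FILES)
    for page in ("/", "/logon.htm", "/WlanConfig.html", "/style.css", "/admin/users.html"):
        print(f"{page:22s} level {acl.level_for(page)}")
```

Running the block prints the resolved level of each sample page; note that the logon.htm entry in the sample file is deliberately ignored, and that a second instance built with default_level=15 makes every page without an entry (style.css here) require level 15.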


2.27.4.2 Assign access level to a new page

• Use the following command to assign a custom access level to a WEB page:
CLI(configure)> http-server wcf access-level assign
<absolute-resource-path> <access-level>

Note: a custom access level can be assigned to any WEB resource (html, css, js, jpg).
Note: when assigning/removing the access level for a resource, the change is written to the .ini file
only. To effectively apply the new access level to the WEB resources, use the reload command or re-
enable the HTTP server.

2.27.4.3 Delete access level entry for a page

• Use the following command to remove the entry for a specific WEB resource from the
".wcfaccess.ini" file:
CLI(configure)> http-server wcf access-level delete
<absolute-resource-path>

Note that this command can be triggered at any moment (whether the HTTP server is up or not).

2.27.4.4 Display access level settings

• The following show commands are available:
CLI> show http-server wcf access-level stored-access-level
[<location-path>]
CLI> show http-server wcf access-level default-access-level
CLI> show http-server wcf access-level current-access-level

Note: the index.html page is registered twice: as URL "/" and as URL "/index.html".
In the output of show http-server wcf access-level current-access-level it therefore
appears twice, once for each URL.
In the output of show http-server wcf access-level stored-access-level it appears
once, since there is a single file on the flash.

• To display the access levels assigned (in the .wcfaccess.ini files) to all resources of a specific
WEB project, use the following command:
CLI> show http-server wcf access-level stored-access-level
[<location-path>]
The output has one line per resource, in the following format (similar to "ls" on Linux):
<absolute-resource-path> <access-level>

The path displayed is relative to <location-path>. All pages of the WEB project are listed, even those
that have no custom access level defined in the ".wcfaccess.ini" file: resources defined in the .ini
file are shown with the access level specified there, the others with the default access level.
The parameter <location-path> is optional and can be a folder on the flash or a single file (WEB
resource). If it is not provided, the starting location of the HTTP server is used (the HTTP server must be
up in that case, otherwise an error message is displayed). The full path of the desired folder/resource must
be provided.

• The following command displays the default access level:
CLI> show http-server wcf access-level default-access-level

• The following command displays the current access level of all WEB resources. The value shown is
retrieved from the HTTP server's internal structures, not from the .ini files, i.e. it is the access level
that is effectively enforced on the resource:
CLI> show http-server wcf access-level current-access-level

This command can only be used when the HTTP server is up, since the levels are read from the HTTP
server's resource list. Comparing its output with stored-access-level is the quick way to check that
an .ini change has actually been applied by a reload.

2.27.5 Download/Upload File Restriction

• As of V4.2R2E2 software release, downloading and uploading of files using WCF can be denied.

• To globally deny the downloading of files using WCF, use the following command:
CLI(configure)> http-server wcf download deny

To globally deny uploading of files using WCF, use the following command:
CLI(configure)> http-server wcf upload deny

• To allow the downloading of only certain files using WCF, use the following commands:
CLI(configure)> http-server wcf download permit
CLI(configure)> http-server wcf download path <path-1> [max-size <size>]
[user-level <lvl>]
CLI(configure)> …
CLI(configure)> http-server wcf download path <path-n> [max-size <size>]
[user-level <lvl>]
CLI(configure)> exit

o <path-i> can be either a file path or a folder path.
o <size> is the maximum size in KB that can be downloaded (0-4294967275; default
4294967275).
o <lvl> is the minimum user level required to allow downloading (0-15; default 15).

Note that with the default user-level, a path entry is usable by level-15 users only; give an explicit
user-level to entries meant for lower-privileged web users, and keep the /security directory (private
keys and certificates, see 2.28) out of every download entry.

To allow the uploading of only certain files using WCF, use the following commands:
CLI(configure)> http-server wcf upload permit
CLI(configure)> http-server wcf upload path <path-1> [max-size <size>]
[user-level <lvl>]
CLI(configure)> …
CLI(configure)> http-server wcf upload path <path-n> [max-size <size>]
[user-level <lvl>]
CLI(configure)> exit
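The permit-list evaluation of this section, as an added example in Python (not the product's code): a policy object that models download deny/permit plus the path entries with their max-size and user-level options, using the defaults stated above. Two points the guide leaves open are assumptions here: a path entry covers both the file it names and everything below it when it names a folder, and when several entries match, the most specific (longest) one wins. The request path is canonicalized before matching so that ".." segments cannot move a request from a permitted folder into /security. The sample policy and requests are constructed.

```python
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_MAX_SIZE_KB = 4294967275   # "max-size" default from the guide
DEFAULT_USER_LEVEL = 15            # "user-level" default from the guide


def canonical(resource: str) -> str:
    """Absolute path with "." and ".." collapsed, so a traversal such as
    "/webroot/../security/https_one.pem" is judged as /security/https_one.pem."""
    return posixpath.normpath("/" + resource.lstrip("/"))


@dataclass
class PathRule:
    """One 'http-server wcf {download|upload} path <path> [max-size] [user-level]' entry."""
    path: str
    max_size_kb: int = DEFAULT_MAX_SIZE_KB
    user_level: int = DEFAULT_USER_LEVEL

    def matches(self, resource: str) -> bool:
        rule = canonical(self.path)
        if rule == resource:                       # entry names the file itself
            return True
        prefix = "/" if rule == "/" else rule + "/"
        return resource.startswith(prefix)         # entry names a folder above it (assumption)

    def specificity(self) -> int:
        return len(canonical(self.path))


class TransferPolicy:
    """Decision logic for 'http-server wcf download|upload deny' versus 'permit' plus
    path entries. The most specific matching entry wins: an assumption, the guide does
    not say how overlapping entries combine."""

    def __init__(self, permit: bool, rules: Optional[List[PathRule]] = None):
        self.permit = permit
        self.rules = list(rules or [])

    def decide(self, resource: str, size_kb: int, user_level: int) -> Tuple[bool, str]:
        if not self.permit:
            return False, "denied globally"
        res = canonical(resource)
        candidates = [r for r in self.rules if r.matches(res)]
        if not candidates:
            return False, f"no path entry covers {res}"
        rule = max(candidates, key=PathRule.specificity)
        if user_level < rule.user_level:
            return False, f"user level {user_level} is below the {rule.user_level} required for {rule.path}"
        if size_kb > rule.max_size_kb:
            return False, f"{size_kb} KB exceeds the {rule.max_size_kb} KB allowed for {rule.path}"
        return True, f"permitted by path entry {rule.path}"


# Constructed policy: web root open to any logged-in user, logs capped in size and
# reserved to level 7, the HTTPS key/certificate file only for level 15 (the default).
SAMPLE_DOWNLOADS = TransferPolicy(True, [
    PathRule("/webroot", user_level=1),
    PathRule("/webroot/logs", max_size_kb=512, user_level=7),
    PathRule("/security/https_one.pem"),
])

if __name__ == "__main__":
    for req in (("/webroot/index.html", 10, 1), ("/webroot/logs/big.log", 1024, 7),
                ("/webroot/../security/https_one.pem", 4, 7), ("/security/ca/root.ca", 4, 15)):
        print(req, SAMPLE_DOWNLOADS.decide(*req))
```

The traversal request in the sample is the case worth studying: without canonicalization it would be matched by the level-1 /webroot entry, with it the only matching entry is the one for /security/https_one.pem, which a level-7 user cannot use.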

2.27.6 Debugging HTTP Server

• To activate WCF traces, use the following command:
CLI> debug wcf

• WCF Simulation mode is intended to be used when testing WEB Pages. It can do the value matching
between HTML fields and a custom file ("flash://webroot/simconf.cfg"), instead of extracting
html field values from "show running-config". Also, it never executes the CLI generated - it will
only display the list of commands contained in the WEB page.
CLI(configure)> [no] http-server wcf simulation-mode


2.28 CERTIFICATES MANAGEMENT

Note: the certificates management depicted below is not meant to deploy certificates on a large scale.

The OneOS-based router is able to manage the following certificates:

• The HTTPS server certificate (always present).
• The TR-69 device certificate (always present, in some software versions only).
• The TR-69 root certificate (always present, in some software versions only).
• The IPsec/IKE (ISAKMP) root certificate (not always present).
• The IPsec/IKE (ISAKMP) client certificate (not always present).
• The Voice root certificate (not always present).
• The Voice device certificate (not always present).

Note: a default HTTPS server certificate is always present, so that HTTPS works out of the box. This
default certificate is self-signed (see the example in 2.28.1, where issuer and subject are identical), so
browsers display a security warning when connecting to it. It can be replaced by a customized one (see
below).

The following table shows the CLI commands and their associated purposes, grouped by section. The
certificate types distinguished by the table are: the HTTPS server certificate, the TR-69 device certificate,
the TR-69 root certificate, the auto update root certificate, the IPsec/IKE (ISAKMP) root certificate, the
IPsec/IKE (ISAKMP) client certificate, the SIP TLS root certificate and the SIP TLS device certificate.

2.28.1 Display certificates
o Command "show certificates"
o Command "show crypto pki [sip-tls] ca [detail]"
o Command "show crypto pki [sip-tls] certificates [detail]"
o Command "show crypto pki device-certificates [detail]"
o Command "show crypto pki https [detail]"
2.28.2 Enter certificate control mode
o Command "certificate"
2.28.2.1 Subject Distinguished Name attribute
o Subject DN Country field
o Subject DN State field
o Subject DN Locality field
o Subject DN Organization field
o Subject DN Organization Unit field
o Subject DN Common Name field
o Subject DN Email Address field
2.28.2.2 Subject Alternative Name attribute
o Subject Alternative Name host name field
o Subject Alternative Name ip-address field
o Subject Alternative Name user field
2.28.2.3 Key length and cipher type attribute
o Command "[no] key { rsa-1024 | rsa-512 }"
o Command "[no] key { rsa-2048 | rsa-1536 | rsa-1024 | rsa-512 }"
o Command "[no] key { ec... }"
2.28.2.4 Key usage attribute
o Command "[no] key-usage server-authentication"
o Command "[no] key-usage sip-tls"
2.28.2.5 Certificate enrollment
o Specify URL via SCEP: command "[no] enrollment url http://ip_address/scep_path"
o Specify URL via TFTP: command "[no] enrollment url tftp://ip_address/filename" (filename is the
{base-name} of the certificate or certificate request)
o Specify a local file: command "[no] enrollment file <filename>"
o ISAKMP CA certificates must be located in the /security/ca directory
o ISAKMP trusted certificates must be located in the /security/certs directory
o ISAKMP certificates: command "crypto pki reload"
o ISAKMP private keys must be located in the /security/private directory
o SIP TLS certificates must be located in the /security/siptls directory
2.28.2.6 Miscellaneous commands
o Remove a certificate parameter/command
o Return to default settings
o Exit the certificate configuration mode
2.28.3.1 Create a self-signed HTTPS or TLS server certificate
o Command "enroll self-signed { https | sip-tls }"
2.28.3.2 Certificate signing request
o Command "enroll signing-request"
2.28.3.3 Certificate import
o Import CA certificate (.ca): command "import ca [purpose { isakmp | sip-tls }]"
o Import signed certificate (.cer): command "import certificate [purpose isakmp]"
o Import signed certificate in PEM format (.pem): command "import pem [purpose https]"
o Import PKCS12 package and place it in the /security directory: command "import pkcs12"
o Import CRL and place it in the appropriate folder
o Import certificate related files directly using file system commands
2.28.4.1 Configure the criteria to which a certificate must comply
o Command "crypto pki certificate map <name> <priority>"
o Remove certificate map: command "no crypto pki certificate map <name> [<priority>]"
o Alternate subject name criterion: command "[no] alt-subject-name { co | nc | eq | ne } <string>"
o Issuer name criterion: command "[no] issuer-name { co | nc | eq | ne } <string>"
o Empty the list of criteria: command "default"
o Finalize certificate map configuration: command "exit"
2.28.4.2 Matching the criteria
o Command "match certificate"
2.28.5.1 Configure a trust point to check the revocation of the certificate
o Enter PKI trust-point configuration sub-level: command "crypto pki trustpoint <name>"
o Remove trust-point: command "no crypto pki trustpoint"
o Revocation check options: command "[no] revocation-check [crl] [ocsp] [none]"
o Return to default option: command "default revocation-check"
o OCSP URL: command "[no] ocsp <url>"
o Return to default OCSP option: command "default ocsp"
o Finalize revocation check: command "exit"
2.28.5.2 Checking the revocation
o Based on /security/crls/ipsec.crl and the configuration in the trustpoint
o Based on /security/siptls/basename.crl


2.28.1 Showing the content of the certificates

To show the content of all available certificates on the device, use the following command in global mode.
CLI> show certificates

Example with only the default HTTPS server certificate available:
CLI> show certificates
default HTTPS server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 302127474 (0x12021972)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=OneOS_Device, OU=OneAccess, C=FR
Validity
Not Before: Aug 29 09:27:31 2008 GMT
Not After : Mar 1 09:27:31 2037 GMT
Subject: CN=OneOS_Device, OU=OneAccess, C=FR
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b7:50:c4:85:3c:a8:33:25:e5:6c:fe:15:0e:02:
88:b7:91:d6:84:70:f9:2f:f9:8b:c9:b6:17:24:20:
ad:fe:39:fe:56:cf:62:d8:2f:74:01:6b:a1:57:53:
be:fe:1d:dc:4c:63:3c:77:c0:e0:34:cc:27:6f:89:
a8:60:4b:24:3f:ec:e7:13:84:3f:30:0e:da:02:57:
73:39:b9:86:f7:45:a5:0e:dc:1c:81:42:03:06:19:
b7:16:25:f2:3b:bd:4a:06:72:ef:74:7b:c2:2f:39:
0a:1b:8b:69:48:95:cd:b6:30:67:91:c3:58:cd:9c:
c3:4e:28:22:fe:8c:1b:62:e7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA:61
X509v3 Authority Key Identifier:
keyid:E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA:61

X509v3 Key Usage:


Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption
18:6e:c9:ac:18:95:43:7e:72:55:32:70:5e:86:c8:59:60:3d:
9a:bd:e2:11:2d:17:09:98:ae:c8:49:a7:c4:b0:29:20:1b:95:
96:69:26:0b:46:ea:ce:04:ec:de:a6:2d:cb:23:e8:9d:fa:cc:
69:3d:77:c1:ca:f7:30:17:dd:86:e9:fa:8b:7f:09:32:06:4e:
a7:05:d9:54:77:14:e3:33:88:96:62:13:8d:35:77:23:1b:75:
05:95:ea:e6:73:6b:da:c2:b7:6e:8e:70:32:47:7c:c8:97:4e:
89:7b:1e:29:06:f4:a7:6a:5d:85:9a:76:a4:4e:d2:49:59:e7:
88:e2
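A check a practitioner would run on that output, as an added example in Python (not part of the guide): an audit of the show certificates text that extracts issuer, subject, key size, signature algorithm, validity end, extended key usage and the key identifiers, and flags a self-signed certificate, an RSA key below 2048 bits, an MD5 or SHA-1 signature and an expired certificate. The sample output above is embedded as the input (modulus and signature bytes omitted); the thresholds are the author's choice, not OneOS settings.

```python
import re
from datetime import datetime, timezone

# The "show certificates" sample output from the guide, embedded as the audit input
# (the modulus and signature bytes are omitted; the audit does not read them).
SAMPLE_SHOW_CERTIFICATES = """\
default HTTPS server certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 302127474 (0x12021972)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=OneOS_Device, OU=OneAccess, C=FR
        Validity
            Not Before: Aug 29 09:27:31 2008 GMT
            Not After : Mar  1 09:27:31 2037 GMT
        Subject: CN=OneOS_Device, OU=OneAccess, C=FR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
            Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA:61
            X509v3 Authority Key Identifier:
                keyid:E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA:61
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

MIN_RSA_BITS = 2048                                    # reviewer's threshold, not an OneOS setting
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def parse_openssl_time(value):
    """'Mar  1 09:27:31 2037 GMT' -> aware UTC datetime (OpenSSL pads the day with spaces)."""
    parts = value.split()
    if parts[-1] == "GMT":
        parts.pop()
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_show_certificates(text):
    """Extract the fields the audit needs from the OpenSSL-style text dump."""
    def first(pattern, flags=0):
        m = re.search(pattern, text, flags)
        return m.group(1).strip() if m else None

    not_after = first(r"Not After\s*:\s*(.+)")
    bits = first(r"\((\d+) bit\)")
    return {
        "issuer": first(r"^\s*Issuer:\s*(.+)$", re.M),
        "subject": first(r"^\s*Subject:\s*(.+)$", re.M),
        "signature_algorithm": first(r"Signature Algorithm:\s*(\S+)"),
        "key_bits": int(bits) if bits else None,
        "not_after": parse_openssl_time(not_after) if not_after else None,
        "ski": first(r"Subject Key Identifier:\s*([0-9A-F:]+)"),
        "aki": first(r"Authority Key Identifier:\s*keyid:([0-9A-F:]+)"),
        "eku": first(r"Extended Key Usage:\s*([^\n]+)"),
    }


def audit_certificate(text, now=None):
    """Findings for one certificate dump. `now` is an ISO date string ("2024-01-01"),
    defaulting to the current time, so that results are reproducible."""
    now_dt = (datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
              if now else datetime.now(timezone.utc))
    c = parse_show_certificates(text)
    findings = []
    self_signed = c["issuer"] == c["subject"] or (c["ski"] is not None and c["ski"] == c["aki"])
    if self_signed:
        findings.append("self-signed: browsers will warn until a CA-signed certificate is installed")
    if c["key_bits"] is not None and c["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is only {c['key_bits']} bits; regenerate with key rsa-2048")
    if c["signature_algorithm"] in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(f"signature algorithm {c['signature_algorithm']} is deprecated")
    if c["not_after"] is not None and c["not_after"] < now_dt:
        findings.append(f"expired on {c['not_after']:%Y-%m-%d}")
    if c["eku"] and "TLS Web Server Authentication" not in c["eku"]:
        findings.append("extended key usage does not include TLS Web Server Authentication")
    return findings


if __name__ == "__main__":
    for line in audit_certificate(SAMPLE_SHOW_CERTIFICATES):
        print("-", line)
```

On the sample above the audit raises three findings (self-signed, 1024-bit key, SHA-1 signature), which is exactly why the guide recommends replacing the default certificate with a customized one.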

To display the content of particular certificate stores, use the following commands. The optional detail
parameter adds the subject public key and the signature information to the output.

To display the list of the IPsec CA certificates, use the following command line:
CLI> show crypto pki ca [detail]

To display the list of the IPsec certificates, use the following command line:
CLI> show crypto pki certificates [detail]

To display the list of all available device certificates in the Secure Information Area (SIA) and the TR-69
root certificate, use the following command line:
CLI> show crypto pki device-certificates [detail]

To display the list of all available HTTPS server certificates, use the following command line:
CLI> show crypto pki https [detail]


To display the list of SIP-TLS CA certificates, use the following command line:
CLI> show crypto pki sip-tls ca [detail]

To display the list of all available SIP-TLS device certificates, use the following command line:
CLI> show crypto pki sip-tls [detail]

2.28.2 Configuring the certificates to be generated

To configure the HTTPS server certificate or the IPsec Certificate Signing Request (CSR) that will be
generated (see below), first enter certificate control mode, then use the configure command.
CLI> certificate
CLI(certificate)> configure
CLI(cert-conf)>

In this mode, a number of attributes can be changed before an HTTPS server certificate or an IPsec CSR
is generated.
The attributes that can be changed are described in the following paragraphs.

2.28.2.1 Subject Distinguished Name attribute

The Subject Distinguished Name (DN) attribute is a set of fields describing where the subject is
geographically and its role within an organization.
To set the Subject DN Country field, use the following command line:
CLI(cert-conf)> [no] subject C <name>

To set the Subject DN State field, use the following command line:
CLI(cert-conf)> [no] subject ST <name>

To set the Subject DN Locality field, use the following command line:
CLI(cert-conf)> [no] subject L <name>

To set the Subject DN Organization field, use the following command line:
CLI(cert-conf)> [no] subject O <name>

To set the Subject DN Organization Unit field, use the following command line:
CLI(cert-conf)> [no] subject OU <name>

To set the Subject DN Common Name field, use the following command line:
CLI(cert-conf)> [no] subject CN <name>

To set the Subject DN email address field, use the following command line:
CLI(cert-conf)> [no] subject email-address <name>

Note: for a self signed certificate, these fields will also be put in the Issuer DN field.


2.28.2.2 Subject Alternative Name attribute

The Subject Alternative Name extension allows various literal values to be included in the certificate.
These include host name, IP address and other name (user).
The three types of Subject Alternative Name can be combined.
To set the content of the Subject Alternative Name host name field, use the following command line:
CLI(cert-conf)> [no] alt-subject-name hostname <name>

To set the content of the Subject Alternative Name IP address field, use the following command line:
CLI(cert-conf)> [no] alt-subject-name ip-address <ip-address>

To set the content of the Subject Alternative Name user field, use the following command line:
CLI(cert-conf)> [no] alt-subject-name user <name>

Note that current browsers match the host part of the HTTPS URL against the Subject Alternative Name
entries (host name or IP address) rather than against the Common Name, so the certificate must carry the
name or address under which the device is actually reached.

2.28.2.3 Key length and cipher type attribute

To set the key length and cipher type, use the following command line:
CLI(cert-conf)> [no] key { rsa-2048 | rsa-1536 | rsa-1024 | rsa-512 }

Use rsa-2048: rsa-512 is rejected by current browsers and TLS libraries, and rsa-1024 is below the
minimum size generally accepted today; the shorter options only exist for legacy peers.

2.28.2.4 Key usage attribute

To set the extendedKeyUsage field to HTTPS server authentication or SIP-TLS authentication, use
the following command line (note that some browsers require this to be set to accept the certificate for
HTTPS):
CLI(cert-conf)> [no] key-usage { server-authentication | sip-tls }


2.28.2.5 Certificate enrollment

• Certificates can be obtained either using SCEP (Simple Certificate Enrollment Protocol) or using
TFTP.
• To specify the URL where to obtain the signed certificate via SCEP, use the following command:
CLI(cert-conf)> [no] enrollment url http://ip_address/scep_path

o ip_address is the IP address of the SCEP server.
o scep_path is the SCEP server specific path, depending on the SCEP implementation that is
used.
Example:
enrollment url http://10.0.28.1:80/cgi-bin/openscep
enrollment url http://10.0.28.1:80/certsrv/mscep/mscep.dll

• To specify the URL of the TFTP server where the request should be sent and where to obtain the
signed certificate, use the following command:
CLI(cert-conf)> [no] enrollment url tftp://ip_address/filename

o ip_address is the IP address of the TFTP server.
o filename is the {base-name} (without extension) of the certificate or certificate request.

Note that neither SCEP over plain HTTP nor TFTP protects the transfer: a CSR and a signed certificate are
public data, but a CA certificate fetched this way must be verified out of band (for example by comparing
its fingerprint with the one published by the CA) before it is trusted, and a private key should only cross
such a link inside a password-protected pkcs12 package.

• The PKI related files can also be put directly on the file system; in that case, reference them with the
following command:
CLI(cert-conf)> [no] enrollment file <filename>

• The extensions ".key", ".ca", ".req", ".cer", ".p12" or ".pem" are automatically added to the
{base-name}, depending on the action taken in the import or enroll command.

Note that restrictions apply to the name of ISAKMP certificates. See below.

ISAKMP certificates conventions


• The ISAKMP CA certificates must be located in the /security/ca directory. The certificates in this
directory are used for the actual X.509 authentication.
The ISAKMP trusted certificates must be located in the /security/certs directory. These
certificates are required to have a subjectAltName extension containing the certificate holder
identity; usually ip-address, hostname (FQDN), or user-fqdn.
The ISAKMP certificates are loaded at boot time or after entering the command:
CLI(configure)> crypto pki reload

• The ISAKMP private keys must be located in the /security/private directory.
This directory contains the private keys matching the public key of the device's own certificate (which
must be in the /security/certs directory and have an appropriate subjectAltName field).
The name of the key file must be the value of the self-identity (also called local identity) configured,
in the format of its type: ip-address, hostname or user-fqdn.
Examples:
o for self-identity type ip-address, the filename could be 172.31.10.1 (the IP address of the
egress interface)
o for self-identity type hostname, the filename could be router1.mydomain.com (the
hostname of the local router)
o for self-identity type user-fqdn, the filename could be [email protected] or user (the
email address or name of a local user)
• Note: if no local key file matching the above types is found, the file local.key is used
as the local key for the ISAKMP rsa-sig authentication. A certificate with a matching public key must
exist in the /security/certs directory.
• A certificate can only be validated if the time and date are set correctly on the router (see time, date
and sntp commands). If the time and date are not correct, the message certificate is not yet
valid is displayed when the router tries to validate an ISAKMP certificate. A router whose clock is
reset at boot therefore needs SNTP (or a manually set date) before its tunnels can come up.

SIP TLS certificates conventions

• The files related to PKI (private key file, device certificate, CA certificates) are stored in the
/security/siptls directory of the file system. The different files share a common base name, with
specific extensions from which the purpose of each file can be derived. This basename is used to
reference the set of PKI files from the Voice SIP TLS settings with the pki-profile <basename>
command. If it is not specified, the basename "default" is assumed.
For more details on this command, refer to the OneOS–VoIP User Guide.
• The PKI directory can contain:
o <basename>.p12: pkcs12 file which can contain a private key, a device certificate and a
number of CA certificates. This file is not required but can be used to import a set of PKI files.
o <basename>.cer: the device certificate file. This certificate must match the private key in
<basename>.key. If the device certificate is not signed directly by its root CA, this file may also
include the certificate verification chain. This file is required if the remote end requires the OA
device to authenticate itself.
o <basename>.key: the private key file. When the import command is used, this file is
encrypted with a fixed password; a non-encrypted file may also be put here directly.
Encryption of this file with a user specified key is not supported. Since the password is fixed, this
encryption only hides the key from a casual look at the flash: anyone who can read the file system
(file system commands, WCF download, a flash dump) must be treated as holding the key, which is
one reason to keep /security out of the WCF download paths (see 2.27.5).
o <basename>_ca0.cer: CA file; it can contain either trusted root certificates or certificates
used to build the verification chain of the device certificate. Each CA file may contain multiple
root certificates. This file is required if this PKI profile is to be used to authenticate the remote end.
o Up to four additional optional CA files may be present (five in total): <basename>_ca1.cer,
<basename>_ca2.cer, <basename>_ca3.cer, <basename>_ca4.cer.
o <basename>.crl: certificate revocation list file. If present, in addition to the standard certificate
checks, the device validates whether the remote endpoint's certificate has been added to
this revocation list. This file must not contain a concatenation of multiple CRLs: if it does, the
CRLs in the file are ignored and the SIP gateway comes up ignoring them, printing a warning
about the CRLs such as
"#Warning SIP-TLS# Problem loading CRL file flash:/security/siptls/basename.crl".

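The file layout conventions of the two passages above (ISAKMP and SIP TLS), as an added example in Python that is not code from the guide: a checker that, given a listing of the flash file system, reports what a SIP-TLS PKI profile is missing for the role it must play, detects the concatenated-CRL failure mode described above, and resolves the ISAKMP private key file for a configured self-identity with the local.key fallback. The flash listing and file contents are constructed; the certificate check in the ISAKMP part is a name check only, since verifying the public key match the guide requires would need an X.509 parser.

```python
import posixpath

CRL_MARKER = "-----BEGIN X509 CRL-----"
SIPTLS_DIR = "/security/siptls"
ISAKMP_PRIVATE_DIR = "/security/private"
ISAKMP_CERTS_DIR = "/security/certs"
MAX_CA_FILES = 5                       # <basename>_ca0.cer ... <basename>_ca4.cer
SELF_IDENTITY_TYPES = ("ip-address", "hostname", "user-fqdn")

PEM_CERT = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
PEM_KEY = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"
PEM_CRL = CRL_MARKER + "\n...\n-----END X509 CRL-----\n"

# Constructed flash listing (path -> content, PEM bodies abbreviated). Profile
# "default" is complete except for a CRL file holding two concatenated CRLs;
# profile "branch" has a device certificate but no key and no CA file.
SAMPLE_FLASH = {
    "/security/siptls/default.cer": PEM_CERT,
    "/security/siptls/default.key": PEM_KEY,
    "/security/siptls/default_ca0.cer": PEM_CERT,
    "/security/siptls/default.crl": PEM_CRL * 2,
    "/security/siptls/branch.cer": PEM_CERT,
    "/security/ca/corp-root.ca": PEM_CERT,
    "/security/certs/router1.mydomain.com": PEM_CERT,
    "/security/private/router1.mydomain.com": PEM_KEY,
    "/security/private/local.key": PEM_KEY,
}


def check_siptls_profile(flash, basename="default", authenticate_self=True, authenticate_remote=True):
    """What the SIP-TLS PKI profile <basename> lacks for the role it must play.
    authenticate_self: the remote end requires this device to present a certificate
    (needs <basename>.cer and <basename>.key); authenticate_remote: this device must
    verify the remote end (needs at least <basename>_ca0.cer). A .crl is optional,
    but a concatenation of several CRLs is ignored with the warning the guide quotes."""
    def present(name):
        return posixpath.join(SIPTLS_DIR, name) in flash

    problems = []
    if authenticate_self:
        for ext in (".cer", ".key"):
            if not present(basename + ext):
                problems.append(f"missing {basename}{ext}: device cannot authenticate itself")
    ca_files = [f"{basename}_ca{i}.cer" for i in range(MAX_CA_FILES) if present(f"{basename}_ca{i}.cer")]
    if authenticate_remote and not ca_files:
        problems.append(f"missing {basename}_ca0.cer: remote end cannot be authenticated")
    crl = flash.get(posixpath.join(SIPTLS_DIR, basename + ".crl"))
    if crl is not None and crl.count(CRL_MARKER) > 1:
        problems.append(f"#Warning SIP-TLS# Problem loading CRL file flash:{SIPTLS_DIR}/{basename}.crl "
                        f"({crl.count(CRL_MARKER)} CRLs concatenated; the file will be ignored)")
    return {"basename": basename, "ca_files": ca_files, "problems": problems}


def isakmp_key_file(flash, identity_type, identity):
    """The /security/private file ISAKMP rsa-sig uses for a configured self-identity:
    the file named after the identity value, else local.key. Returns (path or None,
    fallback_used, certificate_present), where certificate_present tells whether
    /security/certs holds a file of the same name (a name check only; the public
    key match the guide requires needs an X.509 parser)."""
    if identity_type not in SELF_IDENTITY_TYPES:
        raise ValueError(f"unknown self-identity type {identity_type!r}")
    named = posixpath.join(ISAKMP_PRIVATE_DIR, identity)
    cert_present = posixpath.join(ISAKMP_CERTS_DIR, identity) in flash
    if named in flash:
        return named, False, cert_present
    fallback = posixpath.join(ISAKMP_PRIVATE_DIR, "local.key")
    if fallback in flash:
        return fallback, True, cert_present
    return None, True, cert_present


if __name__ == "__main__":
    for name in ("default", "branch"):
        print(name, check_siptls_profile(SAMPLE_FLASH, name))
    print(isakmp_key_file(SAMPLE_FLASH, "hostname", "router1.mydomain.com"))
    print(isakmp_key_file(SAMPLE_FLASH, "ip-address", "172.31.10.1"))
```

The "default" profile in the sample reproduces the silent failure the guide warns about: every required file is present, so the gateway comes up, but the concatenated CRL means revocation is not checked; the checker surfaces this before the first call rather than in a boot-time warning.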

2.28.2.6 Miscellaneous commands

To remove a parameter from the certificate configuration, use the no form of the command line.

To return to the default setting for all fields, use the following command line. It is preferable to use this
command first, prior to configuring the fields, to ensure that the device starts from the known default
configuration.
CLI(cert-conf)> default

To exit the certificate configuration mode:
CLI(cert-conf)> exit
CLI(certificate)> exit
CLI>

2.28.3 Creating the certificates

2.28.3.1 Self-signed HTTPS server certificate

To generate a self-signed HTTPS server certificate or SIP-TLS device certificate, use the following
command in certificate control mode.
For the HTTPS purpose, the certificate will be placed in the /security/https_one.pem file.
For the SIP-TLS purpose, the certificate will be placed under the /security/siptls directory.
CLI(certificate)> enroll self-signed { https | sip-tls }

If a certificate already exists, it will be replaced. If no configuration has been done, a certificate with
CN=device serial number will be generated. The certificate serial number is also based on the device serial
number, but with a trailer to guarantee uniqueness if this action is performed multiple times.
Note: the "generate self-signed" command is deprecated and replaced by the "enroll self-
signed" command.


2.28.3.2 Certificate signing request

To generate a certificate signing request (CSR) and send the request to the URL configured in the
enrollment command, use the following command in certificate control mode. If TFTP is chosen to enroll, a
file with the name {base-name}.req will be transferred to the CA (Certificate Authority).
CLI(certificate)> enroll signing-request

2.28.3.3 Certificate import

• To import a CA certificate and place it in the /security directory with name {base-name}.ca
(with {base-name} being the actual file name of the certificate), use the following command:
CLI(certificate)> import ca [purpose { isakmp | sip-tls }]
[index <number>]

The keyword purpose isakmp should be added to the command line if the CA certificate is used for
ISAKMP crypto. In this way the CA certificate will be placed in the /security/ca directory.

• To import a signed certificate and place it in the /security directory with name {base-name}.cer,
use the following command:
CLI(certificate)> import certificate { isakmp | sip-tls }

The keyword purpose isakmp should be added to the command line if the certificate is used for
ISAKMP crypto. In this way the certificate will be placed in the /security/cert directory.

• To import a signed certificate in the privacy enhanced mail (PEM) format and place it in the
/security directory with name {base-name}.pem, use the following command:
CLI(certificate)> import pem [purpose { https | sip-tls }]

The keyword purpose https should be added to the command line if the .pem file contains an
HTTPS server certificate. In this case the .pem file should also contain the appropriate private key.

• To import a Public Key Cryptography Standards 12 (pkcs12) package and place it in the /security
directory with certificate name {base-name}.cer and private key name {base-name}.key, use
the following command:
CLI(certificate)> import pkcs12 <key> [purpose { isakmp | sip-tls }]

The key used for decrypting the package should be provided by the certificate authority. If the
certificate is used for ISAKMP crypto, then the keyword purpose isakmp should be added to the
command line. In this way the certificate will be placed in the /security/cert directory and the
private key will be placed in the /security/private directory.
• To import a private key, as specified by the certificate -> configuration -> enrollment
command, and place it in the /security directory, use the following command:
CLI(certificate)> import private key <key> [purpose { isakmp | sip-tls }]

<key> is the protection key of the private key. If the certificate is used for ISAKMP crypto, the
keyword purpose isakmp should be added to the command.
The private key is stored encrypted in the file system.


2.28.4 Certificate matching against criteria

2.28.4.1 Configuring the criteria to which a certificate must comply

A crypto certificate map defines the criteria to which an X509 certificate must comply. To configure a PKI
certificate map entry, and enter in certificate map configuration sub-level, use the following command line:
CLI(configure)> crypto pki certificate map <name> <priority>
CLI(cert-map)>

name is the name of the certificate map; priority is the priority of the certificate map (0-10000).
When creating a new certificate map a priority is required. This priority will be taken into account when
matching a certificate to a certificate map; maps with the same name but different priorities will all be
checked starting with the map with the highest priority (lowest number).

To remove a certificate map, use the following command line:
CLI(configure)> no crypto pki certificate map <name> [<priority>]

The version of the command without the priority will delete all maps with the given name. When a priority is
supplied, only the map with the given priority will be deleted.

Each criterion uses one of four operators: contains (co), not contains (nc), equals (eq) and not
equals (ne). This means the certificate property must contain a given string, not contain it, be exactly
equal to it or differ from it, respectively. Several criteria can be applied to the same property
(e.g. co a / nc b / nc c / co d / ne da).
The certificate matches the map only when all criteria match.

To configure one criterion for the subject name certificate property, use the following command:
CLI(cert-map)> [no] subject-name { co | nc | eq | ne } <string>

To configure one certificate alternate subject name criterion, use the following command:
CLI(cert-map)> [no] alt-subject-name { co | nc | eq | ne } <string>

To configure one certificate issuer name criterion, use the following command:
CLI(cert-map)> [no] issuer-name { co | nc | eq | ne } <string>

To remove a specific criterion for a specific certificate property, use the no form of the command.

To empty the list of criteria of a specific certificate property, use the default command:
CLI(cert-map)> default subject-name
CLI(cert-map)> default alt-subject-name
CLI(cert-map)> default issuer-name

To finalize the certificate map configuration:
CLI(cert-map)> exit
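The matching rules above (co/nc/eq/ne operators, all criteria must match, same-name maps tried from the lowest priority number upward) as a small Python model. This is an added example, not OneOS code; the map name "branch", the subject and issuer strings and the certificate dictionaries are constructed for illustration.

```python
"""Model of OneOS 'crypto pki certificate map' matching (added example, not OneOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROPERTIES = ("subject-name", "alt-subject-name", "issuer-name")
OPERATORS = ("co", "nc", "eq", "ne")


def criterion_matches(op: str, expected: str, actual: str) -> bool:
    """Evaluate one criterion against the actual value of a certificate field."""
    if op == "co":
        return expected in actual
    if op == "nc":
        return expected not in actual
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class CertificateMap:
    """One 'crypto pki certificate map <name> <priority>' entry."""
    name: str
    priority: int  # 0-10000; lower number = higher priority = checked first
    criteria: Dict[str, List[Tuple[str, str]]] = field(
        default_factory=lambda: {p: [] for p in PROPERTIES})

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 10000:
            raise ValueError("priority must be in 0-10000")

    def add(self, prop: str, op: str, value: str) -> None:
        """'CLI(cert-map)> <prop> {co|nc|eq|ne} <string>'."""
        if prop not in PROPERTIES or op not in OPERATORS:
            raise ValueError(f"bad criterion {prop} {op}")
        self.criteria[prop].append((op, value))

    def remove(self, prop: str, op: str, value: str) -> None:
        """'CLI(cert-map)> no <prop> {co|nc|eq|ne} <string>'."""
        self.criteria[prop].remove((op, value))

    def default(self, prop: str) -> None:
        """'CLI(cert-map)> default <prop>': empty that property's criteria list."""
        self.criteria[prop] = []

    def matches(self, cert: Dict[str, str]) -> bool:
        """The map is satisfied only when every criterion of every property matches."""
        return all(
            criterion_matches(op, value, cert.get(prop, ""))
            for prop, crits in self.criteria.items()
            for op, value in crits)


def match_certificate(maps: List[CertificateMap], name: str,
                      cert: Dict[str, str]) -> Optional[int]:
    """Return the priority of the first map called `name` that the certificate
    satisfies (lowest number first), or None when no map matches."""
    for cmap in sorted((m for m in maps if m.name == name),
                       key=lambda m: m.priority):
        if cmap.matches(cert):
            return cmap.priority
    return None


def build_example_maps() -> List[CertificateMap]:
    """Constructed configuration: two maps named 'branch', priorities 10 and 20."""
    strict = CertificateMap("branch", 10)
    strict.add("subject-name", "co", "OU=branch")
    strict.add("subject-name", "nc", "OU=branch-test")  # keep lab devices out
    strict.add("issuer-name", "eq", "CN=Corp Root CA")
    fallback = CertificateMap("branch", 20)
    fallback.add("subject-name", "eq", "CN=hq-gw")
    return [fallback, strict]  # definition order does not matter, priority does
```

Note how the nc criterion matters: "OU=branch" is a substring of "OU=branch-test", so a co criterion alone would also admit the lab certificates.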


2.28.4.2 Matching the criteria

When certificates are used for authentication, a dedicated command allows verifying the contents of
arbitrary fields of the peer's certificate. This is done by applying a certificate map to an ISAKMP
profile with the match certificate command (refer to the "ISAKMP Profile" section in the "IP Security"
chapter of "OneOS – Advanced IP User Guide").
Note that if both a certificate map and a trust-point (see below) are configured for an ISAKMP profile, the
trust-point revocation check is performed first. If the certificate has been revoked, no certificate
map rules are verified.

2.28.5 Certificate revocation checking

2.28.5.1 Configuring a trust-point to check the revocation of the certificate

A trust-point encapsulates the certificate revocation check rules used to verify the validity of the certificate
used to set up a secure connection. To configure a PKI trust-point, and enter in trust-point configuration
sub-level, use the following command line:
CLI(configure)> crypto pki trustpoint <name>
CLI(trustpoint)>

o name is the name of the trust-point.

To remove a trust-point, use the following command line:
CLI(configure)> no crypto pki trustpoint <name>

The possible revocation check options are CRL (Certificate Revocation List), OCSP (Online Certificate
Status Protocol) and none (the default), listed in order of priority; each option is optional. If the
CRL check fails, no OCSP check is performed, even if the OCSP option has been configured.
CRL checks are performed first because they are faster: they do not require any network transaction.
Any certificate listed in the CRL has been revoked and can never be valid again. Since the CRL is a local
file that has to be retrieved from the CA at regular intervals (a CRL has its own validity timestamps),
this information can be out of date, so a certificate may be reported as valid while the CA has
already revoked it. But once a certificate has been revoked, it is never marked valid again. The
certificate revocation list should be stored in the /security/crls directory and be called ipsec.crl. If
no CRL file is present on the file system, the revocation check fails unless the option none is provided
(in that case an IPsec INFO message is logged, regardless of debug output settings, reporting the accepted
error condition).
To obtain the most recent certificate status, OCSP checks can be used. The drawback of this option
is that it takes more time than the CRL check because of the network traffic involved. The OCSP URL has
to be provided in the trust-point before first use (in the format http://server:port). If the
OCSP server fails to respond (timeout), an error occurs in the response (invalid response), no connection
to the OCSP server can be established (server down or wrong OCSP server configured) or a certificate
not issued by this particular CA is verified (certificate status unknown), the check fails unless the none
option was provided (as with the CRL check, an IPsec INFO message is logged reporting the
accepted error condition). OCSP responses are cached and the content of this cache is refreshed
automatically on a daily basis, which reduces ISAKMP setup latency.
Setting the revocation check to none alone (not in conjunction with the CRL or OCSP options) or
leaving it at the default performs no verification of the certificate's validity.

To configure the revocation check options, use the following command:
CLI(trustpoint)> [no] revocation-check [crl] [ocsp] [none]


Use the no form of the above command or the following one to return to the default option (none):
CLI(trustpoint)> default revocation-check

To configure the OCSP URL (in the format http://server:port), use the following command:
CLI(trustpoint)> [no] ocsp <url>

Use the no form of the above command or the following one to return to the OCSP default option (empty
URL string):
CLI(trustpoint)> default ocsp

Deleting a trust-point, deleting the revocation check criteria or clearing the OCSP URL deletes all
cached information for that trust-point. Changing the revocation criteria or setting them to default
triggers an update of the revocation check information for the certificate. Setting the OCSP URL
retriggers lookups for the trust-point.
Note: re-entering the same revocation check command triggers an update without actually changing the
criteria and without having to wait for the automatic update timeout.

To finalize the revocation check options configuration:
CLI(trustpoint)> exit
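The revocation-check decision described in this section (CRL before OCSP, a CRL hit is final, any error fails the check unless none is also set, cached OCSP responses refreshed daily) as a Python model. This is an added example, not OneOS code. The OcspError class, the scripted_lookup stand-in for the OCSP client, the serial numbers and the 24-hour cache lifetime are constructed assumptions; the text only says the cache is refreshed daily.

```python
"""Model of the OneOS trust-point 'revocation-check [crl] [ocsp] [none]' decision (added example)."""
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

CACHE_LIFETIME_S = 24 * 3600  # assumed: "refreshed automatically on a daily basis"


class OcspError(Exception):
    """Timeout, invalid response or no connection to the OCSP server (constructed)."""


class Verdict(Enum):
    VALID = "valid"
    REVOKED = "revoked"
    FAILED = "failed"  # check could not complete and 'none' was not configured


class TrustPoint:
    def __init__(self, name: str, options: Iterable[str] = ()):
        unknown = set(options) - {"crl", "ocsp", "none"}
        if unknown:
            raise ValueError(f"unknown revocation-check option {unknown}")
        self.name = name
        self.options = set(options)
        self.ocsp_url: Optional[str] = None
        self.cache: Dict[str, Tuple[str, float]] = {}  # serial -> (status, fetched_at)
        self.log: List[str] = []  # IPsec INFO messages for accepted error conditions

    def set_ocsp(self, url: Optional[str]) -> None:
        """'[no] ocsp <url>': clearing the URL drops the cached responses."""
        self.ocsp_url = url
        if url is None:
            self.cache.clear()

    def _accept(self, msg: str) -> bool:
        """With 'none' configured, log the error as accepted and keep going."""
        if "none" in self.options:
            self.log.append(f"IPsec INFO [{self.name}]: {msg} (accepted)")
            return True
        return False

    def check(self, serial: str, crl_serials: Optional[Set[str]],
              ocsp_lookup: Callable[[str], str], now: float) -> Verdict:
        """crl_serials: revoked serials read from /security/crls/ipsec.crl, or None
        when the file is absent. ocsp_lookup(serial) -> 'good'|'revoked'|'unknown',
        raising OcspError on timeout / invalid response / no connection."""
        if not self.options or self.options == {"none"}:
            return Verdict.VALID  # default or 'none' alone: no verification at all
        if "crl" in self.options:
            if crl_serials is None:
                if not self._accept("no CRL file present"):
                    return Verdict.FAILED
            elif serial in crl_serials:
                return Verdict.REVOKED  # listed in the CRL: never valid again, OCSP skipped
        if "ocsp" in self.options:
            cached = self.cache.get(serial)
            if cached is not None and now - cached[1] < CACHE_LIFETIME_S:
                status = cached[0]
            else:
                try:
                    if self.ocsp_url is None:
                        raise OcspError("no OCSP URL configured")
                    status = ocsp_lookup(serial)
                except OcspError as exc:
                    return Verdict.VALID if self._accept(f"OCSP error: {exc}") else Verdict.FAILED
                self.cache[serial] = (status, now)
            if status == "revoked":
                return Verdict.REVOKED
            if status == "unknown":  # certificate not issued by this CA
                return Verdict.VALID if self._accept("certificate status unknown") else Verdict.FAILED
        return Verdict.VALID


def scripted_lookup(responses: Dict[str, str], calls: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the OCSP client: answers from a table, records every
    query in `calls`, and raises OcspError (timeout) for serials it does not know."""
    def lookup(serial: str) -> str:
        calls.append(serial)
        if serial not in responses:
            raise OcspError("timeout")
        return responses[serial]
    return lookup
```

The model makes the operational trade-off visible: with none configured, a missing CRL file or an unreachable OCSP responder is logged and the certificate is accepted, so the log line is the only evidence that the check did not actually happen.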

2.28.5.2 Checking the revocation

For the IPsec/IKE client, when certificates are used for authentication, a dedicated command allows
checking the revocation of the certificate before the certificate matching. This is done by
activating a trust-point in an ISAKMP profile with the trustpoint command (refer to the "ISAKMP Profile"
section in the "IP Security" chapter of the "OneOS – Advanced IP User Guide" document).

For SIP TLS with certificate authentication, the certificate revocation list should be stored in
the /security/siptls directory and be called <basename>.crl.


2.28.6 Enrollment Procedure using SCEP and Trustpoints

• Step 1: go into certificates configuration mode.
CLI> certificate
CLI(certificate)> configure
CLI(cert-conf)>

• Step 2: Configure the enrollment URL, either SCEP (HTTP) or TFTP.
CLI(cert-conf)> enrollment url <url>
CLI(cert-conf)>

o The URL format determines whether the enrollment is done via SCEP (http) or directly
from a TFTP server (tftp).
o For SCEP, use as <url>: http://<ipaddress>/<path to scep server>
o With a Cisco SCEP server, the URL for SCEP enrollment is:
http://<ip address of server>/cgi-bin.
The path to the SCEP server depends on the server used.

• Step 3: Define the other parameters of the certificate, such as common name, country, etc., by
successively using the following commands.
CLI(cert-conf)> subject { C <country> | CN <common name> |
OU <organisation unit> ... }
CLI(cert-conf)> key { rsa-2048 | rsa-1536 | rsa-1024 | rsa-512 }
CLI(cert-conf)>

• Step 4: Exit the certificate configuration mode.
CLI(cert-conf)> exit
CLI(certificate)>

• Step 5: It is now possible to display the certificate configuration:
CLI(certificate)> show config
current certificate configuration:
enrollment url http://212.1.1.2:80/cgi-bin/pki/scep/scep
subject email-address [email protected]
subject CN ONE540AV2
subject OU test
subject L lab
subject C DE
subject serialNumber L1424001234567890
alt-subject-name hostname L1424001234567890
key rsa-2048
challenge test
CLI(certificate)>

o Note that this certificate configuration does not belong to the router's configuration file and
is therefore not saved by save-running-config.
After a reboot the certificate configuration is lost.


• Step 6: Enroll the CA certificate first. Without the CA certificate, the device certificate
cannot be enrolled:
CLI(certificate)> import ca purpose { isakmp | sip-tls }
importing ca certificates ...
CLI(certificate)> received 2 certificates in the pkcs7
scep CA/RA import successful

• Step 7: If the CA enrollment was successful, the device certificate can be enrolled:
CLI(certificate)> enroll signing-request
generating certificate signing request
building key-pair ...
writing private key to flash:/security/private/local.key ...
writing certificate request to flash:/security/csr/local.csr ...
enrolling ...
CLI(certificate)> scep signing request succeeded


2.29 BLACKLIST MANAGEMENT

To protect the OneOS-based router as much as possible against brute force attacks, a blacklisting
process has been implemented for console, tshell, telnet, SSH and web connections (login).
The blacklisting process is configured with the following command:
CLI(configure)> blacklist attempts <n> quarantine-delay <seconds>

• <n> is the number of allowed attempts with a rejected password.
By default, this is 3. The value ranges from 3 to 1000.

• <seconds> is the number of seconds the user must wait before logging in is possible again.
By default, this is 60 seconds. The value ranges from 1 to 600 seconds.

Console and tshell connections

For console and tshell connections, a counter is created for each service.
If the entered password is correct, the counter is reset to zero.
If the password is incorrect, the message "Unauthorized access! Check username and password!" is
displayed and the counter is incremented.
When the counter becomes greater than or equal to <n>, the message "Your access to the … is blocked for
the moment" is displayed and the answer to the password submission is delayed by the configured number
of seconds, <seconds>.

Telnet, SSH, and web connections

For telnet, SSH and web connections, the source IP address of each failed connection attempt is
recorded in a table.
After <n> successive failed connection attempts from a given IP address, the blacklisted flag is set and a
timer of <seconds> seconds is started. Any further connection attempt from a blacklisted IP is
immediately rejected for all three services (without even offering authentication).
When the timer expires, the IP address is flushed from the table. Any successful connection attempt also
flushes the IP from the table.
A blacklist table is created for each service (telnet, SSH, web). Each table has the size of the
maximum number of sessions for the corresponding service.
If the table is full, any extra connection is rejected immediately without even offering authentication.
Note: as a consequence, when an IP is blacklisted through one service, only the show blacklist output of
that specific service lists the blacklisted IP address, but the IP is blocked for all three services
(telnet, SSH, web).

Displaying blacklisted services

The services that have been blacklisted are logged in two circular log files called blacklist1.log and
blacklist2.log; each file is limited to 70 lines.
To display the services that have been blacklisted, use the following command in global mode:
CLI> show blacklist log
---------------------------------------------------
Date | Service | IP Address
---------------------------------------------------
2009.03.17 09:41:03 | Telnet | 192.168.1.2
2009.03.17 09:42:37 | Tshell | 192.168.1.9
2009.03.17 09:52:52 | Tshell | 192.168.1.7
2009.03.17 10:40:34 | Tshell | n/a
2009.03.17 15:31:51 | Telnet | 192.168.1.9

To display the currently blocked connections for a particular service, use the following command:
CLI> show blacklist { console | tshell | telnet | ssh | http-server }
IP Address Attempt Count
=========================================
192.168.1.7 2
192.168.1.9 3 (blocked)
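The telnet/SSH/web part of this mechanism as a Python model, added here as an example (it is not OneOS code): a per-service table sized by the service's maximum session count, a per-IP failed-attempt counter, the quarantine timer after <n> failures, rejection without authentication for a blacklisted IP on all three services and when a table is full, and flushing on success or timer expiry. The session limits, addresses and timestamps are constructed; the real maximum session counts are device-specific.

```python
"""Model of the OneOS blacklist for telnet, SSH and web (http-server) logins (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVICES = ("telnet", "ssh", "http-server")


@dataclass
class Entry:
    attempts: int = 0
    blocked_until: Optional[float] = None  # quarantine timer expiry, None = not blocked


class Blacklist:
    def __init__(self, attempts: int = 3, quarantine_delay: int = 60,
                 max_sessions: Optional[Dict[str, int]] = None):
        """'blacklist attempts <n> quarantine-delay <seconds>' (n: 3-1000, seconds: 1-600)."""
        if not 3 <= attempts <= 1000:
            raise ValueError("attempts must be in 3-1000")
        if not 1 <= quarantine_delay <= 600:
            raise ValueError("quarantine-delay must be in 1-600")
        self.n = attempts
        self.delay = quarantine_delay
        # Table size = maximum sessions of the service (constructed default values).
        self.size = max_sessions or {"telnet": 5, "ssh": 5, "http-server": 10}
        self.tables: Dict[str, Dict[str, Entry]] = {s: {} for s in SERVICES}

    def _expire(self, now: float) -> None:
        """Flush entries whose quarantine timer has elapsed."""
        for table in self.tables.values():
            for ip in [ip for ip, e in table.items()
                       if e.blocked_until is not None and e.blocked_until <= now]:
                del table[ip]

    def _is_blacklisted(self, ip: str) -> bool:
        """An IP blacklisted through any service is rejected on all three."""
        return any(ip in t and t[ip].blocked_until is not None
                   for t in self.tables.values())

    def attempt(self, service: str, ip: str, now: float, password_ok: bool) -> str:
        """One connection attempt. Returns:
        'rejected' - refused before authentication (blacklisted IP or table full)
        'accepted' - authenticated, the IP is flushed from the table
        'denied'   - wrong password, failed-attempt counter incremented"""
        self._expire(now)
        table = self.tables[service]
        if self._is_blacklisted(ip):
            return "rejected"
        if ip not in table and len(table) >= self.size[service]:
            return "rejected"  # table full: no authentication offered
        if password_ok:
            table.pop(ip, None)
            return "accepted"
        entry = table.setdefault(ip, Entry())
        entry.attempts += 1
        if entry.attempts >= self.n:
            entry.blocked_until = now + self.delay  # start the quarantine timer
        return "denied"

    def show(self, service: str, now: float) -> List[Tuple[str, int, bool]]:
        """'show blacklist <service>': rows of (ip, attempt count, blocked)."""
        self._expire(now)
        return [(ip, e.attempts, e.blocked_until is not None)
                for ip, e in self.tables[service].items()]
```

The table-full rule is worth noting when sizing monitoring: on a service with few allowed sessions, a handful of failing sources fills the table and every new source is then rejected before authentication, which is exactly the condition the show blacklist output lets you spot.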


2.30 LIMITING BROADCAST, MULTICAST AND UNKNOWN UNICAST TRAFFIC

There are two ways to limit broadcast, multicast and unknown unicast traffic:
• Method 1: by setting a threshold value, expressed in packets per second.
• Method 2: by setting a percentage of the available bandwidth, on Fast Ethernet and Gigabit Ethernet
interfaces.
Both methods are described next.
Unknown unicast traffic is unicast traffic sent to a destination MAC address that the bridge has not
learned.

2.30.1 Method 1 – Setting a Threshold Value

2.30.1.1 Configuring

This section explains how to protect against a storm of broadcast, multicast and/or unknown unicast traffic,
by setting a threshold above which the protection is activated.
The defense against a storm of broadcast, multicast and/or unknown unicast traffic can be activated using
the following command in global configuration mode:
CLI(configure)> system deny-of-service {broadcast | multicast | unknown}
{enable | disable}

o By default, this feature is disabled.
o When enabled, all the interfaces of the bridge are protected from excessive flooding in case of
high traffic rates.

The threshold, at which the protection is actually activated, can be set with the following command:
CLI(configure)> system deny-of-service {broadcast | multicast | unknown}
threshold <value>

o <value> is the number of packets per second above which the protection is activated.
By default, this is 1000 pps.
o To return to the default value, use the following command:
CLI(configure)> system deny-of-service {broadcast | multicast | unknown}
threshold default

Note that:
• when enabled, and the threshold is reached, a warning message is printed to inform that some
packets may be dropped. This message is not printed for each dropped packet, to avoid flooding the
console.
• this protection mechanism does not interfere with bridge learning: learning is done at the input,
before the protection is executed.
So, once a packet has been received, its source MAC address is added to the cache, even if this
source is sending broadcast, multicast and/or unknown unicast traffic that exceeds the threshold.
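Method 1 as a Python model, added as an example (not OneOS code): frames are counted per traffic class and per DoS polling period (100 ms, the value shown by show system tuning further below), frames above the configured packets-per-second threshold are dropped, the warning is issued once per period rather than per dropped frame, and the source MAC is learned before the protection runs. The MAC addresses and the frame trace are constructed; the per-period conversion of the pps threshold and the "known unicast" class name are my assumptions.

```python
"""Model of OneOS 'system deny-of-service {broadcast|multicast|unknown}' (added example)."""
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
PERIOD_MS = 100  # "DOS period is = 100 ms" in 'show system tuning'
CLASSES = ("broadcast", "multicast", "unknown")


def classify(dst: str, learned: Set[str]) -> str:
    """Bridge view of a destination MAC: broadcast, multicast (I/G bit of the
    first octet set), unknown unicast (not in the MAC cache) or known unicast."""
    if dst == BROADCAST:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 0x01:
        return "multicast"
    return "unknown" if dst not in learned else "known"


class StormGuard:
    def __init__(self, enabled: Tuple[str, ...] = (),
                 thresholds: Optional[Dict[str, int]] = None):
        for cls in tuple(enabled) + tuple(thresholds or {}):
            if cls not in CLASSES:
                raise ValueError(f"unknown traffic class {cls!r}")
        self.enabled = set(enabled)                       # '... enable'
        self.threshold = {c: 1000 for c in CLASSES}       # default 1000 pps
        self.threshold.update(thresholds or {})           # '... threshold <value>'
        self.learned: Set[str] = set()                    # bridge MAC cache
        self.warnings: List[str] = []
        self.defense_hits = 0                             # 'show bridge-group' counter
        self._period: Optional[int] = None
        self._counts: Dict[str, int] = {}

    def process(self, ts_ms: int, src: str, dst: str) -> str:
        """Handle one received frame; return 'forward' or 'drop'."""
        self.learned.add(src)  # learning happens at input, before protection
        kind = classify(dst, self.learned)
        if kind not in self.enabled:
            return "forward"
        period = ts_ms // PERIOD_MS
        if period != self._period:  # new polling period: restart the counters
            self._period, self._counts = period, {}
        self._counts[kind] = self._counts.get(kind, 0) + 1
        allowed = self.threshold[kind] * PERIOD_MS // 1000  # frames per period (assumed)
        if self._counts[kind] <= allowed:
            return "forward"
        if self._counts[kind] == allowed + 1:  # warn once per period, not per frame
            self.warnings.append(
                f"t={ts_ms}ms: {kind} traffic above {self.threshold[kind]} pps, dropping")
        self.defense_hits += 1
        return "drop"

    def clear_counters(self) -> None:
        """'clear bridge-group counters'."""
        self.defense_hits = 0


def run_trace(guard: StormGuard, frames) -> Dict[str, int]:
    """Feed (ts_ms, src, dst) frames through the guard; return forward/drop counts."""
    result = {"forward": 0, "drop": 0}
    for ts_ms, src, dst in frames:
        result[guard.process(ts_ms, src, dst)] += 1
    return result
```

The second guard in the test shows the learning subtlety from the note above: a source whose frames were dropped is still in the MAC cache, so replies to it are known unicast and are never rate-limited.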


2.30.1.2 Bridging by a physical switch

When two Fast Ethernet or Gigabit Ethernet interfaces of a switch are bridged, the bridging is
done by the physical switch itself.
In this case, the system deny-of-service commands described above do not prevent excess
broadcast, multicast and/or unknown unicast traffic from being bridged, because the bridging has
already been done in the hardware switch.
To bypass this limitation and deactivate hardware bridging in the switch, use the following command:
CLI(configure)> no bridge-group hardware-bridging

To reactivate the hardware bridging, use the following command:
CLI(configure)> bridge-group hardware-bridging

2.30.1.3 Checking the configuration

The configuration can be checked with the following command:
CLI(configure)> show system tuning

show system tuning


Current System UpTime : 810893
Icmp error NEED-FRAG count = 0
netTaskCountDelay = 20
netTask CONFIG :
netTaskCountDelay = 20 (nb loop between taskDelay(0))
set [netTaskCountDelaySet] get [netTaskCountDelayGet]
netTask STATS :
netTaskStatNbActJob (job started)=64942582
netTaskStatNbDelay (taskDelay )=3092503
netTaskStatNbRngJob (current nbr)=0
netTaskStatNbRngJobMax(max nbr )=4
netTaskStatRngFull (ring full )=0
--------------------------
list of current Jobs (routines) :
0x35fcb8 1
0xc934d4 2
0x18346c 1
--------------------------
Polling CONFIG :
netPolTaskMaxFrame (max loop on BD's) = 90
set [netPolTaskMaxFrameSet] get [netPolTaskMaxFrameGet]
netPolTickValue (polling frequency) = 2000
set [netPolTickValueSet] get [netPolTickValueGet]
netPolInterruptCount = 32408719
netPolEthCount = 32408719
netPolAtmCount = 0
netPolAdslCount = 0
netPolWifiCount = 4051090
netPolBriCount = 0
netPolVxxCount = 16204360
netPolTaskEthPollingAll = 0x00181E3C
netPolTaskAtmPollingAAL5 = 0x00000000
netPolTaskVxxPolling = 0x00D94F80
netPolTaskWifiPolling = 0x00000000
tNetDrive Prio Nrm has been set = 0000000000
tNetDrive Prio Nrm = 0000000000
tNetDrive Prio Nrm request-Low = 0000000000
tNetDrive Prio Nrm wait-Low = 0000000000
tNetDrive Prio Low has been set = 0000000000
tNetDrive Prio Low = 0000000000
tNetDrive Prio Low request-Nrm = 0000000000
tNetDrive Prio Low wait-Nrm = 0000000000
DoS Defense CONFIG
DoS broadcast is enabled
DoS multicast-unknown_unicast is disabled
HighBcThreshold = 1000 pps
HighMcThreshold = 1000 pps
HighUnThreshold = 1000 pps
DOS period is = 100 ms
DOS nb polling = 162043


When the protection has been configured, a new counter, defense hits, appears in the output of:
CLI(configure)> show bridge-group

The counters can be reset with the following command:
CLI(configure)> clear bridge-group counters

To debug, use the following command:
CLI(configure)> debug bridge

2.30.2 Method 2 – Setting a Percentage of the Available Bandwidth

This section explains how to protect against a storm of broadcast, multicast and/or unknown unicast traffic,
by setting a percentage of the available bandwidth; i.e., this type of traffic will be limited to the configured
percentage of bandwidth.
Note that this method applies to Fast Ethernet and Gigabit Ethernet interfaces.
The defense against a storm of broadcast, multicast and/or unknown unicast traffic can be activated using
the following command in interface configuration mode:
CLI(configure)> interface {fastethernet | gigabitethernet} <module/port>
CLI(config-if)> storm-control {broadcast | multicast | unicast}
level <level>

o The threshold value <level> is a percentage of the port bandwidth, and can be set to a value
between 0 and 100, i.e. 0% and 100%:
- 0 means that all traffic of that type is suppressed.
- 100 means that the storm-control protection is not activated.
o This type of storm control is disabled by default.

To stop the protection, use the no form of the command:
CLI(config-if)> no storm-control {broadcast | multicast | unicast}

The following show command allows monitoring the status of configured storm control:
CLI(config-if)> show interfaces [interface] counters storm-control

The information is displayed as follows:
Port UcastSupp % McastSupp % BcastSupp % TotalSuppDiscards

o UcastSupp %, McastSupp %, BcastSupp % are the configured values.
o TotalSuppDiscards counts the number of frames suppressed.


2.31 MANAGEMENT OF ONEOS SOFTWARE LICENSES

2.31.1 Default Availability of Software Licenses

• For all OneOS based products with software versions V5.1 or above, the license information is stored
separately from the OneOS binary. It is put in the device Software License Area (SLA) during
manufacturing. The SLA is a read-only area of the router flash and cannot be changed by the
customer. By default:
o All units ordered without further instructions are shipped with an empty SLA. This means that
no license can be enabled.
o All units ordered with a license are shipped with an SLA containing only the list of ordered
licenses.

• To view the license information in the SLA, use the following command:
CLI> show system sla

2.31.2 Activating Software Licenses

• If a customer wants to enable a software license, having the license(s) enabled in the SLA is not
enough. The services associated with the license can only be enabled if the license is explicitly
activated, which confirms that the customer is aware that the features are subject to software licensing.
• The following command must be entered to use the software under license:
CLI(configure)> license activate <name of the license>

The following is an example with the ASIP license:
CLI(configure)> license activate asip
--------------------------------------------------------------
End-User License Agreement
--------------------------------------------------------------
You are only allowed to use the features covered by this
license, if OneAccess has granted permissions to you or your
company. The features covered by the license are:
-ezVPN server, GET VPN, Zone based Firewall
By using one of the above mentioned features, you acknowledge
that you got these permissions.
--------------------------------------------------------------
This license also covers feature : com-port-server
By using the above mentioned feature, you acknowledge
that you got that permission.
--------------------------------------------------------------
'asip' license successfully enabled.


2.31.3 Updating the Possibly Activated Licenses for Already Shipped Products

• After signing a software license agreement, the customer is allowed to upgrade the products
deployed in its network.
This is done by means of a license key placed in the configuration file of the router.
• Once installed in the router, the requested software license is unblocked.
• A software license key is composed of:
o A license type ID, describing the actual purpose of the license.
o A 5-letter customer identifier, explicitly identifying the owner of the license, followed by a 2-letter
license contract number for that customer.
o An encrypted key of 5 blocks of 5 characters (capital letters and numbers, excluding O, 0, I and 1
to avoid confusion), whose content is an encryption of the license key parameters.

• Installing or removing a license key consists in adding or removing the key from the
configuration. This can be done centrally from an ACS, so there is no need to deploy specific
license servers.
license key add xxxx-yyyyy01-zzzzz-zzzzz-zzzzz-zzzzz-zzzzz
license key del xxxx-yyyyy01
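A syntax check for the key format described above, added here as an example (not OneOS code). It validates only the structure the text gives (type ID, 5-letter customer identifier plus 2-character contract number, five blocks of five characters from A-Z/2-9 without O, 0, I, 1) and derives the <type>-<customer><contract> argument used by license key del; the encrypted blocks themselves cannot be verified offline. The maximum type-ID length, the acceptance of digits in the contract number (the page's own example uses 01) and the sample keys are constructed assumptions.

```python
"""Structural check of an OneOS software license key (added example, not OneOS code)."""
import re
from typing import Dict, List

# Alphabet of the five encrypted blocks: capital letters and digits without O, 0, I, 1.
BLOCK_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
_BLOCK = f"[{BLOCK_ALPHABET}]{{5}}"
KEY_RE = re.compile(
    rf"^(?P<type>[A-Z0-9]{{1,8}})-"                        # license type ID (max length assumed)
    rf"(?P<customer>[A-Z]{{5}})(?P<contract>[A-Z0-9]{{2}})-"  # 5-letter customer + 2-char contract
    rf"(?P<blocks>{_BLOCK}(?:-{_BLOCK}){{4}})$")            # 5 blocks of 5 characters


def parse_license_key(key: str) -> Dict[str, object]:
    """Split a key into its parts, or raise ValueError naming the first problem found."""
    parts = key.split("-")
    if len(parts) != 7:
        raise ValueError(f"expected 7 dash-separated fields, got {len(parts)}")
    for block in parts[2:]:
        bad = sorted(set(block) - set(BLOCK_ALPHABET))
        if bad:
            raise ValueError(f"block {block!r} contains disallowed characters {bad}")
    match = KEY_RE.match(key)
    if match is None:
        raise ValueError("key does not match <type>-<customer><contract>-<5 blocks of 5>")
    return {
        "type": match["type"],
        "customer": match["customer"],
        "contract": match["contract"],
        "blocks": match["blocks"].split("-"),
    }


def del_argument(key: str) -> str:
    """Argument for 'license key del': '<type>-<customer><contract>'."""
    parts = parse_license_key(key)
    return f"{parts['type']}-{parts['customer']}{parts['contract']}"


def blocks_of(key: str) -> List[str]:
    """Convenience accessor for the five encrypted blocks."""
    return list(parse_license_key(key)["blocks"])
```

A check like this catches the usual transcription errors (an O typed for a 0, a missing block) before a key is pushed to many routers from the ACS, where a rejected key would otherwise only show up device by device.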

• The presence of a license on the product can be checked using the show license key command:
CLI> show license key
***********************************************
******* OA Software Licence Information *******
* xxxxx-yyyyy01-zzzzz-zzzzz-zzzzz-zzzzz-zzzzz *
***********************************************
* Customer ID : yyyyy01 *
* Equipment : All equipments granted *
* Rights : All features granted *
* Recomputed Software Licence Information *
* xxxxx-yyyyy01-zzzzz-zzzzz-zzzzz-zzzzz-zzzzz *
***********************************************

• The license key also appears in show system status and in show tech sup:
CLI> show system status
System Informations for device MB90Ss0UFPE0SNWsd+ S/N L1207008997000890

Software version : ONEOS90-VOIP_SIP_11N_FT-V5.2R1E1_NB93250_T3


Software created on : 03/12/14 01:43:14
License token : * xxxxx-yyyyy01-zzzzz-zzzzz-zzzzz-zzzzz-zzzzz
Boot version : BOOT90-STD-V5.2R2E14
Boot created on : 20/03/13 09:53:02

Boot flags : 0x10000008 0x80

Current system time : 01/01/00 01:30:58


System started : 01/01/00 00:00:00
Start caused by : Power Fail detection
Sys Up time : 0d 1h 30m 58s
System clock ticks : 272921

Current CPU load : 3.9%


3 AUTO-UPDATE

3.1 INTRODUCTION TO AUTO-UPDATE

• This section describes the auto-update features of OneOS.
• Auto-update allows the router to automatically acquire configuration parameters and to update the
software, the web Configurator or any file stored in the OneOS-based router flash file system.
• The objective of this function is primarily to optimize deployment and maintenance costs of a large
installed base of routers. This function is the cornerstone of zero-touch service activation.
• Note that this function is an alternative to another OneOS feature called autoconfiguration;
refer to chapter 5 Autoconfiguration. Autoconfiguration uses the DHCP, TFTP and FTP protocols whereas
auto-update uses HTTP.
• Autoconfiguration and auto-update are mutually exclusive. The advantages of auto-update are that it is
easier to implement (no firewall issues caused by DHCP) and more open for web Configurator upgrades.

3.1.1 Auto-update Sequencer

• The auto-update sequencer is a state machine managing the execution of auto-update jobs.
Auto-update jobs can be:
o Software update.
o Configuration update.
o Single file update.
o Update of a set of files via TAR archive download and extraction.
• The sequencer starts the auto-update operation further to auto-update triggers, namely:
o The user entered an auto-update command requesting the start of auto-update.
o A monitored interface went up.
o The auto-update periodic timer elapsed.
• Following a trigger, the auto-update sequence is started. This means that the sequencer initiates each
update job sequentially (they are ordered by a sequence ID). When a job is done, the sequencer examines
the returned job execution status (which can be "update successful", "no error, no update" or "failure").
For every job, the sequencer is told (by configuration) which step to execute next depending on the
returned status (which can be "stop auto-update sequence", "continue" or "reboot").
When every job has been executed, the sequencer checks whether there was at least one update. If one
update happened, a configuration parameter indicates whether the router shall reboot or not.
• The status of auto-update is displayed on the AUX LED:
o Orange, blinking: auto-update in progress
o Green, steady: auto-update successfully completed
o Red, blinking: auto-update failure(s)


• The auto-update sequencer state machine is represented in the following figure:


[Figure: auto-update sequencer state machine (flowchart). Labels recoverable from the figure: IDLE; triggers: monitored interface(s) going UP, Auto-Update periodic timer, manual start; "min-update interval timer expired?" (No: Start min-interval timer, back to IDLE); sequenceid:=1, start_update_job(sequenceid); job_status=last_update_job_status(); next=get_next_job(job_status, sequenceid); "next == "reboot"?" (Yes: Reboot); "next == "stop"?"; "All Jobs completed?" (No, next=continue: sequenceid:=sequenceid+1, start_update_job(sequenceid)); "Must reboot in case of at least one update?" (Yes: Reboot; No: IDLE).]

3.1.2 Software Update

• Before downloading the OneOS software, the router queries the software version that should be used,
by sending an HTTP GET to the index-url URL.
The version returned by index-url is compared with the running version indicated by the show version
command. If the two differ, the OneOS file is downloaded.
After download, software integrity is checked. If the check passes, the new OneOS replaces the
current OneOS in flash.


3.1.3 Configuration Update

• Before downloading the configuration, the router may query the configuration index (a kind of version
number for the configuration, optional in the configuration), by sending an HTTP GET to the index-url URL.
If the router does not query the configuration index, the configuration file is downloaded directly and
compared with the configuration downloaded during the last auto-update sequence.
If they differ, OneOS continues the configuration update.
• The current configuration index is saved in the router flash. If it differs from the configuration
index on the server, the configuration file is downloaded.
• After the configuration download, two behaviors are possible:
o Executing the configuration. If no error is detected during execution, the upgrade is considered
successful and the running configuration is saved. If not successful, the router saves the
configuration index in flash and reboots.
o The configuration index is saved in flash. The router replaces the current configuration with the
new one and reboots.

3.1.4 File Update

• Before downloading the file, the router queries a file index (a kind of file version), by sending an HTTP
GET to the index-url URL. The current index is saved in the router flash. If it differs from the file
index returned by index-url, the file is downloaded. The file update is used when a single file needs
to be updated.

3.1.5 TAR File Update

• Before downloading the TAR, the router queries a TAR index (a kind of TAR file version), by sending
an HTTP GET to the index-url URL. The current index is saved in the router flash. If it differs from
the TAR index returned by index-url, the TAR file is downloaded and extracted. The TAR file
update is used when many files need to be updated.
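The sequencer of section 3.1.1 together with the index comparison used by the configuration, file and TAR jobs (3.1.3 to 3.1.5), as a Python model added here as an example (not OneOS code). Jobs run in sequence-ID order; each job fetches its index from index-url (simulated by a callable), compares it with the index saved in flash, applies the update when they differ and returns one of the three statuses named in the text; a per-job table maps the status to "stop", "continue" or "reboot", and after the last job the router reboots if any update happened and the reboot parameter is set. The job names, index values, the failing TAR fetch and the use of the flash-saved value as the running software version are constructed assumptions.

```python
"""Model of the OneOS auto-update sequencer and index comparison (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

UPDATED, NO_UPDATE, FAILURE = "update successful", "no error, no update", "failure"
STOP, CONTINUE, REBOOT = "stop", "continue", "reboot"


@dataclass
class Job:
    sequence_id: int
    name: str                                   # "software", "config", "file", "tar" ...
    fetch_index: Callable[[], str]              # HTTP GET on index-url (simulated)
    on_status: Dict[str, str]                   # status -> next step for this job
    apply: Callable[[], bool] = lambda: True    # download + install; True on success


@dataclass
class Router:
    # Index saved in flash per job. For "software" the stored value stands for the
    # running version reported by 'show version' (assumption of this model).
    flash_indexes: Dict[str, str] = field(default_factory=dict)
    rebooted: bool = False
    history: List[Tuple[int, str]] = field(default_factory=list)


def run_job(router: Router, job: Job) -> str:
    """Execute one job and return its execution status."""
    try:
        server_index = job.fetch_index()
    except Exception:                           # unreachable index-url, bad reply ...
        return FAILURE
    if router.flash_indexes.get(job.name) == server_index:
        return NO_UPDATE
    if not job.apply():
        return FAILURE
    router.flash_indexes[job.name] = server_index   # saved only after a successful update
    return UPDATED


def run_sequence(router: Router, jobs: List[Job], reboot_after_update: bool) -> str:
    """Drive the sequencer over all jobs; returns 'completed', 'stopped' or 'reboot'."""
    any_update = False
    for job in sorted(jobs, key=lambda j: j.sequence_id):
        status = run_job(router, job)
        router.history.append((job.sequence_id, status))
        any_update = any_update or status == UPDATED
        next_step = job.on_status[status]
        if next_step == REBOOT:
            router.rebooted = True
            return "reboot"
        if next_step == STOP:
            return "stopped"
    if any_update and reboot_after_update:      # "Must reboot in case of at least one update?"
        router.rebooted = True
        return "reboot"
    return "completed"


def build_example_jobs(tar_server_up: bool) -> List[Job]:
    """Constructed job set: software (1), configuration (2), TAR archive (3)."""
    def tar_index() -> str:
        if not tar_server_up:
            raise ConnectionError("index-url unreachable")
        return "12"
    common = {UPDATED: CONTINUE, NO_UPDATE: CONTINUE, FAILURE: STOP}
    return [
        Job(3, "tar", tar_index, common),
        Job(1, "software", lambda: "ONEOS4-VOIP_SIP-V3.7R11E15", common),
        Job(2, "config", lambda: "7", common),
    ]
```

Because the flash index is only rewritten after a successful apply, a job that fails keeps its old index and is retried on the next trigger, while a job that succeeded earlier in the same sequence is not redone even if a later job stopped the sequence.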

3.1.6 Contents on HTTP Server

• Configuration index: positive integer (1-65535).
• Configuration: content of a text configuration file (line ending is \n or \r\n).
• OneOS: content of the *.ZZZ binary file (example: ONEOS4-VOIP_SIP-V3.7R11E15.ZZZ).
• OneOS index: exact version name, as displayed by show version. Example: ONEOS4-VOIP_SIP-
V3.7R11E15 (1-63 characters).
• TAR index: positive integer (1-65535).
• TAR file: valid TAR file.


3.1.7 Behavior with an HTTPS server

• With an HTTPS server, the root certificate of the HTTPS server should be stored on the router to
enforce the additional HTTPS server authentication.
• The root certificate must be stored as a file named auto-update-root.cert in the /security
directory.
• Consider several cases:
o If the root certificate file is not present, the HTTPS server certificate is accepted.
However, a warning message is sent to the console port:
"No root certificate found in /security folder: cannot validate https
server identity."
o If the root certificate file is present and the router is synchronized with an NTP/SNTP server, the
certificate validity is checked (current time between the 'Valid from' and 'Valid until' field values)
and the server certificate's signature is checked.
o If the root certificate file is present and the router is not synchronized with an NTP/SNTP server,
only the server certificate's signature is checked (no validity check).
• Note: the SubjectAltName field of the certificate is NOT checked in any case.
• To preserve the auto-update server root certificate in case of a factory restore, you must also
put the auto-update-root.cert file in the /factory-backup directory.

3.2 AUTO-UPDATE CONFIGURATION

• To start configuring auto-update, enter in global configuration mode and enter the following command:
CLI> configure terminal
CLI(configure)> [no] auto-update
CLI(auto-update)>

• Auto-update can use a VRF different from the default VRF:
CLI(auto-update)> [no] vrf <vrf-name>

• Then, the auto-update sequence trigger must be defined. It can be a periodic timer or the UP event of
a monitored interface. Triggers are not mutually exclusive.
CLI(auto-update)> trigger daily-restart-timer <StartHour> <EndHour>
[<days>]
CLI(auto-update)> trigger monitored-interface <interface> <unit>
[delayed-start <seconds>]

o The daily restart timer schedules a trigger every <days> days at a random time between
StartHour and EndHour. For example, trigger daily-restart-timer 01:00:00
02:30:00 2 schedules a trigger between 1:00 and 2:30 every two days.
o One monitored interface can be configured, with an optional delayed-start timer (by default: no
delayed-start timer). Example: trigger monitored-interface atm 0.1.
o To remove the triggers, use the following commands:
CLI(auto-update)> no trigger daily-restart-timer
CLI(auto-update)> no trigger monitored-interface <interface> <unit>

o If a trigger happens too soon after the previous one, auto-update ignores it. In other words, as long
as the min-interval timer has not expired, trigger events do not start the update sequence. By
default, the timer is 30 minutes long and can be set as follows:
CLI(auto-update)> min-interval <minutes>

• After completing the update sequence, you can choose whether auto-update reboots the router when at
least one update succeeded.
By default, the router reboots if at least one update happened during the sequence.
By choosing stop, the router does not reboot and just waits for the next trigger.
CLI(auto-update)> on any-update { reboot | stop }

• Auto-update packets take as source address the IP address of the outgoing interface, but it can be
forced with the following command:
CLI(auto-update)> source-interface <type> <unit>
CLI(auto-update)> no source-interface

• The HTTP server may return different data (e.g. a different configuration file), when querying the same
URL from different routers. In order to discriminate the GET requests from the different routers, every
router can insert extra GET parameters.
For example, it can query the following URL:
http://server/version.php?ppplogin=value&mac=00:A0:FE:12:B8:59&firmware=xxxx&serial=xxxxx&cpe_version=xxxxx&cpe_type=xxxxx&hardware=one100&event=1&fault_code=0
In order to insert this parameter list (ppplogin=value&mac=00:A0:FE:12:B8:59...), the
following command is needed:
CLI(auto-update)> [no] http-get-extra-parameters 1

The fault_code parameter in the above mentioned URL can have the following values:
o 0: no error during the last auto-update, or just initial boot.
o 1: download of software index has failed.
o 2: download of software has failed.
o 3: the downloaded software did not pass the integrity check.
o 4: not enough space on the flash to terminate the software download.
o 10: download of configuration index has failed.
o 11: download of configuration has failed.
o 12: the downloaded configuration execution has failed.
o 13: the downloaded add-in configuration is known to fail with current OS.

3.2.1 Software Update

• To perform a software update, enter the following commands. <sequence-id> is the step for the
auto-update sequencer. The sequence number is intended to configure if software update must be
done before or after configuration update (it is recommended to choose 1; the software should always
be updated first).
To enter the URL for software and software (index) version:
CLI(auto-update)> software-update <sequence-id>
CLI(sw-update)> [no] index-url http://<path>/<software-version>
[current-sw-version <suffix>]
CLI(sw-update)> [no] url http://<path>/<software-version>
[current-sw-version <suffix>]
CLI(sw-update)> [no] url option-160 http://<software-version>
[current-sw-version <suffix>]

o If the current-sw-version parameter is present, the URL is a concatenated string from
URL + running software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) + the suffix.
o If the option-160 keyword is added for the url, this means that the <path> must come from
the DHCP option 160 field. Option 160 will have a 32 character field containing the <path>
part of the URL coded in ASCII format.
Note that the option 160 will be requested to the DHCP server by the DHCP client only if an
option-160 attribute is present in the configuration.
• If a username and password are required to perform the software update, use the following command
to enter them:
CLI(sw-update)> username <username> password <password>

• Before replacing the running software image file by the new one, auto-update saves the new OneOS
under a temporary file. If it is valid, the temporary file replaces the running OneOS; the running
OneOS is then saved as a backup image in flash. The backup filename is by default:
flash://BSA/binaries/OneOs.old.
To use another name, use the following command:
CLI(sw-update)> [no] backup-software <path/filename>

• If the software is successfully updated, by default, the auto-update sequence continues; but the
behavior can be changed as follows:
CLI(sw-update)> on update-success { continue | stop | reboot }

• If an error occurs during software update, by default, the auto-update sequence stops and waits for
the next trigger; but the behavior can be changed as follows:
CLI(sw-update)> on update-failure { continue | stop | reboot }

• To complete the process, use the following command:
CLI(sw-update)> exit

• To remove the software update, use the following command:
CLI(auto-update)> no software-update

3.2.2 Configuration Update

• To perform a configuration update, enter the following commands. <sequence-id> is the step for the
auto-update sequencer. To enter the URL for configuration and configuration index version:
CLI(auto-update)> config-update <sequence-id>
CLI(cfg-update)> [no] index-url http://<path>/<config-version>
[serial-number <suffix>]
CLI(cfg-update)> [no] url http://<path>/<config-file>
[serial-number <suffix>]
CLI(cfg-update)> [no] url option-160 http://<config-file>
[serial-number <suffix>]

o If the serial-number parameter is present, the URL is a concatenated string from URL +
serial number + the suffix.
o If the option-160 keyword is added for the url, this means that the <path> must come from
the DHCP option 160 field. Option 160 will have a 32 character field containing the <path>
part of the URL coded in ASCII format.
Note that the option 160 will be requested to the DHCP server by the DHCP client only if an
option-160 attribute is present in the configuration.
• One can choose between these behaviors:
o The current configuration file is overwritten by the new one (if they are different), then the auto-
update sequence continues (in this case the downloaded configuration replaces the current
one); this is the default setting.
o The new configuration is added to the current configuration (if the add-in is different from the
previous one). The downloaded configuration add-in is first executed in a temporary file, and if
it is successful, it is saved in another file. Then, the save running-config command is
executed. If not successful, the behavior depends on the auto-update configuration.
The behavior can be configured with the following command:
CLI(cfg-update)> download-behaviour { overwrite | add-in }

• If a username and password are required to perform the configuration update, use the following
command to enter them:
CLI(cfg-update)> username <username> password <password>

• If the configuration is successfully updated, by default, the auto-update sequence continues; but the
behavior can be changed as follows:
CLI(cfg-update)> on update-success { continue | stop | reboot }

• If an error occurs during configuration update, by default, the auto-update sequence stops and waits
for the next trigger; but the behavior can be changed as follows:
CLI(cfg-update)> on update-failure { continue | stop | reboot }

• To complete the process, use the following command:
CLI(cfg-update)> exit

• To remove configuration update, use the following command:
CLI(auto-update)> no config-update

3.2.3 File Update

• To perform a file update, enter the following commands. <sequence-id> is the step for the auto-
update sequencer. To enter the URL for file and file index version:
CLI(auto-update)> resource-update <sequence-id>
CLI(res-update)> [no] index-url http://<path>/<file-version>
[current-sw-version <suffix>]
CLI(res-update)> [no] url http://<path>/<file>
[current-sw-version <suffix>]
CLI(res-update)> [no] url option-160 http://<file>
[current-sw-version <suffix>]

o If the current-sw-version parameter is present, the URL is a concatenated string from
URL, running software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) and the suffix.
o If the option-160 keyword is added for the url, this means that the <path> must come from
the DHCP option 160 field. Option 160 will have a 32 character field containing the <path>
part of the URL coded in ASCII format.
Note that the option 160 will be requested to the DHCP server by the DHCP client only if an
option-160 attribute is present in the configuration.
• A target file must be specified using the following command (the file is erased):
CLI(res-update)> [no] target <local-file>

• A target index file must be specified using the following command (the file is erased):
CLI(res-update)> [no] index <local-index-file>

• If a username and password are required to perform the file update, use the following command to
enter them:
CLI(res-update)> username <username> password <password>

• The file update can be used for various purposes.
o With the following command, the actions to execute before downloading the file can be
specified; the file update may require a restart of the HTTP server or IBC shutdown.
CLI(res-update)> [no] pre-update-action { http-server-disable |
ibc-shutdown} <order-id>

 http-server-disable. This allows disabling the HTTP server before the file update.
 ibc-shutdown. This allows shutting down the IBC before the file update.

o With the following command, the actions to execute after downloading the file can be specified;
the HTTP server or IBC can be restarted, or an applet can be run.
CLI(res-update)> [no] post-update-action { http-server-enable |
ibc-noshutdown | applet <id>} <order-id>

 http-server-enable. This allows restarting the HTTP server after the file update.
 ibc-noshutdown. This allows restarting the IBC after the file update.
 applet <id>. This executes an EEM applet after successful completion of the file
update. For the time being, the EEM applet named auto-update is always called and the
<id> parameter is a dummy parameter with no effect.

• If the file is successfully updated, by default, the auto-update sequence continues; but the behavior
can be changed as follows:
CLI(res-update)> on update-success { continue | stop | reboot }

• If an error occurs during file update, by default, the auto-update sequence stops and waits for the
next trigger; but the behavior can be changed as follows:
CLI(res-update)> on update-failure { continue | stop | reboot }

• To complete the process, use the following command:
CLI(res-update)> exit

• To remove file update, use the following command:
CLI(auto-update)> no resource-update <id>

3.2.4 TAR File Update

• To perform a TAR file update, enter the following commands. <sequence-id> is the step for the
auto-update sequencer. To enter the URL for TAR and TAR index version:
CLI(auto-update)> tar-resource-update <sequence-id>
CLI(tar-res-update)> [no] index-url http://<path>/<tar-version>
[current-sw-version <suffix>]
CLI(tar-res-update)> [no] url http://<path>/<tar-file>
[current-sw-version <suffix>]
CLI(tar-res-update)> [no] url option-160 http://<tar-file>
[current-sw-version <suffix>]

o If the current-sw-version parameter is present, the URL is a concatenated string from
URL, running software name (for example ONEOS4-VOIP_SIP-V3.7R11E15) and the suffix.
o If the option-160 keyword is added for the url, this means that the <path> must come from
the DHCP option 160 field. Option 160 will have a 32 character field containing the <path>
part of the URL coded in ASCII format.
Note that the option 160 will be requested to the DHCP server by the DHCP client only if an
option-160 attribute is present in the configuration.
• A target directory must be specified. With the option clean-up, the files of this directory are erased.
If the option clean-up all-sub-dir is used, the target directory is erased including all its sub-
directories.
CLI(tar-res-update)> [no] target <TargetDir> [clean-up [all-sub-dir]]

• A target TAR index file must be specified using the following command (the file is erased):
CLI(tar-res-update)> [no] index <local-TAR-index-file>

• If a username and password are required to perform the file update, use the following command to
enter them:
CLI(tar-res-update)> username <username> password <password>

• The TAR resource update can be used for various purposes.
o With the following command, the actions to execute before downloading the TAR file can be
specified; the TAR file update may require a restart of the HTTP server or IBC shutdown.
CLI(tar-res-update)> [no] pre-update-action { http-server-disable |
ibc-shutdown} <order-id>

 http-server-disable. This allows disabling the HTTP server before the TAR file
update.
 ibc-shutdown. This allows shutting down the IBC before the TAR file update.

o With the following command, the actions to execute after downloading the TAR file can be
specified; the HTTP server or IBC can be restarted, or an applet can be run.
CLI(tar-res-update)> [no] post-update-action { http-server-enable |
ibc-noshutdown | applet <id>} <order-id>

 http-server-enable. This allows restarting the HTTP server after the TAR file
update.
 ibc-noshutdown. This allows restarting the IBC after the TAR file update.
 applet <id>. This executes an EEM applet after successful completion of the TAR
file update. For the time being, the EEM applet named auto-update is always called and
the <id> parameter is a dummy parameter with no effect.

• If the TAR is successfully updated, by default, the auto-update sequence continues; but the behavior
can be changed as follows:
CLI(tar-res-update)> on update-success { continue | stop | reboot }

• If an error occurs during TAR update, by default, the auto-update sequence stops and waits for the
next trigger; but the behavior can be changed as follows:
CLI(tar-res-update)> on update-failure { continue | stop | reboot }

• To complete the process, use the following command:
CLI(tar-res-update)> exit

• To remove TAR update, use the following command:
CLI(auto-update)> no tar-resource-update <id>

3.3 AUTO-UPDATE EXAMPLE

configure terminal
auto-update
trigger monitored-interface Atm 0.1
trigger daily-restart-timer 01:00:00 02:00:00 1
source-interface loopback 4
http-get-extra-parameters 1
software-update 1
index-url http://autoupdate.com/sw-index/ current-sw-version .idx
url http://autoupdate.com/sw/ current-sw-version .ZZZ
backup-software /BSA/binaries/myOneOs.old
exit
config-update 2
index-url http://autoupdate.com/config-index/ serial-number .idx
url http://autoupdate.com/config/ serial-number .cfg
download-behaviour overwrite
exit
tar-resource-update 4
target /webroot/html clean-up all-sub-dir
index-url http://autoupdate.com/tar-index/ current-sw-version .idx
url http://autoupdate.com/tar/ current-sw-version .tar
pre-update-action http-server-disable 1
post-update-action http-server-enable 1
exit
exit
exit
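The index check that the software-update and config-update steps of the example above perform, walked through offline as an added illustration (this is not OneAccess code): it builds the index and file URLs exactly as sections 3.2.1 and 3.2.2 describe, validates the index bodies against the formats of section 3.1.6, and downloads only when the index stored in flash differs. The serial number and the server responses are constructed sample values.

```python
"""Offline model of the OneOS auto-update index check (sections 3.1, 3.2 and 3.3).

Added illustration, not OneAccess code. It reproduces the documented URL
construction (URL + running software name + suffix for current-sw-version,
URL + serial number + suffix for serial-number), the index formats of section
3.1.6 and the "download only when the index stored in flash differs" rule.
The HTTP server is replaced by a constructed in-memory table.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

RUNNING_SW = "ONEOS4-VOIP_SIP-V3.7R11E15"   # running software name used in the guide
SERIAL = "T1234567890"                       # constructed sample serial number


def build_url(base: str, suffix_mode: Optional[str], suffix: str = "",
              running_sw: str = RUNNING_SW, serial: str = SERIAL) -> str:
    """Concatenate the configured URL with the documented variable part."""
    if suffix_mode is None:
        return base
    if suffix_mode == "current-sw-version":
        return base + running_sw + suffix
    if suffix_mode == "serial-number":
        return base + serial + suffix
    raise ValueError(f"unknown suffix mode: {suffix_mode}")


def parse_index(kind: str, body: str) -> str:
    """Validate an index body per section 3.1.6 and return its canonical form.

    config/tar: positive integer 1-65535; software: version name, 1-63 chars.
    Anything else is treated as a failed index download (ValueError).
    """
    text = body.strip()
    if kind in ("config", "tar"):
        if not re.fullmatch(r"[0-9]+", text) or not 1 <= int(text) <= 65535:
            raise ValueError(f"invalid {kind} index: {body!r}")
        return str(int(text))
    if kind == "software":
        if not 1 <= len(text) <= 63:
            raise ValueError(f"invalid software index length: {len(text)}")
        return text
    raise ValueError(f"unknown index kind: {kind}")


def needs_download(kind: str, stored: Optional[str], body: str) -> bool:
    """True when the server's index differs from the one saved in flash."""
    return parse_index(kind, body) != stored


# Steps of the section 3.3 example (software-update 1, config-update 2).
EXAMPLE_STEPS = [
    {"sequence_id": 1, "kind": "software", "suffix_mode": "current-sw-version",
     "index_url": "http://autoupdate.com/sw-index/", "index_suffix": ".idx",
     "url": "http://autoupdate.com/sw/", "suffix": ".ZZZ"},
    {"sequence_id": 2, "kind": "config", "suffix_mode": "serial-number",
     "index_url": "http://autoupdate.com/config-index/", "index_suffix": ".idx",
     "url": "http://autoupdate.com/config/", "suffix": ".cfg"},
]

# Constructed stand-in for the HTTP server: URL -> response body.
SERVER: Dict[str, str] = {
    "http://autoupdate.com/sw-index/ONEOS4-VOIP_SIP-V3.7R11E15.idx": RUNNING_SW + "\n",
    "http://autoupdate.com/config-index/T1234567890.idx": "42\r\n",
}


def offline_fetch(url: str) -> str:
    """HTTP GET replacement; a KeyError plays the role of a failed download."""
    return SERVER[url]


def run_sequence(steps, flash: Dict[str, Optional[str]],
                 fetch: Callable[[str], str] = offline_fetch) -> List[Tuple[str, Optional[str]]]:
    """Walk the steps in sequence-id order; return (kind, file URL or None) per step.

    A step yields a file URL only when its index differs from the flash copy;
    the new index is then recorded in flash, as the guide describes.
    """
    results: List[Tuple[str, Optional[str]]] = []
    for step in sorted(steps, key=lambda s: s["sequence_id"]):
        body = fetch(build_url(step["index_url"], step["suffix_mode"], step["index_suffix"]))
        if needs_download(step["kind"], flash.get(step["kind"]), body):
            flash[step["kind"]] = parse_index(step["kind"], body)
            results.append((step["kind"],
                            build_url(step["url"], step["suffix_mode"], step["suffix"])))
        else:
            results.append((step["kind"], None))
    return results


if __name__ == "__main__":
    flash_copy = {"software": RUNNING_SW, "config": "41"}
    for kind, url in run_sequence(EXAMPLE_STEPS, flash_copy):
        print(kind, "download " + url if url else "up to date")
```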

3.4 AUTO-UPDATE DEBUG AND STATISTICS

• To start auto-update manually:
CLI> auto-update start

• To stop auto-update manually (i.e. auto-update completes the current update job but does not carry
out the next step):
CLI> auto-update stop

• To activate debug traces for auto-update:
CLI> debug auto-update

• Some auto-update history information is kept in circular files:
CLI> cat flash://auto-update1.log
CLI> cat flash://auto-update2.log

• To show auto-update statistics:
CLI> show auto-update statistics

• To show auto-update configuration:
CLI> show auto-update setup

4 CPE WAN MANAGEMENT PROTOCOL (CWMP - TR-69)

4.1 CWMP FEATURE DESCRIPTION

OneOS implements the CPE WAN Management Protocol (CWMP) specified in TR-069 of the Broadband
Forum (formerly DSL Forum). This feature is introduced as of V4.2 and allows updating the firmware,
configuration file and additional files of OneOS routers.
CWMP is structured in different layers, from IP connectivity to RPC calls (Remote Procedure Calls)
encoded in SOAP. The OneOS router must be pre-configured so that IP/DNS connectivity and the ACS
URL (Auto Configuration Server) are known (the ACS URL or IP cannot be auto-configured as depicted in
TR-44 or TR-46).

4.1.1 CWMP Transport Layer

CWMP requires http/https as transport layers for RPC; the following transport layer characteristics are
implemented in OneOS:
• The destination port is configurable (default: 7547).
• If HTTP is used, authentication via pre-shared key is optional (cf. RFC 2617, MD5-hashed digest or
BASIC authentication).
• The ACS can be designated by an IP address or a hostname.
• HTTPS is optional. HTTPS requires that the product is loaded with appropriately signed certificates.
• The source IP address of CWMP packets sent by the router cannot be forced to use a specific IP
address of a router interface.
• If the server sets cookies, the cookie is persistent in further HTTP requests.

4.1.2 INFORM RPC: Triggering Events and Content

When the CPE boots or upon specific events, the CPE indicates to the ACS that it is willing to establish a
TR-69 session by sending an INFORM RPC.
The INFORM RPC contains an event to indicate the trigger type of the INFORM RPC. They are:
• “0 BOOTSTRAP”: first product installation.
• “1 BOOT”: theoretically speaking, it means the router has rebooted. In reality, this event is fired when
a monitored interface is going up. Typically, the BOOT INFORM is sent when the ATM 0.1 interface is
going up. The OneOS CWMP module keeps track of past operations using the file /BSA/persist/cwmp.ini.
OneOS reads this file to decide whether to use the BOOT or BOOTSTRAP event. At first
installation, this file does not exist and BOOTSTRAP is the event used. A delay timer prevents INFORM
requests from being sent too early at boot time, so that the clock can first be synchronized with the
SNTP server.
• “2 PERIODIC”: the ACS can configure that the CPE periodically sends an INFORM RPC. Enabling
this mode and periodicity is set by the ACS. The periodic INFORM parameters can be manipulated via
the SetParameterValue and GetParameterValue RPC.
• “4 VALUE CHANGED”: in case the ACS URL is updated in CPE configuration or if the IP address of
the monitored interface has been renewed.

• “9 REQUEST DOWNLOAD”: a CLI command (or Web configurator of the CPE) may issue an
INFORM with that event code. The ACS will look up if there is a new OS / Web / config for the CPE.
The following inform event codes are supported for informs triggered further to an ACS request:
• “3 SCHEDULED”: caused by the SCHEDULED INFORM RPC
• “6 CONNECTION REQUEST”
The INFORM RPC contains certain fields, for which a small explanation is given hereafter:
• MaxEnvelopes=1
• Sub-objects of DeviceId:
o Manufacturer: OneAccess_Networks
o OUI: By default taken from the MAC address #0 (0012EF or 70FC8C, depending on product or
manufacturing date).
o ProductClass: if the product is loaded with a X.509 certificate, the ProductClass is
derived from the common subject name of the certificate (cf. line CN: …). If there is no
certificate, ProductClass is taken from the product info area in read-only system area (see
further ahead the CLI command product-class-specification).
• Sub-objects of ParameterList:
o InternetGatewayDevice.DeviceInfo.HardwareVersion: see the show product-info-area
CLI command, at line Manufacturing file reference
o InternetGatewayDevice.deviceSummary
o InternetGatewayDevice.DeviceInfo.SpecVersion (dumb value: empty)
o InternetGatewayDevice.DeviceInfo.SoftwareVersion: same string as provided by the
show version command
o InternetGatewayDevice.ManagementServer.ConnectionRequestURL
o InternetGatewayDevice.ManagementServer.ParameterKey
o InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.ExternalIPAddress
or InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress:
public IP address that is used as monitored interface.
o Any customized parameter: a CLI command makes it possible to create custom objects that
are inserted in the INFORM data.

4.1.3 Initiating TR-069 Sessions from ACS

4.1.3.1 Connection Requests

ACS-initiated sessions are needed to perform actions on the CPE immediately (such as a software update).
The ACS must send an HTTP GET request to the embedded HTTP server of OneOS dedicated to TR-69
(note that there may be two instances of HTTP servers running in OneOS: one for web-based
configuration, one for TR-69).
The TR-69 HTTP server is bound to a configurable port and interface (and optionally an ACL). The GET
request can be authenticated by means of a password. After authentication, OneOS sends an INFORM
with “6 CONNECTION REQUEST” as event code.

4.1.3.2 Scheduled INFORM

The ACS can ask the CPE to send an INFORM later at a specified time. In that case, the event code in the
INFORM will be “3 SCHEDULED”.
Use case: Scheduled informs are useful for an ACS to schedule firmware updates of many CPE while
limiting the number of simultaneous firmware upgrades.

4.1.4 RPC invoked by ACS

When the CPE invokes the INFORM RPC (sent because of a reboot, an interface going up, a connection
request from the ACS …), the ACS answers with an INFORM response containing the action to perform,
namely an RPC call and its associated parameters.

4.1.4.1 Download RPC

The supported downloaded file types are:
• “1 Firmware Upgrade Image”: to update the router firmware.
• “2 Web Content”: to download and extract a TAR file for Web Configurator or IBC update.
• “3 Vendor Configuration File”: to update the router configuration.
The files can be downloaded with HTTP or HTTPS transport protocol with optional username/password
authentication.
N.B.: in Download RPC, the failure/success URL redirect is not implemented.

4.1.4.1.1 Firmware Update

The inform response specifies the URL to query to download the firmware, and the username and
password for authentication. The parameters FileSize and TargetFileName are ignored.
In the router configuration, a parameter defines the backup firmware, in case the new firmware is invalid
(default backup-software: /BSA/binaries/OneOs.old). The appropriate setup is to configure the
router as follows:
• /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new
• Backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load
/BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download),
the boot loader loads the backup software /BSA/binaries/OneOs.
Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware.
The new firmware replaces the running firmware (typically OneOs.new). After download, software integrity
is checked. If the check is not passed, the new firmware is removed.
After reboot, an INFORM RPC is sent with event code “7 TRANSFER COMPLETE”.

4.1.4.1.2 Configuration Update

The parameters FileSize and TargetFileName are ignored.
The configuration file is downloaded in /BSA/bsaStart.cfg.new.au and compared with the
configuration downloaded during the last TR-069 configuration update operation
(/BSA/config/bsaStart.cfg.add.au or /BSA/config/bsaStart.cfg.bad.au). If they are
different, OneOS continues the configuration update; otherwise the operation is considered successful.
After configuration download, two behaviors are possible:
• Execute the downloaded configuration (upgrade mode=add-in). If no error in execution is detected,
the upgrade is considered successful. If successful, the running configuration is saved. The
downloaded configuration file is saved in /BSA/config/bsaStart.cfg.old.au. The download
operation result is successful if the downloaded file is not empty and the configuration file is executed
without errors.
• Replace the current configuration (mode=overwrite). The downloaded configuration file is saved in
/BSA/config/bsaStart.cfg.old.au. The router replaces the current configuration with the new
one. The download operation is always considered successful, if the downloaded configuration file is
not empty.

Upon operation success, a reboot is done and after reboot, an INFORM RPC is sent with event code “7
TRANSFER COMPLETE”.
With the mode add-in, if the configuration is not executed properly, reboot is done automatically to restore
the older configuration.
After successful download, a reboot can be done if a configuration flag enables it.

4.1.4.1.3 Web Configurator, IBC Packages or Default Configuration File Update

Such update is possible by means of the DOWNLOAD RPC where FileType = “2 Web Content”. The
parameter FileSize is ignored.
Updating the web configurator, IBC or the default configuration file is handled differently by OneOS. The
downloaded files are packaged in a TAR file. To distinguish these update types, the TAR file contains a file
(located at root path inside the TAR file) that must be named cwmp-update-type.txt. This file can
contain one of the following strings:
• DEFAULT_CONFIG to update a default configuration file. The TAR file is downloaded and extracted in
the directory provided in TargetFileName tag (typically flash:/).
• WEB to update the Web Configurator. The TAR file is downloaded and extracted in the directory
provided in TargetFileName tag (typically flash://webroot). Prior to doing the extraction, the
HTTP server is shutdown and the HTTP server root directory (default: /webroot) is cleaned. After
extraction, the HTTP server is re-enabled again.
• IBC to update the IBC Packages. The TAR file is downloaded and extracted in the directory provided
in TargetFileName tag (typically flash:/). Prior to doing the extraction, the IBC Service is
shutdown. Then, IBC packages are updated. Finally, the IBC Service is restarted if needed.
If cwmp-update-type.txt file is missing or its content does not match any of the above mentioned
strings, the update type is assumed to be equivalent to WEB.
To create a CWMP update file, first create the file cwmp-update-type.txt and then copy the TAR file
(i.e. IBC TAR package, web TAR package…) named as web.tar under the same directory. Create the
MD5 checksum of web.tar and save the file as web.tar.md5. Finally create the CWMP update file by
creating a TAR archive file containing web.tar, web.tar.md5 and cwmp-update-type.txt files.
Warning: as of V4.2R5E15, MD5 check sum is mandatory, otherwise update is rejected.
Example for a web package (with Linux commands):
Localhost$ cd <workingdirectory>
Localhost$ echo "WEB" > cwmp-update-type.txt
Localhost$ cp WCF-OA-….tar web.tar
Localhost$ md5sum web.tar > web.tar.md5
Localhost$ tar -r --file web.tar web.tar.md5
Localhost$ tar cvf cwmp-package.tar web.tar cwmp-update-type.txt
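The same package built and then checked the way the CPE checks it (the MD5 checksum being mandatory), as an added illustration that is not OneAccess code. It assumes the layout the text above describes, with web.tar, web.tar.md5 (in md5sum output format) and cwmp-update-type.txt side by side at the root of the outer archive, and the web content inside web.tar is a constructed sample.

```python
"""Build and check a CWMP "2 Web Content" update package (section 4.1.4.1.3).

Added illustration, not OneAccess code. The outer archive follows the layout
the text describes: web.tar, web.tar.md5 (md5sum output format) and
cwmp-update-type.txt at its root. The web content inside web.tar is a
constructed sample; the acceptance rule modelled is the mandatory MD5 check.
"""
import hashlib
import io
import tarfile
from typing import Dict, Optional

# Strings the guide lists for cwmp-update-type.txt (EAH: section 4.1.4.1.4).
UPDATE_TYPES = {"DEFAULT_CONFIG", "WEB", "IBC", "EAH"}


def make_tar(files: Dict[str, bytes]) -> bytes:
    """Return an uncompressed TAR archive holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def md5_line(data: bytes, name: str = "web.tar") -> bytes:
    """Same text md5sum writes: '<hex digest>  <file name>'."""
    return f"{hashlib.md5(data).hexdigest()}  {name}\n".encode()


def build_package(web_tar: bytes, update_type: str,
                  md5_text: Optional[bytes] = None, include_md5: bool = True) -> bytes:
    """Assemble the outer package; md5_text overrides the computed checksum line."""
    files = {"web.tar": web_tar}
    if include_md5:
        files["web.tar.md5"] = md5_text if md5_text is not None else md5_line(web_tar)
    files["cwmp-update-type.txt"] = (update_type + "\n").encode()
    return make_tar(files)


def inspect_package(package: bytes) -> dict:
    """Classify a package as the CPE would and report whether the MD5 check passes."""
    members: Dict[str, bytes] = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
            for m in tar:
                if m.isfile():
                    # the guide places the files at the root of the archive
                    name = m.name[2:] if m.name.startswith("./") else m.name
                    members[name] = tar.extractfile(m).read()
    except tarfile.TarError:
        return {"update_type": None, "md5_ok": False, "accepted": False}
    text = members.get("cwmp-update-type.txt", b"").decode("ascii", "replace").strip()
    update_type = text if text in UPDATE_TYPES else "WEB"   # missing/unknown -> WEB
    web_tar = members.get("web.tar")
    md5_file = members.get("web.tar.md5")
    md5_ok = False
    if web_tar is not None and md5_file:
        fields = md5_file.decode("ascii", "replace").split()
        md5_ok = bool(fields) and fields[0].lower() == hashlib.md5(web_tar).hexdigest()
    # without a matching checksum the update is rejected (as of V4.2R5E15)
    return {"update_type": update_type, "md5_ok": md5_ok, "accepted": md5_ok}


# Constructed sample web content standing in for a real WCF-OA-*.tar.
SAMPLE_WEB_TAR = make_tar({"index.html": b"<html>constructed sample page</html>\n"})

if __name__ == "__main__":
    print(inspect_package(build_package(SAMPLE_WEB_TAR, "WEB")))
    print(inspect_package(build_package(SAMPLE_WEB_TAR, "WEB", include_md5=False)))
```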

4.1.4.1.4 Netbooster update via TR069

Such update is possible by means of the DOWNLOAD RPC with FileType = “2 Web Content” for
interoperability with OneProvisio (OPV) and "1 Firmware Upgrade" for other vendors' ACS.
The file to be downloaded from OPV/ACS should be a TAR file containing:
• eah.tar.
• cwmp-update-type.txt containing the EAH keyword.
The content of cwmp-update-type.txt is used by the TR069 client on the device to identify the
TAR downloaded from OPV/ACS.

Package format

The package is built with files packaged in a TAR archive file. The files will be noted hereafter as
SHELL-like variables and must follow the next conventions:
• the $platform can be either oalinux or dtbImage.initrd.one90_c1.
• the $install_tar can be any name with .tar extension.
• the $install_ipk must begin either by netbooster or psmart.
• $install_ipk_md5 must be the concatenation of $install_ipk and ".md5". This file is not
mandatory. It is verified only if present.
• $final_cwmp_update_tar has got any name.

In the TAR, all the files are optional. It is not necessary to put an oalinux, and you can put 0 to N .ipk.
• 1) First, create the Netbooster package TAR file containing all the files (.ipk, .md5 & oalinux).
tar -cvf $install_tar $install_ipk $install_ipk_md5 $platform

OR
• 1) First, create the Packetsmart package TAR file containing both (.ipk, oalinux) files.
tar -cvf $install_tar $install_ipk $platform

• 2) Create the final Netbooster/Packetsmart TR069 update tar file.
o 2.1) Create the file with name cwmp-update-type.txt. The content in this file should be
"EAH" (without the double quotes). This file should not have any other content except EAH.
o 2.2) Tar the cwmp-update-type.txt & $install_tar into a single TAR file:
tar -cvf $final_cwmp_update_tar cwmp-update-type.txt $install_tar

o 2.3) The final Netbooster/Packetsmart package $final_cwmp_update_tar is ready, and it
has the contents:
 $install_tar
 cwmp-update-type.txt

Reboot RPC

The ACS can invoke the REBOOT RPC.

4.1.4.2 FactoryReset RPC

The ACS can invoke this RPC so that the product reboots and returns to factory defaults.

4.1.4.3 Upload RPC

This RPC enables an ACS to request the CPE to upload a file on a server. The following restrictions apply:
• Only FileType “1 Vendor Configuration File” is supported (i.e. upload of the running configuration)
• Transport layer can be: http or https, with or without username/password authentication

4.1.4.4 GetRPCMethods

This RPC enables the ACS to retrieve the list of supported RPC.

4.1.4.5 Managed Objects RPC

The following RPCs are supported to handle CWMP managed objects:
SetParameterValues / GetParameterValues / GetParameterNames / AddObject / DeleteObject

4.1.5 TR-69 Scenarios behind a NAT Gateway (TR-111, TR-69 Pass-through)

Problem statement: a LAN device managed through the CWMP protocol is addressed with a private IP address. This raises a security concern, since the LAN device could be installed and running on any LAN. Also, for incoming connection requests, the LAN CPE should announce a ConnectionRequestURL with a publicly addressable IP address.
To solve this issue, the Broadband Forum (formerly DSL Forum) released the TR-111 standard. OneOS fully supports TR-111 part 1 (Device-Gateway Association) as gateway, and this is the default behavior. On non-standard products, OneOS behaves as a LAN device; in that case, all objects in its data model start from the root object Device.* instead of InternetGatewayDevice.*.
TR-111 is implicitly active when TR-69 is enabled. As gateway, the OneOS DHCP server replies with DHCP option 125 if it receives option 125 in DHCP requests. Similarly, OneOS products behaving as LAN device automatically include DHCP option 125 if TR-069 is active. Finally, the TR-111 data model for device-gateway association is populated accordingly.
OneOS fully supports TR-111 part 2 (Connection Request via NAT Gateway), which allows an ACS to initiate a session with a device operating behind a NAT gateway. This provides the equivalent functionality of the TR-069 Connection Request, but uses a different mechanism to accommodate this scenario.


4.2 CONFIGURING CWMP

To start configuring CWMP, enter CWMP configuration mode as follows:
CLI> configure terminal
CLI(configure)> cwmp
CLI(cwmp)>

Use the following command to remove the CWMP configuration:
CLI(cwmp)> no cwmp

Use the following command to use a designated VRF different from the default VRF (it is possible to use a
different VRF for the session itself and for the file transfers):
CLI(cwmp)> vrf <vrf-name> [session | transfer]

Use the following command to use the default VRF (it is possible to use a different VRF for the session
itself and for the file transfers):
CLI(cwmp)> no vrf [session | transfer]

The ProductClass can be configured. It is taken either from the X.509 certificate (if available), from the motherboard type, or from the product name (see the Motherboard type line of show product-info-area and the Device line of show system hardware). The default is cert-or-mb-type:
CLI(cwmp)> product-class-specification { cert-or-mb-type | mb-type | product-name }

The ACS URL can be either learnt (using DHCP option 43) or manually configured.
Use the following command to have the ACS URL learnt using DHCP option 43:
CLI(cwmp)> [no] acs url learn

Use the following command to manually enter the ACS URL. The ACS URL can be a designated name or
an IP address. The URL may contain a port number in case a different port than default (7547) is used:
CLI(cwmp)> acs url {http|https}://<ip-or-name>[:<port>]/<path>/<filename>

By default the OUI value used in the requests to the ACS is taken from the first three bytes of MAC
address #0 of the device (0012EF or 70FC8C, depending on product or manufacturing date). To force this
value to be taken in any case, use:
CLI(cwmp)> static-oui

To return to the default value (first three bytes of the MAC address):
CLI(cwmp)> no static-oui


If HTTP authentication is used to authenticate the CPE (authentication for HTTP sessions initiated by the
CPE), by default the username used is TR-69 compliant (OUI + Product-Class + Serial-Number).
Use the following command to force the username to use:
CLI(cwmp)> acs auth username <string>
CLI(cwmp)> no acs auth username

If HTTP authentication is used to authenticate the CPE (authentication for HTTP sessions initiated by the
CPE), the password used can be a static string or a string made up of a static string concatenated with the
serial number (so that every router has a different password):
CLI(cwmp)> acs auth password <string> [serial-number]
CLI(cwmp)> no acs auth password

The serial number can either be the true serial number of the device (default) or a particular backup
number (refer to OneAccess Customer Support):
CLI(cwmp)> serial-number { default | bnumber }

The password can also be a customer specific password (refer to OneAccess Customer Support):
CLI(cwmp)> [no] acs auth cnumber

By default the OneOS-based router works in Internet Gateway Device mode; use the following command to force the mode:
CLI(cwmp)> mode { internetgatewaydevice | device }

The monitored interface must be configured. It defines the interface that triggers the sending of an INFORM RPC with event BOOT or BOOTSTRAP after a configurable timer (by default: no delayed-start timer). The address of the monitored interface is also the IP address used in the INFORM:
• to construct the URL for connection requests: http://<monitored-interface-ip>/<random>
• to know whether the ExternalIPAddress belongs to a PPP or IP interface, for the object InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.ExternalIPAddress or InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress

The following command can be entered up to 5 times in order to monitor up to 5 interfaces.
CLI(cwmp)> trigger monitored-interface <type> <unit> [delayed-start <seconds>]
CLI(cwmp)> no trigger monitored-interface <type> <unit>

If the OneOS-based router is installed as a LAN device (TR-111 client), the TR-111 association must be configured as a trigger; the BOOT/BOOTSTRAP events will only trigger an INFORM if the TR-111 association is successful (DHCP option 125 is used to learn the gateway identity).
CLI(cwmp)> [no] trigger gateway-association

Note: this command does not trigger the TR-111 association itself; it modifies the trigger monitoring an interface. If the command is entered after the monitored interface is already up, nothing will happen.

CWMP packets take as source address the IP address of the outgoing interface, but it can be forced:
CLI(cwmp)> source-interface <type> <unit>
CLI(cwmp)> no source-interface

When a software update is required, the inform response specifies the URL to query to download the firmware, and the username and password for authentication. Today, the parameters FileSize and TargetFileName are ignored.
In case the firmware transfer can take another path than the query, it is possible to force the actual source address for the transfer:
CLI(cwmp)> [no] transfer-source enable


In the router configuration, a parameter defines the backup firmware, used in case the new firmware is invalid (default backup-software: /BSA/binaries/OneOs.old). In practice, the appropriate setup is to configure the router as follows:
• /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new
• The backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load /BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download), the boot loader loads the backup software /BSA/binaries/OneOs.
Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware. The new firmware replaces the running firmware (typically OneOs.new). After download, the software integrity is checked. If the check fails, the new firmware is renamed and the router reboots. Finally, an INFORM RPC is sent with event code "7 TRANSFER COMPLETE".
To use another name for the backup software, use the following command:
CLI(cwmp)> backup-software <path/filename>
CLI(cwmp)> no backup-software

Configuration download: the configuration file is downloaded into a temporary file and compared with the configuration downloaded during the last TR-069 configuration update operation. If they differ, OneOS continues the configuration update; otherwise the operation is considered successful.
To define the behavior after configuration download:
CLI(cwmp)> config-update download-behaviour { add-in [skip] | overwrite }

o overwrite mode is the default behavior. In this mode the downloaded configuration file is saved in /BSA/config/bsaStart.tr69. The router replaces the current configuration with the downloaded one. The download operation is always considered successful when the downloaded configuration file is not empty. The router reboots.
o In add-in mode the downloaded configuration is executed. If no error is detected during execution, the upgrade is considered successful and the running configuration is saved; the downloaded configuration file is saved as well. The download operation result is successful if the downloaded file is not empty and the configuration file executes without errors. By default, in this mode, if the configuration does not execute properly, the update is canceled and a reboot is done automatically. Use the skip keyword to ignore the detected errors and force the upgrade to be considered successful (to be used with caution).

Custom proprietary objects may be inserted in the data model.
CLI(cwmp)> [no] set-param <proprietary-managed-object-name> <value> [set] [get] [inform] [val-chd]

o The optional arguments after the value define how the object is accessed:
- get: the object can be read by the GetParameterValues RPC.
- set: the object can be read by the GetParameterValues RPC and written by the SetParameterValues RPC.
- inform: the object is included in the INFORM.
- val-chd: a value change on this object causes an ACS notification.

To terminate the configuration:
CLI(cwmp)> exit
CLI(configure)>


4.3 CWMP DATA MODEL

Operations on the data model can be done by means of the following RPCs: SetParameterValues, GetParameterValues, GetParameterNames, and also AddObject and DeleteObject for objects that are instantiated.
These operations can be simulated by means of CLI commands that query the OneOS CWMP stack and are expected to return the same result as the corresponding RPC. In the following CLI commands, it is not necessary to include the managed object root keyword (either "InternetGatewayDevice." or "Device."; "." is enough).
To simulate GetParameterValues:
CLI> cwmp get-param <managed-object-name>

To simulate SetParameterValues:
CLI> cwmp set-param <managed-object-name> <value> <type>

To simulate GetParameterNames:
CLI> cwmp get-param-names <managed-object-path>

To dump the supported OneOS data model:
CLI> cwmp get-param-names .

The CWMP data model includes some objects that are instantiated: they are present only if the corresponding service is explicitly configured in the OneOS configuration. An object instance is identified by its number, for example "InternetGatewayDevice.LANDevice.1".

To simulate AddObject:
CLI> cwmp add-object <managed-collection-of-object-path>

To simulate DeleteObject:
CLI> cwmp delete-object <managed-object-instance-path>

The data model can be exported in XML Motive file format using the following command:
CLI> cwmp make-xml { internetgatewaydevice | device } version { motive | motive_w }

Use motive_w to add the "Writable" information to the XML text; otherwise use motive.
Note: the XML file is stored in the /cwmp directory; this directory must exist before the command is run.


The following table explains how to interpret the instantiation numbers of CWMP managed objects. To simplify notations, the root object (InternetGatewayDevice. or Device.) is omitted.

CWMP Object Instance: Corresponding Service in CLI Configuration

LANDevice.{i}
The {i} instance corresponds to the BVI number. CLI configuration:
configure terminal
interface bvi {i}

exit
exit
LANDevice.{i}.Hosts.Host.{j}
When querying such an object, the OneOS CWMP engine looks up the DHCP pool associated with the BVI {i}; i.e. the DHCP pool must be within the BVI IP network. Host.{j} is the j-th host in the DHCP binding table that corresponds to that pool.

LANDevice.{i}.LANEthernetInterfaceConfig.{j}
LANEthernetInterfaceConfig.{j} corresponds to the Ethernet port fastEthernet 0/{j-1}. That port
must be port of the BVI {i} bridge group. CLI configuration:
configure terminal
interface bvi {i}

bridge-group <x>
exit
interface fastEthernet 0/{j-1}
bridge-group <x>
no ip address
exit
exit

LANDevice.{i}.LANHostConfigManagement.IPInterface.{j}
IPInterface.1 corresponds to the main IP address; the following instances are secondary addresses by order
of configuration. CLI example:
configure terminal
interface bvi {i}
! IPInterface.1
ip address 192.168.1.1 255.255.255.0
! IPInterface.2
ip address 192.168.1.1 255.255.255.0 second

exit
exit

LANDevice.{i}.WLANConfiguration.{j}
The {j} instance corresponds to the interface dot11radio 0/{j}.
It must be part of BVI {i} bridge-group.
configure terminal
interface bvi {i}

bridge-group <x>
exit
interface dot11radio 0/{j}
bridge-group <x>
no ip address
exit
exit

WANDevice.{i}
The physical interface index is {i} minus one: each ATM physical interface atm {i-1}.y corresponds to WANDevice.{i}. {i} is therefore 1 most of the time.

WANDevice.{i}.WANConnectionDevice.{j}
{j} is the index of the ATM sub-interface (atm {i-1}.{j}). atm 0.1 is mapped to WANDevice.1.WANConnectionDevice.1

WANDevice.{i}.WANConnectionDevice.{j}.WANIPConnection.{k} or
WANDevice.{i}.WANConnectionDevice.{j}.WANPPPConnection.{k}
A single WANIPConnection instance is supported; {k} is always 1.

WANDevice.{i}.WANConnectionDevice.{j}.WANIPConnection.1.PortMapping.{k}
{k} starts from 1 to N, where N is the number of static NAPT rules.
configure terminal
interface atm {i-1}.{j}

ip nat static-napt tcp 192.168.1.2 80 self 80
ip nat static-napt udp 192.168.1.2 245 self 245
exit
exit
Services.VoiceService.{i}.VoiceProfile.{j}
{i} and {j} are always 1.

Services.VoiceService.1.VoiceProfile.1.Enable
Administrative state of the SIP or H.323 gateway. State mapping (TR-69 -> OneOS):
- Disabled: voice gateway is shutdown
- Enabled: voice gateway is 'no shutdown'
- Quiescent: not supported

Services.VoiceService.1.VoiceProfile.1.Line.{i}
On FXS, the {i} index represents an FXS line. With ISDN BRI/PRI, it represents a SIP account. To identify the number of SIP accounts, the voice routing table is scanned from index MIN to index MAX (MIN=25, MAX = maximum limit of the product - 25). The index is the route number, i.e. MIN + 1.
Get action: do a get on all sub-objects.
Set action: N/A.
Add object: create a route after the last voice route and set a default sip-username=prefix=xxxxxx, phyRefList=0.

Services.VoiceService.1.VoiceProfile.1.Line.{i}.Enable
When manipulating that object, the software looks for all physical voice ports associated with pots-group {i}.
Mapping TR-69 -> OneOS when reading Enable:
- Enabled: all voice ports are 'no shutdown'
- Quiescent: not supported
- Disabled: if not enabled

Services.VoiceService.1.VoiceProfile.1.Line.{i}.DirectoryNumber
Get/Set action:
- Sets/gets the prefix <number> length <yy> and sip-username.
- If the PhyReferenceList object is not empty and the associated pots-group corresponds to a single FXS voice port, adds "insert-calling-number <directoryNumber>" under the voice port.
Valid format: [+]?[A-Z0-9*#]+
If the directory number is in the international format:
- The OneOS router must be configured with the option to automatically process the international numbering plan.
- The value in the "prefix <number> ..." command is pre-processed (e.g. in France, a directory number of +33141877001 becomes 0141877001) and the voice route must match the number with ToN = National.
- In the case of FXS, the number in "insert-calling-number" is the DirectoryNumber after pre- and post-processing for FXS (post-processing for a dial-peer not supporting the internal number format).

Services.VoiceService.1.VoiceProfile.1.Line.{i}.SIP.AuthUserName
Set Action:
- Corresponds to sip-authentication.
- If not empty, the prefix attribute "ua-sip" is set.
- If empty, the prefix attribute "ua-sip" is unset.

Services.VoiceService.1.VoiceProfile.1.Line.{i}.SIP.AuthPassword
- Set Action: corresponds to sip-authentication.

Services.VoiceService.1.VoiceProfile.1.Line.{i}.PhyReferenceList
It corresponds to the pots-group. Format (regexp): \d+
Set: for the corresponding route, associate the dial-peer pots <nbr> in hunting mode.
Get: take the pots-group value from the route. If it is not a pots-group or if it is not set, return an empty string.

Services.VoiceService.1.VoiceProfile.1.Line.{i}.Status
OneOS looks up the dp-pots ua-sip under voice-routing as described above.
- If that number must be registered to SIP server (the command ‘dial-peer pots <i> … ua-sip’ is
present), the status corresponds to registration status of that number.
- If that number must not be registered, corresponds to the global registration status of SIP / H.323 gateway.
State mapping (TR-69 -> OneOS):
- Disabled: SIP gateway is shutdown or the voice-port associated with that number is shutdown.
- Registering: SIP gateway is ‘no shutdown’ (or the gateway interface is up) but SIP gateway / number is not
registered.
- Up: number registered (or the SIP gateway is completely registered).

Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS.{i}
Proprietary object: Voice pots table.
Add object: creates the dial-peer voice pots.
Object index {i} corresponds to dial-peer voice pots {i}.

Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS.{i}.port
Proprietary object: Voice port. Typically "5/0", "5/1".

Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS.{i}.potsGroup
Proprietary object: Pots-group number.

Services.VoiceService.1.ISDNInterface.{i}
The {i} instance of the object corresponds to the BRI port+1 (ISDN 5/0 is mapped to ISDNInterface.1).


4.4 ENABLING TR-111/TR-69 PASS-THROUGH

The TR-111 UDP Connection Request module uses a STUN server to determine whether a NAT binding is in use and, when NAT is used, to retrieve the public address/port.
When the CWMP service is up and the STUN client parameter is set to TRUE, the TR-111 UDP Connection Request module tries to communicate with the STUN server over UDP.

To start the STUN client, use the following command in CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client enable true

To stop the STUN client, use the following command in CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client enable false

To configure the STUN Server address, use the following command in CWMP configuration mode. The
default STUN Server port number is 3489.
CLI(cwmp)> udp-cr stun-client server-address <IP-address> [<port>]

If NAT is detected, the parameter NATDetected is set to TRUE and the parameter
UDPConnectionRequestAddress is updated with the public address.
If no NAT is detected, the parameter NATDetected is set to FALSE and the parameter
UDPConnectionRequestAddress is updated with the private address.
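The STUN exchange behind the NATDetected / UDPConnectionRequestAddress rule, as an added example that is not OneOS code. It builds a STUN Binding Request, parses a Binding Response (XOR-MAPPED-ADDRESS per RFC 5389, or the classic MAPPED-ADDRESS attribute sent by RFC 3489 servers) while checking the transaction id so a stale or spoofed reply is rejected, and then applies the rule above: NAT is detected when the mapped address/port differ from the local socket. The server reply is constructed locally by make_binding_response so the example runs offline; only IPv4 is handled, and the addresses used are documentation examples, not OneOS defaults.

```python
import os
import socket
import struct

# Added example, not OneOS code. Only IPv4 mapped addresses are handled.
MAGIC_COOKIE = 0x2112A442          # RFC 5389; RFC 3489 servers send MAPPED-ADDRESS only
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"                 # type, length, magic cookie, transaction id


def build_binding_request(transaction_id=None):
    """Return (packet, transaction_id) for a Binding Request without attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)      # unpredictable id: the response must echo it
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, transaction_id), transaction_id


def _attributes(body):
    """Split the TLV attribute area; each attribute is padded to a 4-byte boundary."""
    attrs, offset = {}, 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack_from("!HH", body, offset)
        value = body[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated STUN attribute")
        attrs[atype] = value
        offset += 4 + alen + (-alen % 4)
    return attrs


def _address(value):
    """Decode an (XOR-)MAPPED-ADDRESS value: reserved, family, port, IPv4 address."""
    if len(value) < 8:
        raise ValueError("mapped address attribute too short")
    return struct.unpack("!BBHI", value[:8])


def parse_binding_response(packet, transaction_id):
    """Return (mapped_ip, mapped_port) from a Binding Response after validating the header."""
    if len(packet) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, tid = struct.unpack_from(HEADER, packet, 0)
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Response")
    if tid != transaction_id:
        raise ValueError("transaction id mismatch (stale or spoofed response)")
    if mlen != len(packet) - 20:
        raise ValueError("length field does not match message size")
    attrs = _attributes(packet[20:])
    if ATTR_XOR_MAPPED_ADDRESS in attrs:
        _, family, port, addr = _address(attrs[ATTR_XOR_MAPPED_ADDRESS])
        port ^= MAGIC_COOKIE >> 16               # XOR with the top 16 bits of the cookie
        addr ^= MAGIC_COOKIE
    elif ATTR_MAPPED_ADDRESS in attrs:
        _, family, port, addr = _address(attrs[ATTR_MAPPED_ADDRESS])
    else:
        raise ValueError("no mapped address in response")
    if family != 0x01:
        raise ValueError("only IPv4 mapped addresses are handled here")
    return socket.inet_ntoa(struct.pack("!I", addr)), port


def udp_connection_request_address(local_ip, local_port, mapped_ip, mapped_port):
    """NATDetected is TRUE iff the mapping differs from the local socket; the
    UDPConnectionRequestAddress is the public address in that case, else the private one."""
    nat_detected = (mapped_ip, mapped_port) != (local_ip, local_port)
    address = f"{mapped_ip}:{mapped_port}" if nat_detected else f"{local_ip}:{local_port}"
    return nat_detected, address


def make_binding_response(transaction_id, ip, port, xor=True):
    """Constructed server reply used for offline testing (no STUN server involved)."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        value = struct.pack("!BBHI", 0, 1, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
        attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    else:
        value = struct.pack("!BBHI", 0, 1, port, addr)
        attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), MAGIC_COOKIE, transaction_id) + attr
```

The transaction id check is the part worth keeping in mind operationally: a device that accepted any Binding Response would let an on-path host feed it a bogus public address, and the ACS would then send its connection requests to the wrong place.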

To configure the STUN client authentication settings, use the following command in CWMP configuration
mode:
CLI(cwmp)> udp-cr stun-client authentication <username> <password>

To configure the STUN client keepalive settings, use the following command in CWMP configuration
mode:
CLI(cwmp)> udp-cr stun-client keepalive <min-seconds> <max-seconds>

To restore the STUN client keepalive default settings (min=0; max=4294967295 seconds), use the
following command in CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client default keepalive

To configure the STUN client minimum notification interval, use the following command in CWMP
configuration mode:
CLI(cwmp)> udp-cr stun-client min-notification-interval <seconds>

To restore the STUN client default minimum notification interval (0 second), use the following command in
CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client default min-notification-interval

To configure a fixed STUN client source port, use the following command in CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client source-port fixed <1024-65535>


To configure a random STUN client source port to be taken within a range, use the following command in
CWMP configuration mode:
CLI(cwmp)> udp-cr stun-client source-port random <min> <max>

To restore the STUN client default source-port (3478), use the following command in CWMP configuration
mode:
CLI(cwmp)> udp-cr stun-client default source-port


4.5 MANUAL CWMP OPERATIONS

Invoking the request download event:
CLI> cwmp inform request-download { 1-firmware-update | 2-web-content | 3-vendor-configuration-file }

Sending a CWMP INFORM with BOOTSTRAP event:
CLI> cwmp start

Sending a CWMP INFORM with BOOT event:
CLI> cwmp event BOOT

To cancel the CWMP operation in progress:
CLI> cwmp stop

To force CWMP to send a BOOTSTRAP event at next boot, you must clean up a file (that would also be
cleaned up by a factory reset):
CLI> rm /BSA/persist/cwmp.ini
CLI> reboot


4.6 CWMP STATISTICS AND TROUBLESHOOTING

The debug mode activates the traces and also saves the CWMP transaction messages in the
/cwmp/temp directory:
CLI> [no] debug cwmp { all | application | session | data | soap }

The CWMP statistics are provided by the following command:
CLI> show cwmp statistics

The CWMP configuration status is obtained as follows:
CLI> show cwmp setup

The status of the ongoing downloads is obtained as follows:
CLI> show cwmp request-download state

The status of the ongoing UDP connection request is obtained as follows:
CLI> show cwmp udp-cr

4.7 CWMP CONFIGURATION EXAMPLE

configure terminal
cwmp
acs url http://acserver:7547/proxyServlet
trigger monitored-interface atm 0.1
config-update download-behaviour add-in
exit
exit


5 A U T O C O N F I G U R A T I O N

This section describes the autoconfiguration features of OneOS and how to activate them.
When the DHCP client is started on an interface, autoconfiguration automatically acquires configuration parameters. It also allows new image releases to be retrieved, thus facilitating image updates on a large scale. In order to adapt to varying customer requirements, several autoconfiguration methods can be defined.
The objective of this function is to optimize the deployment and maintenance costs of OneOS-based routers. Indeed, all routers stored in the warehouse have the same configuration files and software. When they are deployed at the customer premises, they download their configuration files and software if needed. This procedure enables the standardization of deployment and maintenance, which in turn enables significant operating savings.


5.1 AUTOCONFIGURATION FEATURES

The autoconfiguration implementation is compliant with DHCP RFC 2131 and RFC 2132. Note that some well-defined DHCP fields have been reused in order to provide a better use for our customers.
Autoconfiguration can download router software and configuration. The following diagram shows the state machine of autoconfiguration and the controls made to avoid the download of faulty software/configurations. The first step ("Execute bsaStart and backup configuration") is detailed in the second diagram.

Overall State Machine (flowchart rendered as steps)

• Start: execute bsaStart.cfg and back up the configuration in case of errors (detailed in the next diagram). If errors are found in bsaStart.cfg, reboot; otherwise continue.
• Run autoconfiguration periodically: retrieve the software and/or configuration to download.
• Software: if the new OS name differs from the current one, download it; if the integrity of the downloaded OS is correct, reboot (no reboot otherwise).
• Configuration: download the configuration. If the new configuration is identical to bsaStart.cfg, or identical to bsaStart.err, nothing is done. Otherwise, copy bsaStart.cfg into bsaStart.old, copy the new configuration into bsaStart.cfg and reboot.

Detail of Sub-State "Execute bsaStart.cfg, Backup configuration in case of errors"

• Execute bsaStart.cfg.
• No errors while executing bsaStart.cfg: rename bsaStart.err into bsaStart.bak, suppress bsaStart.bak, then start autoconfiguration if configured.
• Errors while executing bsaStart.cfg: copy bsaStart.cfg into bsaStart.err and put bsaStart.cfg into bsaStart.tmp (with the CLI lines causing errors commented out in bsaStart.tmp). Then, if the command 'reboot-recovery-on-error' is present, copy bsaStart.old into bsaStart.cfg and reboot; otherwise start autoconfiguration if configured.
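The two state machines above, simulated on files. This is an added example, not OneOS code: it reproduces the bsaStart.cfg / bsaStart.old / bsaStart.err / bsaStart.bak / bsaStart.tmp handling in a scratch directory so the recovery rules can be exercised offline, in particular the check that a newly downloaded configuration identical to bsaStart.err (one that already failed) is not applied again. The "hostname A" / "hostname B" configurations are constructed, execution errors are simulated by passing the offending CLI lines, and the "!" comment prefix used for bsaStart.tmp follows the comment syntax of the configuration examples later in this chapter.

```python
import tempfile
from pathlib import Path

# Added example, not OneOS code: file-level simulation of the two diagrams above.


def handle_downloaded_config(bsa_dir, new_config):
    """'Download Config' branch of the overall state machine.

    Returns 'same-as-running', 'same-as-failed' (the file equals a configuration
    that already failed, so it is not re-applied) or 'install-and-reboot'.
    """
    bsa = Path(bsa_dir)
    cfg, err, old = bsa / "bsaStart.cfg", bsa / "bsaStart.err", bsa / "bsaStart.old"
    if cfg.exists() and cfg.read_bytes() == new_config:
        return "same-as-running"
    if err.exists() and err.read_bytes() == new_config:
        return "same-as-failed"
    if cfg.exists():
        old.write_bytes(cfg.read_bytes())          # copy bsaStart.cfg into bsaStart.old
    cfg.write_bytes(new_config)                    # copy new config into bsaStart.cfg
    return "install-and-reboot"


def handle_boot_errors(bsa_dir, failing_lines=(), reboot_recovery_on_error=False):
    """Sub-state 'Execute bsaStart.cfg, backup configuration in case of errors'.

    failing_lines lists the CLI lines that raised errors while executing
    bsaStart.cfg (empty means a clean boot). Returns 'start-autoconfig' or 'reboot'.
    """
    bsa = Path(bsa_dir)
    cfg, err, bak, tmp, old = (bsa / n for n in
                               ("bsaStart.cfg", "bsaStart.err", "bsaStart.bak",
                                "bsaStart.tmp", "bsaStart.old"))
    if not failing_lines:
        if err.exists():
            err.rename(bak)                        # rename bsaStart.err into bsaStart.bak ...
            bak.unlink()                           # ... then suppress bsaStart.bak
        return "start-autoconfig"
    err.write_bytes(cfg.read_bytes())              # copy bsaStart.cfg into bsaStart.err
    kept = []
    for line in cfg.read_text().splitlines():      # bsaStart.tmp: offending lines commented out
        kept.append(("! " + line) if line.strip() in failing_lines else line)
    tmp.write_text("\n".join(kept) + "\n")
    if reboot_recovery_on_error and old.exists():
        cfg.write_bytes(old.read_bytes())          # copy bsaStart.old into bsaStart.cfg
        return "reboot"
    return "start-autoconfig"


def run_scenario():
    """Walk one device through a bad configuration push and its recovery; returns the outcomes."""
    outcomes = []
    with tempfile.TemporaryDirectory() as scratch:
        p = Path(scratch)
        (p / "bsaStart.cfg").write_bytes(b"hostname A\n")                 # constructed running config
        outcomes.append(handle_downloaded_config(scratch, b"hostname A\n"))  # same-as-running
        outcomes.append(handle_downloaded_config(scratch, b"hostname B\n"))  # install-and-reboot
        # after the reboot "hostname B" fails and reboot-recovery-on-error is configured
        outcomes.append(handle_boot_errors(scratch, failing_lines=["hostname B"],
                                           reboot_recovery_on_error=True))  # reboot
        outcomes.append((p / "bsaStart.cfg").read_bytes() == b"hostname A\n")  # restored from .old
        outcomes.append(handle_downloaded_config(scratch, b"hostname B\n"))  # same-as-failed
        outcomes.append(handle_boot_errors(scratch))                         # clean boot
        outcomes.append((p / "bsaStart.err").exists())                       # error record cleared
    return outcomes
```

The point of bsaStart.err in the diagram is visible in the scenario: once a configuration has failed, the periodic autoconfiguration run will not keep re-installing and rebooting on the same file until the server side is fixed.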

5.2 AUTOCONFIGURATION CONFIGURATION COMMANDS

The autoconfiguration feature requires that a DHCP client be enabled on an interface.

5.2.1 Enabling Autoconfiguration

To enable autoconfiguration and select the method, use the following command in global configuration
mode:
CLI(configure)> autoconfiguration <method>
CLI(oaac-mthd1)>

Currently, only methods '1', '2', '3' and '4' are available (see below). From there, the user must configure the method-specific parameters.
To deactivate autoconfiguration, use the no form of the following command in global configuration mode.
CLI(configure)> no autoconfiguration <method>

Once the method-specific parameters are entered, enter the ‘execute’ command to complete the service
configuration:
CLI(oaac-mthd1)> execute


5.2.2 Method-1-Specific Autoconfiguration Parameters

5.2.2.1 Voice Autoconfiguration

Voice service can also be started using autoconfiguration method #1. To activate this feature, use the following command under H.323 gateway configuration:
CLI(h323gw)> gw-address autoconfig

In this case, the OneOS-based router waits for the DHCP exchange to complete and uses the information contained in the DHCP message (option #14) to start the H.323 gateway. Option #14 is an ASCII string with the following format:

Option14: "<protocol identifier>|<A>.<B>.<C>.<D>|<gateway identifier>"

Where:
• The protocol identifier should be set to 2 when the H.323 protocol is selected. Other values are reserved to maintain future software compatibility.
• '<A>.<B>.<C>.<D>' is the gatekeeper IP address, used to set up a manual or automatic registration to this gatekeeper. When OneOS receives a broadcast IP address, an automatic process is started instead of a manual one. When this IP address is set to 0, the H.323 gateway is stopped after disconnecting all running calls.
• The gateway identifier provides the name of the OneOS-based router to the gatekeeper (for the RAS protocol).
The OneOS-based router can dynamically update those parameters even if the H.323 gateway is already started. The H.323 gateway behavior depends on these parameters.
In this case, the other parameters in the h323-gateway configuration entry are optional, except the gw-interface and no shutdown commands.
To deactivate this feature, use the following command:
CLI(h323gw)> gw-address implicit

5.2.2.2 Software Image Download

'Method #1' checks that the device has the right software image and downloads a new image if needed. The process is as follows:
• The router gets the IP address of a TFTP server in option #17.
• If option #17 provides a valid address, the router downloads an image information file that indicates the software image name and size and the TFTP server where the image is stored.
• If the image currently in use differs from the one given in the image information file, the new image is downloaded and the device reboots with the new image.
Option #17 is an ASCII string containing the IP address of the TFTP server in the format '<A>.<B>.<C>.<D>'.
The image information file is a text file with the following fields:
[one200]
<string>:<software-image-file>
<tftp-ip-address>
<length-in-bytes>
[one400]
<string>:<software-image-file>
<tftp-ip-address>
<length-in-bytes>
[one100]
<string>:<software-image-file>
<tftp-ip-address>
<length-in-bytes>
[one300] -- also available for one180
<string>:<software-image-file>
<tftp-ip-address>
<length-in-bytes>

Where:
• string is any string (not significant today, reserved for future use).
• software-image-file is the name of the image file on the TFTP server.
• tftp-ip-address is the address of the TFTP server from which the image can be downloaded.
• length-in-bytes is the size in bytes of the image (used to check that there is enough space in flash before downloading).
The file can contain information for several device names.
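A parser for the Method-1 inputs described in 5.2.2.1 and 5.2.2.2, as an added example that is not OneOS code. parse_image_info reads the image information file into a dictionary keyed by device name, image_update_decision applies the three rules above (entry present, image name differs from the running one, enough flash for length-in-bytes), and parse_option14 decodes the voice string. SAMPLE_IMAGE_INFO is a constructed copy of the oneaccess.general file shown in the configuration example that follows. Two literals are assumptions, because the guide only says "0" and "broadcast": 0.0.0.0 is taken as the stop-gateway value and 255.255.255.255 as the broadcast address selecting automatic registration.

```python
import ipaddress
import re

# Added example, not OneOS code: parser and update decision for Method-1 inputs.
_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")      # "[one200]" (trailing notes tolerated)


def parse_image_info(text):
    """Parse the image information file into {device: {tag, image, tftp, length}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sections, i = {}, 0
    while i < len(lines):
        m = _SECTION_RE.match(lines[i])
        if m is None:
            raise ValueError(f"expected [device] header, got {lines[i]!r}")
        if i + 3 >= len(lines):
            raise ValueError(f"section {m.group('name')} is truncated")
        tag, sep, image = lines[i + 1].partition(":")
        if not sep or not image:
            raise ValueError(f"bad '<string>:<software-image-file>' line {lines[i + 1]!r}")
        sections[m.group("name")] = {
            "tag": tag,                                          # "not significant today"
            "image": image,
            "tftp": str(ipaddress.IPv4Address(lines[i + 2])),    # raises on a malformed address
            "length": int(lines[i + 3]),
        }
        i += 4
    return sections


def image_update_decision(info, device, running_image, free_flash_bytes):
    """Return ("download", tftp url) or ("skip", reason) following the 5.2.2.2 rules."""
    entry = info.get(device)
    if entry is None:
        return ("skip", f"no entry for {device}")
    if entry["image"] == running_image:
        return ("skip", "image already in use")
    if entry["length"] > free_flash_bytes:             # length-in-bytes is the flash-space check
        return ("skip", f"need {entry['length']} bytes, only {free_flash_bytes} free")
    return ("download", f"tftp://{entry['tftp']}/{entry['image']}")


def parse_option14(value):
    """Decode '<protocol identifier>|<A.B.C.D>|<gateway identifier>'.

    Assumed literals: 0.0.0.0 stops the gateway, 255.255.255.255 (broadcast)
    selects automatic registration; any other address means manual registration.
    """
    parts = value.split("|")
    if len(parts) != 3:
        raise ValueError(f"option 14 needs 3 '|'-separated fields, got {value!r}")
    protocol, gatekeeper, gateway_id = parts
    if protocol != "2":                                # other values reserved: voice bypassed
        return {"h323": False, "reason": f"reserved protocol identifier {protocol!r}"}
    gk = ipaddress.IPv4Address(gatekeeper)
    if gk == ipaddress.IPv4Address("0.0.0.0"):
        action = "stop-gateway"
    elif gk == ipaddress.IPv4Address("255.255.255.255"):
        action = "automatic-registration"
    else:
        action = "manual-registration"
    return {"h323": True, "gatekeeper": str(gk), "gateway_id": gateway_id, "action": action}


# Constructed copy of the oneaccess.general sample used in the configuration example.
SAMPLE_IMAGE_INFO = """\
[one200]
F01L002.00:ONEOS1-VOIP-V3.3R2E31T1
220.0.0.43
5446002
[one400]
F0L002.00:ONEOS2-VOIP-V3.3R2E31T1
220.0.0.43
5555002
"""
```

Rejecting a truncated section or a malformed TFTP address before acting on the file is the defensive part: a DHCP option or a TFTP file is untrusted input on the path that decides which image the router boots next.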

5.2.2.3 Configuration Example

The following example shows a WAN topology in which autoconfiguration and DHCP are configured. In this example, router A is the DHCP client that needs to be auto-configured. Router B is the DHCP server as well as the default gateway router for A.

Topology (figure rendered as text): router A (LAN address 10.0.0.1) is connected to router B (88.123.12.1); HOSTB (88.123.12.243) and GATEKEEPER (88.123.12.242) are reached through router B.

The configuration script is as follows for router A:

ip dhcp vendorid voipt0t2-oneaccess
autoconfiguration method1
interface FastEthernet 0/0
ip address 10.0.0.1 255.255.255.0
exit
! …
! here, configure atm
! …
interface atm 0.1
pvc ipoa vpi 0 vci 32
execute
exit
ip address dhcp client-id fastethernet 0/0
ip nat inside overload
exit
! …
! here, configure voice
! …
dial-peer voice voip 0
gatekeeper mandatory ! select RAS protocol
no shutdown
exit
h323-gateway
gw-interface atm 0.1 ! link the H.323 gateway to an interface
gw-address autoconfig ! select autoconfiguration feature
no shutdown
exit
exit

The configuration script is as follows for router B:

ip dhcp pool global
host 88.123.12.2
client-identifier ONE60/08:00:51:00:11
default-router 88.123.12.1
dns-server 122.12.32.154
netmask 255.255.252.0
lease 0 12 0
option ascii 14 2|88.123.12.242|gw-test
option ascii 17 88.123.12.243
exit
interface FastEthernet 0/0
ip address 88.123.12.10 255.255.252.0
exit

The DHCP autoconfiguration parameters are ASCII strings configured as follows:
Option14: "2|88.123.12.242|gw-test"
Option17: "88.123.12.243"

File oneaccess.general located in host B can be configured like that:


[one200]
F01L002.00:ONEOS1-VOIP-V3.3R2E31T1
220.0.0.43
5446002
[one400]
F0L002.00:ONEOS2-VOIP-V3.3R2E31T1
220.0.0.43
5555002

Once router A has retrieved the main DHCP parameters (IP address, netmask, default route and DNS server), autoconfiguration looks up options #17 and #14.
The voice parameters contained in option #14 indicate that a gatekeeper named gw-test at IP address 88.123.12.242 is ready. The first number (2) means that the H.323 module is required; otherwise, voice configuration is bypassed.
Option #17 is the IP address of the remote TFTP server from which the image information file oneaccess.general is downloaded. Once the IP address is extracted from option #17, the file is retrieved and analyzed.

5.2.3 Method-2-Specific Autoconfiguration Parameters

Note: as of V4.3R2E2 software release, Method-2 Autoconfiguration is not supported outside default VRF.

5.2.3.1 Voice Autoconfiguration

Voice autoconfiguration is the same as method 1.

5.2.3.2 Downloading Configuration and Software

In this method, the process is:

• The router sends a DHCP discover with option #60 (vendor-id) in the form
voipt0t2-oneaccess-<software-release> and gets the IP address of a TFTP server in option #17.
• If option #17 provides a valid address, the router downloads an information file that indicates the
software image name, the configuration file and the FTP servers where the configuration and image
files are stored.
• Option #67 gives the name of the information file containing all the above-mentioned information.


Option #17 is an ASCII string containing the IP address of the TFTP server in the format
‘<A>.<B>.<C>.<D>’.
The downloaded information file has the following form:
/home/luci/admintests/oaac/config_one200
192.168.30.234
lucilu
luci123
admintests/oaac/oneos1.gen
192.168.30.234

The syntax is as follows:

<config-path/filename>
<ftp-server-ip>
<login>
<password>
<path/gen-file>
<tftp-server-ip>

Parameter details:

• config-path/filename: full path and file name of the configuration file that must be downloaded.
• ftp-server-ip: the configuration file is assumed to be on an FTP server, whose IP address is given
here.
• login: FTP login.
• password: FTP password.
• path/gen-file: full path and name of the general file, where the software images are specified.
This file is similar to oneaccess.general of autoconfiguration method 1. It has the following form:
[one200]
F01L002.00:ONEOS1-VOIP-V3.3R2E31T1
220.0.0.43
5446002
[one400]
F0L002.00:ONEOS2-VOIP-V3.3R2E31T1
220.0.0.43
5555002
• tftp-server-ip: TFTP server where the general file is kept.
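Parsers for the autoconfiguration data formats described in this section (the option 14 and 17 strings of method 1, the method-2 information file and the general/gen file), as an added Python example; this is not OneAccess code, and the sample inputs are constructed from the examples on this page. The last helper applies the gen-file version comparison that decides whether an image download is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inputs, copied from the examples on this page.
SAMPLE_OPTION14 = "2|88.123.12.242|gw-test"
SAMPLE_OPTION17 = "88.123.12.243"
SAMPLE_INFO_FILE = """\
/home/luci/admintests/oaac/config_one200
192.168.30.234
lucilu
luci123
admintests/oaac/oneos1.gen
192.168.30.234
"""
SAMPLE_GENERAL_FILE = """\
[one200]
F01L002.00:ONEOS1-VOIP-V3.3R2E31T1
220.0.0.43
5446002
[one400]
F0L002.00:ONEOS2-VOIP-V3.3R2E31T1
220.0.0.43
5555002
"""


@dataclass
class VoiceParams:
    h323_required: bool   # first field == "2"; any other value bypasses voice config
    gatekeeper_ip: str
    gateway_id: str


def parse_option14(value: str) -> VoiceParams:
    """Option 14 is '<module>|<gatekeeper-ip>|<gateway-id>'."""
    fields = value.split("|")
    if len(fields) != 3:
        raise ValueError(f"option 14 needs 3 '|'-separated fields: {value!r}")
    module, gk_ip, gw_id = fields
    ipaddress.IPv4Address(gk_ip)          # AddressValueError (a ValueError) if malformed
    if not gw_id:
        raise ValueError("option 14: empty gateway identifier")
    return VoiceParams(module == "2", gk_ip, gw_id)


def parse_option17(value: str) -> str:
    """Option 17 is a bare dotted-quad TFTP server address '<A>.<B>.<C>.<D>'."""
    return str(ipaddress.IPv4Address(value.strip()))


@dataclass
class InfoFile:
    config_path: str
    ftp_server: str
    login: str
    password: str
    gen_path: str
    tftp_server: str


def parse_info_file(text: str) -> InfoFile:
    """Method-2 information file: exactly six non-empty lines in fixed order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 6:
        raise ValueError(f"information file: expected 6 lines, got {len(lines)}")
    config_path, ftp_ip, login, password, gen_path, tftp_ip = lines
    ipaddress.IPv4Address(ftp_ip)
    ipaddress.IPv4Address(tftp_ip)
    return InfoFile(config_path, ftp_ip, login, password, gen_path, tftp_ip)


@dataclass
class ImageEntry:
    filename: str      # private image name (A in "A:B")
    version: str       # image version (B in "A:B")
    tftp_server: str
    size: int          # file size in bytes


def parse_general_file(text: str) -> Dict[str, ImageEntry]:
    """General file: '[machine-type]' header, then 'filename:version',
    the TFTP server address and the image size in bytes."""
    entries: Dict[str, ImageEntry] = {}
    section = None
    body: List[str] = []

    def flush() -> None:               # reads the current section/body from the loop
        if section is None:
            return
        if len(body) != 3:
            raise ValueError(f"section [{section}]: expected 3 lines, got {len(body)}")
        name_version, tftp_ip, size = body
        filename, sep, version = name_version.partition(":")
        if not sep or not version:
            raise ValueError(f"section [{section}]: bad 'A:B' line {name_version!r}")
        ipaddress.IPv4Address(tftp_ip)
        entries[section] = ImageEntry(filename, version, tftp_ip, int(size))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            section, body = line[1:-1], []
        elif section is None:
            raise ValueError(f"data before first [machine-type] header: {line!r}")
        else:
            body.append(line)
    flush()
    return entries


def image_update_needed(running_version: str, machine: str,
                        general: Dict[str, ImageEntry], os_update: bool) -> bool:
    """Upgrade only when OS update is enabled and the running version differs
    from the one the gen file lists for this machine type."""
    return os_update and general[machine].version != running_version
```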
The autoconfiguration is retried until successful; the process then restarts periodically (at the DHCP
lease time) in order to check for new versions or configuration.
On successful completion of the software upload/download, some test calls are sent. Traps are emitted to
the configured event managers if no test call is successful. If no successful call is observed after 3
attempts, the Voice LED remains red.
To enable autoconfiguration and select method 2, use the following command in global configuration
mode:
CLI(configure)> autoconfiguration 2
CLI(oaac-mthd2)>

To configure the interface onto which DHCP requests must be issued, enter the following command:
CLI(oaac-mthd2)> add-interface <type> <unit>

To allow the software image to be upgraded, enter the following command (default:
disabled):
CLI(oaac-mthd2)> os-update {enabled|disabled}

To specify the hostname that must be used within DHCP inform:


CLI(oaac-mthd2)> add-hostname <string>

The autoconfiguration can be enabled only after synchronization with an NTP server:
CLI(oaac-mthd2)> add-ntp-server <ip>

The autoconfiguration logs can be sent to a syslog server:


CLI(oaac-mthd2)> add-syslog-server <ip>

When the configuration is completed, always enter the ‘execute’ command to activate the changes:
CLI(oaac-mthd2)> execute

The next parameter enables an automatic reboot with the old configuration when the newly downloaded
configuration is detected as invalid (errors while executing the start configuration; default:
disabled):
CLI(oaac-mthd2)> exit
CLI(configure)> [no] reboot-recovery-on-error

5.2.4 Method-3-Specific Autoconfiguration Parameters

5.2.4.1 Voice Autoconfiguration

Voice autoconfiguration is the same as method 1.

5.2.4.2 Enabling test calls

This method is similar to method 2, but no image or configuration file is downloaded. In this method, the
process is:
• The router sends a DHCP discover with option #60 (vendor-id) in the form
voipt0t2-oneaccess-<software-release> and gets the IP address of a TFTP server in option #17.
• The router retrieves the voice parameters and proceeds with test calls.
The autoconfiguration is retried until successful. Traps are emitted to the configured event managers if no
test call is successful. If no successful call is observed after 3 attempts, the Voice LED remains red.
To enable autoconfiguration method 3, use the following command in global configuration mode:
CLI(configure)> autoconfiguration 3
CLI(oaac-mthd3)>

To configure the interface onto which DHCP requests must be issued, enter the following command:
CLI(oaac-mthd3)> add-interface <type> <unit>

To specify the hostname that must be used within DHCP inform:


CLI(oaac-mthd3)> add-hostname <string>

The autoconfiguration can be enabled only after synchronization with an NTP server:
CLI(oaac-mthd3)> add-ntp-server <ip>

The autoconfiguration logs can be sent to a syslog server:


CLI(oaac-mthd3)> add-syslog-server <ip>

When the configuration is completed, always enter the execute command to activate the changes:
CLI(oaac-mthd3)> execute

5.2.5 Method-4 Autoconfiguration

Note: as of V4.3R2E2 software release, Method-4 Autoconfiguration is not supported outside default VRF.
Autoconfiguration method 4 is configured with the same parameters as autoconfiguration method 2; the
file formats on the FTP/TFTP servers and the DHCP options are the same.
The differences between methods 2 and 4 lie exclusively in OneOS behavior: the way files are downloaded,
the reboot and the recovery from errors differ. To further detail the behavior of method-4
autoconfiguration, the next diagram depicts the autoconfiguration steps:


Method-4 autoconfiguration steps (flow diagram rendered as text; every KO or failed check returns to the
Delay Timer, after which the sequence starts again):

1. Start: must_reboot := no.
2. Get the gen_client file. KO: back to the Delay Timer. OK: continue.
3. Get the autoconfiguration parameters (gen_vx). KO: back to the Delay Timer. OK: continue.
4. Is the running software different from the software indicated in the gen-file, and is OS update
enabled? No: go to step 8. Yes: continue.
5. Get the OneOS file. Does the downloaded file pass the integrity check? No: back to the Delay Timer.
Yes: continue.
6. Is the downloaded file different from the running software? No: go to step 8. Yes: continue.
7. Rename the startup OneOs as OneOs.old; rename the downloaded OneOs as the startup OneOs;
if (OneOs != OneOs.old) then must_reboot := yes.
8. Get the Config file. Is it a new Config file? No: go to step 10. Yes: continue.
9. Save the current config as old; replace the start config with the new config; must_reboot := yes.
10. Is must_reboot == yes? No: back to the Delay Timer. Yes: Reboot.


5.3 AUTOCONFIGURATION STATISTICS

To display statistics about the existing autoconfiguration, use the following command line:
CLI> show autoconfiguration
autoconfig method1
config: tftp tries 0 (0 successfull, 0 bad params)
software version: tftp tries 0 (0 errors, 0 checksum errors)
system: errors fs 0, other

To display help information on how to use autoconfiguration, simply type the ‘autoconfiguration’ command:
CLI(configure)> autoconfiguration
method1: voice configuration and image version download manager
dhcp: option 14{A|B|C}, A=2 for H323, B gatekeeper ip@, B gateway identifier
option 17{D}, tftp server to download config file
oneaccess.general format:
[header] machine type: one200 or one400
filename in the format A:B where A is a private name, B is the image version
ipaddress ip address of tftp server to download image from filesize number of bytes of
the file to download

5.4 AUTOCONFIGURATION DEBUG AND TRACE

To enable autoconfiguration debugging, use the following command:


CLI> debug autoconfiguration

CLI> no debug autoconfiguration


6 EVENT-DRIVEN CPE CONFIGURATION

6.1 EVENT-DRIVEN CPE CONFIGURATION OVERVIEW

• The Event-driven CPE configuration functionality makes it possible to handle OneOS events and
accordingly trigger command-line interface (CLI) applets in order to execute a set of configuration
actions.
• The Event-driven CPE configuration function involves two software modules:
o Object tracking module: it provides in-box monitoring of different components of OneOS such
as interfaces or a VRRP instance. Tracked OneOS components are identified as objects with a
reported value which is either UP or DOWN. Other OneOS processes (such as Embedded
Event Manager described hereafter) can make use of the object tracking function to monitor
the state of specific objects and trigger actions accordingly.
o Embedded Event Manager (EEM): it implements automatic CPE configuration on the basis of
CLI commands configured in an applet and the state of a tracked object. It is a software
module designed to detect a defined event and execute an EEM applet when that event
occurs. An EEM applet defines an event and a set of CLI commands to be executed when that
event occurs.

6.2 OBJECT TRACKING FUNCTION OVERVIEW

• Each tracked object is identified by a unique number.
• The value of an object is either UP or DOWN.
• The object tracking module polls a tracked object at a specified interval (in seconds) and updates the
value of the tracked object accordingly (see also below).
• The change in the state of an object can be taken into account immediately or after a specified delay.
• An object can reflect the state of several objects (i.e. the state of a list of objects) with a Boolean AND
function (the global object is UP when all objects are UP and DOWN when at least one object is
DOWN), or with a Boolean OR function (the global object is UP when at least one object is UP
and DOWN when all objects are DOWN).
• Up to 99 objects can be tracked simultaneously.


• The following table gives the list of objects which can be tracked:

Object                      Object state                                            Object value
RTR probe result            Last RTR probe operation successful                     UP
                            Last RTR probe operation failed                         DOWN
Interface IP routing state  The interface line-protocol state is up and the         UP
                            interface has an IP address
                            The interface line-protocol is down or the interface    DOWN
                            IP address is unknown
VRRP state                  The VRRP is in the master state                         UP
                            The VRRP is in the backup or initialize state           DOWN

• The following table gives the default tracking polling timer intervals:

Object                      Default polling timer interval   Configurable
RTR probe result            5 seconds                        NO
Interface IP routing state  1 second                         YES
VRRP state                  3 seconds                        NO
Tracking list of objects    1 second                         NO

6.3 EMBEDDED EVENT MANAGER OVERVIEW

• EEM applet execution is triggered by events (change of a tracked object state).
• It is also possible to execute an EEM applet manually.
• Only one event can be defined within an EEM applet.
• At least 30 EEM applets can be configured simultaneously.
• When several applets are triggered at the same time, the EEM applets are executed in the
sequence in which their events occur.
• Multiple EEM applets can be triggered from the same event.
• The execution of an EEM applet is timed out by the expiration of a 20-second timer.
• At least 60 CLI commands (actions) are allowed within an EEM applet.


6.4 OBJECT TRACKING CONFIGURATION

6.4.1 Tracking the state of an RTR probe

• To define an object to track the state of an existing RTR probe and enter tracking RTR object
configuration mode, use the following command in global configuration mode:
CLI(configure)> track <object-id> ip-rtr <session-id> reachability
CLI(track-rtr)>

o object-id is the number (1 – 100) of the defined object.
o session-id is the number of an existing RTR probe session. Refer to section 2.26.2 for more
information about RTR probes.
To remove the tracking object, use the no form of the command:
CLI(configure)> no track <object–id>

• To filter out flapping RTR probe states (getting UP and/or getting DOWN), use the following command
in tracking RTR object configuration mode:
CLI(track-rtr)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the RTR probe has to be continuously UP in order to
be considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the RTR probe has to be continuously DOWN in
order to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-rtr)> no track-delay

• To terminate the configuration of the tracking of RTR probe state, use the following command in
tracking RTR object configuration mode:
CLI(track-rtr)> exit
CLI(configure)>


6.4.2 Tracking the IP routing state of an interface

• To define an object to track the IP state of an interface and enter tracking interface object
configuration mode, use the following command in global configuration mode:
CLI(configure)> track <object-id> interface
{ ethernet <slot>/<port>[.<sub-if>]
| fastethernet <slot>/<port>[.<sub-if>]
| gigabitethernet <slot>/<port>[.<sub-if>]
| dot11radio <slot>/<port>[.<sub-if>] | loopback <id>
| atm <port>[.<sub-if>] | pstn <slot>/<port>[.<sub-if>]
| efm <slot>/<port>[.<sub-if>] | serial <slot>.<port>
| dialer <id> | l2tunnel <id> | tunnel <id> }
ip-routing
CLI(track-int)>

o object-id is the number (1 – 100) of the defined object.
To remove the tracking object, use the no form of the command:
CLI(configure)> no track <object–id>

• To filter out flapping IP routing states of interfaces (getting UP and/or getting DOWN), use the following
command in tracking interface object configuration mode:
CLI(track-int)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the interface has to be continuously UP in order to
be considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the interface has to be continuously DOWN in
order to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-int)> no track-delay

• To define the interval in which the tracking process polls the tracked interface state, use the following
command in tracking interface object configuration mode:
CLI(track-int)> track timer interface <value>

o value is the polling interval in milliseconds (500 – 60000; must be multiple of 500
milliseconds). Default value: 1000 milliseconds (1 second).
To return to the default value for the timer, use the no form of the command:
CLI(track-int)> no track timer interface

• To terminate the configuration of the tracking of IP routing state of interface, use the following
command in tracking interface object configuration mode:
CLI(track-int)> exit
CLI(configure)>


6.4.3 Tracking the state of a VRRP instance

• To define an object to track the state of an existing VRRP instance and enter tracking VRRP object
configuration mode, use the following command in global configuration mode:
CLI(configure)> track <object-id> vrrp <vrrp-id> [vrf <vrf-name>]
CLI(track-vrrp)>

o object-id is the number (1 – 100) of the defined object.
o vrrp-id is the identifier of an existing virtual router instance.
o vrf-name is the name of the corresponding VRF instance. When not provided, the default
VRF is used.
To remove the tracking object, use the no form of the command:
CLI(configure)> no track <object–id>

• To filter out flapping VRRP states (getting UP and/or getting DOWN), use the following command in
tracking VRRP object configuration mode:
CLI(track-vrrp)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the VRRP instance has to be continuously UP in
order to be considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the VRRP instance has to be continuously DOWN
in order to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-vrrp)> no track-delay

• To terminate the configuration of the tracking of VRRP state, use the following command in tracking
VRRP object configuration mode:
CLI(track-vrrp)> exit
CLI(configure)>


6.4.4 Tracking the state of a list of objects

• To define an object to track the state of a list of objects and enter tracking list of objects
configuration mode, use the following command in global configuration mode:
CLI(configure)> track <object-id> list-boolean { and | or }
CLI(track-list)>

o object-id is the number (1 – 100) of the defined object.
o The and and or keywords define the type of list (refer to chapter 6.2 for more information).
To remove the tracking object, use the no form of the command:
CLI(configure)> no track <object–id>

• To add to the Boolean list of objects an object whose state has to be tracked, use the following
command in tracking list configuration mode:
CLI(track-list)> object <object-number> [not]

o object-number is the number (1 – 100) of the selected object to be added to the list.
o The not keyword indicates that the "inverted" state of the object is taken into
account.
The object command can be entered multiple times so as to track several objects.
To remove an object from the tracking list, use the no form of the command:
CLI(track-list)> no object <object-number>

• To filter out flapping tracking list states (getting UP and/or getting DOWN), use the following command
in tracking list object configuration mode:
CLI(track-list)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the tracking list object has to be continuously UP in
order to be considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the tracking list object has to be continuously
DOWN in order to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-list)> no track-delay

• To terminate the configuration of the tracking list, use the following command in tracking list object
configuration mode:
CLI(track-list)> exit
CLI(configure)>


6.4.5 Tracking the state of an IP route

• To define an object to track an IP route and enter tracking dialer-watch-list configuration mode, use
the following command in global configuration mode:
CLI(configure)> track <object-id> dialer-watch-list <list_name>
CLI(track-dialer-watch)>

o object-id is the number (1 – 100) of the defined object.
o <list_name> is the name of the dialer-watch-list.
Use this command to make the status of a static route depend on the tracking of an IP route; refer to the
example below.

• To filter out flapping route states (getting UP and/or getting DOWN), use the following command in
tracking dialer-watch-list configuration mode:
CLI(track-dialer-watch)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the route has to be continuously UP in order to be
considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the route has to be continuously DOWN in order
to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-dialer-watch)> no track-delay

• To terminate the configuration of the tracking of an IP route state, use the following command in
tracking dialer-watch-list configuration mode:
CLI(track-dialer-watch)> exit
CLI(configure)>

Example

• The route 77.242.202.241 is set to next hop 192.168.1.1 if the route 57.210.107.37 is installed in the
routing table (learnt from BGP for example):

CLI(configure)> dialer watch-list ROUTE_TRACK
CLI(watch-list)> ip 57.210.107.37 255.255.255.255
CLI(watch-list)> exit
CLI(configure)>

CLI(configure)> track 20 dialer-watch-list ROUTE_TRACK
CLI(track-dialer-watch)> track-delay up 10 down 10
CLI(track-dialer-watch)> exit
CLI(configure)>

CLI(configure)> ip route 77.242.202.241 255.255.255.255 192.168.1.1 name zscaler_route_1 track 20


6.4.6 Tracking the state of a MEP

• To define an object to track the state of a MEP and enter tracking MEP object configuration mode,
use the following command in global configuration mode:
CLI(configure)> track <object-id> mep mpid <mepId> level <meLevel>
direction <inward|outward> vlan <vlanId>
interface <type-unit>
CLI(track-mep)>

o <object-id> is the number (1 – 100) of the defined object.
o mpid <mepId> is the ID of the MEP.
o level <meLevel>. This is the MEG level (0 - 7) on which the MEP is defined.
o direction <inward|outward>. This sets whether the MEP is inward or outward facing.
o vlan <vlanId>. This is the VLAN ID (0 - 4094) on which the MEP is located.
o interface <type-unit>. This is the interface on which the MEP has been configured.
To remove the tracking object, use the no form of the command:
CLI(configure)> no track <object–id>

• To filter out flapping MEP states (getting UP and/or getting DOWN), use the following command in
tracking MEP object configuration mode:
CLI(track-mep)> track-delay { up <up-timer> [down <down-timer>]
| down <down-timer> [up <up-timer>] }

o up-timer is the time in seconds (2 – 60) the MEP has to be continuously UP in order to be
considered UP by the tracking function. Default value: 2 seconds.
o down-timer is the time in seconds (2 – 60) the MEP has to be continuously DOWN in order
to be considered DOWN by the tracking function. Default value: 2 seconds.
To return to the default values for the timers, use the no form of the command:
CLI(track-mep)> no track-delay

• To terminate the configuration of the tracking of the MEP state, use the following command in tracking
MEP object configuration mode:
CLI(track-mep)> exit
CLI(configure)>


6.5 EMBEDDED EVENT MANAGER CONFIGURATION

6.5.1 Initial delay configuration

• During startup (power-on or reboot), events are not monitored to avoid false detections. To define the
delay after startup after which the tracking of objects can start, use the following command in global
configuration mode:
CLI(configure)> track-initial-delay <seconds> [generate-event]

o <seconds> is the delay in seconds (1 – 3600) after which the tracking of objects can start.
Default value: 120 seconds (2 minutes).
o The generate-event keyword defines whether events are triggered automatically when the delay
expires. When present, at the expiry of the initial delay timer, OneOS generates events for all the
tracked objects on the basis of the current object states. This runs once, after the initial delay
timer, so that applets can be triggered based on the router state after startup.
• To return to the default initial delay timer (2 minutes), use the no form of the command:
CLI(configure)> no track-initial-delay

6.5.2 Embedded Event Manager Applet configuration

6.5.2.1 Defining the EEM applet

• To define an EEM applet and enter applet configuration mode, use the following command in global
configuration mode:
CLI(configure)> event manager applet <applet-name>
CLI(config-applet)>

• An applet consists of one event and up to twenty actions (see below).
• To delete an EEM applet, use the no form of the command:
CLI(configure)> no event manager applet <applet-name>


6.5.2.2 Defining the event tracking for which the applet is run

• To define the event that causes the applet to run, use the following command in applet configuration
mode:
CLI(config-applet)> event track <object-number> [state {up | down | any}]

o <object-number> is the number of the tracked object whose state changes trigger the
applet.
o The state keyword is used to specify the event criterion that causes the EEM applet to run:
 up. The applet is run when the object transitions from a DOWN state to an UP state
(default value).
 down. The applet is run when the object transitions from an UP state to a DOWN state.
 any. The applet is run whenever the object state changes.
To remove the event from the applet configuration, use the no form of the command:
CLI(config-applet)> no event track

• Alternatively, one can configure event none so that the EEM applet can be triggered manually
(e.g. for test purpose):
CLI(config-applet)> event none

To remove it, use the no form of the command:
CLI(config-applet)> no event none

With event none, to manually run the EEM applet, use the following command in global mode:
CLI> event manager run <applet-name>


6.5.2.3 Defining the timing event for which the applet is run

• To define the timing event that causes the applet to run, use the following command in applet
configuration mode:
CLI(config-applet)> event timer [countdown | watchdog] time <value>

o countdown runs the applet once, after the delay defined by time.
o watchdog runs the applet periodically; the period is defined by the time parameter.
o The time <value> must be entered in seconds, in the range <1-86400>.

• To define the timing event that causes the applet to run based on cron entry, use the following
command in applet configuration mode:
CLI(config-applet)> event timer cron cron-entry <cron-entry> name <name>

o The <cron-entry> must be entered between quotes, with the following format:
“minOfHour hrOfDay dayOfMonth moOfYear dayOfWeek”
where the cron entries are:
 minOfHour is from '0' to '59'
 hrOfDay is from '0' to '23'
 dayOfMonth is from '0' to '30'
 moOfYear is from '1' to '12'
 dayOfWeek is from '0' to '6'
o The maximum length of the <cron-entry> is 256 characters.
o Each entry of the <cron-entry> must be separated by at least one space character " ".
o Any entry of the <cron-entry> field can be given as '*', meaning any value.
o Any entry of the <cron-entry> field can be given as a single number, a list, a range, a step
value, or a combination of any of these types.
For example, minOfHour can be given as:
 Single value: 10 (10 minutes)
 List: 4,6,10,30 (4, 6, 10 or 30 minutes)
 Range: 10-25 (any minute in the range from 10 to 25)
 Step: 10-30/3 (all minutes between 10 and 30, in steps of 3 minutes)
When a range or step format is given, the minimum must be given first and then the maximum
(min-max or min-max/step).


• Different overall examples of the use of the cron-entry in event timer are given below:
o event timer cron cron-entry "30 * 14,20,23,30 1-6/2 5"
This will trigger the applet every Thursday, every 2 months between January and June starting
in January, on the 14th, 20th, 23rd and 30th day of the month, every hour at 30 minutes.

o event timer cron cron-entry "0-30/2 3-15 * * *"
This will trigger the applet every month, every day, every hour between 3 AM and 3 PM, every 2
minutes during the first 30 minutes of the hour.

o event timer cron cron-entry "30 10 15 11 6"
This will trigger the applet at 10:30 every 15th of November.

• To remove the event from the applet configuration, use the no form of the command:
CLI(config-applet)> no event timer
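An expander and matcher for the cron-entry format described above, as an added Python example that is not OneOS code. It enforces the field bounds, the min-before-max rule and the 256-character limit stated on the page, and assumes that all five fields must match at once (the page does not say how dayOfMonth and dayOfWeek combine).

```python
import re
from typing import FrozenSet, List

# Entry fields in order, with the bounds stated on this page.
CRON_FIELDS = [("minOfHour", 0, 59), ("hrOfDay", 0, 23), ("dayOfMonth", 0, 30),
               ("moOfYear", 1, 12), ("dayOfWeek", 0, 6)]
MAX_ENTRY_LEN = 256
_ITEM = re.compile(r"(\d+)(?:-(\d+)(?:/(\d+))?)?")   # single | min-max | min-max/step


def expand_field(spec: str, lo: int, hi: int) -> FrozenSet[int]:
    """Expand one field ('*', a value, a list, a range, a stepped range or a
    comma-separated combination of these) into the set of values it allows."""
    allowed = set()
    for item in spec.split(","):
        if item == "*":
            allowed.update(range(lo, hi + 1))
            continue
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad cron item {item!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        step = int(m.group(3)) if m.group(3) is not None else 1
        if start > end:                          # the page requires min before max
            raise ValueError(f"range must be given as min-max: {item!r}")
        if step < 1 or start < lo or end > hi:
            raise ValueError(f"{item!r} is outside {lo}-{hi} or has a bad step")
        allowed.update(range(start, end + 1, step))
    return frozenset(allowed)


def parse_cron_entry(entry: str) -> List[FrozenSet[int]]:
    """Split an entry (the text between the CLI quotes) into five expanded fields."""
    if len(entry) > MAX_ENTRY_LEN:
        raise ValueError("cron entry longer than 256 characters")
    parts = entry.split()                        # one or more spaces between fields
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}")
    return [expand_field(p, lo, hi) for p, (_, lo, hi) in zip(parts, CRON_FIELDS)]


def cron_matches(entry: str, minute: int, hour: int, day_of_month: int,
                 month: int, day_of_week: int) -> bool:
    """True when every field of the entry admits the given instant (assumption:
    all five fields are combined with AND, which the page does not state)."""
    values = (minute, hour, day_of_month, month, day_of_week)
    return all(v in allowed for v, allowed in zip(values, parse_cron_entry(entry)))
```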

6.5.2.4 Defining the syslog event for which the applet is run

• To define the syslog event that causes the applet to run, use the following command in applet
configuration mode:
CLI(config-applet)> event [tag <event-tag>]
syslog pattern <regular-expression>
[priority <priority-level>] [severity <level>]

o <regular-expression>. Use this to define the pattern to match in the syslog message. The
maximum length is 128 characters.
o <priority-level>. Use this to define the level of priority to match in the syslog event.
o <level>. This defines the level of severity to match in the syslog event. This must be in the
range from 0 to 7.

• To remove the event from the applet configuration, use the no form of the command:
CLI(config-applet)> no event syslog


6.5.2.5 Defining the CLI commands to be executed when the event occurs

• To define the CLI commands to be executed when the EEM applet is triggered, use the following
command in applet configuration mode (up to 20 times):
CLI(config-applet)> action <label> cli <cli-string> [prompt1 <string1>
[prompt2 <string2>]]

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <cli-string> defines the CLI command to be executed when the action is triggered in the
EEM applet. Note that the CLI command must be entered between quotes.
o <string1> and <string2> are used as input for the prompts that the CLI command may
display.
Warning: <cli-string>,<string1>, and <string2> must be entered between quotes if they
contain multiple words. They are always displayed enclosed in quotes even when not entered that
way.
When the command is used, the output of the <cli-string> is stored and can be recalled via
the variable $_cli_result.
$_cli_result stores the output of the last executed CLI command only.

• The following CLI command sets the size of the $_cli_result buffer:
CLI(configure)> event manager eem-cliresult-buffsize <buffer size>

o <buffer size> must be in the range of 1024 to 9216 characters.
A warning that the result has been truncated is logged in the debug eem logs.
To remove the action from the applet configuration, use the no form of the command:
CLI(config-applet)> no action <label>


6.5.2.6 Matching a Regular Expression in $_cli_result

6.5.2.6.1 Regular Expression

• Regular Expression is a powerful string matching syntax that not only allows matching a string against a
searched pattern, but also allows extracting some text from within a text.
Typically, a Regular Expression is used after executing a show command whose text output has
been stored in $_cli_result. The Regular Expression makes it possible to extract a counter or the
state of a service and store it in variables.
• The CLI result can be matched by a Regular Expression by using the following CLI:
CLI(config-applet)> action <label> regexp <pattern>
$_cli_result [ <matched-var> [ <var1> ... <varN>]]

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <matched-var>. This will contain the matched string if the <pattern> has been found,
otherwise it is empty.
o <var1> ... <varN>. These are the names of the variables where the Regular Expression
sub-matches are stored. In further EEM script lines, the variables can be substituted with their
values by prefixing them with a $ character.
o <pattern>. Use this to define the pattern to be matched in the text contained in
$_cli_result.

• Patterns for matching can be up to 128 characters long, variable names up to 24 characters, and the
input string up to 64 characters.
• The following table shows some of the Regular Expression Pattern Matching Characters that are
supported:

Character  Description and example
.          Matches any single character.
           Example: 0.0 matches 0x0 and 020. t..t matches strings such as test, text, and tart.
\          Matches the character following the backslash. Also matches (escapes) special
           characters.
           Example: 172\.1\.. matches 172.1.10.10 but not 172.12.0.0. \. allows a period to be
           matched as a period.
?          Matches zero or one occurrence of the pattern. (Precede the question mark with a
           Ctrl-V sequence to prevent it from being interpreted as a help command.)
           Example: ba?b matches bb and bab.
$          Matches the character or null string at the end of an input string.
           Example: 123$ matches 0123, but not 1234.
*          Matches zero or more sequences of the character preceding the asterisk. Also acts as a
           wildcard for matching any number of characters.
           Example: 5* matches any occurrence of the number 5, including none. 18\..* matches the
           characters 18. and any characters that follow 18.
+          Matches one or more sequences of the character preceding the plus sign.
           Example: 8+ requires there to be at least one number 8 in the string to be matched.
[]         Matches any one of the characters between the brackets.
           Example: [0-9] matches any number in the range 0 to 9.
()         Nests characters for matching. Separate endpoints of a range with a dash (-).
           Example: (17) matches any number of the two-character string 17.
|          Concatenates constructs. Matches one of the characters or character patterns on
           either side of the vertical bar.
           Example: A(B|C)D matches ABD and ACD, but not AD, ABCD, ABBD, or ACCD.
_          Replaces a long regular expression list by matching a comma (,), left brace ({),
           right brace (}), the beginning of the input string, the end of the input string, or
           a space.
           Example: the characters _1300_ can match any of the following strings:
           ^1300$
           ^1300space
           space1300
           {1300,
           ,1300,
           {1300}
           ,1300,

Warning: The following Regular Expression characters are not supported:
.*, \S, \n, \r, [A-Za-z0-9], \t, \s, \d, ^ (start of line)
When they are used in an applet, the following error message will be displayed on the console:
EEM: The pattern xx is not supported in regexp

6.5.2.6.2 Usage of variables in applet

In the regexp pattern, 2 types of variables are supported: sticky and non-sticky.
• Sticky variables retain their values across applet executions, until the applet is unconfigured.
The default value of a sticky variable is zero. Sticky variable names are predefined:
#appVar0, #appVar1, #appVar2, #appVar3, #appVar4, #appVar5, #appVar6, #appVar7
• Non-sticky variables are created with action set and action regexp; their values are not
retained across applet executions.
The names of these variables are user-defined and must not start with #.
To access a variable, its name is prefixed with $; for example, the variable counter is
accessed as $counter.
The maximum number of non-sticky variables within an applet is 24.


6.5.2.6.3 Setting value to a variable

Setting a value to a variable is done using the following command:
CLI(config-applet)> action <label> set <variable_name> <value>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <variable_name> is the name of the variable prefixed with $.
o <value> can be an absolute value or a variable name.

Example
action 1.0 set $var1 100
This sets the value of variable var1 to 100.
action 1.2 set #appVar0 $_result
This sets the value of variable #appVar0 to the value of variable $_result.

6.5.2.6.4 Mathematical operation with variable

• Some mathematical operations can be executed with variables.
The result of a mathematical operation is stored in the $_result variable.
• A variable can be multiplied using the following command:
CLI(config-applet)> action <label> multiply <variable_name> <value>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <variable_name> is the name of the variable prefixed with $.
o <value> can be an absolute value or a variable name.

• A value can be added to a variable using the following command:
CLI(config-applet)> action <label> add <variable_name> <value>

o <variable_name> is the name of the variable prefixed with $.
o <value> can be an absolute value or a variable name.

Example
action 1.1 add $#appVar0 1
This adds 1 to the value of variable #appVar0.
action 1.5 multiply $#appVar0 $#appVar1
This multiplies variable #appVar0 by #appVar1.


6.5.2.6.5 Displaying the value of a variable

• The value of a variable can be displayed with the following command:
CLI(config-applet)> action <label> puts <string>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <string> is the name of the variable prefixed with $; the maximum string length is 256.
Note however that the total CLI command length itself is limited to 255 characters, so the
string is bound by the remaining keywords.
The command can be used to print the values of the following variables by adding a $ character
before the variable name:
o sticky variables
o non-sticky variables
o _result
o _regexp_result
• When any other variable is referenced, the applet execution is set to error and a
corresponding message is displayed if debugging has been enabled.
• The output of the puts statement is shown on the console. It is also displayed in the
debugging output, if enabled.


6.5.2.7 Using the results of regexp matching

• The result of the regexp is stored and can be recalled in the next command lines through the
variable $_regexp_result.
• $_regexp_result has the value 1 if the regexp matched and 0 if it did not match.

• Conditional execution based on $_regexp_result in the applet can be triggered by using the
following CLI:
CLI(config-applet)> action <label> if
$_regexp_result { eq | gt | ge | lt | le | ne }
<string-op-2> goto <label-2>

• Conditional execution based on a string match or a string sub-match in the applet can be
triggered by using the following CLI:
CLI(config-applet)> action <label> if
<variable name> { eq | gt | ge | lt | le | ne }
<string-op-2> goto <label-2>
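As an added example (Python, not OneOS code), the following emulator runs an applet modelled on the guide's app_sysLoad_track example of section 6.7 through the actions described in 6.5.2.6 and 6.5.2.7: regexp with <matched-var> and sub-match variables, sticky and non-sticky variables, set/add/multiply with $_result, an if ... goto on $_regexp_result, and puts. The names EemApplet, eem_search and demo are hypothetical, and the show output is a constructed sample. Behaviours assumed here that the page does not spell out: labels are ordered by plain string sort, add and multiply write only $_result, if compares numerically when both operands are integers and as strings otherwise, and the table's _ character is expanded to a group matching a comma, a brace, a space or either end of the input.

```python
import re

# Added example (not OneOS code): emulates the EEM applet actions of sections 6.5.2.6 and
# 6.5.2.7 (cli, regexp, set, add, multiply, if/goto, puts) on constructed show output.
UNSUPPORTED = (".*", r"\S", r"\n", r"\r", "[A-Za-z0-9]", r"\t", r"\s", r"\d", "^")
MAX_VAR_NAME_LEN, MAX_NON_STICKY = 24, 24


def eem_search(pattern, text):
    """re.search with the guide's rules: unsupported constructs are rejected and '_' is
    expanded to 'comma, brace, space or start/end of input' (assumed equivalent to the
    table entry for '_'). Returns a match object or None."""
    for tok in UNSUPPORTED:
        if tok in pattern:
            raise ValueError(f"EEM: The pattern {tok} is not supported in regexp")
    return re.search(pattern.replace("_", r"(?:^|$|[,{} ])"), text)


class EemApplet:
    """Sticky #appVar0..7 persist across run() calls (default zero); everything else resets."""

    def __init__(self, cli_outputs):
        self.cli_outputs = cli_outputs                       # fake "show" outputs by command
        self.sticky = {f"#appVar{i}": 0 for i in range(8)}
        self.actions, self.puts_log = {}, []

    def action(self, label, keyword, *args):
        self.actions[label] = (keyword, args)

    def _get(self, token, env):                              # "$name" / "$#appVarN" or literal
        if not token.startswith("$"):
            return token
        name = token[1:]
        if name in self.sticky or name in env:
            return self.sticky.get(name, env.get(name))
        raise KeyError(f"unknown variable {token}")         # applet execution set to error

    def _set(self, name, value, env):
        name = name.lstrip("$")
        if name in self.sticky:
            self.sticky[name] = value
        elif name.startswith("#") or len(name) > MAX_VAR_NAME_LEN:
            raise ValueError(f"invalid non-sticky variable name {name}")
        elif name not in env and sum(not k.startswith("_") for k in env) >= MAX_NON_STICKY:
            raise ValueError("more than 24 non-sticky variables")
        else:
            env[name] = value

    def run(self):
        env = {"_cli_result": "", "_result": 0, "_regexp_result": 0}
        self.puts_log, labels, i = [], sorted(self.actions), 0   # ascending label order
        while i < len(labels):
            keyword, args = self.actions[labels[i]]
            i += 1
            if keyword == "cli":                             # only the last output is kept
                env["_cli_result"] = self.cli_outputs.get(args[0], "")
            elif keyword == "set":
                self._set(args[0], self._get(args[1], env), env)
            elif keyword in ("add", "multiply"):             # result goes to $_result
                a, b = int(self._get(args[0], env)), int(self._get(args[1], env))
                env["_result"] = a + b if keyword == "add" else a * b
            elif keyword == "regexp":                        # <pattern> <subject> [vars...]
                pattern, subject, outs = args[0], str(self._get(args[1], env)), args[2:]
                m = eem_search(pattern, subject)
                env["_regexp_result"] = 1 if m else 0
                values = ([m.group(0), *m.groups()] if m else []) + [""] * len(outs)
                for name, value in zip(outs, values):
                    self._set(name, value, env)
            elif keyword == "if":                            # <var> <op> <operand> goto <label>
                left, op, right, _goto, target = args
                lv, rv = self._get(left, env), self._get(right, env)
                try:
                    lv, rv = int(lv), int(rv)
                except ValueError:                           # not both numeric: string compare
                    lv, rv = str(lv), str(rv)
                if {"eq": lv == rv, "ne": lv != rv, "gt": lv > rv,
                        "ge": lv >= rv, "lt": lv < rv, "le": lv <= rv}[op]:
                    i = labels.index(target)
            elif keyword == "puts":
                expand = lambda v: str(self._get(v.group(0), env))
                self.puts_log.append(re.sub(r"\$(#?\w+)", expand, args[0]))


def demo():
    """Applet modelled on the guide's app_sysLoad_track example, run on constructed output."""
    cli = {"show system status": "Current CPU load : 4.7%\n"}      # constructed sample line
    app = EemApplet(cli)
    app.action("1.0", "cli", "show system status")
    app.action("1.1", "regexp", r"Current CPU load +: +([0-9]+)\.([0-9]+)%", "$_cli_result",
               "Current_load", "Load_percent", "load_per_deci")
    app.action("1.2", "set", "#appVar1", "$Load_percent")
    app.action("1.3", "set", "#appVar2", "$load_per_deci")
    app.action("1.4", "if", "$_regexp_result", "eq", "0", "goto", "9.0")  # no match: skip
    app.action("1.5", "multiply", "$#appVar1", "10")
    app.action("1.6", "add", "$_result", "$#appVar2")
    app.action("1.7", "set", "#appVar3", "$_result")                     # load in tenths of %
    app.action("1.8", "puts", "load tenths = $#appVar3")
    app.action("9.0", "puts", "done")
    app.run()
    return app
```

Running demo() and then calling run() again after changing the show output demonstrates the two variable kinds: #appVar3 keeps the value computed in the first run, the non-sticky variables start empty again, and the failed match sets $_regexp_result to 0 so the if action jumps past the arithmetic to label 9.0.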

6.5.2.8 Sending a syslog message into an applet

• To trigger the sending of a syslog message in an applet, use the following command:
CLI(config-applet)> action <label> syslog
[server <a.b.c.d> | X:X:X:X::X | hostname]
[severity <severity-level>] msg <msg-text>
facility <string>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o [server <a.b.c.d> | X:X:X:X::X | hostname]. This defines the address of the
syslog server to send the message to. An IPv6 address or a hostname is also supported.
If no syslog server is specified, the message is sent to all syslog servers configured on the
device.
o <severity-level> defines the severity level of the syslog message; <severity-level>
can be: emergencies, alerts, critical, errors, warnings, notifications, info,
debug, $_last_log_severity, $_last_syslog_severity.
o <msg-text> defines the content of the syslog message. The values of sticky and non-sticky
variables can be embedded in the user's syslog message.
The syslog message size is limited to 128 bytes by the backend.
o <string> defines the value of the facility code of the syslog message.
• Note that a syslog message with an invalid severity or facility will not be sent to the server.
• Example:
action 1.2 syslog server 10.4.32.132 severity "informational"
msg "MGMT IP = $ipaddr" facility 23


6.5.2.9 Sending an email notification in case of a LTE event

• The OneOS device can send one or more emails when the LTE connection is being used for data
transmission.
This functionality can for instance be used to alert a network administrator when the LTE connection,
used as backup, has become active, meaning that the normal connection has failed; this could lead
to extra cost.
• This functionality is configured with the following command:
CLI(config-applet)> action <label> email <recipient> <template-file-name>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <recipient> is the destination email address.
o <template-file-name> is the email template that will be used:
- The body of the email is prepared from the data contained in this template file.
- The template file can contain any data and can be stored anywhere on the device, for
instance in /webroot, but the complete path must be specified as argument in this
command.
Note that the email subject is fixed and cannot be changed.
- The template can contain shell-style variables, for instance $customerId and
$number. These are replaced with actual values when the email is composed.
Refer to the example below.

• Note that, for sending and receiving emails, the email ID and details must be configured on the device
as well, using the following commands:
CLI(configure)> smtp server <smtp-server-address>
CLI(configure)> smtp local-email <local-email-address>
CLI(configure)> smtp local-name <local-user-name>
CLI(configure)> smtp auth-name <authentication-name>
CLI(configure)> smtp auth-password <authentication-password>

• When this feature has been configured, it is shown in the output of the following show commands:
CLI> show running-config
CLI> show event manager applet
CLI> show event manager applet <applet name>


Example

• Configured applet:
CLI(configure)> event manager applet email
CLI(config-applet)> event none
CLI(config-applet)> action "3.0" "set" "number" "10"
CLI(config-applet)> action "3.1" puts "number = $number"
CLI(config-applet)> action "3.2" "set" "customerId" "Gobus"
CLI(config-applet)> action "4.0" email "[email protected]"
"webroot/email_template"
CLI(config-applet)> exit
CLI(configure)> end

The template file contains the following data:
"sending mail $customerId
test var $number cccc
LTE connection in use"

- 2 variables are present: $customerId and $number.
- When the applet named email gets executed, these 2 variables are replaced with the
values set in actions "3.0" and "3.2", i.e. 10 and Gobus, and the email body is prepared
as follows:
"sending mail Gobus
test var 10 cccc
LTE connection in use"

• Running the show event manager applet command shows:
CLI> show event manager applet email
No Applet Name Event Type
1 email none
action "3.0" "set" "number" "10"
action "3.1" puts "number = $number"
action "3.2" "set" "customerId" "Gobus"
action "4.0" email "[email protected]" "webroot/email_template"


6.5.2.10 Sending an alarm as a trigger action using applet

• An alarm can be sent through an applet as a trigger action by using the following command:
CLI(config-applet)> action <label> alarm <index> {oid_to_monitor}
{delta | absolute}
{rising <threshold> | falling <threshold>}
[description <description> ]
[owner <owner-string>]

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o <index>. This is an unsigned integer, ranging between 1 and 65535, unique within each applet.
o oid_to_monitor. This is the OID to be monitored; it is a string of maximum 120 characters.
o delta. This indicates the alarm method; delta means that the threshold values given in the
command are interpreted in terms of the difference between successive readings. The delta is
calculated as the current value minus the last iteration value and is compared against the
configured threshold. The delta calculation is skipped for the first iteration, because there is no
last iteration value to compare against yet.
o absolute. This indicates the alarm method; absolute means that the threshold values given in
the command are interpreted as absolute values, i.e. the difference between the current value and
preceding values is irrelevant. With method absolute, the current value is always compared
against the configured threshold.
o rising <threshold>. This is the upper threshold for a monitored variable and specifies the
value at which the alarm must be triggered: the alarm is triggered if the value is greater than or
equal to the configured threshold.
o falling <threshold>. This is the lower threshold for a monitored variable and specifies the
value at which the alarm must be triggered: the alarm is triggered if the value is less than the
configured threshold.
o <description>. This is a string of maximum 32 characters.
o <owner-string>. This is a string of maximum 32 characters.

• During initialization, the previous alarm is set to none. The following conditions are checked to
generate alarms:
o A rising alarm is generated if the previous alarm was not a rising alarm.
o A falling alarm is generated if the previous alarm was not a falling alarm.
• In an applet, only one alarm can be configured with a given alarm index. The alarm index is used as
the key for the action rmon-trap and action if-alarm, as described in:
o 6.5.2.11 Sending a RMON trap.
o 6.5.2.12 Action if-alarm based on alarm computation.

• As a prerequisite, the value of the alarm variable must be set before calling the action alarm
command. The variable name must be "alarmValue". Refer to the following configuration example:
action "1.0" "set" "alarmValue" "10000"
action "1.1" alarm "10" ".1.3.6.1.2.1.1.4.0" "absolute" "rising" "20"


6.5.2.11 Sending a RMON trap

• Action alarm, described in 6.5.2.10, is used for the computation of an alarm condition, which is used
by the rmon-trap action.
Alarm computation is based on the alarm method (delta or absolute) and on the type, which
defines how the value is compared (rising or falling); i.e. alarm computation determines whether
the current absolute value or delta value of the object is rising or falling compared to the threshold.
• To trigger the sending of a RMON trap in an applet, use the following command:
CLI(config-applet)> action <label> rmon-trap <alarm-index>
<oid_to_monitor>

o <label> is a string that uniquely identifies the action. The actions are sorted and run in
ascending alphanumeric key sequence using the label as sort key.
o rmon-trap <alarm-index>. This is an unsigned integer, as defined in the
action <label> alarm <index> … applet (6.5.2.10). The alarm index is used as key to
retrieve the details from the corresponding action alarm.
o <oid_to_monitor>. The OID is the root Object ID in the MIB tree, in the form
a.b.c.d…. For example, the 1.3.6 OID stands for access to the whole Internet MIB.
• If the rmon-trap action does not find the matching action alarm in the applet, the applet
aborts and the output of the command show event manager history event provides the
details.
• Also refer to section 2.11 RMON Mechanism.

6.5.2.12 Action if-alarm based on alarm computation

• Action alarm, described in 6.5.2.10, is used for the computation of an alarm condition, which is used
by the if-alarm action.
Alarm computation is based on the alarm method (delta or absolute) and on the type, which
defines how the value is compared (rising or falling).
• To trigger the action, use the following command:
CLI(config-applet)> action if-alarm <alarm-index> is {rising | falling }

o <alarm-index>. This is an unsigned integer, as defined in the action <label> alarm
<index> … applet (6.5.2.10). The alarm index is used as key to retrieve the details from the
corresponding action alarm.
o The if-alarm condition is true if the corresponding alarm (rising/falling) is
generated.
• If the if-alarm action does not find the matching action alarm in the applet, the applet
aborts and the output of the command show event manager history event provides the
details.
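As an added example (Python, not OneOS code), the following model implements the alarm computation described in 6.5.2.10 and the index lookups that 6.5.2.11 (rmon-trap) and 6.5.2.12 (if-alarm) perform on it: the delta and absolute methods, the first-iteration skip for delta, the rising and falling comparisons, and the "previous alarm" rule that suppresses a repeated alarm of the same kind. The names EemAlarm, find_alarm, if_alarm and run_readings are hypothetical; the readings are constructed. Two assumptions go beyond the page: an alarm entry may carry a rising threshold, a falling threshold, or both (the guide's syntax configures one per action), and if-alarm is evaluated against the alarm generated by the most recent reading.

```python
# Added example (not OneOS code): models the alarm computation of action alarm (6.5.2.10)
# and the index lookups done by action rmon-trap (6.5.2.11) and action if-alarm (6.5.2.12).


class EemAlarm:
    """One 'action alarm' entry. Accepts a rising threshold, a falling threshold, or both
    (the guide's syntax configures one per action; both is an assumed generalization)."""

    def __init__(self, index, oid, method, rising=None, falling=None):
        if not 1 <= index <= 65535:
            raise ValueError("index must be an unsigned integer between 1 and 65535")
        if len(oid) > 120:
            raise ValueError("oid_to_monitor is limited to 120 characters")
        if method not in ("delta", "absolute") or (rising is None and falling is None):
            raise ValueError("method must be delta or absolute, with a rising or falling threshold")
        self.index, self.oid, self.method = index, oid, method
        self.rising, self.falling = rising, falling
        self.last_value = None       # last iteration value, used by the delta method
        self.previous_alarm = None   # set to none during initialization
        self.last_generated = None   # alarm raised by the most recent evaluate() call

    def evaluate(self, alarm_value):
        """Feed the current alarmValue; return "rising", "falling" or None."""
        if self.method == "delta":
            if self.last_value is None:         # first iteration: no last value yet, skip
                self.last_value, self.last_generated = alarm_value, None
                return None
            sample, self.last_value = alarm_value - self.last_value, alarm_value
        else:
            sample = alarm_value                # absolute: compare the current value itself
        alarm = None
        if self.rising is not None and sample >= self.rising:
            alarm = "rising"
        elif self.falling is not None and sample < self.falling:
            alarm = "falling"
        if alarm == self.previous_alarm:        # same kind as the previous alarm: not repeated
            alarm = None
        if alarm is not None:
            self.previous_alarm = alarm
        self.last_generated = alarm
        return alarm


def find_alarm(alarms, index):
    """Key lookup shared by rmon-trap and if-alarm: a missing index aborts the applet."""
    if index not in alarms:
        raise LookupError(f"no action alarm with index {index} in this applet; aborted")
    return alarms[index]


def if_alarm(alarms, index, kind):
    """action if-alarm <index> is {rising | falling}: true if that alarm was just generated."""
    return find_alarm(alarms, index).last_generated == kind


def run_readings(alarm, readings):
    """Evaluate constructed alarmValue readings in order; return the alarm raised for each."""
    return [alarm.evaluate(value) for value in readings]
```

With an absolute alarm (rising 20, falling 12) the reading sequence 10, 25, 30, 5, 22 yields falling, rising, nothing, falling, rising: the 30 is above the threshold but follows a rising alarm, so it is not reported again. With a delta alarm (rising 10) the sequence 100, 105, 120, 125, 140 yields a single rising alarm at 120; the first reading only primes the last value, and the second jump of 15 is suppressed because the previous alarm was already rising.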

6.5.2.13 Terminating the applet configuration

• To terminate the configuration of the EEM applet, use the following command in applet configuration
mode:
CLI(config-applet)> exit
CLI(configure)>


6.6 EVENT-DRIVEN CPE CONFIGURATION STATISTICS AND DEBUG

Statistics

• To display the EEM applets configuration, use the following command line:
CLI> show event manager applet [<applet-name>]
No Applet Name Event Type
1 BACKUP track
track 1 state DOWN
action "1.0" cli "configure terminal"
action "2.0" cli "ip dns-proxy dns-server learn priority dhcp"
action "3.0" cli "end"
No Applet Name Event Type
2 DEFAULT track
track 1 state UP
action "A" cli "configure terminal"
action "B" cli "ip dns-proxy dns-server learn priority ipcp"
action "C" cli "end"
No Applet Name Event Type
3 BACKUP2 track
track 2 state DOWN
action "1.5" cli "configure terminal"
action "2.5" cli "ip route 0.0.0.0 0.0.0.0 atm 0.1 5"
action "3.5" cli "end"
No Applet Name Event Type
4 DEFAULT2 track
track 2 state UP
action "A.1" cli "configure terminal"
action "B.2" cli "ip route 0.0.0.0.0 0.0.0.0.0 atm 0.1 200"
action "C.3" cli "end"
No Applet Name Event Type
5 PBR-UP track
track 17 state UP
action "1.0" cli "configure terminal"
action "2.0" cli "interface atm 0.1"
action "3.0" cli "ip policy-routing route-to-master"
action "4.0" cli "end"
No Applet Name Event Type
6 PBR-DOWN track
track 17 state DOWN
action "1.0" cli "configure terminal"
action "2.0" cli "interface atm 0.1"
action "3.0" cli "no ip policy-routing route-to-master"
action "4.0" cli "end"

• To display the history of events, use the following command; this command will show the last
execution status (success/failed) of 30 applets at a time:
CLI> show event manager history events
No. Com. Status Time of Event Event Type Applet Name
1 Success 2000-01-01 00:29:13 track DEFAULT
2 Success 2000-01-01 00:38:07 track BACKUP
3 Success 2000-01-01 00:40:42 track DEFAULT
4 Success 2000-01-01 01:14:46 track BACKUP
5 Success 2000-01-01 01:16:40 track DEFAULT

• To clear the event manager history, use the following command:
CLI> clear event manager history events <applet-name>

o The <applet-name> is optional. If no <applet-name> is specified, the entire applet
execution history will be cleared.
o If an <applet-name> is specified, only the history related to that particular applet will be
cleared.


• To display the state of tracking objects, use the following command line:
CLI> show track [<object-number>]
Track 17
Object 15 DOWN
Object 16 UP
Boolean AND is DOWN
0 Change, Last Change None
Up Delay 2, Down Delay 2
Poll Interval (in msec) 1000
Tracked by: Applet : PBR-UP
Tracked by: Applet : PBR-DOWN
Track 16
interface GigabitEthernet 1/0 ip-routing
Ip-routing is UP
5 Change, Last Change 01:16:50
Up Delay 20, Down Delay 20
Poll Interval (in msec) 1000
Track 15
VRRP Id 8
Vrrp is DOWN
0 Change, Last Change None
Up Delay 20, Down Delay 20
Poll Interval (in msec) 3000
Track 1
interface GigabitEthernet 1/0 ip-routing
Ip-routing is UP
5 Change, Last Change 01:16:40
Up Delay 10, Down Delay 10
Poll Interval (in msec) 1000
Tracked by: Applet : BACKUP
Tracked by: Applet : DEFAULT
Track 2
RTR Session Id 1 reachability
Latest Completion Time (milliseconds): Unknown
Latest Operation Return Code: Timeout
Reachability is DOWN
0 Change, Last Change None
Up Delay 20, Down Delay 20
Poll Interval (in msec) 5000
Tracked by: Applet : BACKUP2
Tracked by: Applet : DEFAULT2


• To display the state of tracking timers, use the following command line:
CLI> show track timers
Timer Type Track Type Track Id Poll Interval Time To Next Poll
(in msec) (in msec)
Poll Timer list-boolean * 1000 440
Poll Timer interface 16 1000 940
Poll Timer interface 1 1000 940
Poll Timer vrrp * 3000 1440
Poll Timer rtr * 5000 2440

Note: the "*" in this table means "all Track Id".

Troubleshooting

• To enable debugging of EEM applets:
CLI> debug event manager <type> <level>

o <type> selects the type of information taken into account by the debugging command.
Three types can be entered:
- actions. Debugging of the Event Manager Applet; it displays the list of actions of the
applet.
- core. Event Core debugging; it allows checking the execution steps of the applet.
- all. Enables debugging in all modules, i.e. both the actions and core types together.
This prints the regexp match values as well as the results of the different mathematical
operations (action add/multiply/subtract/set).
Also, when a show command has been used, the output of the show command is printed.
o <level> defines the level of detail to be displayed.
Four levels can be entered:
- low
- med
- high
- verbose. This gives the maximum level of detail.
To disable EEM applets debugging:
CLI> no debug event manager <type>

• To enable debugging of the object tracking module core:
CLI> debug track core [<level>]
To disable object tracking module core debugging:
CLI> no debug track core

• To enable debugging of the interface tracking module:
CLI> debug track interface [<level>]
To disable interface tracking module debugging:
CLI> no debug track interface


• To enable debugging of the RTR probe tracking module:
CLI> debug track rtr [<level>]
To disable RTR probe tracking module debugging:
CLI> no debug track rtr

• To enable debugging of the VRRP state tracking module:
CLI> debug track vrrp [<level>]
To disable VRRP state tracking module debugging:
CLI> no debug track vrrp

• To enable debugging of the list of objects tracking module:
CLI> debug track list [<level>]
To disable list of objects tracking module debugging:
CLI> no debug track list

• To enable debugging of the timer tracking module:
CLI> debug track timer [<level>]
To disable timer tracking module debugging:
CLI> no debug track timer

• To enable debugging of the MEP tracking module:
CLI> debug track mep level <low | medium | high | verbose>
To disable MEP tracking module debugging:
CLI> no debug track mep

• To enable debugging of all tracking modules at a time:
CLI> debug track all <level>
To disable debugging of all tracking modules:
CLI> no debug track all


6.7 EVENT-DRIVEN CPE CONFIGURATION EXAMPLES

Event tracking example

In the following configuration example, only CLI commands related to event management CPE
configuration are fully shown.

hostname CLI
interface GigabitEthernet 0/0
ip address dhcp
exit
ip dns-proxy dns-server learn priority dhcp
no snmp set-write-community private
no snmp set-read-community public
rtr session 1
type echo protocol ipIcmpEcho 80.1.1.1
frequency 5
owner ""
paths-of-statistics-kept 1
hops-of-statistics-kept 1
exit
rtr reaction-trigger 1 1
rtr schedule 1 life forever start-time now
track 17 list-boolean and
Object 15
Object 16
exit
track 16 interface GigabitEthernet 1/0 ip-routing
track-delay up 20 down 20
exit
track 15 vrrp 8
track-delay up 20 down 20
exit
track 1 interface GigabitEthernet 1/0 ip-routing
track-delay up 10 down 10
exit
track 2 ip-rtr 1 reachability
track-delay up 20 down 20
exit
event manager applet BACKUP
event track 1 state DOWN
action "1.0" cli "configure terminal"
action "2.0" cli "ip dns-proxy dns-server learn priority dhcp"
action "3.0" cli "end"
exit
event manager applet DEFAULT
event track 1 state UP
action "A" cli "configure terminal"
action "B" cli "ip dns-proxy dns-server learn priority ipcp"
action "C" cli "end"
exit
event manager applet BACKUP2
event track 2 state DOWN
action "1.5" cli "configure terminal"
action "2.5" cli "ip route 0.0.0.0 0.0.0.0 atm 0.1 5"
action "3.5" cli "end"
exit
event manager applet DEFAULT2
event track 2 state UP
action "A.1" cli "configure terminal"


action "B.2" cli "ip route 0.0.0.0.0 0.0.0.0.0 atm 0.1 200"
action "C.3" cli "end"
exit
event manager applet PBR-UP
event track 17 state UP
action "1.0" cli "configure terminal"
action "2.0" cli "interface atm 0.1"
action "3.0" cli "ip policy-routing route-to-master"
action "4.0" cli "end"
exit
event manager applet PBR-DOWN
event track 17 state DOWN
action "1.0" cli "configure terminal"
action "2.0" cli "interface atm 0.1"
action "3.0" cli "no ip policy-routing route-to-master"
action "4.0" cli "end"
exit
end

Event timing example

In the following configuration example, only CLI commands related to time-driven CPE configuration are
fully shown.
event manager applet app_sysLoad_track
event timer watchdog time 60
action "1.0" cli "show system status"
action "1.1" regexp "Current CPU load +: +([0-9]+)\.([0-9]+)%"
"$_cli_result" "Current_load" "Load_percent" "load_per_deci"
action "1.2" "set" "#appVar0" "$Current_load"
action "1.3" "set" "#appVar1" "$Load_percent"
action "1.4" "set" "#appVar2" "$load_per_deci"
action "1.7" syslog server "10.4.32.132" severity "debugging" msg
"Current_load = $#appVar0; Load_percent = $#appVar1; load_per_deci =
$#appVar2" facility 23
exit

Event syslog example

In the following configuration example, only CLI commands related to syslog-driven CPE configuration
are fully shown.
event manager applet app_Int_ip_change
event syslog pattern "Interface"
action "1.0" cli "show ip interface brief"
action "1.1" regexp "Ethernet 0/0 +([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
"$_cli_result" "match" "ipaddr"
action "1.2" syslog server "10.4.32.132" severity "informational" msg
"MGMT IP = $ipaddr" facility 23
exit


7 POWER REDUNDANCY

Note that this chapter only applies to ONE1560 and ONE2510.

• To activate the dual power supply function, use the following command:
CLI(configure)> power redundancy-mode

• To deactivate the dual power supply function, use the following command:
CLI(configure)> no power redundancy-mode

o no power redundancy-mode is the default setting.

• The OneOS device is able to detect whether a power supply is connected to each power connector.
Each power supply connector has a corresponding green LED, which lights up when the power supply
is connected and functioning correctly.
• A power supply is considered no longer available when its voltage drops below 11.1 V.
• The status of each power supply can be displayed with the show system status command.
The following output is a practical example for a device with two active power supplies:
CLI> show system status
System Information for device MB92SsFPEmNW+R S/N T1442006907002078
Software version : ONEOS92-MULTI-V5.2R1E4_NB98006_T6
Software created on : 27/05/15 00:04:58
License token : None
Boot version : BOOT92-SEC-V5.2R2E16
Boot created on : 23/10/13 16:28:58
Boot flags : 0x10000008 0x80
Current system time : 25/08/15 09:38:33
System started : 29/05/15 20:18:49
Start caused by : Software requested / Administrator requested reboot
Sys Up time : 87d 13h 19m 44s
System clock ticks : 378243567
Core 0, control, CPU load for 1 second: 4.7% (Critical 2.8% Non Critical 1.9%), 1 minute 5.0%
Core 1, forwarding, CPU load for 1 second: 5.0% , 1 minute 5.0%
Redundant PSU : PSU 1 OK / PSU 2 OK

If only power supply 2 is present, the last line will say:
Redundant PSU : PSU 1 unplugged / PSU 2 OK


• When the dual power supply function is active and a power supply becomes unavailable, the
following actions take place:
o The corresponding green LED on the back panel of the device is switched off.
o The Status LED on the front panel starts blinking red.
o A message is displayed on the console.
o A OneOS event is generated.
o A Syslog message is sent.
o A SNMP trap is sent.
Note that, when the dual power supply function is not active and a power supply becomes
unavailable, only the corresponding green LED on the back panel of the device is switched off. The
other actions do not take place.

• To show the dual power supply function state, use the following command:
CLI> show power redundancy-mode
It will either show Power redundancy mode is active or
Power redundancy mode is inactive.

• If the dual power supply function has been activated, it is also shown when running the
show running-config command:
CLI> show running-config
Building configuration...

Current configuration:

console timeout 10800
no reboot recovery-on-error
power redundancy-mode
logging syslog alerts
logging buffered size 16364
hostname CLI

8 ANNEX A – LIST OF MANAGED EVENTS

Refer to the following tables:
• 8.1 Table 1 – Sys (System)
• 8.2 Table 2 – Adm (Management)
• 8.3 Table 3 – WAN (data interfaces)
• 8.4 Table 4 – IP
• 8.5 Table 5 – Vox (Voice)

8.1 TABLE 1 – SYS (SYSTEM)

Event Number (EN) Event description Type Family SubFamily Severity

1 generic fatal event Fatal gshdsl evt1 1


2 generic error event Error gshdsl evt2 1
3 generic warning event Warning gshdsl evt3 1
4 user : line created Info gshdsl evt4 1
5 user : line deleted Info gshdsl evt5 1
6 digital loopback started Info gshdsl evt6 1
7 digital loopback stopped Info gshdsl evt7 1
8 analog loopback started Info gshdsl evt8 1
9 analog loopback stopped Info gshdsl evt9 1
10 state machine transition Info gshdsl evt10 1
11 Link Up Event gshdsl evt11 1
12 Link Down Event gshdsl evt12 1
13 Attenuation alarm start Event gshdsl evt13 1
14 Attenuation alarm end Event gshdsl evt14 1
15 Noise margin alarm start Event gshdsl evt15 1
16 Noise margin alarm end Event gshdsl evt16 1
17 Reserved for future use Fatal gshdsl evt17 1
18 Reserved for future use Fatal gshdsl evt18 1
ONEOS V5.2 ADMIN USER GUIDE (EDITION 21)

19 Reserved for future use Fatal gshdsl evt19 1


20 Reserved for future use Fatal gshdsl evt20 1
21 Reserved for future use Fatal gshdsl evt21 1
22 Reserved for future use Fatal gshdsl evt22 1
23 Reserved for future use Fatal gshdsl evt23 1
24 Reserved for future use Fatal gshdsl evt24 1
25 Reserved for future use Fatal gshdsl evt25 1
26 generic fatal event Fatal sdsl evt1 1
27 generic error event Error sdsl evt2 1
28 generic warning event Warning sdsl evt3 1
29 user : line created Info sdsl evt4 1
30 user : line deleted Info sdsl evt5 1
31 digital loopback started Info sdsl evt6 1
32 digital loopback stopped Info sdsl evt7 1
33 analog loopback started Info sdsl evt8 1
34 analog loopback stopped Info sdsl evt9 1
35 state machine transition Info sdsl evt10 1
36 Link Up Event sdsl evt11 1
37 Link Down Event sdsl evt12 1
38 Noise margin alarm start Event sdsl evt15 1
39 Noise margin alarm end Event sdsl evt16 1
40 Reserved for future use Fatal sdsl evt17 1
41 Reserved for future use Fatal sdsl evt18 1
42 Reserved for future use Fatal sdsl evt19 1
43 Reserved for future use Fatal sdsl evt20 1
44 Reserved for future use Fatal sdsl evt21 1
45 Reserved for future use Fatal sdsl evt22 1
46 Reserved for future use Fatal sdsl evt23 1
47 Reserved for future use Fatal sdsl evt24 1
48 Reserved for future use Fatal sdsl evt25 1
49 Reserved for future use Fatal sdsl evt26 1
50 Reserved for future use Fatal sdsl evt27 1
51 generic fatal event Fatal adsl evt1 1
52 generic error event Error adsl evt2 1
53 generic warning event Warning adsl evt3 1
54 user : line created Event adsl evt4 1
55 user : line deleted Event adsl evt5 1
56 Link Up Event adsl evt6 1
57 Link Down Event adsl evt7 1
58 generic fatal event Fatal suni evt1 1
59 generic error event Error suni evt2 1
60 generic warning event Warning suni evt3 1
61 Link Up Event suni evt4 1
62 Link Up Event suni evt5 1
63 Report Event suni evt6 1
64 Reboot on request Fatal opsys evt1 1
65 Delayed reboot initiated Fatal opsys evt2 1
66 Delayed reboot canceled Fatal opsys evt3 1
67 Delayed reboot timed out Fatal opsys evt4 1
68 Software Watchdog time out Fatal opsys evt5 1
69 Invalid DSP number Fatal opsys evt6 1
70 Base of exception event codes Fatal opsys evt7 1
71 reserved Fatal opsys evt8 1
72 Machine check exception Fatal opsys evt9 1
73 DSI exception Fatal opsys evt10 1
74 ISI exception Fatal opsys evt11 1
75 External interrupt Fatal opsys evt12 1
76 Alignment exception Fatal opsys evt13 1
77 Program exception Fatal opsys evt14 1
78 Floating point exception Fatal opsys evt15 1
79 Decrementer exception Fatal opsys evt16 1
80 reserved Fatal opsys evt17 1
81 reserved Fatal opsys evt18 1
82 System Call exception Fatal opsys evt19 1
83 Trace exception Fatal opsys evt20 1
84 reserved Fatal opsys evt21 1
85 reserved Fatal opsys evt22 1
86 Instruction translation miss exception Fatal opsys evt23 1
87 Data load translation miss exception Fatal opsys evt24 1
88 Data store translation miss exception Fatal opsys evt25 1
89 Instruction address breakpoint exception Fatal opsys evt26 1
90 System management interrupt Fatal opsys evt27 1
91 Invalid default boot line Fatal opsys evt28 1
92 Generic fatal event Fatal ima evt1 1
93 Generic error event Error ima evt2 1
94 Generic warning event Warning ima evt3 1
95 IMA Link Up Event ima evt4 1
96 IMA Link Down Event ima evt5 1
97 IMA Group Up Event ima evt6 1
98 IMA Group Down Event ima evt7 1
99 TC Link Up Event ima evt8 1
100 TC Link Down Event ima evt9 1
101 Generic report event Event ima evt10 1
102 atmFast : fatal error when transmit block is free Fatal atmfast evt1 1
103 system monitoring : Monitoring Error Fatal monitor evt1 1
104 Ping Test OK Event ping evt1 1
105 Ping Test KO Event ping evt2 1
106 sarPQIAtmErrorIntHandler: UNRECOVERABLE ERROR - SCC Global Underrun in Serial Atm Fatal atmsar evt1 1
107 To be used Fatal atmsar evt2 1
108 WIFI: station association Event wifi association 1
109 WIFI: station authentication Event wifi authentication 1
110 WIFI: station information base Event wifi sib 1
111 WIFI: ssid access point status Event wifi ssid 1
112 WIFI: hardware presence Event wifi hardware 1
113 WIFI: generic radio events Event wifi radio 1
114 Task Overflow Instrumentation Fatal opsys task 1
115 Memory overflow (malloc fails) Fatal opsys evt29 1
116 Retraining of GSHDSL line Event gshdsl evt26 1
117 Reboot at date Warning reboot at 1
118 Reboot after delay Warning reboot after 1
119 System startup info Info startup system 1
120 generic fatal event Fatal vdsl evt1 1
121 generic error event Error vdsl evt2 1
122 generic warning event Warning vdsl evt3 1
123 user : line created Event vdsl evt4 1
124 user : line deleted Event vdsl evt5 1
125 Link Up Event vdsl evt6 1
126 Link Down Event vdsl evt7 1
127 Power Supply 1 plugged and operational Event power power1 1
128 Power Supply 1 failure Event power power1 1
129 Power Supply 1 unplugged Event power power1 1
130 Power Supply 2 plugged and operational Event power power2 1
131 Power Supply 2 failure Event power power2 1
132 Power Supply 2 unplugged Event power power2 1

8.2 TABLE 2 – ADM (MANAGEMENT)

Event Number (EN) Event description Type Family SubFamily Severity

4001 test Info tst tst 1
4002 Error detected in startup configuration: using failsafe configuration Error startup cfg 1
4003 Error detected in startup configuration: configuration reviewed Error startup cfg 1
4004 Error occurred during autoconfiguration: resource server unavailable Error autoconfig res 1
4005 Error occurred during autoconfiguration: configuration file unavailable Error autoconfig cfg 1
4006 Error occurred during autoconfiguration: configuration file is empty Error autoconfig cfg 1
4007 Error occurred during autoconfiguration: OS file unavailable Error autoconfig pkg 1
4008 Error occurred during autoconfiguration: OS file is empty Error autoconfig pkg 1
4009 Error occurred during autoconfiguration: wrong OS binaries Error autoconfig pkg 1
4010 Error occurred while executing CLI file Error wcf exec 1
4011 Successful execution of CLI file Info wcf exec 1
4012 No WCF CLI file found in folder Error wcf exec 1
4013 Cannot start execution task Error wcf exec 1
4014 Temporary CLI file correctly executed Info wcf submit 1
4015 CLI correctly saved to WCFx.CLI file Info wcf submit 1
4016 WCF handler generic error Error wcf submit 1
4017 WCF post processing generic error Error wcf postprocess 1
4018 WCF html parser generic error Error wcf htmlparse 1
4019 Temporary CLI file incorrectly executed Error wcf submit 1
4020 Generic upgrade process info Info wcf upgrade 1
4021 Generic upgrade process error Error wcf upgrade 1
4022 Generic ppa-pm cli info Info ppapm cli 1
4023 Generic ppa-pm cli error Error ppapm cli 1
4024 Generic ppa-pm snmp info Info ppapm snmp 1
4025 Generic ppa-pm snmp error Error ppapm snmp 1
4026 Generic ppa-pm exec info Info ppapm exec 1
4027 Generic ppa-pm exec error Error ppapm exec 1
4028 Generic dual-config exec info Info bkconfig exec 1
4029 Generic dual-config cli info Info bkconfig cli 1
4030 Generic check-list exec info Info chklist exec 1
4031 Generic check-list cli info Info chklist cli 1
4032 Auto-update download-layer Info autoupdate downloadlayer 1
4033 Auto-update sequencer Info autoupdate sequencer 1
4034 Auto-update triggers Info autoupdate triggers 1
4035 Auto-update configuration Info autoupdate configuration 1
4036 Auto-update software Info autoupdate software 1
4037 Auto-update resource Info autoupdate resource 1
4038 Auto-update tar-resource Info autoupdate tar-resource 1
4039 Auto-update manager Info autoupdate manager 1
4040 WCF html parser generic info Info wcf htmlparse 1
4041 CWMP Data Layer Info Info cwmp data 1
4042 CWMP Data Layer Warning Warning cwmp data 1
4043 CWMP Data Layer Error Error cwmp data 1
4044 CWMP Session Layer Info Info cwmp session 1
4045 CWMP Session Layer Warning Warning cwmp session 1
4046 CWMP Session Layer Error Error cwmp session 1
4047 CWMP Application Layer Info Info cwmp application 1
4048 CWMP Application Layer Warning Warning cwmp application 1
4049 CWMP Application Layer Error Error cwmp application 1
4050 Use of save-running Info config config-upd 1
4051 CWMP Soap Layer Info Info cwmp soap 1
4052 CWMP Soap Layer Warning Warning cwmp soap 1
4053 CWMP Soap Layer Error Error cwmp soap 1
4054 Generic core event Info core core1 1

8.3 TABLE 3 – WAN (DATA INTERFACES)

Event Number (EN) Event description Type Family SubFamily Severity

8001 Event to Indicate an alarm has turned on for a pvc Event atm_oam status 2
8002 Event to Indicate a change has occurred on the operational status of the pvc Event atm_oam status 1
8003 Event to Indicate a change has occurred on the operational status of the Virtual Path Event atm_oam status 1
8004 Event to Indicate an alarm has turned on for a Virtual Path Event atm_oam status 2
8005 Event to indicate ping atm is finished on this pvc Event atm_oam loopback_ping 2
8006 Event to indicate ping atm is beginning on this pvc Event atm_oam loopback_ping 2
8007 Event to Indicate an alarm has turned off for a pvc Event atm_oam status_1 2
8008 Event to Indicate an alarm has turned off for a Virtual Path Event atm_oam status_2 2
8009 Event to indicate Up Down for an interface Event eshs status_3 1
8010 Event to indicate Up Down for Ipoa Event eshs status_4 1
8011 Event to indicate Up Down for Pppoa Event eshs status_5 1
8012 Event to indicate Up Down for VoiceoA Event eshs status_6 1
8013 Event to indicate Up Down for PPPoEoA Event eshs status_7 1
8014 Event to indicate SL DOWN Event eshs_sl status_8 1
8015 Event to indicate SL UP Event eshs_sl status_9 1
8016 Event to indicate Ipoa Pvc Created Event ipoa status_10 1
8017 Event to indicate Ipoa Pvc Deleted Event ipoa status_11 1
8018 Event to indicate Ipoa Pvc modified Event ipoa status_12 1
8019 Event to indicate Ncp Level Up Event ncp status_13 1
8020 Event to indicate Ncp Level Down Event ncp status_14 1
8021 Event to indicate PppoSL NCP is Up Event ncp_sl status_15 1
8022 Event to indicate PppoSL NCP is Down Event ncp_sl status_16 1
8023 Event to indicate Lcp Level Up Event lcp status_17 1
8024 Event to indicate Lcp Level Down Event lcp status_18 1
8025 Event to indicate PppoSL LCP is Up Event lcp_sl status_19 1
8026 Event to indicate PppoSL LCP is Down Event lcp_sl status_20 1
8027 Event to indicate Voiceoa Pvc Created Event voiceoa status_21 1
8028 Event to indicate Voiceoa Pvc Deleted Event voiceoa status_22 1
8029 Event to indicate Voiceoa Pvc modified Event voiceoa status_23 1
8030 Event to indicate Pppoeoa Pvc Created Event pppoeoa status_24 1
8031 Event to indicate Pppoeoa Pvc Deleted Event pppoeoa status_25 1
8032 Event to indicate Pppoeoa Pvc modified Event pppoeoa status_26 1
8033 Event to indicate Pppoa Pvc Created Event pppoa status_27 1
8034 Event to indicate Pppoa Pvc Deleted Event pppoa status_28 1
8035 Event to indicate Pppoa Pvc modified Event pppoa status_29 1
8036 Event to indicate Pppoa Pvc reconnected Event pppoa status_30 1
8037 Event to indicate Pppoa Pvc disconnected Event pppoa status_31 1
8038 Event to indicate Pppoa LCP is Up Event pppoa status_32 1
8039 Event to indicate Pppoa LCP is Down Event pppoa status_33 1
8040 Event to indicate Pppoa Ip is Up Event pppoa status_34 1
8041 Event to indicate Pppoa Ip is Down Event pppoa status_35 1
8042 Event to indicate PppoSL interface Created Event ppposl status_36 1
8043 Event to indicate PppoSL interface Deleted Event ppposl status_37 1
8044 Event to indicate PppoSL interface modified Event ppposl status_38 1
8045 Event to indicate PPPoSL connection request Event ppposl status_39 1
8046 Event to indicate PPPoSL disconnection request Event ppposl status_40 1
8047 Event to indicate common signaling UP Event isdn status_41 1
8048 Event to indicate shutdown interface ISDN Event isdn status_42 1
8049 Event to indicate no shutdown interface ISDN Event isdn status_43 1
8050 Event to indicate incoming call call-back refused Event isdn status_44 1
8051 Event to indicate outgoing call call-back accepted Event isdn status_45 1
8052 Event to indicate direct incoming call refused Event isdn status_46 1
8053 Event to indicate direct incoming call accepted Event isdn status_47 1
8054 Event to indicate interface (down) PPPoB disconnected Event isdn status_48 1
8055 Event to indicate PPPoB reconnect requested Event isdn status_49 1
8056 Event to indicate PPPoB disconnect requested Event isdn status_50 1
8057 Event to indicate reconnection requested by call back on PPPoA Event isdn status_51 1
8058 Event to indicate disconnection requested by call back on PPPoA Event isdn status_52 1
8059 Event to indicate OPEN HDLC link over B requested by M3.1, or M2.1 or M2.2. Event isdn status_53 1
8060 Event to indicate CLOSE HDLC link over B requested by M3.1, or M2.1 or M2.2. Event isdn status_54 1
8061 Event to indicate disconnection of the channel B after HDLC inactivity Event isdn status_55 1
8062 Event to indicate call requested by M4.0 and M4. Event isdn status_56 1
8063 Event to indicate free requested by M4.0 and M4. Event isdn status_57 1
8064 Event to indicate outgoing call accepted Event isdn status_58 1
8065 Event to indicate incoming LIB received Event isdn status_59 1
8066 Event to indicate direct call requested Event isdn status_60 1
8067 Event to indicate outgoing call accepted Event isdn status_61 1
8068 Event to indicate incoming free received Event isdn status_62 1
8069 Event to indicate incoming call refused Event isdn status_63 1
8070 Event to indicate line non-helpful (secourable) Event isdn status_64 1
8071 Event to indicate line non-helpful, configuration KO Event isdn status_65 1
8072 Event to indicate helpful line accepted Event isdn status_66 1
8073 Event to indicate line not helped Event isdn status_67 1
8074 Event to indicate line ATM or serial-link ES Event isdn status_68 1
8075 Event to indicate PVC non-helpful Event isdn status_69 1
8076 Event to indicate PVC non-helpful, configuration KO Event isdn status_70 1
8077 Event to indicate helpful PVC accepted Event isdn status_71 1
8078 Event to indicate PVC not helped Event isdn status_72 1
8079 Event to indicate PVC is UP Event isdn status_73 1
8080 generic fatal event Fatal x25xot evt1 1
8081 generic error event Error x25xot evt2 1
8082 generic warning event Warning x25xot evt3 1
8083 X25 interface created Info x25xot evt4 1
8084 X25 interface deleted Info x25xot evt5 1
8085 XOT outgoing call routed to remote Info x25xot evt6 1
8086 XOT outgoing call : routing failed Info x25xot evt7 1
8087 reserved Info x25xot evt8 1
8088 reserved Info x25xot evt9 1
8089 reserved Info x25xot evt10 1
8090 reserved Info x25xot evt11 1
8091 reserved Info x25xot evt12 1
8092 reserved Info x25xot evt13 1
8093 reserved Info x25xot evt14 1
8094 reserved Info x25xot evt15 1
8095 X25 interface : link level connected Event x25xot evt16 1
8096 X25 interface : link level disconnected Event x25xot evt17 1
8097 X25 interface : network layer restart pending Event x25xot evt18 1
8098 X25 interface : network layer restart completed Event x25xot evt19 1
8099 X25/XOT logical channel : outgoing call pending Event x25xot evt20 1
8100 X25/XOT logical channel : outgoing call completed Event x25xot evt21 1
8101 X25/XOT logical channel : outgoing call failed Event x25xot evt22 1
8102 X25/XOT logical channel : incoming call received Event x25xot evt23 1
8103 X25/XOT logical channel : incoming call accepted Event x25xot evt24 1
8104 X25/XOT logical channel : incoming call cleared Event x25xot evt25 1
8105 X25/XOT logical channel connected : incoming clear Event x25xot evt26 1
8106 X25/XOT logical channel connected : outgoing clear Event x25xot evt27 1
8107 XOT outgoing TCP call pending Event x25xot evt28 1
8108 XOT outgoing TCP call successful Event x25xot evt29 1
8109 XOT outgoing TCP call failed Event x25xot evt30 1
8110 XOT incoming call TCP accepted Event x25xot evt31 1
8111 XOT incoming call TCP refused Event x25xot evt32 1
8112 XOT TCP connection disconnected locally Event x25xot evt33 1
8113 XOT TCP connection disconnected by remote Event x25xot evt34 1
8114 reserved Event x25xot evt35 1
8115 reserved Event x25xot evt36 1
8116 reserved Event x25xot evt37 1
8117 reserved Event x25xot evt38 1
8118 reserved Event x25xot evt39 1
8119 reserved Event x25xot evt40 1
8120 Event to indicate Pppoeoa Pvc reconnected Event pppoeoa evt41 1
8121 Event to indicate Pppoeoa Pvc disconnected Event pppoeoa evt42 1
8122 Event to indicate Pppoeoa LCP is Up Event pppoeoa evt43 1
8123 Event to indicate Pppoeoa LCP is Down Event pppoeoa evt44 1
8124 Event to indicate Pppoeoa Ip is Up Event pppoeoa evt45 1
8125 Event to indicate Pppoeoa Ip is Down Event pppoeoa evt46 1
8126 ISDN : generic fatal event Fatal dialisdn evt1 1
8127 ISDN : generic error event Error dialisdn evt2 1
8128 ISDN : generic warning event Warning dialisdn evt3 1
8129 ISDN : generic info event Info dialisdn evt4 1
8130 ISDN : outgoing call pending Event dialisdn evt5 1
8131 ISDN : outgoing call completed Event dialisdn evt6 1
8132 ISDN : outgoing call failed Event dialisdn evt7 1
8133 ISDN : incoming call received Event dialisdn evt8 1
8134 ISDN : incoming call accepted Event dialisdn evt9 1
8135 ISDN : incoming call cleared Event dialisdn evt10 1
8136 ISDN : incoming clear Event dialisdn evt11 1
8137 ISDN : outgoing clear Event dialisdn evt12 1
8138 PSTN : generic fatal event Fatal dialpstn evt1 1
8139 PSTN : generic error event Error dialpstn evt2 1
8140 PSTN : generic warning event Warning dialpstn evt3 1
8141 PSTN : generic info event Info dialpstn evt4 1
8142 PSTN : outgoing call pending Event dialpstn evt5 1
8143 PSTN : outgoing call completed Event dialpstn evt6 1
8144 PSTN : outgoing call failed Event dialpstn evt7 1
8145 PSTN : incoming call received Event dialpstn evt8 1
8146 PSTN : incoming call accepted Event dialpstn evt9 1
8147 PSTN : incoming call cleared Event dialpstn evt10 1
8148 PSTN : incoming clear Event dialpstn evt11 1
8149 PSTN : outgoing clear Event dialpstn evt12 1
8150 PSTN : device available Event dialpstn evt13 1
8151 PSTN : device ready for incoming call Event dialpstn evt14 1
8152 AUTH : generic fatal event Fatal auth evt1 1
8153 AUTH : generic error event Error auth evt2 1
8154 AUTH : generic warning event Warning auth evt3 1
8155 AUTH : generic info event Info auth evt4 1
8156 AUTH : outgoing call pending Event auth evt5 1
8157 AUTH : outgoing call completed Event auth evt6 1
8158 AUTH : outgoing call failed Event auth evt7 1
8159 L2TP Tunnel generic fatal Fatal l2tp evt1 1
8160 L2TP Tunnel generic Event Event l2tp evt2 1

8.4 TABLE 4 – IP

Event Number (EN) Event description Type Family SubFamily Severity

16001 Logging enabled for filters Info acl evt1 1

8.5 TABLE 5 – VOX (VOICE)

Event Number (EN) Event description Type Family SubFamily Severity

12011 Layer 1 on ISDN BRI port <5/x> <activated or deactivated> Info gen sigplan 2
12012 Layer 1 Error on ISDN BRI port <5/x> : <activation failure / deactivation> Warning gen sigplan 1
12013 Layer 1 on E1/T1 port <5/x> <activated or deactivated> Info gen sigplan 1
12014 Alarm on E1/T1 port <5/x> : <LOS, AI, RAI, End of LOS, End of AI, End of RAI> Info gen sigplan 1
12015 FXS port <5/x> : <off-hook / on-hook / ringing on / ringing off / polarity reverse / polarity normal> Info gen sigplan 2
12016 Voice port <5/x> status change : <shutdown / no shutdown> Info gen sigplan 2
12018 Connection to BLES voice gateway <vcd> established Info voatm sigplan 1
12019 Connection to BLES voice gateway <vcd> failure - <cause of failure> Warning voatm sigplan 1
12020 VOATM VP/VC <vcd> status change : <shutdown / no shutdown / ready / disconnected> Info voatm sigplan 1
12021 VMOA port <vcd:VMOA port> status change : <blocked/unblocked> by <vgw/user> Info voatm sigplan 3
12022 ISDN VMOA port <vcd:VMOA port> D-Channel allocated (CID : <CID>) Info voatm sigplan 3
12023 ISDN VMOA port <vcd:VMOA port> D-Channel deallocated (CID : <CID>) Info voatm sigplan 3
12024 ISDN VMOA port <vcd:VMOA port> B-channel <B1..B30> allocated (CID : <CID>, Type : <Voice/Data>) Info voatm sigplan 3
12025 ISDN VMOA port <vcd:VMOA port> B-channel <B1..B30> deallocated Info voatm sigplan 3
12026 VMOA port <vcd:VMOA port> allocation failure : <cause> Error voatm sigplan 1
12027 Remote alarm on VTOA CID <vcd>:<cid> - <cause> Info voatm userplan 2
12028 <number> Voice packet lost on CID <vcd>:<cid> Warning voatm userplan 2
12029 <number> Excessive Jitter on CID <vcd>:<cid> Warning voatm userplan 2
12030 FAX/Modem detected on CID <vcd>:<cid> Info voatm userplan 3
12031 End of FAX/Modem on CID <vcd>:<cid> Info voatm userplan 3
12032 Voice coder <coder><transmitting/receiving> on CID <vcd>:<cid> Info voatm userplan 3
12033 DSP failure <dsp number>: <cause of failure> Error gen userplan 1
12034 <number> Invalid voice packets received Warning voatm userplan 2
12035 Voice activation <false / true> on CID <vcd>:<cid> Info voatm userplan 3
12036 No sync clock. Fallback to freerun clock. Warning gen userplan 2
12037 Sync clock is back. Info gen userplan 2
12038 AAL2 clock differs from system clock on CID <vcd>:<cid> Warning voatm userplan 2
12039 System clock is synchronized on AAL2 clock on CID <vcd>:<cid> Info voatm userplan 2
12040 AAL1 synchronized on VP/VC <vcd> Info voatm userplan 2
12041 AAL1 out of synchro on VP/VC <vcd> Warning voatm userplan 2
12042 <number> Excessive Jitter on VP/VC <vcd> Warning voatm userplan 2
12043 <number> Invalid cells received on VP/VC <vcd> Warning voatm userplan 2
12044 H323 gateway registered with the gatekeeper <gk-id> Info voip controlplan 3
12045 H323 gateway registration failure. Cause: <cause> Error voip controlplan 1
12046 Incoming call on <voip|local> port <port nr> calling: <E164 number> called: <E164 number> call id: <internal call id> Info voip controlplan 3
12047 Outgoing call on <voip|local> port <port nr> number: <E164 number> call id: <internal call id> Info voip controlplan 3
12048 Incoming call failure on <voip|local> port <port nr> call id: <internal call id> cause: <cause> Error voip controlplan 1
12049 Outgoing call failure on <voip|local> port <port nr> call id: <internal call id> cause: <Q850 cause|RAS cause> Error voip controlplan 1
12050 Overlap dialing call id: <internal call id> number: <digits> Info voip controlplan 3
12051 Alert received call id: <internal call id> Info voip controlplan 3
12052 Call connected call id: <internal call id> Info voip controlplan 3
12053 VoIP RTP transmission <start|stop> call id: <internal call id> coder: <coder> Info voip userplan 3
12054 VoIP RTP reception <start|stop> call id: <internal call id> coder: <coder> Info voip userplan 3
12055 VoIP media channel opening failure call id: <internal call id> cause: <H245 cause> Error voip userplan 1
12056 Call disconnected call id: <internal call id> cause: <Q850 cause> Info voip controlplan 3
12057 H245 DTMF <sent|received> call id: <internal call id> number: <number> Info voip controlplan 3
12058 Fax T38 starting call id: <internal call id> Info voip userplan 3
12059 Fax T38 end of call call id: <internal call id> Info voip userplan 3
12060 Fax T38 call failure call id: <internal call id> cause: <T38 cause> Error voip userplan 1
12061 VMOA port <vcd:VMOA port> voice port %s allocation information: CAC changed on B-channel <B1..B30> deallocated : <cid> Info voatm sigplan 1
12062 VMOA port <vcd:VMOA port> voice port %s allocation information: updating CAC failed on B-channel <B1..B30> deallocated : <cid> Info voatm sigplan 1
12063 Vxx-ces port 0/x up Info voatm sigplan 1
12064 Vxx-ces port 0/x down Warning voatm sigplan 1
12065 Remote disconnection on <voip|local> port <port nr>, cause: <cause>[text], call id: <internal call id>. Info voip controlplan 1
12066 Local disconnection on <voip|local> port <port nr>, cause: <cause>[text], call id: <internal call id>. Info voip controlplan 1
12067 Route limitation to 20 digits <calling:E164 number>|<called:E164 number>, call id: <internal call id>. Info voip controlplan 1
12068 Decimal overlap dialing <transmitting/receiving> on CID <vcd>:<cid>, number: <digits>. Info gen sigplan 1
12069 Modem Passthrough starting call id: <internal call id> Info voip userplan 1
12070 DTMF <number> <received/sent> on local port <5/x> Info gen sigplan 1
12071 %i Excessive Jitter on local port 5/%i, call-id: %i Warning voip userplan 2
12072 Fax T38 <info>, call-id: <internal call id> Info voip userplan 1
12073 Reboot on call reception: call-id: <internal call id> Info voip controlplan 1
12074 BERT Errored Second ES: %<nb of ES>, ESR: %<ratio of ES>% Info voip userplan 3
12075 BERT Severely Errored Second SES: %<nb of SES>, SESR: %<ratio of SES>% Info voip userplan 3
12076 BERT Bit Error Ratio BER: %<BER mantissa>,E-:%<BER exponent> Info voip userplan 3
12077 BERT Out of Sync Warning voip userplan 3
12078 Generate BERT Info factory test 1
12079 Begin test BERT Info factory test 1
12080 TEST OK Info factory test 1
12081 TEST FAILED Info factory test 1
12082 Synchro failure Info factory test 1
12083 VOIP Fatal Error Error voip controlplan 1
12084 Portability status : <%s>. Info voip portability 1
12085 Portability unexpected incoming call during status : done. Info voip portability 1
12086 ACK Info voip sip 1
12087 BYE Info voip sip 1
12088 CANCEL Info voip sip 1
12089 INFO Info voip sip 1
12090 INVITE Info voip sip 1
12091 MESSAGE Info voip sip 1
12092 NOTIFY Info voip sip 1
12093 OPTIONS Info voip sip 1
12094 PRACK Info voip sip 1
12095 PREFER Info voip sip 1
12096 REGISTER Info voip sip 1
12097 UPDATE Info voip sip 1
12098 1xx Information Info voip sip 1
12099 200 OK Info voip sip 1
12100 3xx Redirection Info voip sip 1
12101 4xx Client error Error voip sip 1
12102 5xx Server error Error voip sip 1
12103 6xx Global failure Error voip sip 1
12104 Max-bandwidth exceeded Error voip cac 1
12105 Digit map Info voip controlplan 1