which means you’ll need to terminate the session and restart a new one. A sample output of the more command is as follows:

    CES# more version.dat
    V06_00.313

reformat Command

The reformat command is used to reformat the floppy diskette to be used in the creation of a recovery diskette. Although the command may be executed remotely, local interaction is necessary because you need to place and remove the floppy diskette on the Nortel VPN Router. A sample output of the reformat command is as follows:

    CES#reformat ?
      diskette   Reformats the diskette
    CES#reformat diskette ?
      full       Formats the floppy disk in full mode.
      quick      Formats the floppy disk in quick mode.
    CES#reformat diskette full ?
      <cr>

reload Command

The reload command gives a remote administrator the capability to restart the Nortel VPN Router. A variety of options are available with this command, as shown in the following sample output:

    CES#reload ?
      At                      Reload at a specific time/date
      boot-drive              Enables reboot drive
      boot-normal             Boot in normal mode
      boot-safe               Boot in safe mode
      cancel                  Cancels pending reload
      config-file             Enables boot configuration file
      disable-after-restart   Prevents remote logins after shutdown
      disable-logins          Prevents new remote logins before shutdown
      in                      Reload after a time interval
      LINE                    Reason for reload
      no-sessions             Reload after all users log off
      power-off               Power down after shutdown
      restart                 Restart after shutdown
      <cr>

658 Appendix B 17_781274 appb.qxp 6/21/06 10:03 PM Page 658

Because this command will perform a cold restart of the unit, it will cause all user and Branch Office Tunnels to drop. This command must be used carefully and with proper notification to all those who would be affected when exercising this command.

rename Command

The rename command is used to rename a file or a directory. The assumption is that the path will be specified, or that the user will be one directory level above a directory to be named, or within a directory where a file that is to be renamed is located. A sample of the rename command is as follows:

    CES#rename ?
      WORD   Source URL
    CES#
    CES#mkdir /ide0/system/test
    CES#rename /ide0/system/test test1
    CES#dir /ide0/system
    Directory of /ide0/system/
          <DIR>  /ide0/
    .
    .
          <DIR>  SUN FEB 26 13:56:58 2006  TEST1
          <DIR>  FRI FEB 03 16:00:12 2006  UCODE
             12  WED FEB 08 17:58:00 2006  UPGRADE.DAT
             12  FRI FEB 03 15:58:38 2006  VERSION.DAT

From this example, you can see that a directory test was created and renamed to test1. To verify this, a section of the /ide0/system directory is displayed showing that the directory test1 currently resides within that directory structure.

retrieve Command

The retrieve command is used to obtain a new software image from an FTP server where it is stored. The code must be located on the server in the directory that is specified within the command. In the following sample output of the command, it is assumed that the code has been placed in the root directory of the FTP server. The FTP server root directory does not necessarily have to be the root directory of the computer itself, but a directory that the FTP server interprets to be its root. Sample output of the retrieve command is as follows:

    CES#retrieve ?
      software   Enables retrieval of the latest software image
    CES#retrieve software ?
      Hostname or A.B.C.D   IP addr of the host remote server
    CES#retrieve software 10.10.0.51 ?
      version    Software image file version
    CES#retrieve software 10.10.0.51 version ?
      WORD       Software image
    CES#retrieve software 10.10.0.51 version V06_00.313 ?
      path       Path to the directory where the software is stored
      uid        User ID for the FTP server
    CES#$oftware 10.10.0.51 version V06_00.313 path V06_00.313 uid anonymous ?
      password   FTP server password
    CES#$51 version V06_00.313 path V06_00.313 uid anonymous password guest ?
      recurse    Do it anyway if present
      <cr>
    CES#$rsion V06_00.313 path V06_00.313 uid anonymous password guest recurse ?
      <cr>

Notice that the path does not specify a path, but rather a filename of the optimized server code that may be loaded directly on the Nortel VPN Router. Because no other path has been specified, it is understood that the file resides within the root directory of the FTP server. The recurse portion of the command means that if the code is already resident on the unit, it is overwritten with the code that is currently being retrieved.

The optimized version of server code is indicated by the suffix extensions of tar and gz being used on the file. These files have been in use since the version V04_85 release of server code. The optimized format allows the FTP process to go much more smoothly with the extraction of a single file, and its expansion takes place directly on the unit when retrieval has been completed. Files with the zip extension must be unzipped into a directory named with the code version that is to be applied, and located within the root directory or specified path of the FTP server. Whenever possible, you should use the optimized version of server code because of its ease of use.

Global Configuration Mode

The Global Configuration mode allows an administrative user to configure all parameters and features of the Nortel VPN Router. However, these commands are extremely powerful, and they must be practiced so that the user is thoroughly familiar with the commands and contexts prior to executing these commands on an operational Nortel VPN Router. Also, these commands may require a particular sequence of commands to be executed in the proper order.

We highly recommend that users take the time to familiarize themselves totally with the command and its behavior on the unit prior to using it on a VPN Router that is in a production environment.
Improper context, syntax, or execution of a command can cause the unit to be unmanageable remotely and, in severe conditions, can necessitate recovery actions to restore the unit to its mode of operation prior to an improper command being executed.

As with all upgrades, configuration changes, or anything that may affect the overall operation of the unit, the minimum of a backup of the configuration file and LDAP files should be done prior to exercising the command as a precaution in case recovery is made necessary.

A listing of the available configuration commands is as follows:

    CES#configure ?
      terminal   Enable configuration from the terminal
    CES#configure terminal
    Enter configuration commands, one per line. End with Ctrl/z.
    CES(config)#?
    Configure commands:
      aaa                       Authentication, authorization and accounting
      access-hours              Adds and configures access hours
      access-list               Adds an access list entry
      accounting                Accounting server
      adminname                 Enables administrator to enable the administrator login name and password
      aot                       Async over tcp
      arp                       Adds a static ARP entry
      audible                   Enables audible alarm
      auto-save-logging         Enables auto-save-logging function for event-log
      bgp                       Enable BGP over public interfaces
      bo-conn                   Adds or configures branch office connections
      bo-group                  Enables branch office group configuration commands
      clear                     Disables the number of days the journal files will be removed from internal RADIUS server
      client-policy             Adds or modifies client policy
      clip                      Configures Circuitless IP
      clock                     Sets the system clock
      cmp                       Enables certificate management protocol
      compress-files            Enables file compression
      console                   Sets or displays the restriction level of the console session
      controller                configure physical I/O parameters
      create                    Creates Safe mode config
      crl                       Enables the retrieval of certificate revocation list(CRLs)
      crypto                    Enables crypto certificate configuration
      data-collection-interval  Displays data collection interval information
      default                   Enables default switch settings configuration
      demand                    Configures Demand services
      dns-proxy                 Enables DNS Proxy on the CES
      domain                    Edits or adds domain set or domain
      end                       Exits from configure mode
      erase                     Deletes a configuration file
      event-log                 Specifies the size of the event log
      exception                 Defines backup FTP servers for the CES
      exit                      Saves settings and leaves configuration mode
      filter                    Enables filter configuration
      fips                      Enables federal information processing standards
      firewall                  Enables firewall type
      frame-relay               Enables Frame Relay debug mode on a specific slot and port
      ftp-server                Configures file transfer protocol to the system management IP Address
      fwua                      Enables Firewall User Authentication
      group                     Configures user groups
      help                      Describes the interactive help system
      hostname                  Enables the system hostname
      http                      Configures HTTP protocol
      https                     Enables HTTPS service
      icmp                      Enables ICMP service
      identification            Enables identification protocol to the system managment IP Address
      idle-timeout              Enables an automatic logout when an administrator session is not in use
      interface                 Selects an interface to configure OR configures an interface group
      ip                        Enables IP settings
      ipsec                     Enables IPSEC tunnel configuration
      ipx                       ipx commands
      l2f                       L2F tunnel configuration
      l2tp                      L2TP tunnel configuration
      ldap                      Control LDAP server (Mini-CLI emulation)
      ldap-server               LDAP server configuration
      license                   Installs license key for paid feature
      load                      Bulk load configuration commands (Mini-CLI emulation)
      log-file-lifetime         Sets the log file’s time to live (in days)
      logging                   Enables the syslog server host
      logout                    Disconnect this telnet session
      map-class                 Configures a map-class
      maximum-paths             Enables the maximum equal cost paths
      multicast-boundary        Enables adding interfaces to multicast boundary list
      multicast-relay           Enables multicast relay
      network                   Adds network and allows to assign IP address and subnet mask to the network
      no                        Disables features
      ntp                       Enables network time protocol
      ospf                      Enables the maximum equal cost paths to calculate within OSPF
      policy                    CSF Policy Manager
      pptp                      Enables PPTP tunnel configuration
      prompt                    Changes session prompt
      proxy                     Enables the external LDAP authentication server
      qos                       Enables qos
      radius                    Enables RADIUS service
      radius-accounting         Enables RADIUS Accounting service
      radius-client             Configures Radius Client
      radius-server             Radius server configuration
      restrict                  Restricts management access to CES (Mini-CLI emulation)
      rip                       maximum equal cost paths to calculate within RIP
      route-map                 Add a route map
      route-policy              Enables the route policy feature
      router                    Specifies a routing process to configure
      safe-mode                 Enables Safe Mode Configuration
      save                      Save current boot config (Mini-CLI emulation)
      scheduler                 Enables scheduler settings
      serial-banner             Configure the serial banner
      serial-banner-fragment    Add a new line to serial banner
      serial-port               Enables serial port configuration
      service                   Enables services
      show                      Displays configuration information
      snmp-server               SNMP Server settings
      split-dns                 Enables DNS Server to be split between public and private domains
      ssh                       Enables SSH service
      ssl                       Configures SSL
      ssl-vpn                   SSL-VPN Acceleration configuration mode
      system                    Enables system settings
      system-log-to-file        Write system log to file
      telnet                    Virtual terminal protocol to the system management IP address
      Tunnel                    Enables the tunneling protocols, i.e., IPsec, PPTP, L2TP, L2F
      tunnel-guard              Enables to set tunnel guard properties
      user                      User configuration mode

Summary

The Command Line Interpreter (CLI) command set is extensive. It provides a terminal or Telnet user great flexibility and control over the configuration and maintenance of the Nortel VPN Router. These commands allow a user to perform these functions with low-bandwidth requirements, which makes the CLI command set extremely useful in out-of-band management scenarios. However, with the power and flexibility of these commands, the user must be careful in their use.
The command line is not as intuitive as a GUI-based user interface, nor does it have complete checking on the execution of the command. Whereas the GUI interface may flag a problem, the CLI command may not. We highly recommend that users familiarize themselves totally with the commands and the options within them prior to their use in a production environment. The best way to do this is in a lab environment where the user can exercise various commands and observe their behavior.

As you can see by the contents of this appendix, the CLI command library is extensive. This appendix is intended as a quick introduction to the use of the CLI command set and is not totally inclusive of all the options that these commands contain.

Related Request for Comments Reference Guide APPENDIX C 18_781274 appc.qxp 6/21/06 10:03 PM Page 665

A Request for Comments (RFC) is a document that is generated to outline a standard. The RFC is published by the Internet Engineering Task Force (IETF). Most RFCs are drafts and can be changed later. All RFCs are submitted and reviewed before they are published. Once an RFC becomes a standard, no other changes are allowed to the RFC. An RFC can, however, be replaced by an updated RFC in the future.

RFCs are informational in nature and suggest processes to obtain a goal. There are even a few RFCs that are humorous and really serve no other purpose than to entertain. A few of these are listed toward the end of this appendix.

Table C-1 shows RFCs that are related to many of the standards and protocols that have been discussed in this book. This should serve as a reference where you can obtain very basic information about the RFC; you can then access the RFC for additional reading. If you need more information about a particular RFC, or about RFCs in general, you can get it from the IETF Web site: www.ietf.org/

Table C-1: RFC Reference

| TOPIC | RFC NUMBER | TITLE | STATUS |
|---|---|---|---|
| L2F | 2341 | Cisco Layer Two Forwarding (Protocol) “L2F” | Historic |
| L2TP | 2661 | Layer Two Tunneling Protocol “L2TP” | Proposed Standard |
| | 2809 | Implementation of L2TP Compulsory Tunneling via RADIUS | Informational |
| | 2888 | Secure Remote Access with L2TP | Informational |
| | 3070 | Layer Two Tunneling Protocol (L2TP) over Frame Relay | Proposed Standard |
| | 3145 | L2TP Disconnect Cause Information | Proposed Standard |
| | 3193 | Securing L2TP Using IPSec | Proposed Standard |
| | 3301 | Layer Two Tunneling Protocol (L2TP): ATM access network extensions | Proposed Standard |
| | 3308 | Layer Two Tunneling Protocol (L2TP) Differentiated Services Extension | Proposed Standard |
| | 3355 | Layer Two Tunneling Protocol (L2TP) Over ATM Adaptation Layer 5 (AAL5) | Proposed Standard |
| | 3371 | Layer Two Tunneling Protocol “L2TP” Management Information Base | Proposed Standard |
| | 3438 | Layer Two Tunneling Protocol (L2TP) Internet Assigned Numbers Authority (IANA) Considerations Update | Best Current Practice |
| | 3573 | Signaling of Modem-On-Hold Status in Layer 2 Tunneling Protocol (L2TP) | Proposed Standard |
| | 3817 | Layer 2 Tunneling Protocol (L2TP) Active Discovery Relay for PPP over Ethernet (PPPoE) | Informational |
| | 3931 | Layer Two Tunneling Protocol Version 3 (L2tpv3) | Proposed Standard |
| | 4045 | Extensions to Support Efficient Carrying of Multicast Traffic in Layer-2 Tunneling Protocol (L2TP) | Experimental |
| PPTP | 2637 | Point-to-Point Tunneling Protocol | Informational |
| IPSec | 2207 | RSVP Extensions for IPSec Data Flows | Proposed Standard |
| | 2410 | The NULL Encryption Algorithm and Its Use with IPSec | Proposed Standard |
| | 2709 | Security Model with Tunnel-mode IPSec for NAT Domains | Informational |
| | 3104 | RSIP Support for End-to-End IPSec | Experimental |
| | 3193 | Securing L2TP Using IPSec | Proposed Standard |
| | 3456 | Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPSec Tunnel Mode | Proposed Standard |
| | 3457 | Requirements for IPSec Remote Access Scenarios | Informational |
| | 3554 | On the Use of Stream Control Transmission Protocol (SCTP) with IPSec | Proposed Standard |
| | 3566 | The AES-XCBC-MAC-96 Algorithm and Its Use with IPSec | Proposed Standard |
| | 3585 | IPSec Configuration Policy Information Model | Proposed Standard |
| | [...] | | |
| | | ... Packets and Congestion Avoidance | Best Current Practice |
| | 1058 | Routing Information Protocol | Historic |
| | 1387 | RIP Version 2 Protocol Analysis | Informational |
| | 1388 | RIP Version 2 Carrying Additional Information | Proposed Standard |
| | 1389 | RIP Version 2 MIB Extensions | Proposed Standard |
| | 1581 | Protocol Analysis for Extensions to RIP to Support Demand Circuits | Informational |
| | 1582 | Extensions to RIP to Support Demand Circuits... | |
| | [...] | | |
| | | ... Directory Access Protocol (LDAP) Cancel Operation | Proposed Standard |
| | 3928 | Lightweight Directory Access Protocol (LDAP) Client Update Protocol (LCUP) | Proposed Standard |
| | 4104 | Policy Core Extension Lightweight Directory Access Protocol Schema (PCELS) | Proposed Standard |
| | 4370 | Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control | Proposed Standard |
| | 4373 | Lightweight Directory Access Protocol... | |
| | [...] | | |
| | | ... (ESN) Addendum to IPSec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP) | ... Standard |
| | 4308 | Cryptographic Suites for IPSec | Proposed Standard |
| | 4309 | Using Advanced Encryption Standard (AES) CCM Mode with IPSec Encapsulating Security Payload (ESP) | Proposed Standard |
| | 4312 | The Camellia Cipher Algorithm and Its Use with IPSec | Proposed Standard |
| | [...] | | |
| | | ... Redundancy Protocol (VRRP) | Draft Standard |
| | 1105 | Border Gateway Protocol (BGP) | Experimental |
| | 1163 | Border Gateway Protocol (BGP) | Historic |
| | 1164 | Application of the Border Gateway Protocol in the Internet | Historic |
| | 1265 | BGP Protocol Analysis | Informational |
| | 1267 | Border Gateway Protocol 3 (BGP-3) | Historic |
| | 1268 | Application of the Border Gateway Protocol in the Internet | Historic |
| | 1269 | Definitions of Managed Objects for the... | |
| | [...] | | |
| | | ... | Proposed Standard |
| | 2830 | Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security | Proposed Standard |
| | 2849 | The LDAP Data Interchange Format (LDIF) Technical Specification | Proposed Standard |
| | 2891 | LDAP Control Extension for Server Side Sorting of Search Results | Proposed Standard |
| | 2926 | Conversion of LDAP Schemas to and from SLP Templates | Informational |
| | 2927 | MIME Directory Profile for LDAP... | |
| | [...] | | |
| | | ... | Proposed Standard |
| | 1721 | RIP Version 2 Protocol Analysis | Informational |
| | 1722 | RIP Version 2 Protocol Applicability Statement | Standard |
| | 1723 | RIP Version 2 Carrying Additional Information | Standard |
| | 1724 | RIP Version 2 MIB Extension | Draft Standard |
| | 2091 | Triggered Extensions to RIP to Support Demand Circuits | Proposed Standard |
| | 2453 | RIP Version 2 | Standard |
| | 0439 | PARRY Encounters the DOCTOR | Unknown |
| | 0967 | All Victims Together... | |
| | [...] | | |
| | | ... Directory Access Protocol (LDAP) | Proposed Standard |
| | 3673 | Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes | Proposed Standard |
| | 3674 | Feature Discovery in Lightweight Directory Access Protocol (LDAP) | Proposed Standard |
| | 3687 | Lightweight Directory Access Protocol (LDAP) and X.500 Component Matching Rules | Proposed Standard |
| | 3698 | Lightweight Directory Access Protocol (LDAP): Additional... | |
| | [...] | | |
| | | ... | Informational |
| | 3947 | Negotiation of NAT-Traversal in the IKE | Proposed Standard |
| | 4109 | Algorithms for Internet Key Exchange version 1 (IKEv1) | Proposed Standard |
| | 4306 | Internet Key Exchange (IKEv2) Protocol | Proposed Standard |
| | 4304 | Extended Sequence Number (ESN) Addendum to IPSec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP) | Proposed Standard |
| | 4307 | Cryptographic... | |
| | [...] | | |
| | | ... Networks (VPNs) | Proposed Standard |
| | 4365 | Applicability Statement for BGP/MPLS IP Virtual Private Networks (VPNs) | Informational |
| | 4381 | Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs) | Informational |
| | 4382 | MPLS/BGP Layer 3 Virtual Private Network (VPN) Management Information Base | Proposed Standard |
| | 1969 | The PPP DES Encryption Protocol (DESE) | Informational |
| | 2419 | The PPP DES Encryption Protocol,... | |
| | [...] | | |
| | 3352 | Connection-less Lightweight Directory Access Protocol (CLDAP) to Historic Status | Informational |
| | 3377 | Lightweight Directory Access Protocol (v3): Technical Specification | Proposed Standard |
| | 3383 | Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP) ... | |