Tellabs® 8600 Managed Edge System
Management Communications Configuration Guide
50125_04 30.11.09
Document Information
Revision History
Document No. / Date / Description of Changes
50125_04 30.11.09 The default TELNET value updated in chapters 3.1 and 3.2. Information on displaying terminal monitor messages is updated in chapter 3.1.
50125_03 25.09.09 Affected feature packs updated on page 2.
50125_02 27.03.09 Tellabs 8607 access switch support added.
This manual documents the following network elements and the corresponding feature packs or higher:
FP1.0A Tellabs 8607 access switch
FP1.3 Tellabs 8605 access switch
FP2.11 Tellabs 8620 access switch, Tellabs 8630 access switch, Tellabs 8660 edge switch
© 2009 Tellabs. All rights reserved.
This Tellabs manual is owned by Tellabs or its licensors and protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties.
The following trademarks and service marks are owned by Tellabs Operations, Inc. or its affiliates in the United States and/or other countries: TELLABS®, TELLABS® logo, TELLABS and T symbol®, and T symbol®.
Any other company or product names may be trademarks of their respective companies.
The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.
Adobe® Reader® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Tellabs® 8600 Managed Edge System 50125_04 Management Communications Configuration Guide © 2009 Tellabs.
2
Terms and Abbreviations
Term Explanation
AAA Authentication, Authorization, Accounting
ACL Access Control List
AES-256 Advanced Encryption Standard
BMI Broadband Management Interface
BMP Broadband Management Protocol. A communication protocol which is used between Tellabs 8600 network elements and Tellabs 8000 network manager.
CCN Configuration Change Notification
CLI Command Line Interface
DiffServ Differentiated Services
DSA Digital Signature Algorithm
FTP File Transfer Protocol
IP Internet Protocol
MIB Management Information Base (SNMP)
MPLS Multiprotocol Label Switching
NAS Network Access Server
NE Network Element
NTP Network Time Protocol
OCNM Online Core Network Monitoring
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service. Commonly used to provide centralized authentication, authorization, and accounting functionalities.
RFC Request for Comments
RSA Rivest, Shamir, Adleman. An algorithm for public-key cryptography.
SFTP SSH File Transfer Protocol. Also Secure File Transfer Program.
SHA1 Secure Hash Algorithm
SNMP Simple Network Management Protocol
SSH Secure Shell
TCP Transmission Control Protocol
UDP User Datagram Protocol
Unit In CLI refers to a card.
Table of Contents
About This Manual ..... 7
  Objectives ..... 7
  Audience ..... 7
  Related Documentation ..... 7
  Interface Numbering Conventions ..... 8
  Document Conventions ..... 8
  Documentation Feedback ..... 8
1 Management Communications ..... 9
  1.1 Security Considerations ..... 9
  1.2 Classifying Management Traffic with DiffServ ..... 10
  1.3 Outband Management and Management VRFs ..... 10
  1.4 Management Traffic Configuration Examples ..... 11
2 TELNET ..... 14
  2.1 Overview ..... 14
3 CLI ..... 15
  3.1 Overview ..... 15
  3.2 CLI Configuration Examples ..... 16
4 BMP ..... 17
  4.1 Overview ..... 17
  4.2 BMP Configuration Examples ..... 18
5 FTP ..... 20
  5.1 Overview ..... 20
  5.2 FTP Configuration Examples ..... 20
6 SNMP ..... 23
  6.1 Overview ..... 23
    6.1.1 References ..... 24
  6.2 SNMP Configuration Examples ..... 25
7 RADIUS ..... 27
  7.1 Overview ..... 27
    7.1.1 References ..... 28
  7.2 RADIUS Configuration Examples ..... 28
  7.3 RADIUS Server Configuration ..... 30
8 SSH ..... 31
  8.1 Overview ..... 31
  8.2 SSH Configuration Examples ..... 31
About This Manual
This chapter discusses the objectives and intended audience of this manual, Tellabs® 8600 Managed Edge System Management Communications Configuration Guide, and consists of the following sections:
• Objectives
• Audience
• Related Documentation
• Interface Numbering Conventions
• Document Conventions
• Documentation Feedback
Objectives
This manual provides an overview of the Tellabs 8600 managed edge system management communication functions and instructions on how to configure them with a command-line interface (CLI) using a router’s console or remote terminal (TELNET).
Audience
This manual is designed for administration personnel for configuring Tellabs 8600 managed edge system functions with CLI. On the other hand, Tellabs 8000 network manager provides access to equal functionality for administration personnel with a graphical user interface.
It is assumed that you have a basic understanding of BMP, CLI, FTP, SNMP, RADIUS and SSH protocols.
Related Documentation (1)
Tellabs® 8600 Managed Edge System CLI Commands Manual (50117_XX): Provides commands available to configure, monitor and maintain Tellabs 8600 managed edge system products with CLI.
Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide (50122_XX): Provides an overview of the Tellabs 8600 managed edge system IP forwarding and traffic management and instructions on how to configure them with CLI.
(1) To make sure the references point to the latest available document versions, please refer to the Tellabs® 8600 Document Set Description that can be found in Tellabs Portal www.portal.tellabs.com by navigating to Product Documentation -> Data Networking -> Tellabs 8600 Managed Edge System -> Technical Documentation -> Document Set Description.
Interface Numbering Conventions
To be able to follow more easily the feature descriptions and configuration examples given in this document, see also the Tellabs 8600 system interface numbering and related figures described in Tellabs® 8600 Managed Edge System CLI Commands Manual.
Document Conventions
This is a note symbol. It emphasizes or supplements information in the document.
This is a caution symbol. It indicates that damage to equipment is possible if the instructions are not followed.
This is a warning symbol. It indicates that bodily injury is possible if the instructions are not followed.
Documentation Feedback
Please contact us to suggest improvements or to report errors in our documentation:
Email: [email protected]
Fax: +358.9.4131.2430
1 Management Communications
The Tellabs 8600 system products can be reached for management and configuration purposes via TELNET, CLI, BMP, FTP, SNMP, RADIUS and SSH protocols.
1.1 Security Considerations
Always choose complex passwords, encryption keys and SNMP community strings.
Keep unused protocols in disabled state (default).
When possible, use SSH/SFTP instead of TELNET/FTP. See chapter 2 TELNET.
Authentication and encryption for the BMP protocol are strongly recommended, and so the user should configure both of them (as BMP is by default unauthenticated, unlike other protocols). See chapter 4 BMP.
Public key authentication for SSH/SFTP should be preferred over password authentication. See chapter 8 SSH.
1.2 Classifying Management Traffic with DiffServ
Often, management communication travels inband over the network, that is, the management packets and user-plane traffic share the same bandwidth. Inside the final destination, even outband management shares the same bandwidth with the inband traffic. In those cases it is possible that congestion in the user-plane traffic disturbs the management traffic. Even worse, an adversary may attempt to launch a denial-of-service attack on the user plane to block network management. If the network is such that this kind of blocking is possible, it is strongly recommended that all management traffic, or at least the critical parts of it, is given a higher priority than ordinary traffic. This can be achieved with Differentiated Services (DiffServ). See Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide.
A good choice is to classify important management traffic to the CS7 class as this class cannot be blocked by user-plane traffic. On the other hand, the total volume of management communication should then be controlled so that it cannot block the routing and signalling protocols, which also use the CS7 class.
Also access control lists (ACLs) should be used to classify management traffic with high priority as follows (see CLI examples below):
• At the first NE where management traffic enters the network, the interface ACLs should classify the critical management traffic with high priority, to secure traffic from management to the NEs.
• At every NE, either one or both of the following methods is used to secure traffic from NE to management. If both are used, ACL replaces the other classification.
  • The CLI command ’mgmt-traffic qos’ (BMP attribute mifTrafficQos) configures basic QoS for outgoing traffic. Note that the default value is CS7 if the user does not specifically request something else. This QoS is used in CLI, BMP (including CCN), SNMP and syslog packets.
  • IP host access lists can classify critical management traffic with high priority.
Some low-cost products do not support host ACLs, at least not in all releases. In such products, the attribute mifTrafficQos value is used for locally originated outgoing management traffic. Similarly, some low-cost products do not support interface ACLs, and such products should not be used as the first NE where management traffic enters the network, unless it is obvious that the incoming management traffic needs no special DiffServ classification.
1.3 Outband Management and Management VRFs
In many cases, outband network management is recommended. Separate outband management channels are usually well protected against unauthorized access, and they are also independent of congestion among the normal user-plane traffic. Some cards or NEs, such as CDC and Tellabs 8620 access switch, have a special management port (Ethernet) for outband management use, but any IP port in any Tellabs 8600 NE can be used for management access.
With outband management, security against unauthorized access can be enhanced by using a special management VRF. A separate management VRF should be created and associated with the management port. In this way the IP address space of network management is completely separated from any IP addresses seen in the user plane.
Note that even outband management can suffer from user-plane congestion inside the target NE, and in such cases DiffServ configuration should be used, as explained in chapter 1.2 Classifying Management Traffic with DiffServ.
1.4 Management Traffic Configuration Examples
Example 1 is for the attribute mifTrafficQos configuration.
Command Description
router(config)# mgm-traffic qos ef    Set value EF to management traffic basic QoS.
router(config-acl)# no mgm-traffic qos ef    Set the default value CS7.
Fig. 1 Management Traffic Configuration
Example 2. Assume that the management server possibly uses many IP addresses and the management traffic enters the network through interface fe 5/0/1 in one NE. In that NE, the following configuration classifies certain critical IP traffic from interface fe 5/0/1 to the CS7 class; other traffic is permitted as such (it is probably in BE class).
Command Description
router(config)# ip access-list critical_from_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any eq 56566 any action qos cs7
router(config-acl)# permit udp any any range 56564 56565 action qos cs7
router(config-acl)# permit udp any any eq 161 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any any eq 56501 action qos cs7
router(config-acl)# permit tcp any eq 50000 any action qos cs7
router(config-acl)# permit tcp any any eq 56565 action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# interface fe 5/0/1
router(cfg-if[fe 5/0/1])# ip access-group critical_from_mgmt_cs7 in
router(cfg-if[fe 5/0/1])# exit
Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. In this example, the important protocols are: TELNET, BMP (ports 56564..56566), SNMP (port 161), SSH (port 22), FTP (ports 21 and 20), NTP (port 123) and OCNM (assuming port 56501, see command ospf ocnm-listener). The BBMS CCN server source TCP port is 50000. The destination TCP port of the BMP Agent is 56565.
Example 3. The following host ACL classifies all important traffic to the CS7 class; other traffic keeps its default class.
Command Description
router(config)# ip access-list critical_to_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any any eq 56566 action qos cs7
router(config-acl)# permit udp any range 56564 56565 any action qos cs7
router(config-acl)# permit udp any eq 161 any action qos cs7
router(config-acl)# permit udp any any eq 162 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any eq 56501 any action qos cs7
router(config-acl)# permit tcp any any eq 50000 action qos cs7
router(config-acl)# permit tcp any eq 56565 any action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# ip host-access-group critical_to_mgmt_cs7 out
Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. In this example the important protocols are naturally the same as in the management connection (the previous example), but the order of the source and destination ports is reversed and perhaps port numbers changed. Additionally, SNMP traps (port 162) and the CCN protocol are added, assuming that the CCN destination port is 50000 (see command bmp-server ccn destination). The last TCP rule sets the QoS of the TCP BMP traffic; the source TCP port of the BMP Agent is 56565.
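As an added illustration, not part of the Tellabs guide, the following Python script models the `permit <proto> <src> [eq P | range A B] <dst> [eq P | range A B] action qos <class>` rule form used in Examples 2 and 3. It parses such rules, tells which QoS class a given packet would receive, and checks that every protocol the description of Example 2 calls critical is classified to CS7 in at least one direction. The rule text is a constructed subset of Example 2 that deliberately leaves out the four FTP lines, so the check reports ports 20 and 21. The port-name table, the `be` label for the default class and the matching semantics (first matching permit wins, address fields not evaluated) are this example's own assumptions, not statements from the manual.

```python
"""Model of the CS7 classification ACLs from section 1.4 (added example, not Tellabs code).

Parses the `permit <proto> <src> [eq P | range A B] <dst> [eq P | range A B]
[action qos <class>]` line form of Examples 2 and 3, answers which QoS class a
packet would get, and lists critical ports that never reach CS7.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule text: a subset of the inbound list from Example 2 with the
# four FTP lines (ports 20 and 21) deliberately left out so the check finds them.
EXAMPLE2_RULES = """
permit tcp any eq telnet any action qos cs7
permit tcp any any eq telnet action qos cs7
permit udp any eq 56566 any action qos cs7
permit udp any any range 56564 56565 action qos cs7
permit udp any any eq 161 action qos cs7
permit tcp any eq 22 any action qos cs7
permit tcp any any eq 22 action qos cs7
permit udp any eq 123 any action qos cs7
permit udp any any eq 123 action qos cs7
permit tcp any any eq 56501 action qos cs7
permit tcp any eq 50000 any action qos cs7
permit tcp any any eq 56565 action qos cs7
permit ip any any
"""

# Assumption: names accepted in place of port numbers (only 'telnet' appears above).
WELL_KNOWN_PORTS = {"telnet": 23, "ftp": 21, "ssh": 22, "snmp": 161}
DEFAULT_CLASS = "be"  # assumption: a permit without 'action qos' leaves the default class

# (proto, port) pairs that the description of Example 2 names as critical.
CRITICAL = [("tcp", 23), ("udp", 56564), ("udp", 56565), ("udp", 56566),
            ("udp", 161), ("tcp", 22), ("tcp", 21), ("tcp", 20), ("udp", 123),
            ("tcp", 56501), ("tcp", 50000), ("tcp", 56565)]

PortRange = Optional[Tuple[int, int]]  # None means any port


@dataclass
class Rule:
    proto: str          # tcp, udp or ip
    src_ports: PortRange
    dst_ports: PortRange
    qos: Optional[str]  # class from 'action qos', or None


def _port(token: str) -> int:
    return WELL_KNOWN_PORTS[token] if token in WELL_KNOWN_PORTS else int(token)


def _ports(tokens: List[str], i: int) -> Tuple[PortRange, int]:
    """Consume an optional 'eq P' or 'range A B' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "permit":
        raise ValueError(f"only permit rules are modelled: {line}")
    i = 2
    # Address fields are 'any' or 'host A.B.C.D'; this model matches on ports only.
    i += 2 if t[i] == "host" else 1
    src, i = _ports(t, i)
    i += 2 if t[i] == "host" else 1
    dst, i = _ports(t, i)
    qos = t[i + 2] if t[i:i + 2] == ["action", "qos"] else None
    return Rule(t[1], src, dst, qos)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def _in(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def classify(rules: List[Rule], proto: str, sport: int, dport: int) -> Optional[str]:
    """QoS class assigned by the first matching permit; None if nothing permits the packet."""
    for r in rules:
        if r.proto in (proto, "ip") and _in(r.src_ports, sport) and _in(r.dst_ports, dport):
            return r.qos or DEFAULT_CLASS
    return None


def not_cs7(rules: List[Rule], critical=CRITICAL) -> List[Tuple[str, int]]:
    """Critical (proto, port) pairs that reach CS7 in neither direction."""
    ephemeral = 40000  # constructed client-side port that matches no 'eq' clause
    return [(proto, port) for proto, port in critical
            if classify(rules, proto, ephemeral, port) != "cs7"
            and classify(rules, proto, port, ephemeral) != "cs7"]


if __name__ == "__main__":
    acl = parse_acl(EXAMPLE2_RULES)
    print("SSH to NE       :", classify(acl, "tcp", 40000, 22))
    print("HTTP to NE      :", classify(acl, "tcp", 40000, 80))
    print("missing from CS7:", not_cs7(acl))
```

Running the script against the constructed list reports `[('tcp', 21), ('tcp', 20)]`, which is exactly the gap an operator would want to catch before relying on the ACL to protect management reachability during user-plane congestion.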
2 TELNET
2.1 Overview
TELNET is a TCP/IP standard protocol for remote terminal service. A TELNET user can send commands and receive replies with the illusion of working at the remote site. A TELNET client establishes a TCP connection to a remote TELNET server using an IP address and a TCP port as destination parameters.
The Tellabs 8600 TELNET server provides the TELNET server functionality for the Tellabs 8600 network elements (NE) according to the standard TELNET protocol. The TELNET server is used to establish a remote terminal session to a CLI Agent residing in the Tellabs 8600 NEs. The Tellabs 8600 TELNET server provides multiple parallel sessions.
In the Tellabs 8600 system, SSH is recommended as a replacement for TELNET as TELNET is inherently non-secure (e.g. against password eavesdropping).
3 CLI
3.1 Overview
Command Line Interface (CLI) provides an ASCII command line management interface for the Tellabs 8600 NEs. Via CLI the user can send configuration commands to change and display the current configuration of the NE. The user can contact the CLI Agent residing in the NE via a TELNET connection or serial port cable connection. The TELNET connection is disabled by default, and should be enabled before it can be used.
Fig. 2 Two Users Have CLI Sessions in Tellabs 8600 NE
When the Tellabs 8600 NE is started up for the first time, the user can connect to the CLI Agent using the serial port cable connection between the user’s PC and the Tellabs 8600 NE. Now the first configuration commands can be sent to the NE. The first command might be setting an IP address of some interface of the NE to make the NE reachable via a TCP/IP connection. Via the TCP/IP connection the NE can be reached by Tellabs 8000 network manager.
For the list of available CLI configuration commands, see Tellabs® 8600 Managed Edge System CLI Commands Manual.
The CLI Agent sends terminal monitor messages to notify the users when local conditions undergo significant changes. By default, displaying of the terminal monitor messages whose emergency level is lower than warning is disabled.
3.2 CLI Configuration Examples
The following CLI commands are needed to make the Tellabs 8600 NE reachable via the TCP/IP connection.
Command Description
*********************************
* Tellabs 86XX Network Element *
* Copyright (c) 2004 Tellabs. All rights reserved. *
*********************************
Press key ? for help.
user name: superuser
password: ********
Enter configuration commands, one per line. End with ^Z
Login to Tellabs 8600 CLI Agent.
router> enable    Enter the Privileged Execution command mode.
router# configure terminal    Enter the Configure command mode.
router# cli-server telnet enable    Enable the TELNET server for CLI management.
router(config)# interface mfe 0    Change the mode to configure the specific interface.
router(config-if)# no shutdown    Enable the selected interface.
router(config-if)# ip address 172.19.101.14/24    Set the IP address.
router(config-if)# exit    Change back to the Configure command mode.
router(config)# hostname ?
<string:len[1–32]>  New name of the host
Help for the command hostname.
router(config)# hostname hugo1    Change the hostname (the example CLI commands from now on are not needed to configure the TCP/IP connection).
hugo1(config)# exit    Change back to the Privileged Execution command mode.
hugo1# no terminal monitor    Disable terminal monitor messages sending. By default messages whose severity is ’warning’ or higher are shown.
hugo1# terminal monitor severity error    Enable terminal monitor messages sending. Messages whose severity is ’error’ or higher are shown.
4 BMP
4.1 Overview
Broadband Management Protocol (BMP) is a Tellabs proprietary object-based management protocol between Tellabs 8000 network manager and a Tellabs 8600 NE. The NE can be managed via the BMP format management commands coming from Tellabs 8000 network manager. A BMP Agent resides in the Tellabs 8600 NE.
BMP communication between Tellabs 8000 network manager and the BMP Agent is primarily done over the TCP/IP connection, if the NE supports it, or alternatively using the UDP/IP protocol. The BMP Agent receives the incoming BMP commands, launches the BMP command execution process, and finally constructs the reply and sends it back to Tellabs 8000 network manager.
The selection between the TCP/IP and UDP/IP communication is invisible to the user. It is implemented in Tellabs 8000 network manager so that it always first tries communication using TCP/IP and, if the NE does not support it, the communication is done via UDP/IP.
Tellabs 8000 network manager can permit or deny other managers’ access to the BMP Agent using IP access list configurations.
The BMP Agent generates BMP notifications when the NE conditions undergo significant changes. Notifications are sent to the Communication servers of those Tellabs 8000 network managers which are registered to receive BMP notifications.
The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can be enabled to use SHA1 authentication. In that case both Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly to use the authentication. If only one of them is using authentication or the keys differ, traffic will not be possible because the other party rejects the messages.
The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can also be enabled to use SHA1 authentication and AES-256 encryption. Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly. If both are not configured to use the authentication and the encryption, or the keys used are not valid, the other party rejects the messages.
Authentication and encryption for the BMP protocol are strongly recommended, and so the user should configure both of them (as BMP is by default unauthenticated, unlike other protocols).
For security reasons the first authentication and encryption key(s) should be created in the NE using CLI over SSH or alternatively using a CLI connection through the serial port during NE installation. Later on, when transmission is used in encrypted mode, new key(s) can be created using BMP communication from Tellabs 8000 network manager.
4.2 BMP Configuration Examples
The following CLI commands are needed to configure the BMP Agent shown in the figure below.
Fig. 3 Tellabs 8000 Network Manager Uses IP Addresses to Connect to Tellabs 8600 NEs over TCP/IP or UDP/IP
Command Description
router(config)# bmp-server enable    Enable BMP Agent.
router(config)# ip access-list bmpAccList    Create an IP access list for access rights purposes.
router(config-acl)# permit udp host 172.19.12.102 any    This IP access list permits all UDP/IP messages coming from host 172.19.12.102.
router(config-acl)# exit    Change back to the Configure command mode.
router(config)# bmp-server access-group bmpAccList    Limit the BMP Agent access rights with the IP access list bmpAccList. The access list permits the BMP Agent to receive only those BMP messages coming from host 172.19.12.102.
router(config)# bmp-server notifications destination 172.19.12.102    Register the manager with IP address 172.19.12.102 to receive BMP notifications.
router(config)# bmp-server notifications disable    Disable BMP notifications sending. Use this command in case BMP notifications are no longer wanted.
The following CLI commands are needed to configure the recommended BMI SHA-1 authentication configuration.
Command Description
router(config)# bmp-server authentication-key 1 sha1 abcdefg123456
router(config)# bmp-server trusted-key 1
router(config)# bmp-server authenticate command
Enable BMI SHA-1 authentication.
router(config)# no bmp-server authenticate command
router(config)# no bmp-server trusted-key 1
router(config)# no bmp-server authentication-key 1 sha1 abcdefg123456
Disable BMI SHA-1 authentication.
The following CLI commands are needed to configure the SHA-1 authentication and AES encryption.
Command Description
router(config)# bmp-server encryption-key 1 aes256 ivec xxxx key yyyy
router(config)# bmp-server encryption-trusted-key 1
router(config)# bmp-server encrypt command
Enable the SHA-1 authentication and AES encryption.
router(config)# no bmp-server encrypt command
router(config)# no bmp-server encryption-trusted-key 1
router(config)# no bmp-server encryption-key 1 aes256 ivec xxxx key yyyy
Disable the SHA-1 authentication and AES encryption.
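The checklist in chapter 1.1 and the BMP commands in this chapter can be turned into an automated check of a saved CLI configuration. The following Python script is an added example, not Tellabs code: it applies a configuration snapshot top to bottom (a `no ...` line cancels the matching earlier command) and reports the conditions the guide warns about: TELNET or FTP left enabled, and a BMP Agent running without an access list, without `bmp-server authenticate command`, or without `bmp-server encrypt command`. The snapshot is constructed from the command forms shown in chapters 3.2, 4.2 and 5.2; the 16-character minimum for the SHA-1 key, the finding identifiers and the severities are this example's own assumptions, since the guide only says to choose complex keys.

```python
"""Audit a Tellabs 8600 CLI configuration snapshot against the chapter 1.1 checklist
(added example, not Tellabs code)."""
import re
from typing import Dict, List

# Constructed snapshot using command forms from chapters 3.2, 4.2 and 5.2:
# BMP is enabled, access-listed and SHA-1 authenticated but not encrypted,
# and the TELNET and FTP servers are left enabled.
SNAPSHOT = """
hostname hugo1
cli-server telnet enable
ftp-server enable
bmp-server enable
bmp-server access-group bmpAccList
bmp-server authentication-key 1 sha1 abcdefg123456
bmp-server trusted-key 1
bmp-server authenticate command
"""

MIN_KEY_LEN = 16  # assumption: local policy for a "complex" BMP key; the guide sets no number


def effective_commands(snapshot: str) -> List[str]:
    """Apply the snapshot top to bottom; a 'no <cmd>' line cancels an earlier '<cmd>'."""
    active: List[str] = []
    for raw in snapshot.splitlines():
        line = " ".join(raw.split())  # collapse whitespace
        if not line or line.startswith("!"):
            continue
        if line.startswith("no "):
            active = [c for c in active if c != line[3:]]
        else:
            active.append(line)
    return active


def _has(active: List[str], prefix: str) -> bool:
    """True if some active command equals prefix or continues it with further words."""
    return any(c == prefix or c.startswith(prefix + " ") for c in active)


def audit(snapshot: str) -> List[Dict[str, str]]:
    """Return one finding per chapter 1.1 recommendation the snapshot does not follow."""
    active = effective_commands(snapshot)
    findings: List[Dict[str, str]] = []

    def add(fid: str, severity: str, message: str) -> None:
        findings.append({"id": fid, "severity": severity, "message": message})

    if _has(active, "cli-server telnet enable"):
        add("TELNET_ENABLED", "medium",
            "TELNET server is enabled; the guide recommends SSH instead (chapter 2).")
    if _has(active, "ftp-server enable"):
        add("FTP_ENABLED", "medium",
            "FTP server is enabled; the guide recommends SFTP instead (chapter 1.1).")
    if _has(active, "bmp-server enable"):
        if not _has(active, "bmp-server access-group"):
            add("BMP_NO_ACL", "medium",
                "BMP Agent is not bound to an IP access list (chapter 4.2).")
        if not _has(active, "bmp-server authenticate command"):
            add("BMP_NO_AUTH", "high",
                "BMP is unauthenticated by default; enable SHA-1 authentication (chapter 4).")
        if not _has(active, "bmp-server encrypt command"):
            add("BMP_NO_ENCRYPT", "high",
                "BMP commands are not encrypted; enable AES-256 encryption (chapter 4).")
        for cmd in active:
            m = re.fullmatch(r"bmp-server authentication-key \d+ sha1 (\S+)", cmd)
            if m and len(m.group(1)) < MIN_KEY_LEN:
                add("BMP_WEAK_KEY", "medium",
                    f"BMP authentication key shorter than {MIN_KEY_LEN} characters (chapter 1.1).")
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"[{f['severity']}] {f['id']}: {f['message']}")
```

On the constructed snapshot the audit reports TELNET and FTP enabled, BMP without encryption, and the short example key; appending the encryption commands from this chapter and `no cli-server telnet enable` / `no ftp-server enable` clears everything except the key-length finding.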
5 FTP
5.1 Overview
File Transfer Protocol (FTP) is a TCP/IP standard protocol. It is used to transfer files from one machine to another. Tellabs 8600 FTP server provides FTP server functionality for Tellabs 8600 NEs according to the standard FTP protocol. Tellabs 8600 FTP server is used for delivering Tellabs 8600 application software files to NE cards for software upgrading purposes. The FTP server is also used for sending CLI config snapshot files to the NE.
Fig. 4 User Establishes TCP Connection to Tellabs 8600 NE and Sends Files to Flash Memory of NE via FTP
The user sends files from his/her PC to the flash memory of the card via FTP. First the user starts an FTP client session on his/her PC and connects it to the FTP server in the Tellabs 8600 NE using the IP address of the NE. Once the NE is reached, FTP can be used for accessing any file and directory in the NE. The FTP server must be enabled before use.
5.2 FTP Configuration Examples
The following CLI command is needed to enable FTP server.
Command Description
router(config)# ftp-server enable    Enable the FTP server.
The following FTP commands are needed to transfer an application software file to the card in slot 9 in Tellabs 8600 NE. See the figure above.
Command Description
C:\temp> ftp 172.19.101.10    Start the FTP connection to the remote host with IP address 172.19.101.10.
Connected to 172.19.101.10.    FTP connection succeeded.
*********************************
* Tellabs 86XX Network Element *
* Copyright (c) 2004 Tellabs. All rights reserved. *
*********************************
220 FTP server running on unit in slot 14.
Tellabs 8600 accessed.
User (172.19.101.10:(none)): superuser    Type username.
331 User name ok
Password: *********    Type password.
230 User superuser logged in
ftp> cd flash\appl-sw\slot9    Change the current directory to the application software directory.
250 Directory change succeeded
ftp> dir    Display files and subdirectories in the current directory.
200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1920485 Dec 1 12:00 bbip_gmz2711_1.1
-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5
226 File transferred
ftp: 258 bytes received in 0,00Seconds 258000,00Kbytes/sec.
ftp> del bbip_gmz2711_1.1    Delete a file.
200 Command ok
200 Command ok
ftp> bin    Change to binary mode. This is needed for file checksum calculations.
200 Command ok
50125_04 Tellabs® 8600 Managed Edge System© 2009 Tellabs. Management Communications Configuration Guide
21
5 FTP
ftp> put c:\newfiles\bbip_gmz2711_1.6 Move a new file to the remote host.
200 Command ok
150 File status ok
226 File transferred
ftp: 1909887 bytes sent in 11,60Sec-onds 164,70Kbytes/sec.
ftp> dir Display files and subdirectories in the currentdirectory.
200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1921265 Dec 112:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 112:00 bbip_gmz2711_1.5
-rwxrwxrwx 1 user group 1909887 Dec 112:00 bbip_gmz2711_1.6
226 File transferred
ftp: 342 bytes received in 0,01Seconds34,20Kbytes/sec.
ftp> bye Disconnect the FTP session.
200 Command ok
200 Command ok C:\temp>
6 SNMP
6.1 Overview
The Tellabs 8600 SNMP (Simple Network Management Protocol) Agent provides management agent functionality for Tellabs 8600 NEs according to the standard SNMP protocol. In general, an SNMP Agent is an entity in a network element that collects network management related statistics, responds to commands from SNMP managers, and sends spontaneous messages (traps) to the managers when local conditions undergo significant changes. SNMP runs over UDP/IP.

The Tellabs 8600 system supports the SNMP MIB-II group variables and traps listed in chapter 6.1.1 References.

The Tellabs 8600 SNMP Agent supports the SNMP requests GET and GET-NEXT for SNMPv1 and SNMPv2c (community-based SNMPv2, configured as version 2c below), and GET-BULK for SNMPv2c. It generates SNMPv1 and SNMPv2c traps. Both versions carry the community name in clear text in every message, so the source-address access list described below is the effective access control, not the community name by itself.

The SNMP authentication element, the community name, is checked in every SNMP request message that arrives at the Tellabs 8600 NE. If the community name is not registered in the SNMP Agent configuration, the request is dropped and an authenticationFailure trap is generated. There are also other ways to limit the access rights of a community name carried in an SNMP request entering the Tellabs 8600 NE:

• Access rights to some SNMP mib groups can be denied. By default, all mib groups are accessible.

• Only SNMP requests arriving from specific source addresses are accepted; other requests are dropped. In this case an IP access list is attached to the community name. The access list specifies the allowed source addresses.

When a trap is generated in the Tellabs 8600 NE, the trap message is sent to those SNMP managers which are registered for trap receiving. The registration specifies the IP address of the manager, the allowed SNMP trap version and the community name. The community name is added to the trap message for authentication in the receiving SNMP manager. Only traps of the specified version are sent to the registered manager. Trap types can also be filtered. The filter specifies the enabled traps: the user can enable all possible traps, all traps of specific mib group(s), or just individual trap(s).
6.1.1 References
RFC1213 (1991-03), Management Information Base for Network Management of TCP/IP-based Internets: MIB-II

RFC1657 (1994-07), Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2

RFC1850 (1995-11), OSPF Version 2 Management Information Base

RFC1907 (1996-01), Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)

RFC2011 (1996-11), SNMPv2 Management Information Base for the Internet Protocol using SMIv2

RFC2012 (1996-11), SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2

RFC2013 (1996-11), SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2

RFC2096 (1997-01), IP Forwarding Table MIB

RFC2863 (2000-06), The Interfaces Group MIB (IF-MIB)
6.2 SNMP Configuration Examples
The following CLI commands are needed to configure the SNMP Agent shown in the figure below.

Fig. 5 SNMP Manager Sends Requests to SNMP Agent of Tellabs 8600 NE
router(config)# snmp-server enable
    Enable SNMP requests and traps.
router(config)# ip access-list snmpAccList
    Create an IP access list used to restrict access.
router(config-acl)# permit udp host 172.19.12.105 any
    The access list allows UDP messages coming from host 172.19.12.105.
router(config-acl)# exit
    Change back to the Configure command mode.
router(config)# snmp-server community hugo mib system snmp access-group snmpAccList
    Register community name hugo to allow SNMP requests for variables of the mib groups system and snmp. Only requests from sources permitted in access list snmpAccList are accepted.
router(config)# snmp-server traps host 172.19.12.105 version 1 community hugoV1
    Register an SNMP manager with IP address 172.19.12.105 to receive traps from the Tellabs 8600 SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV1. Only SNMPv1 traps are sent to the manager.
router(config)# snmp-server traps host 172.19.12.105 version 2c community hugoV2
    Register the same SNMP manager, IP address 172.19.12.105, to receive traps from the Tellabs 8600 SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV2. Only SNMPv2c traps are sent to the manager.
router(config)# snmp-server traps mib snmp authenticationFailure
    Enable the snmp mib group trap authenticationFailure.
router(config)# snmp-server traps mib snmp
    Now all snmp mib group traps are enabled.
router(config)# snmp-server traps mib all
    Now traps of all mib groups are enabled.
router(config)# no snmp-server traps mib snmp authenticationFailure
    Now traps of all mib groups are enabled except the authenticationFailure trap.
router(config)# no snmp-server traps mib all
    All traps are disabled.
router(config)# snmp-server traps source lo1
    Set the trap source attribute to interface lo1. This value is used as the agent address in SNMPv1 Trap messages.
router(config)# snmp-server location Oak street 7, Laboratory 2nd floor
    Set the system mib group variable sysLocation.
router(config)# snmp-server contact Joe J. Jones, assistant
    Set the system mib group variable sysContact.
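The admission logic of chapter 6.1 applied to the configuration above, as an added example (Python; not the NE's own implementation). The Agent class, the MIB_GROUPS table, the constructed packets and the source addresses are assumptions for the example. A minimal BER codec builds real SNMPv1/v2c GET messages and parses them back; the agent then applies, in order, the community-name check with its authenticationFailure trap, the source-address access list and the per-community mib-group restriction, and refuses GET-BULK from an SNMPv1 sender.

```python
# Added example: SNMP v1/v2c request admission as described in chapter 6.1.
import ipaddress

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_BULK_REQUEST = 0xA0, 0xA1, 0xA5
SNMP_V1, SNMP_V2C = 0, 1
# Constructed subset of MIB-II group prefixes used by the "mib" keyword.
MIB_GROUPS = {"system": "1.3.6.1.2.1.1", "interfaces": "1.3.6.1.2.1.2", "snmp": "1.3.6.1.2.1.11"}


def tlv(tag, value):
    """BER element with short (< 128) or two-byte long-form length."""
    length = bytes([len(value)]) if len(value) < 128 else b"\x82" + len(value).to_bytes(2, "big")
    return bytes([tag]) + length + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:                                  # base-128, continuation bit on all but last byte
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos=0):
    """Return (tag, value, position after the element); raises on truncated input."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:pos + length], pos + length


def build_get(version, community, oid, pdu_tag=GET_REQUEST, request_id=1):
    """Message ::= SEQUENCE { version, community, PDU { id, status, index, varbinds } }."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + tlv(NULL, b"")))
    pdu = tlv(pdu_tag, tlv(INTEGER, bytes([request_id])) + tlv(INTEGER, b"\x00") * 2 + varbinds)
    return tlv(SEQUENCE, tlv(INTEGER, bytes([version])) + tlv(OCTET_STRING, community.encode()) + pdu)


def parse_message(packet):
    """Return (version, community, pdu tag, first OID) or raise ValueError."""
    tag, body, _ = read_tlv(packet)
    vtag, vraw, pos = read_tlv(body)
    ctag, craw, pos = read_tlv(body, pos)
    ptag, praw, _ = read_tlv(body, pos)
    if (tag, vtag, ctag) != (SEQUENCE, INTEGER, OCTET_STRING):
        raise ValueError("not an SNMP v1/v2c message")
    if ptag not in (GET_REQUEST, GET_NEXT_REQUEST, GET_BULK_REQUEST):
        raise ValueError("unsupported PDU type")
    pos = 0
    for _ in range(3):                              # request-id, error-status, error-index
        _, _, pos = read_tlv(praw, pos)
    _, varbinds, _ = read_tlv(praw, pos)
    _, first, _ = read_tlv(varbinds)
    _, oid_raw, _ = read_tlv(first)
    return int.from_bytes(vraw, "big"), craw.decode("ascii", "replace"), ptag, decode_oid(oid_raw)


class Agent:
    """Constructed model of the agent's admission checks (not Tellabs code)."""

    def __init__(self):
        self.communities, self.traps = {}, []

    def community(self, name, mib=None, access_group=None):
        """snmp-server community <name> [mib <groups>] [access-group <acl>]"""
        acl = [ipaddress.ip_network(a) for a in (access_group or [])]
        self.communities[name] = (set(mib) if mib else None, acl or None)

    def admit(self, packet, source):
        try:
            version, community, ptag, oid = parse_message(packet)
        except (ValueError, IndexError):
            return "dropped: malformed"
        if version not in (SNMP_V1, SNMP_V2C):
            return "dropped: unsupported version"
        if version == SNMP_V1 and ptag == GET_BULK_REQUEST:
            return "dropped: GET-BULK is SNMPv2c only"
        if community not in self.communities:
            self.traps.append("authenticationFailure")   # delivered to registered managers if enabled
            return "dropped: unknown community"
        groups, acl = self.communities[community]
        if acl is not None and not any(ipaddress.ip_address(source) in net for net in acl):
            return "dropped: source not in access list"
        if groups is not None and not any(oid.startswith(MIB_GROUPS[g] + ".") for g in groups):
            return "dropped: mib group not allowed for this community"
        return f"accepted: {oid}"
```

The order of the checks matters for what a scanner learns: an unknown community is dropped, and the authenticationFailure trap raised, before the source list is consulted, so random community names from anywhere show up as traps, while a valid community from an unlisted source is dropped silently.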
7 RADIUS
7.1 Overview
RADIUS is a widely used AAA (Authentication, Authorization, Accounting) protocol. The Tellabs 8600 system supports RADIUS for administrator authentication in CLI and FTP sessions; the implementation is based on [RFC2865]. The motive for using RADIUS is that with a large number of network elements it quickly becomes tedious to maintain and update the user databases in the NEs. RADIUS solves the problem by moving the user database and the authentication decision away from the NEs to one or more centralized servers. Adding a new administrator, for example, is simply a matter of reconfiguring the RADIUS server(s) instead of adding a new account to each NE individually.

The RADIUS protocol runs on top of UDP. Authentication is initiated by the client (here the NE) with an Access-Request packet that contains the username and password of the user logging in. The server responds with an Access-Accept or Access-Reject packet. As its security mechanism, RADIUS employs a shared secret that is configured on both the client and the server but is never transmitted on the network during RADIUS authentication. The shared secret is used to hide the user-provided password (the password is XORed with an MD5-derived keystream, RFC 2865 section 5.2) and, through the Response Authenticator, to verify that the authentication response really comes from the server. This MD5-based protection is weak by today's standards: all other attributes travel in clear text and a captured exchange allows offline guessing of the secret, so RADIUS traffic should stay on a protected management network and the secret should be long and random.

The Tellabs 8600 RADIUS client supports a concept of AAA contexts. A context consists of a list of one or more RADIUS authentication servers and a setting that says whether the context uses the local (NE) user database as the primary or the secondary source of authentication. The context can then be bound to any of the four services needing login (local CLI, Telnet, SSH and FTP). There is always a default context which, unless otherwise configured, uses the local user database for authentication.

One or more RADIUS servers can be configured for a context. In addition, each can have an associated priority value that specifies the preference for accessing the servers. In a typical configuration there is a primary RADIUS server and a secondary server that backs up the primary.
Fig. 6
7.1.1 References
[RFC2865] RFC2865 (06/2000), Remote Authentication Dial In User Service (RADIUS)
7.2 RADIUS Configuration Examples
The following example shows how to produce a simple RADIUS configuration from scratch with the following parameters:

• A single RADIUS server exists (IP address 193.64.170.160).

• The local (NE) user database is used as fallback if the RADIUS server is not reached after three retries. There is a five-second delay between the retries.

• RADIUS is used for all services needing login.
The first step is to configure the RADIUS server.
router(config)# aaa radius authentication-server MyServer
    Adds a new RADIUS authentication server named MyServer and enters server configuration mode.
router(cfg-radius-auth[MyServer])# server-address 193.64.170.160
    Configures the server's IP address.
router(cfg-radius-auth[MyServer])# shared-secret text MyPassword
    Configures the shared secret as a text-format password. An arbitrary binary-format secret could also be used, but not all RADIUS servers support them.
router(cfg-radius-auth[MyServer])# retry 3
    Packets to the server are retransmitted up to three times if no response is received.
router(cfg-radius-auth[MyServer])# timeout 5000
    Sets the retransmission timeout to 5000 milliseconds (five seconds).
router(cfg-radius-auth[MyServer])# exit
    Exits RADIUS authentication server configuration mode.

Do not configure the shared secret over an insecure connection such as TELNET. If the shared secret is configured remotely, use SSH. The value MyPassword above is a placeholder; choose a long, random secret, because anyone who captures one RADIUS exchange can test secret guesses offline against its Response Authenticator.
The next step is to create and configure the AAA context.
router(config)# aaa context MyContext
    Creates a new context "MyContext" and enters context configuration mode.
router(cfg-aaa[MyContext])# bind radius authentication-server MyServer
    Associates the previously configured server with this context. Since no priority is specified, the default priority is used. Priority is not meaningful when there is only one server.
router(cfg-aaa[MyContext])# order radius local
    Specifies the authentication sources for the context. RADIUS is used first; local user database authentication is attempted if RADIUS authentication fails.
router(cfg-aaa[MyContext])# exit
    Exits context configuration mode.
Finally, the context has to be bound to the services and RADIUS authentication enabled.
router(config)# aaa bind service cli-local context MyContext
router(config)# aaa bind service cli-telnet context MyContext
router(config)# aaa bind service ssh context MyContext
router(config)# aaa bind service ftp context MyContext
    Binds MyContext to all services needing login.
router(config)# aaa radius authentication enable
    Enables RADIUS authentication in the NE.
router(config)# show aaa detail
    Displays all RADIUS-related settings for review. Verify a new login from a second session before closing the one in which RADIUS was enabled, so that a mistyped secret or an unreachable server does not lock you out.
7.3 RADIUS Server Configuration
RADIUS is a commonly supported protocol with many different server implementations available. While most aspects of its operation are well standardized, there are some details of the Tellabs 8600 RADIUS client implementation that must be taken into account when configuring the server. See the documentation of your RADIUS server for how to configure it.

Tellabs 8600 user accounts have, in addition to username and password, a numeric privilege level associated with them. This privilege level must be present in every Access-Accept message from the RADIUS server. If it is omitted, the privilege level defaults to 1, which gives the user very restricted access. The privilege level is implemented as a RADIUS Vendor-Specific Attribute with Vendor-Id 1397, Vendor type 1, and the attribute value coded as a 32-bit unsigned integer. Since the server, not the NE, decides the privilege level, the server's user-to-level mapping deserves the same protection as the NE's local accounts.
# Tellabs dictionary - dictionary.tellabs
#
# Enable by putting the line "$INCLUDE dictionary.tellabs" into
# the main dictionary file.
#
VENDOR          Tellabs                         1397
#
# Vendor-specific attributes
#
ATTRIBUTE       Tellabs-UserPrivilegeLevel      1       integer         Tellabs
    An example of a RADIUS server dictionary file for the privilege level attribute that works with many RADIUS servers.
Information transmitted in attributes can be used to fine-tune authorization decisions on the server. For example, one might want to restrict a user's access rights by allowing login to a limited set of NEs. The table below lists the attributes used and recognized by the RADIUS client in the Tellabs 8600 system.

Attribute                    Direction  Description
User-Name                    OUT        Name of the user to authenticate. The attribute is omitted if the username is empty.
User-Password                OUT        Password entered by the user.
NAS-Identifier               OUT        Text string consisting of the network element's Router ID number.
Service-Type                 OUT        Set to Administrative for all four login services.
NAS-Port-Type                OUT        Set to Async in case of local CLI login; set to Virtual in TELNET, SSH and FTP logins.
Tellabs-UserPrivilegeLevel   IN         Privilege level of an accepted user. Vendor-specific integer attribute with Vendor-Id 1397 and Vendor type 1.
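The exchange of chapters 7.1 and 7.3 in working form, as an added example (Python; not Tellabs code). It builds the Access-Request with the attributes of the table above, hides the password with the shared secret as RFC 2865 section 5.2 specifies, verifies the Response Authenticator of the reply and reads the Tellabs-UserPrivilegeLevel VSA (Vendor-Id 1397, vendor type 1, 32-bit unsigned integer), defaulting to level 1 when the attribute is absent. The toy server, its user table, the shared secret, the identifier and the addresses are constructed for the example.

```python
# Added example: RADIUS Access-Request/Access-Accept with the Tellabs privilege VSA.
import hashlib
import os
import struct

# RFC 2865 codes, attribute types and enumerations
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
SERVICE_ADMINISTRATIVE = 6
NAS_PORT_ASYNC, NAS_PORT_VIRTUAL = 0, 5                    # local CLI vs. TELNET/SSH/FTP
TELLABS_VENDOR_ID, TELLABS_USER_PRIVILEGE_LEVEL = 1397, 1  # values given on the page


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id, vtype, value):
    """Vendor-Specific attribute wrapping one vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(secret, ident, username, password, router_id, port_type):
    """NE side: User-Name, hidden User-Password, NAS-Identifier (Router ID),
    Service-Type Administrative and NAS-Port-Type Async or Virtual."""
    req_auth = os.urandom(16)                      # Request Authenticator: fresh random bytes
    attrs = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode())),
        attr(NAS_IDENTIFIER, router_id.encode()),
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE)),
        attr(NAS_PORT_TYPE, struct.pack("!I", port_type)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(secret, request, code, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def toy_server(secret, request, users):
    """Constructed server for the example: users maps name -> (password, privilege level)."""
    attrs = dict(parse_attrs(request[20:]))
    name = attrs[USER_NAME].decode()
    password = reveal_password(secret, request[4:20], attrs[USER_PASSWORD]).decode()
    if name not in users or users[name][0] != password:
        return build_response(secret, request, ACCESS_REJECT, b"")
    level = vsa(TELLABS_VENDOR_ID, TELLABS_USER_PRIVILEGE_LEVEL, struct.pack("!I", users[name][1]))
    return build_response(secret, request, ACCESS_ACCEPT, level)


def evaluate_response(secret, request, response):
    """NE side: discard forged or mismatched replies, then extract the privilege level."""
    if len(response) < 20 or response[1] != request[1]:
        return "bogus: identifier mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return "bogus: response authenticator check failed"
    if response[0] != ACCESS_ACCEPT:
        return "denied"
    level = 1                                      # the page's default when the VSA is missing
    for atype, value in parse_attrs(response[20:]):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == TELLABS_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == TELLABS_USER_PRIVILEGE_LEVEL and vlen == 6:
                level = struct.unpack("!I", value[6:10])[0]
    return f"accepted, privilege level {level}"


if __name__ == "__main__":
    SECRET, USERS = b"MyPassword", {"alice": ("s3cret", 3)}      # constructed
    req = build_access_request(SECRET, 7, "alice", "s3cret", "10.0.0.1", NAS_PORT_VIRTUAL)
    print(evaluate_response(SECRET, req, toy_server(SECRET, req, USERS)))
```

The Response Authenticator check is what stops a host on the path from answering with a forged Access-Accept; it only holds as long as the secret is unguessable, which is why the section above insists on a long random secret and a protected management network.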
8 SSH
8.1 Overview
SSH (Secure Shell) is a commonly used protocol built on TCP/IP that offers remote login and file transfer functionality. In the Tellabs 8600 system, SSH can be used as a replacement for the TELNET and FTP protocols. Its major advantage is strong cryptographic protection, which makes eavesdropping on and hijacking of connections on the wire practically impossible. The Tellabs 8600 system contains a built-in SSH server that can be used with many free and commercial SSH client programs.

The SSH protocol provides the following security features:

• Encryption is used throughout the connection in both directions. The server and client negotiate a suitable symmetric encryption algorithm at the beginning of the session. The encryption keys are automatically generated and exchanged at the same time.

• Authentication codes are used during the session. Any attempt to change the data by a man-in-the-middle attacker causes an immediate termination of the session.

• Host authentication allows the client to verify that the server it is talking to is really who it claims to be. This is accomplished by the server having a public-private key pair (the host key). The client receives and stores the public part of the key on its first contact with the server; that first contact is the one moment at which an attacker could substitute a key, so the fingerprint shown by the NE should be compared with the one the client displays. On subsequent sessions the server proves its identity by possession of the private part of the key.

• User authentication identifies the user to the server. Traditionally this is done with a username/password pair. In addition to password authentication, SSH also supports public key authentication, in which the user proves possession of the private part of a public-private key pair. This requires that the public part of the key has been stored in the server in advance.

The Tellabs 8600 SSH server only supports SSH protocol version 2. All modern SSH clients support version 2, but some very old clients may not. The SFTP protocol runs on top of SSH and provides secure file transfer services.
8.2 SSH Configuration Examples
Taking the SSH protocol into use on a network element requires some preconfiguration. A host key pair needs to be generated for the network element. The Tellabs 8600 SSH server can use both DSA (some clients call these DSS keys) and RSA type key pairs (the names refer to the algorithms used). It is possible to have an active host key of either or both types, but only one is needed. This guide suggests DSA because it is guaranteed to be supported by all compliant SSH version 2 clients; note, however, that OpenSSH 7.0 and later disable ssh-dss by default, so with current clients an RSA host key is the more practical choice.
router(config)# crypto generate key 1 ssh2-dsa
    Starts generating a DSA type key pair. The key generation is done in the background and may take several minutes to complete. The key will have index 1.
router(config)# show crypto key
Key 1 [NOT ACTIVE] - Type: ssh2-dsa - Size: 2048 bits
Fingerprint: de:08:ee:b9:f5:91:53:0b:f7:de:26:fe:25:4c:ca:10
    Once the key has been generated, it is shown in the key list. The fingerprint can be used to verify the host's identity on the client side, as it is unique for each key; record it and compare it with what the SSH client shows on first connection.
router(config)# cli-server ssh host-key 1
    Activates the generated key as the SSH server host key.
router(config)# cli-server ssh enable
    Enables the SSH server. After this step the network element accepts incoming SSH and SFTP connections.
Enabling public key authentication for a user requires the user to generate a key pair (or use an existing key pair) on the client. The example below is shown for the OpenSSH client.

$ ssh-keygen -b 2048 -t dsa -f mykey -N mypassphrase
    Run on the client to generate the key pair. Two files are written: mykey contains the private key, mykey.pub the public part of the key in OpenSSH format. Passing the passphrase with -N leaves it in the shell history; omit -N to be prompted for it instead.
$ ssh-keygen -e -f mykey.pub > mykey_ssh2.pub
    Converts the public key to the standard SSH2 public key file format required by the SSH server in the Tellabs 8600 system. The resulting public key file is mykey_ssh2.pub.
$ ftp 172.19.101.10
Connected to 172.19.101.10.
220-**************************************
220-*                                    *
220-*   Tellabs 8620 Network Element     *
220-*                                    *
220-*   Copyright (c) 2004 Tellabs.      *
220-*   All rights reserved.             *
220-*                                    *
220-**************************************
User (172.19.101.10:(none)): superuser
331 User name ok
Password:
230 User superuser logged in
ftp> cd /flash/cli-script
250 Directory change succeeded
ftp> put mykey_ssh2.pub
200 Command ok
...
    To import the key, it has to be transferred to the network element's file system. In this example FTP is used. The CLI script directory serves as a temporary location for the key; the key file can be deleted after it has been imported.
router(config)# crypto load flash:/flash/cli-script/mykey_ssh2.pub key 2
    Imports the key from the flash file system into the internal key storage. The public key gets index 2 and is associated with the currently logged-in user, so only that user can log in with it.
router(config)# show crypto key 2
Key 2 [ACTIVE] - Type: ssh2-dsa-public - Size: 2048 bits
Owner: superuser
Fingerprint: 13:c6:60:ed:91:30:23:65:36:84:80:6a:d1:5e:a5:c5
Comment: 2048-bit DSA, converted from OpenSSH by superuser@FIOU0203
    Shows the properties of the public key. The properties and the option to remove a public key are only available to the key's owner or a user with superuser privileges.
$ ssh superuser@172.19.101.10 -i mykey
    Logs in to the NE using the key stored in file mykey. The passphrase is asked for if one was given at key generation.
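What ssh-keygen -e produces and what the fingerprint in show crypto key is computed from, as an added example (Python; not Tellabs or OpenSSH code). It parses an OpenSSH public key line, rejects a line whose embedded key type disagrees with its leading word, computes the MD5 fingerprint in the colon form the NE prints, and converts the key to the RFC 4716 SSH2 file format and back. TOY_LINE is a constructed ssh-dss blob with tiny integers, not a usable key, so the fingerprint it yields is meaningful only for the round trip; the comment string is taken from the page.

```python
# Added example: OpenSSH public key -> fingerprint and SSH2 (RFC 4716) file format.
import base64
import hashlib
import struct


def ssh_string(b):
    return struct.pack("!I", len(b)) + b


def ssh_mpint(n):
    """SSH mpint: big-endian, an extra leading zero byte when the top bit is set, empty for 0."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_string(blob, pos=0):
    (length,) = struct.unpack("!I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def parse_openssh_pubkey(line):
    """'ssh-dss <base64> [comment]' -> (key type, raw blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    embedded, _ = read_string(blob)
    if embedded != keytype.encode():               # a mangled or edited file shows up here
        raise ValueError(f"key type mismatch: {keytype} vs {embedded!r}")
    return keytype, blob, comment


def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the form printed by 'show crypto key'."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def to_ssh2_format(blob, comment=""):
    """RFC 4716 wrapper: begin/end markers, optional Comment header, base64 body at 70 columns."""
    body = base64.b64encode(blob).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [body[i:i + 70] for i in range(0, len(body), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def from_ssh2_format(text):
    """Reverse of to_ssh2_format; skips header lines and their backslash continuations."""
    body, continued = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            continue
        if continued or ":" in line:               # base64 never contains ':'
            continued = line.endswith("\\")
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)


def convert_for_ne(line):
    """Fingerprint to compare against 'show crypto key', and the SSH2-format file to upload."""
    _, blob, comment = parse_openssh_pubkey(line)
    return md5_fingerprint(blob), to_ssh2_format(blob, comment)


# Constructed sample: the field layout of an ssh-dss blob (type, p, q, g, y) with toy values.
TOY_BLOB = (ssh_string(b"ssh-dss") + ssh_mpint(0xD3B1F8E7A5) + ssh_mpint(0x9A7F)
            + ssh_mpint(2) + ssh_mpint(0x5C3E1A77))
TOY_LINE = "ssh-dss " + base64.b64encode(TOY_BLOB).decode() + " superuser@FIOU0203"

if __name__ == "__main__":
    fingerprint, ssh2_file = convert_for_ne(TOY_LINE)
    print(fingerprint)
    print(ssh2_file, end="")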
When the public key is no longer needed, it should be removed.

router(config)# clear crypto key 2
    Discards the public key. Only the key's owner or a user with superuser privileges can remove a key.