FSP 150CC-GE20x Product Training Course 2 - Administration FSP 150CC-GE206 R4.4.x FSP 150CC-GE201 R4.3.x October 2010 V1.3

© 2010 ADVA Optical Networking. All rights reserved. Confidential. 2

Module Contents

Connectivity

Syslog

Security/Alarm/Audit Logs

SNMP

SNTP

Security


Connectivity

Various options: HTTP/HTTPS (eVision)

Telnet, SSHv2

SNMP

CLI

NMS

Default accounts:

User ID     Password    Privilege
root        ChgMeNOW    Superuser
netadmin    ChgMeNOW    Provisioning
user        ChgMeNOW    Maintenance


Connectivity Serial Interface

Connection Attributes: Bits per second: 9600

Data bits: 8

Parity: None

Stop Bits: 1

Hardware Flow Control: None

Straight through cable with included DB9/RJ45 adapter

CLI

Software download and database backup are not available via the serial interface. IP connectivity is required for HTTPS file transfer and FTP.


Connectivity Serial Interface

CLI login screen


Connectivity CLI Basics

Serial Port, Telnet or SSH

Only the unique portion of a command term needs to be entered, not the entire term

"tab" can be used to auto-complete the command term once the unique portion is entered, but completion is not required

“back” takes you back one level

“home” takes you to the main level

“quit” logs you out from any menu/sub-menu

Arrows can be used to scroll back/forward through previous commands or edit (terminal emulation specific)

“?” at any time shows available commands or validity/next parameter of the currently entered command.


Connectivity CLI Prompt Configuration

CLI prompt can be configured via GUI and CLI

ADVA--> configure system

ADVA:system--> prompt ADVA-GE206

ADVA-GE206:system-->


Connectivity Network Element Identification

Network Element Identification can be configured via GUI and CLI

ADVA--> network-element ne-1

ADVA-NE-1--> name GE206-1

ADVA-NE-1--> location Dallas-TX

ADVA-NE-1--> contact John-Smith


Connectivity IP Access

The MGMT LAN port – DCN (eth0)

Auto-MDIX supported

Straight-through or crossover cable will work

A default IP address of 192.168.0.2/24 is assigned.


Connectivity HTTP GUI

GUI layout (screenshot): Applications, Navigation Tree, Alarms and Conditions, Info/Input


Connectivity GE206 Naming Conventions and Navigation

FLOW Entity ID Naming convention:

NE 1

Shelf 1

Slot 1

Access/Network port 2 (range is from 1 to 6)

Flow 1 (range is 1 to 32)


Connectivity GE201 Naming Conventions and Navigation

FLOW Entity ID Naming convention:

NE 1

Shelf 1

Slot 1

Access 1

Flow 1 (range is 1 to 128)


Connectivity HTTP GUI - Usage

Applications: Functionality is divided into different applications, aligned with user privileges

Navigation Tree:

Many nodes in the navigation tree have options that are selectable by right-clicking on the node

“OK” vs. “Apply”

Both result in the validation of the data and the writing of changes to the Flash copy of the database and the hardware

"Apply" leaves you in the edit screen, whereas "OK" takes you back to the display screen


General Security Banner

Banner is displayed on GUI and serial/telnet sessions at login.

In the GUI, right click System node and select “Edit Banner”

Maximum of 2000 characters

ADVA:--> configure system

ADVA:system--> security-banner "This is a private system. Unauthorized access or use may lead to prosecution"


General Security Prompt

When logging in via the CLI, the following prompt is typically displayed:

Do you wish to continue [Y|N]-->

This prompt can cause issues with CLI based configuration systems.

The prompt can be disabled via the CLI only.

ADVA:--> configure system

ADVA:system--> security-prompt disabled


General Syslog Servers

ADVA--> configure system

ADVA:system--> syslog-server 1

ADVA:system:syslog-1--> configure 10.10.10.10 514

ADVA:system:syslog-1--> show syslog-server

IP Address : 10.10.10.10

port : 514


General Syslog Servers

Individual controls for each log type


General Security Log

Security Log contains events of the following type:

Login/Logout/Failed Login attempts (local / remote)

Local User creation/deletion

Password change attempts

Security logs can be directed to SYSLOG (configurable)

Security log can only be cleared by a factory reset

Security log is only visible to superuser accounts

Security log contains 1000 records


General Security Log

ADVA--> show security-log

ADVA--> configure system

ADVA:system--> security-log

ADVA:system:security-log--> syslog-control disabled


General Alarm Log

Alarm log (automatic output buffer) for alarms/events

Alarm logs can be directed to a SYSLOG (configurable)

Alarm logs can be disabled by superuser

Alarm log contains 1000 records

Alarm log entries limited to 256 characters


General Alarm Log

ADVA--> show alarm-log

ADVA--> configure system

ADVA:system--> alarm-log

ADVA:system:alarm-log--> syslog-control disabled

ADVA:system:alarm-log--> log2file-control enabled


General Audit Log

Audit Log contains events of the following type:

all configuration related changes

all entity (e.g. equipment, facility) state changes

all system restarts

all maintenance operations (e.g. loopbacks)

Audit logs can be directed to SYSLOG (configurable)

Audit Log can be disabled by superuser

Audit log contains 1000 records

Audit log entries limited to 256 characters


General Audit Log

ADVA--> show audit-log

ADVA--> configure system

ADVA:system--> audit-log

ADVA:system:audit-log--> syslog-control disabled

ADVA:system:audit-log--> log2file-control enabled


SNMP Simple Network Management Protocol

The device is configurable via SNMP

SNMP V1, V2c and V3 are supported

V1 and V2c defaults, V3 defaults: (tables shown on the slide, not captured in this transcript)


SNMP Community String

ADVA--> configure snmp

ADVA:snmp--> add community noc-readonly readonly


Community string access type can be set to Trap Only

Can not be used for read-only or read-write access

The following errors are returned by the system if the trap-only community string is used for read/write access to the GE206:

noSuchName for SNMPv1

noAccess for SNMPv2c

noAccess for SNMPv3 USM

Trap community string (GE206/GE206F)

ADVA--> configure snmp

ADVA:snmp--> add community "traps" trap-only


SNMP Target Parameter

The target parameters define which SNMP version is used to populate trap information, and thus which SNMP version is used to send traps to the specified target address.

Target parameter must be added prior to adding the target address.

ADVA--> configure snmp

ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth


SNMP Target Address

Up to 10 trap recipients may be defined

Up to 10 community strings may be defined

ADVA--> configure snmp

ADVA:snmp--> add target-address NMS-US 10.10.10.10:162 2 3 trap target-param-v1 enabled


SNMP USM (User Security Model)

ADVA--> configure snmp

ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ********

Engine ID: 'local' or beginning with 1 or 0

Security name: 1 to 256 characters long

only 0-9 a-z A-Z _ . - are accepted

If left blank, the User Name will be copied into this field.

Auth. Key and Priv. Key: 8 to 32 characters long

Contains a mix of upper and lower case alpha characters (a-z A-Z), at least one special character (# * %) and at least one digit (0-9). Cannot begin with '#'.

No more than 2 chars. can be repeated in consecutive positions.

Does not contain a sequence of 3 consecutive letters/digits in ascending/descending order.

Can not be the same as the user ID.
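The key rules above can be checked mechanically before a key is provisioned. The validator below is an added example, not ADVA code; its reading of the "repeated characters" rule (no run of three identical characters) and the "consecutive sequence" rule (e.g. "abc", "CBA", "789") is an assumption, and the sample keys are constructed.

```python
from typing import List

SPECIALS = set("#*%")  # special characters named on the slide


def check_usm_key(key: str, user_id: str) -> List[str]:
    """Return the list of policy violations for an SNMPv3 auth/priv key.

    An empty list means the key passes every rule on the slide.
    """
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8 to 32 characters")
    if not (any(c.islower() for c in key) and any(c.isupper() for c in key)):
        problems.append("needs both upper and lower case letters")
    if not any(c in SPECIALS for c in key):
        problems.append("needs at least one special character (# * %)")
    if not any(c.isdigit() for c in key):
        problems.append("needs at least one digit")
    if key.startswith("#"):
        problems.append("cannot begin with '#'")
    # "No more than 2 chars can be repeated in consecutive positions":
    # assumed to mean no run of three identical characters, e.g. 'aaa'.
    if any(key[i] == key[i + 1] == key[i + 2] for i in range(len(key) - 2)):
        problems.append("a character is repeated more than twice in a row")
    # "No sequence of 3 consecutive letters/digits in ascending/descending
    # order": assumed to mean runs like 'abc', 'CBA' or '789' anywhere.
    for i in range(len(key) - 2):
        a, b, c = key[i], key[i + 1], key[i + 2]
        if all(x.isalnum() for x in (a, b, c)):
            step = ord(b) - ord(a)
            if step in (1, -1) and ord(c) - ord(b) == step:
                problems.append(f"contains the sequence '{a}{b}{c}'")
                break
    if key == user_id:
        problems.append("must not equal the user ID")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not values from the training material.
    for sample in ("Adva#2010x", "abc12345", "#Pass*777"):
        print(sample, "->", check_usm_key(sample, "noc-user") or "OK")
```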


SNMP Dying Gasp Trap

The 150CC supports the ability to generate an SNMP Dying Gasp trap on power loss for scenarios where EFM-OAM Dying Gasp is not sufficient.

Only one of SNMP Dying Gasp trap or EFM-OAM Dying Gasp message can be generated on an interface.

SNMP Dying Gasp will only be sent over a Mgmt tunnel, not the MGMT LAN (only replaces EFM OAM Dying Gasp)

Configure SNMP Dying Gasp on the system level and then you can enable the trap by target address (up to 2 SNMP Dying Gasp PDUs can be configured per system).

ADVA--> network-element ne-1

ADVA-NE-1--> configure nte nte206-1-1-1

ADVA-NE-1:ge206-1-1-1--> snmp-dying-gasp enabled


NTP Network Time Protocol

Unicast:

Device only attempts to connect to the configured addresses

Support for up to 2 NTP servers

ADVA--> configure system

ADVA:system--> ntp-client

ADVA:system:ntp_client--> primary-server 10.10.10.10

ADVA:system:ntp_client--> backup-server 10.10.10.11

ADVA:system:ntp_client--> show ntp-client


Security

Secure access (defaults shown):

Serial Port: Enabled

Telnet (port 23): Disabled

SSH (port 22): Enabled

FTP (port 21): Disabled

HTTP (port 80): Enabled

HTTPS (port 443): Disabled

SFTP (port 22): Disabled

SCP (port 21): Enabled

Access Control Lists

GUI:

Automatic logoff is provisionable

Cookie shared per PC user login per NID IP address

Serial

Automatic logoff on cable disconnect (Serial Port Auto Log off: Enable)

Serial port can be disabled

Authentication Traps can be enabled (disabled by default)


Security Operations

Access via the various applications can be enabled or disabled globally.

In the configuration application, right-click on "System" and select "Edit System"

ADVA--> configure system

ADVA:system--> ftp enabled

ADVA:system--> telnet enabled

ADVA:system--> serial enabled


Security Key Management

The device can generate unique SSL Certificates and SSH keys.

Regenerating replaces the existing keys and certificate.

ADVA--> configure user-security

ADVA:user-sec--> regenerate-ssh-keys

ADVA:user-sec--> regenerate-ssl-certificate


Security Access Control Lists

Up to 10 ACL entries can be activated at the system level

Each entry allows for the specification of a subnet that can access the unit

ADVA--> configure system

ADVA:system--> acl-entry 1

ADVA:acl-1--> configure permit 10.10.1.0 255.255.255.0

ADVA:acl-1--> control enabled


Last Reset Cause (GE201)

System provides a last reset cause such as warm restart or cold restart. This is available on CLI/GUI/SNMP.

System captures the last 3 instances of an abnormal event. The 3 debug files (binary) are stored on a single debug image which can be downloaded for further investigation.

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.

End of Administration