FSP 150CC-GE20x Product Training Course 2 - Administration
FSP 150CC-GE206 R4.4.x FSP 150CC-GE201 R4.3.x
October 2010 V1.3
© 2010 ADVA Optical Networking. All rights reserved. Confidential. 2
Module Contents
Connectivity
Syslog
Security/Alarm/Audit Logs
SNMP
SNTP
Security
Connectivity
Various Options
HTTP/HTTPS – eVision
Telnet, SSHv2
SNMP
CLI
NMS
User ID     Password    Privilege
root        ChgMeNOW    Superuser
netadmin    ChgMeNOW    Provisioning
user        ChgMeNOW    Maintenance
Connectivity Serial Interface
Connection Attributes: Bits per second: 9600
Data bits: 8
Parity: None
Stop Bits: 1
Hardware Flow Control: None
Straight through cable with included DB9/RJ45 adapter
CLI
Software download and database backup are not available via the serial interface. IP connectivity is required for https file transfer and FTP.
Connectivity Serial Interface
CLI login screen
Connectivity CLI Basics
Serial Port, Telnet or SSH
Only need to enter the unique portion of the command term, not the entire term
“tab” can be used to auto-complete the command term once unique portion entered, but completion is not required
“back” takes you back one level
“home” takes you to the main level
“quit” logs you out from any menu/sub-menu
Arrows can be used to scroll back/forward through previous commands or edit (terminal emulation specific)
“?” at any time shows available commands or validity/next parameter of the currently entered command.
Connectivity CLI Prompt Configuration
CLI prompt can be configured via GUI and CLI
ADVA--> configure system
ADVA:system--> prompt ADVA-GE206
ADVA-GE206:system-->
Connectivity Network Element Identification
Network Element Identification can be configured via GUI and CLI
ADVA--> network-element ne-1
ADVA-NE-1--> name GE206-1
ADVA-NE-1--> location Dallas-TX
ADVA-NE-1--> contact John-Smith
Connectivity IP Access
The MGMT LAN port – DCN (eth0)
Auto-MDIX supported
Straight through or cross over will work
There is a default ip address 192.168.0.2/24 assigned.
Connectivity HTTP GUI
Applications
Navigation Tree
Alarms and Conditions
Info/Input
Connectivity GE206 Naming Conventions and Navigation
FLOW Entity ID Naming convention:
NE 1
Shelf 1
Slot 1
Access/Network port 2 (range is from 1 to 6)
Flow 1 (range is 1 to 32)
Connectivity GE201 Naming Conventions and Navigation
FLOW Entity ID Naming convention:
NE 1
Shelf 1
Slot 1
Access 1
Flow 1 (range is 1 to 128)
Connectivity HTTP GUI - Usage
Applications: Functionality is divided into different applications, which are aligned with user privileges
Navigation Tree:
Many nodes in the navigation tree have options that are selectable by right-clicking on the node
“OK” vs. “Apply”
Both result in the validation of the data and the writing of changes to the Flash copy of the database and the hardware
“Apply” leaves you in the edit screen, whereas “OK” takes you back to the display screen
General Security Banner
Banner is displayed on GUI and serial/telnet sessions at login.
In the GUI, right click System node and select “Edit Banner”
Maximum of 2000 characters
ADVA:--> configure system
ADVA:system--> security-banner “This is a private system.
Unauthorized access or use may lead to prosecution”
General Security Prompt
When logging in via the CLI, the following prompt is typically displayed:
Do you wish to continue [Y|N]-->
This prompt can cause issues with CLI based configuration systems.
The prompt can be disabled via the CLI only.
ADVA:--> configure system
ADVA:system--> security-prompt disabled
General Syslog Servers
ADVA--> configure system
ADVA:system--> syslog-server 1
ADVA:system:syslog-1--> configure 10.10.10.10 514
ADVA:system:syslog-1--> show syslog-server
IP Address : 10.10.10.10
port : 514
General Syslog Servers
Individual controls for each log type
General Security Log
Security Log contains events of the following type:
Login/Logout/Failed Login attempts (local / remote)
Local User creation/deletion
Password change attempts
Security logs can be directed to SYSLOG (configurable)
Security log can be cleared only by a factory reset
Security log only visible to superuser accounts
Security log contains 1000 records
General Security Log
ADVA--> show security-log
ADVA--> configure system
ADVA:system--> security-log
ADVA:system:security-log--> syslog-control disabled
General Alarm Log
Alarm log (automatic output buffer) for alarms/events
Alarm logs can be directed to a SYSLOG (configurable)
Alarm logs can be disabled by superuser
Alarm log contains 1000 records
Alarm log entries limited to 256 characters
General Alarm Log
ADVA--> show alarm-log
ADVA--> configure system
ADVA:system--> alarm-log
ADVA:system:alarm-log--> syslog-control disabled
ADVA:system:alarm-log--> log2file-control enabled
General Audit Log
Audit Log contains events of the following type:
all configuration related changes,
all entity (e.g. equipment, facility, etc) state changes
all system restarts
all maintenance operations (e.g. loopbacks)
Audit logs can be directed to SYSLOG (configurable)
Audit Log can be disabled by superuser
Audit log contains 1000 records
Audit log entries limited to 256 characters
General Audit Log
ADVA--> show audit-log
ADVA--> configure system
ADVA:system--> audit-log
ADVA:system:audit-log--> syslog-control disabled
ADVA:system:audit-log--> log2file-control enabled
SNMP Simple Network Management Protocol
V1 and V2c Defaults:
V3 Defaults:
The device is configurable via SNMP
SNMP V1, V2c and V3 are supported
SNMP Community String
ADVA--> configure snmp
ADVA:snmp--> add community noc-readonly readonly
Trap community string (GE206/GE206F)
Community string access type can be set to Trap Only
Cannot be used for read-only or read-write access
The following errors will be returned by the system if the trap-only community string is used for read/write access to the GE206:
noSuchName for SNMPv1
noAccess for SNMPv2c
noAccess for SNMPv3 USM
ADVA--> configure snmp
ADVA:snmp--> add community "traps" trap-only
SNMP Target Parameter
The target parameters define which SNMP protocol is used to populate trap information, and thus which SNMP protocol is used to send traps to the specified target address.
Target parameter must be added prior to adding the target address.
ADVA--> configure snmp
ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth
SNMP Target Address
Up to 10 trap recipients may be defined
Up to 10 community strings may be defined
ADVA--> configure snmp
ADVA:snmp--> add target-address NMS-US 10.10.10.10:162 2 3 trap target-param-v1 enabled
SNMP USM (User Security Model)
ADVA--> configure snmp
ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ********
Engine ID: 'local' or beginning with 1 or 0
Security name: 1 to 256 characters long
Only '0-9 a-z A-Z _ . –' are accepted
If left blank, User Name will be copied into this field.
Auth. Key and Priv. Key: 8 – 32 characters long
Contains a mix of upper and lower case alpha characters (a-z A-Z), at least one special character (# * %) and at least one digit (0-9). Cannot begin with '#'.
No more than 2 chars. can be repeated in consecutive positions.
Does not contain a sequence of 3 consecutive letters/digits in ascending/descending order.
Cannot be the same as the user ID.
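Added example, not part of the ADVA course material: a Python pre-check that applies the Auth. Key / Priv. Key rules listed above before a key is entered on the device. The function names and sample keys are constructed; treating "# * %" as the required special-character set and comparing letter sequences case-insensitively are assumptions.

```python
import re
import string

SPECIALS = "#*%"  # assumption: the three characters the slide lists are the required set

def _kind(ch):
    """Classify a lower-cased character for the sequence rule."""
    if ch in string.digits:
        return "digit"
    if ch in string.ascii_lowercase:
        return "letter"
    return None

def _has_sequence(key):
    """True if 3 adjacent letters or 3 adjacent digits ascend or descend (abc, 321)."""
    s = key.lower()  # assumption: letter runs are compared case-insensitively
    for a, b, c in zip(s, s[1:], s[2:]):
        if _kind(a) and _kind(a) == _kind(b) == _kind(c):
            step = ord(b) - ord(a)
            if step in (1, -1) and ord(c) - ord(b) == step:
                return True
    return False

def check_usm_key(key, user_id):
    """Return the list of slide rules the key violates (empty list = acceptable)."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8-32 characters")
    if not (any(c in string.ascii_uppercase for c in key)
            and any(c in string.ascii_lowercase for c in key)):
        problems.append("needs both upper and lower case letters")
    if not any(c in SPECIALS for c in key):
        problems.append("needs a special character (# * %)")
    if not any(c in string.digits for c in key):
        problems.append("needs a digit")
    if key.startswith("#"):
        problems.append("cannot begin with '#'")
    if re.search(r"(.)\1\1", key):
        problems.append("more than 2 repeated characters in a row")
    if _has_sequence(key):
        problems.append("contains a 3-character ascending/descending sequence")
    if key == user_id:
        problems.append("same as the user ID")
    return problems

if __name__ == "__main__":
    # Constructed sample keys, not taken from the course material.
    for sample in ("Tr%ffic7Lanes", "abc12345", "#Passw0rd%%%"):
        print(sample, "->", check_usm_key(sample, "noc-user") or "OK")
```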
SNMP Dying Gasp Trap
The 150CC supports the ability to generate an SNMP Dying Gasp trap on power loss for scenarios where EFM-OAM Dying Gasp is not sufficient.
Only one of SNMP Dying Gasp trap or EFM-OAM Dying Gasp message can be generated on an interface.
SNMP Dying Gasp will only be sent over a Mgmt tunnel, not the MGMT LAN (only replaces EFM OAM Dying Gasp)
Configure SNMP Dying Gasp on the system level and then you can enable the trap by target address (up to 2 SNMP Dying Gasp PDUs can be configured per system).
ADVA--> network-element ne-1
ADVA-NE-1--> configure nte nte206-1-1-1
ADVA-NE-1:ge206-1-1-1--> snmp-dying-gasp enabled
NTP Network Time Protocol
Unicast:
Device only attempts to connect to the configured addresses
Support for up to 2 NTP servers
ADVA--> configure system
ADVA:system--> ntp-client
ADVA:system:ntp_client--> primary-server 10.10.10.10
ADVA:system:ntp_client--> backup-server 10.10.10.11
ADVA:system:ntp_client--> show ntp-client
Security
Secure access (defaults shown):
Serial Port: Enabled
HTTP (port 80): Enabled
Telnet (port 23): Disabled
HTTPS (port 443): Disabled
SSH (port 22): Enabled
SFTP (port 22): Disabled
FTP (port 21): Disabled
SCP (port 21): Enabled
Access Control Lists
GUI:
Automatic logoff is provisionable
Cookie shared per PC user login per NID IP address
Serial
Automatic logoff on cable disconnect (Serial Port Auto Log off: Enable)
Serial port can be disabled
Authentication Traps can be enabled (disabled by default)
Security Operations
Access by various applications can be generically enabled or disabled;
In the configuration application, right-click “System” and select “Edit System”
ADVA--> configure system
ADVA:system--> ftp enabled
ADVA:system--> telnet enabled
ADVA:system--> serial enabled
Security Key Management
The device can generate unique SSL Certificates and SSH keys.
This will replace the existing keys.
ADVA--> configure user-security
ADVA:user-sec--> regenerate-ssh-keys
ADVA:user-sec--> regenerate-ssl-certificate
Security Access Control Lists
Up to 10 ACL entries can be activated at the system level
Each entry allows for the specification of a subnet that can access the unit
ADVA--> configure system
ADVA:system--> acl-entry 1
ADVA:acl-1--> configure permit 10.10.1.0 255.255.255.0
ADVA:acl-1--> control enabled
Last Reset Cause (GE201)
System provides a last reset cause such as warm restart or cold restart. This is available on CLI/GUI/SNMP.
System captures the last 3 instances of an abnormal event. The 3 debug files (binary) are stored on a single debug image which can be downloaded for further investigation.
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.
End of Administration