
FSP 150CC-GE20x Product Training Course 2 - Administration

FSP 150CC-GE206 R4.4.x FSP 150CC-GE201 R4.3.x October 2010 V1.3

Module Contents
Connectivity
Syslog
Security/Alarm/Audit Logs
SNMP
SNTP
Security

2010 ADVA Optical Networking. All rights reserved. Confidential.

Connectivity
Various Options
HTTP/HTTPS eVision Telnet, SSHv2 SNMP CLI NMS

User ID     Password    Privilege
root        ChgMeNOW    Superuser
netadmin    ChgMeNOW    Provisioning
user        ChgMeNOW    Maintenance


Connectivity

Serial Interface

Connection Attributes:
Bits per second: 9600
Data bits: 8
Parity: None
Stop Bits: 1
Hardware Flow Control: None

Straight through cable with included DB9/RJ45 adapter

CLI
Software download and database backup are not available via the serial interface. IP connectivity is required for HTTPS file transfer and FTP.


Connectivity

Serial Interface
CLI login screen


Connectivity
CLI Basics
Serial Port, Telnet or SSH
Only need to enter the unique portion of the command term, not the entire term
tab can be used to auto-complete the command term once the unique portion is entered, but completion is not required
back takes you back one level
home takes you to the main level
quit logs you out from any menu/sub-menu
Arrows can be used to scroll back/forward through previous commands or edit (terminal emulation specific)
? at any time shows available commands or validity/next parameter of the currently entered command.


Connectivity

CLI Prompt Configuration


CLI prompt can be configured via GUI and CLI

ADVA--> configure system
ADVA:system--> prompt ADVA-GE206
ADVA-GE206:system-->


Connectivity

Network Element Identification


Network Element Identification can be configured via GUI and CLI

ADVA--> network-element ne-1
ADVA-NE-1--> name GE206-1
ADVA-NE-1--> location Dallas-TX
ADVA-NE-1--> contact John-Smith

Connectivity
IP Access

The MGMT LAN port DCN (eth0)
Auto-MDIX supported
Straight through or cross over will work

There is a default IP address 192.168.0.2/24 assigned.


Connectivity
HTTP GUI
Applications

Navigation Tree

Info/Input

Alarms and Conditions


Connectivity

GE206 Naming Conventions and Navigation


FLOW Entity ID Naming convention:
NE 1
Shelf 1
Slot 1
Access/Network port 2 (range is from 1 to 6)
Flow 1 (range is 1 to 32)


Connectivity

GE201 Naming Conventions and Navigation


FLOW Entity ID Naming convention:
NE 1
Shelf 1
Slot 1
Access 1
Flow 1 (range is 1 to 128)


Connectivity

HTTP GUI - Usage

Applications:
Functionality is divided into different applications, which are aligned with user privileges

Navigation Tree:
Many nodes in the navigation tree have options that are selectable by right-clicking on the node

OK vs. Apply
Both result in the validation of the data and the writing of changes to the Flash copy of the database and the hardware
Apply leaves you in the edit screen, whereas OK takes you back to the display screen


General

Security Banner
Banner is displayed on GUI and serial/telnet sessions at login.
In the GUI, right click System node and select Edit Banner
Maximum of 2000 characters

ADVA:--> configure system
ADVA:system--> security-banner This is a private system. Unauthorized access or use may lead to prosecution


General

Security Prompt
When logging in via the CLI, the following prompt is typically displayed:

Do you wish to continue [Y|N]-->


This prompt can cause issues with CLI based configuration systems.

The prompt can be disabled via the CLI only.

ADVA:--> configure system
ADVA:system--> security-prompt disabled


General

Syslog Servers

ADVA--> configure system
ADVA:system--> syslog-server 1
ADVA:system:syslog-1--> configure 10.10.10.10 514
ADVA:system:syslog-1--> show syslog-server

IP Address : 10.10.10.10
port : 514


General

Syslog Servers

Individual controls for each log type



General

Security Log
Security Log contains events of the following type:
Login/Logout/Failed Login attempts (local / remote)
Local User creation/deletion
Password change attempts

Security logs can be directed to SYSLOG (configurable)
Security log can be cleared only by a factory reset
Security log is only visible to superuser accounts
Security log contains 1000 records


General

Security Log

ADVA--> show security-log
ADVA--> configure system
ADVA:system--> security-log
ADVA:system:security-log--> syslog-control disabled

General

Alarm Log
Alarm log (automatic output buffer) for alarms/events
Alarm logs can be directed to a SYSLOG (configurable)
Alarm logs can be disabled by superuser
Alarm log contains 1000 records
Alarm log entries limited to 256 characters


General

Alarm Log

ADVA--> show alarm-log
ADVA--> configure system
ADVA:system--> alarm-log
ADVA:system:alarm-log--> syslog-control disabled
ADVA:system:alarm-log--> log2file-control enabled


General

Audit Log
Audit Log contains events of the following type:
all configuration related changes
all entity (e.g. equipment, facility, etc.) state changes
all system restarts
all maintenance operations (e.g. loopbacks)

Audit logs can be directed to SYSLOG (configurable)
Audit log can be disabled by superuser
Audit log contains 1000 records
Audit log entries limited to 256 characters


General

Audit Log

ADVA--> show audit-log
ADVA--> configure system
ADVA:system--> audit-log
ADVA:system:audit-log--> syslog-control disabled
ADVA:system:audit-log--> log2file-control enabled


SNMP

Simple Network Management Protocol


The device is configurable via SNMP

SNMP V1, V2c and V3 are supported


V1 and V2c Defaults:

V3 Defaults:


SNMP

Community String

ADVA--> configure snmp
ADVA:snmp--> add community noc-readonly readonly


Trap community string


(GE206/GE206F)
Community string access type can be set to Trap Only
Cannot be used for read-only or read-write access

The following errors will be returned by the system if the trap-only community string is used for read/write access to the GE206:
noSuchName for SNMPv1
noAccess for SNMPv2c
noAccess for SNMPv3 USM

ADVA--> configure snmp
ADVA:snmp--> add community "traps" trap-only


SNMP

Target Parameter
The target parameters define what SNMP protocol will be used to populate trap information, and thus what SNMP protocol will be used to send traps to the specified target address.
Target parameter must be added prior to adding the target address.

ADVA--> configure snmp
ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth


SNMP

Target Address
Up to 10 trap recipients may be defined
Up to 10 community strings may be defined

ADVA--> configure snmp
ADVA:snmp--> add target-address NMS-US 10.10.10.10:162 2 3 trap target-param-v1 enabled


SNMP

USM (User Security Model)

ADVA--> configure snmp
ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ********

Engine ID
local or beginning with 1 or 0

Auth. Key and Priv. Key
8 to 32 characters long
Contains a mix of upper and lower case alpha characters (a-z A-Z), at least one special character (# * %) and at least one digit (0-9).
Cannot begin with #.
No more than 2 chars. can be repeated in consecutive positions.
Does not contain a sequence of 3 consecutive letters/digits in ascending/descending order.
Cannot be the same as the user ID.

Security name
1 to 256 characters long
only 0-9 a-z A-Z _ . are accepted
If left blank, User Name will be copied into this field.
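
The Auth. Key and Priv. Key rules listed above, written out as a pre-provisioning checker. This is an added example in Python, not ADVA code; it assumes the special characters are exactly # * %, that the repetition rule forbids three identical characters in a row, and that letter sequences are compared case-insensitively.

```python
import re

SPECIALS = set("#*%")  # assumption: exactly the three characters the slide lists


def _is_run(a, b, c):
    """True if a, b, c are three letters or three digits stepping by +1 or -1."""
    s = a + b + c
    if not (s.isascii() and (s.isdigit() or s.isalpha())):
        return False
    x, y, z = (ord(ch.lower()) for ch in s)  # assumption: case-insensitive
    return y - x == z - y and abs(y - x) == 1


def check_usm_key(key, user_id):
    """Return a list of rule violations; an empty list means the key passes."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8 to 32 characters")
    if not (re.search(r"[a-z]", key) and re.search(r"[A-Z]", key)):
        problems.append("needs both upper and lower case letters")
    if not any(ch in SPECIALS for ch in key):
        problems.append("needs a special character (# * %)")
    if not re.search(r"[0-9]", key):
        problems.append("needs a digit")
    if key.startswith("#"):
        problems.append("cannot begin with #")
    if re.search(r"(.)\1\1", key):
        problems.append("a character repeats more than twice in a row")
    if any(_is_run(*key[i:i + 3]) for i in range(len(key) - 2)):
        problems.append("contains a 3-character ascending/descending sequence")
    if key == user_id:
        problems.append("same as the user ID")
    return problems
```

An empty list means the candidate key satisfies every rule as interpreted here; the device remains the authority on what it accepts.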


SNMP

Dying Gasp Trap


The 150CC supports the ability to generate an SNMP Dying Gasp trap on power loss for scenarios where EFM-OAM Dying Gasp is not sufficient.
Only one of SNMP Dying Gasp trap or EFM-OAM Dying Gasp message can be generated on an interface.
SNMP Dying Gasp will only be sent over a Mgmt tunnel, not the MGMT LAN (only replaces EFM OAM Dying Gasp)

Configure SNMP Dying Gasp on the system level and then you can enable the trap by target address (up to 2 SNMP Dying Gasp PDUs can be configured per system).

ADVA--> network-element ne-1
ADVA-NE-1--> configure nte nte206-1-1-1
ADVA-NE-1:ge206-1-1-1--> snmp-dying-gasp enabled

NTP

Network Time Protocol


Unicast:
Device only attempts to connect to the configured addresses
Support for up to 2 NTP servers

ADVA--> configure system
ADVA:system--> ntp-client
ADVA:system:ntp_client--> primary-server 10.10.10.10
ADVA:system:ntp_client--> backup-server 10.10.10.11
ADVA:system:ntp_client--> show ntp-client

Security
Secure access (defaults shown):
Serial Port:        Enabled
Telnet (port 23):   Disabled
SSH (port 22):      Enabled
FTP (port 21):      Disabled
HTTP (port 80):     Enabled
HTTPS (port 443):   Disabled
SFTP (port 22):     Disabled
SCP (port 21):      Enabled

Access Control Lists

GUI:
Automatic logoff is provisionable
Cookie shared per PC user login per NID IP address

Serial
Automatic logoff on cable disconnect (Serial Port Auto Log off: Enable)
Serial port can be disabled

Authentication Traps can be enabled (disabled by default)


Security

Operations
Access by various applications can be generically enabled or disabled.
In the configuration application, right click on System and select Edit System

ADVA--> configure system
ADVA:system--> ftp enabled
ADVA:system--> telnet enabled
ADVA:system--> serial enabled
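
A review check for provisioning transcripts in the CLI syntax shown on these slides: it flags cleartext management protocols (Telnet, FTP), trap targets without authentication, USM users on MD5 or DES, and a security log that is not forwarded to syslog. This is an added example in Python, not ADVA tooling; the transcript is constructed from commands on this page, and the rule set is an assumption of the example, not vendor guidance.

```python
import re

# (prompt suffix, pattern on the command text, finding)
RULES = [
    ("system", r"^(telnet|ftp) enabled$", "cleartext management protocol enabled"),
    ("security-log", r"^syslog-control disabled$", "security log not forwarded to syslog"),
    ("snmp", r"^add target-params .*\bno-auth$", "trap target without authentication"),
    ("snmp", r"^add usm-user .*\b(md5|des)\b", "USM user configured with MD5 or DES"),
]

# Constructed transcript, assembled from commands that appear on the slides.
SAMPLE = """\
ADVA:system--> telnet enabled
ADVA:system--> ftp enabled
ADVA:system--> serial enabled
ADVA:system:security-log--> syslog-control disabled
ADVA:system:alarm-log--> syslog-control disabled
ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth
ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ********
ADVA:snmp--> add community noc-readonly readonly
"""


def lint(transcript):
    """Return (line_number, prompt, finding) for each flagged command."""
    findings = []
    for number, line in enumerate(transcript.splitlines(), start=1):
        prompt, sep, command = line.partition("--> ")
        if not sep:
            continue  # command output or blank line, not a prompt line
        command = command.strip()
        for suffix, pattern, finding in RULES:
            # A rule applies only in the CLI context it was written for.
            if prompt.endswith(suffix) and re.search(pattern, command):
                findings.append((number, prompt, finding))
    return findings


if __name__ == "__main__":
    for number, prompt, finding in lint(SAMPLE):
        print(f"line {number} [{prompt}]: {finding}")
```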

Security

Key Management
The device can generate unique SSL Certificates and SSH keys.
This will replace the existing keys.

ADVA--> configure user-security
ADVA:user-sec--> regenerate-ssh-keys
ADVA:user-sec--> regenerate-ssl-certificate



Security

Access Control Lists


Up to 10 ACL entries can be activated at the system level
Each entry allows for the specification of a subnet that can access the unit

ADVA--> configure system
ADVA:system--> acl-entry 1
ADVA:acl-1--> configure permit 10.10.1.0 255.255.255.0
ADVA:acl-1--> control enabled

Last Reset Cause (GE201)


System provides a last reset cause such as warm restart or cold restart. This is available on CLI/GUI/SNMP.

System captures the last 3 instances of an abnormal event. The 3 debug files (binary) are stored on a single debug image which can be downloaded for further investigation.


End of Administration

IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright for the entire content of this presentation: ADVA Optical Networking.
