Tellabs® 8600 Managed Edge System Management Communications Configuration Guide 50125_04 30.11.09

Tellabs® 8600 Managed Edge System
Management Communications Configuration Guide

50125_04
30.11.09

Document Information

Revision History

Document No.   Date       Description of Changes

50125_04       30.11.09   The default TELNET value updated in chapters 3.1 and 3.2. Information on displaying terminal monitor messages is updated in chapter 3.1.

50125_03       25.09.09   Affected feature packs updated on page 2.

50125_02       27.03.09   Tellabs 8607 access switch support added.

This manual documents the following network elements and the corresponding feature packs or higher:

FP1.0A Tellabs 8607 access switch

FP1.3 Tellabs 8605 access switch

FP2.11 Tellabs 8620 access switch, Tellabs 8630 access switch, Tellabs 8660 edge switch

© 2009 Tellabs. All rights reserved.

This Tellabs manual is owned by Tellabs or its licensors and protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties.

The following trademarks and service marks are owned by Tellabs Operations, Inc. or its affiliates in the United States and/or other countries: TELLABS®, TELLABS® logo, TELLABS and T symbol®, and T symbol®.

Any other company or product names may be trademarks of their respective companies.

The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

Adobe® and Reader® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Tellabs® 8600 Managed Edge System 50125_04Management Communications Configuration Guide © 2009 Tellabs.

Terms and Abbreviations

Term Explanation

AAA Authentication, Authorization, Accounting

ACL Access Control List

AES-256 Advanced Encryption Standard

BMI Broadband Management Interface

BMP Broadband Management Protocol. A communication protocol which is used between Tellabs 8600 network elements and Tellabs 8000 network manager.

CCN Configuration Change Notification

CLI Command Line Interface

DiffServ Differentiated Services

DSA Digital Signature Algorithm

FTP File Transfer Protocol

IP Internet Protocol

MIB Management Information Base (SNMP)

MPLS Multiprotocol Label Switching

NAS Network Access Server

NE Network Element

NTP Network Time Protocol

OCNM Online Core Network Monitoring

QoS Quality of Service

RADIUS Remote Authentication Dial-In User Service. Commonly used to provide centralized authentication, authorization, and accounting functionalities.

RFC Request for Comments

RSA Rivest, Shamir, Adleman. An algorithm for public-key cryptography.

SFTP SSH File Transfer Protocol. Also Secure File Transfer Program.

SHA1 Secure Hash Algorithm

SNMP Simple Network Management Protocol

SSH Secure Shell

TCP Transmission Control Protocol

UDP User Datagram Protocol

Unit In CLI refers to a card.

Table of Contents

About This Manual
    Objectives
    Audience
    Related Documentation
    Interface Numbering Conventions
    Document Conventions
    Documentation Feedback

1 Management Communications
    1.1 Security Considerations
    1.2 Classifying Management Traffic with DiffServ
    1.3 Outband Management and Management VRFs
    1.4 Management Traffic Configuration Examples

2 TELNET
    2.1 Overview

3 CLI
    3.1 Overview
    3.2 CLI Configuration Examples

4 BMP
    4.1 Overview
    4.2 BMP Configuration Examples

5 FTP
    5.1 Overview
    5.2 FTP Configuration Examples

6 SNMP
    6.1 Overview
        6.1.1 References
    6.2 SNMP Configuration Examples

7 RADIUS
    7.1 Overview
        7.1.1 References
    7.2 RADIUS Configuration Examples
    7.3 RADIUS Server Configuration

8 SSH
    8.1 Overview
    8.2 SSH Configuration Examples

About This Manual

This chapter discusses the objectives and intended audience of this manual, Tellabs® 8600 Managed Edge System Management Communications Configuration Guide, and consists of the following sections:

• Objectives

• Audience

• Related Documentation

• Interface Numbering Conventions

• Document Conventions

• Documentation Feedback

Objectives

This manual provides an overview of the Tellabs 8600 managed edge system management communication functions and instructions on how to configure them with a command-line interface (CLI) using a router’s console or remote terminal (TELNET).

Audience

This manual is designed for administration personnel configuring Tellabs 8600 managed edge system functions with CLI. Tellabs 8000 network manager provides administration personnel with access to equivalent functionality through a graphical user interface.

It is assumed that you have a basic understanding of the BMP, CLI, FTP, SNMP, RADIUS and SSH protocols.

Related Documentation (1)

Tellabs® 8600 Managed Edge System CLI Commands Manual (50117_XX)
    Provides the commands available to configure, monitor and maintain Tellabs 8600 managed edge system products with CLI.

Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide (50122_XX)
    Provides an overview of the Tellabs 8600 managed edge system IP forwarding and traffic management and instructions on how to configure them with CLI.

(1) To make sure the references point to the latest available document versions, please refer to the Tellabs® 8600 Document Set Description that can be found in Tellabs Portal www.portal.tellabs.com by navigating to Product Documentation -> Data Networking -> Tellabs 8600 Managed Edge System -> Technical Documentation -> Document Set Description.

Interface Numbering Conventions

To follow the feature descriptions and configuration examples given in this document more easily, see also the Tellabs 8600 system interface numbering and related figures described in Tellabs® 8600 Managed Edge System CLI Commands Manual.

Document Conventions

This is a note symbol. It emphasizes or supplements information in the document.

This is a caution symbol. It indicates that damage to equipment is possible if the instructions are not followed.

This is a warning symbol. It indicates that bodily injury is possible if the instructions are not followed.

Documentation Feedback

Please contact us to suggest improvements or to report errors in our documentation:

Email: [email protected]

Fax: +358.9.4131.2430

1 Management Communications

The Tellabs 8600 system products can be reached for management and configuration purposes via the TELNET, CLI, BMP, FTP, SNMP, RADIUS and SSH protocols.

1.1 Security Considerations

Always choose complex passwords, encryption keys and SNMP community strings.

Keep unused protocols in disabled state (default).

When possible, use SSH/SFTP instead of TELNET/FTP. See chapter 2 TELNET.

Authentication and encryption for the BMP protocol are strongly recommended, so the user should configure both of them (BMP is unauthenticated by default, unlike the other protocols). See chapter 4 BMP.

Public key authentication for SSH/SFTP should be preferred over password authentication. See chapter 8 SSH.

1.2 Classifying Management Traffic with DiffServ

Often, management communication travels inband over the network, that is, the management packets and user-plane traffic share the same bandwidth. Inside the final destination, even outband management shares the same bandwidth with the inband traffic. In those cases it is possible that congestion in the user-plane traffic disturbs the management traffic. Even worse, an adversary may attempt to launch a denial-of-service attack on the user plane to block network management. If the network is such that this kind of blocking is possible, it is strongly recommended that all management traffic, or at least the critical parts of it, is given a higher priority than ordinary traffic. This can be achieved with Differentiated Services (DiffServ). See Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide.

A good choice is to classify important management traffic to the CS7 class, as this class cannot be blocked by user-plane traffic. On the other hand, the total volume of management communication should then be controlled so that it cannot block the routing and signalling protocols, which also use the CS7 class.

Access control lists (ACLs) should also be used to classify management traffic with high priority as follows (see CLI examples below):

• At the first NE where management traffic enters the network, the interface ACLs should classify the critical management traffic with high priority, to secure traffic from management to the NEs.

• At every NE, either one or both of the following methods is used to secure traffic from NE to management. If both are used, the ACL classification replaces the other one.

    • The CLI command ’mgmt-traffic qos’ (BMP attribute mifTrafficQos) configures basic QoS for outgoing traffic. Note that the default value is CS7 if the user does not specifically request something else. This QoS is used for CLI, BMP (including CCN), SNMP and syslog packets.

    • IP host access lists can classify critical management traffic with high priority.

Some low-cost products do not support host ACLs, at least not in all releases. In such products, the attribute mifTrafficQos value is used for locally originated outgoing management traffic. Similarly, some low-cost products do not support interface ACLs, and such products should not be used as the first NE where management traffic enters the network, unless it is obvious that the incoming management traffic needs no special DiffServ classification.

1.3 Outband Management and Management VRFs

In many cases, outband network management is recommended. Separate outband management channels are usually well protected against unauthorized access, and they are also independent of congestion among the normal user-plane traffic. Some cards or NEs, such as CDC and Tellabs 8620 access switch, have a special management port (Ethernet) for outband management use, but any IP port in any Tellabs 8600 NE can be used for management access.

With outband management, security against unauthorized access can be enhanced by using a special management VRF. A separate management VRF should be created and associated with the management port. In this way the IP address space of network management is completely separated from any IP addresses seen in the user plane.

Note that even outband management can suffer from user-plane congestion inside the target NE, and in such cases DiffServ configuration should be used, as explained in chapter 1.2 Classifying Management Traffic with DiffServ.

1.4 Management Traffic Configuration Examples

Example 1 is for the attribute mifTrafficQos configuration.

Command                                      Description

router(config)# mgm-traffic qos ef           Set value EF to management traffic basic QoS.

router(config-acl)# no mgm-traffic qos ef    Set the default value CS7.

Fig. 1 Management Traffic Configuration

Example 2. Assume that the management server possibly uses many IP addresses and the management traffic enters the network through interface fe 5/0/1 in one NE. In that NE, the following configuration classifies certain critical IP traffic from interface fe 5/0/1 to the CS7 class; other traffic is permitted as such (it is probably in the BE class).

Command

router(config)# ip access-list critical_from_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any eq 56566 any action qos cs7
router(config-acl)# permit udp any any range 56564 56565 action qos cs7
router(config-acl)# permit udp any any eq 161 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any any eq 56501 action qos cs7
router(config-acl)# permit tcp any eq 50000 any action qos cs7
router(config-acl)# permit tcp any any eq 56565 action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# interface fe 5/0/1
router(cfg-if[fe 5/0/1])# ip access-group critical_from_mgmt_cs7 in
router(cfg-if[fe 5/0/1])# exit

Description

Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. In this example, the important protocols are: TELNET, BMP (ports 56564..56566), SNMP (port 161), SSH (port 22), FTP (ports 21 and 20), NTP (port 123) and OCNM (assuming port 56501, see command ospf ocnm-listener). The BBMS CCN server source TCP port is 50000. The destination TCP port of the BMP Agent is 56565.

Example 3. The following host ACL classifies all important traffic to the CS7 class; other traffic keeps its default class.

Command

router(config)# ip access-list critical_to_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any any eq 56566 action qos cs7
router(config-acl)# permit udp any range 56564 56565 any action qos cs7
router(config-acl)# permit udp any eq 161 any action qos cs7
router(config-acl)# permit udp any any eq 162 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any eq 56501 any action qos cs7
router(config-acl)# permit tcp any any eq 50000 action qos cs7
router(config-acl)# permit tcp any eq 56565 any action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# ip host-access-group critical_to_mgmt_cs7 out

Description

Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. In this example, the important protocols are naturally the same as in the management connection (the previous example), but the order of the source and destination ports is reversed and perhaps port numbers changed. Additionally, SNMP traps (port 162) and the CCN protocol are added, assuming that the CCN destination port is 50000 (see command bmp-server ccn destination). The last TCP entry sets the QoS of the TCP BMP traffic; the source TCP port of the BMP Agent is 56565.
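The following Python script is an added example and not part of the Tellabs manual: it parses the ACL entries of Examples 2 and 3 and reports which of the management ports named in their descriptions are left outside the CS7 class, so that an edited access list can be checked against the intended protocol set before it is applied. The sample ACL, the named-port table, the finding format and the restriction to the "any" endpoint form used on this page are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names the examples above use in place of a port number (assumed
# table for this example); numeric ports are used as written.
NAMED_PORTS = {"telnet": 23, "ftp": 21, "ssh": 22, "snmp": 161}

# Management protocols and ports listed in the descriptions of Examples 2 and 3.
# SNMP traps (162) only appear in the outbound (host ACL) direction.
EXPECTED_INBOUND = {
    "TELNET": ("tcp", {23}),
    "BMP over UDP": ("udp", {56564, 56565, 56566}),
    "SNMP": ("udp", {161}),
    "SSH": ("tcp", {22}),
    "FTP": ("tcp", {20, 21}),
    "NTP": ("udp", {123}),
    "OCNM": ("tcp", {56501}),
    "CCN": ("tcp", {50000}),
    "BMP over TCP": ("tcp", {56565}),
}
EXPECTED_OUTBOUND = {**EXPECTED_INBOUND, "SNMP traps": ("udp", {162})}

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class AclEntry:
    proto: str          # "tcp", "udp" or "ip"
    src: PortRange      # (low, high), or None when the source port is "any"
    dst: PortRange      # same for the destination port
    qos: Optional[str]  # class from "action qos <class>", None if absent


def to_port(token: str) -> int:
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_entry(line: str) -> Optional[AclEntry]:
    """Parse one 'permit ...' line (prompt optional); None for other lines.
    Only the 'any' endpoint form of the examples is handled; host and prefix
    endpoints would need an extension."""
    tokens = line.split("# ", 1)[-1].split()
    if not tokens or tokens[0] != "permit":
        return None
    proto, i = tokens[1], 2

    def endpoint(i: int) -> Tuple[PortRange, int]:
        if tokens[i] != "any":
            raise ValueError("only 'any' endpoints are supported: " + line)
        i += 1
        if i < len(tokens) and tokens[i] == "eq":
            p = to_port(tokens[i + 1])
            return (p, p), i + 2
        if i < len(tokens) and tokens[i] == "range":
            return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
        return None, i

    src, i = endpoint(i)
    dst, i = endpoint(i)
    qos = tokens[i + 2] if tokens[i:i + 2] == ["action", "qos"] else None
    return AclEntry(proto, src, dst, qos)


def parse_acl(text: str) -> List[AclEntry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def is_classified(entries: List[AclEntry], transport: str, port: int, qos: str = "cs7") -> bool:
    """True if some entry for this transport puts the port into class `qos`,
    whether the port appears on the source or on the destination side."""
    for e in entries:
        if e.proto != transport or e.qos != qos:
            continue
        for rng in (e.src, e.dst):
            if rng and rng[0] <= port <= rng[1]:
                return True
    return False


def missing_classification(text: str, expected=EXPECTED_INBOUND) -> Dict[str, List[int]]:
    """Map each management protocol to the ports the ACL leaves unclassified."""
    entries = parse_acl(text)
    gaps: Dict[str, List[int]] = {}
    for name, (transport, ports) in expected.items():
        left = sorted(p for p in ports if not is_classified(entries, transport, p))
        if left:
            gaps[name] = left
    return gaps


def has_default_permit(text: str) -> bool:
    """The examples end with 'permit ip any any' without an action, so that
    all other traffic is still permitted and keeps its default class."""
    return any(e.proto == "ip" and e.src is None and e.dst is None and e.qos is None
               for e in parse_acl(text))


# Constructed sample: Example 2 with two deliberate slips, the NTP lines are
# missing and the SSH line lost its 'action qos cs7'.
SAMPLE_ACL = """\
router(config)# ip access-list critical_from_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any eq 56566 any action qos cs7
router(config-acl)# permit udp any any range 56564 56565 action qos cs7
router(config-acl)# permit udp any any eq 161 action qos cs7
router(config-acl)# permit tcp any any eq 22
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit tcp any any eq 56501 action qos cs7
router(config-acl)# permit tcp any eq 50000 any action qos cs7
router(config-acl)# permit tcp any any eq 56565 action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
"""

if __name__ == "__main__":
    for proto, ports in missing_classification(SAMPLE_ACL).items():
        print(f"{proto}: ports {ports} are not classified to CS7")
    print("default permit present:", has_default_permit(SAMPLE_ACL))
```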

2 TELNET

2.1 Overview

TELNET is a TCP/IP standard protocol for remote terminal service. A TELNET user can send commands and receive replies with the illusion of working at the remote site. A TELNET client establishes a TCP connection to a remote TELNET server using an IP address and a TCP port as destination parameters.

The Tellabs 8600 TELNET server provides the TELNET server functionality for the Tellabs 8600 network elements (NE) according to the standard TELNET protocol. The TELNET server is used to establish a remote terminal session to a CLI Agent residing in the Tellabs 8600 NEs. The Tellabs 8600 TELNET server supports multiple parallel sessions.

In the Tellabs 8600 system, SSH is recommended as a replacement for TELNET, as TELNET is inherently insecure (e.g. passwords can be eavesdropped on the wire).

3 CLI

3.1 Overview

Command Line Interface (CLI) provides an ASCII command line management interface for the Tellabs 8600 NEs. Via CLI the user can send configuration commands to change and display the current configuration of the NE. The user can contact the CLI Agent residing in the NE via a TELNET connection or a serial port cable connection. The TELNET connection is disabled by default and must be enabled before it can be used.

Fig. 2 Two Users Have CLI Sessions in Tellabs 8600 NE

When the Tellabs 8600 NE is started up for the first time, the user can connect to the CLI Agent using the serial port cable connection between the user’s PC and the Tellabs 8600 NE. Now the first configuration commands can be sent to the NE. The first command might be setting an IP address of some interface of the NE to make the NE reachable via a TCP/IP connection. Via the TCP/IP connection the NE can be reached by Tellabs 8000 network manager.

For the list of available CLI configuration commands, see Tellabs® 8600 Managed Edge System CLI Commands Manual.

The CLI Agent sends terminal monitor messages to notify the users when local conditions undergo significant changes. By default, displaying of the terminal monitor messages whose severity level is lower than warning is disabled.

3.2 CLI Configuration Examples

The following CLI commands are needed to make the Tellabs 8600 NE reachable via the TCP/IP connection.

Command                                          Description

*********************************
* Tellabs 86XX Network Element  *
* Copyright (c) 2004 Tellabs.   *
* All rights reserved.          *
*********************************
Press key ? for help.
user name: superuser
password: ********
Enter configuration commands, one per line. End with ^Z
                                                 Login to Tellabs 8600 CLI Agent.

router> enable                                   Enter the Privileged Execution command mode.

router# configure terminal                       Enter the Configure command mode.

router# cli-server telnet enable                 Enable the TELNET server for CLI management.

router(config)# interface mfe 0                  Change the mode to configure the specific interface.

router(config-if)# no shutdown                   Enable the selected interface.

router(config-if)# ip address 172.19.101.14/24   Set the IP address.

router(config-if)# exit                          Change back to the Configure command mode.

router(config)# hostname ?
  <string:len[1–32]>  New name of the host
                                                 Help for the command hostname.

router(config)# hostname hugo1                   Change the hostname (from here on, these example CLI commands are not needed to configure the TCP/IP connection).

hugo1(config)# exit                              Change back to the Privileged Execution command mode.

hugo1# no terminal monitor                       Disable terminal monitor message sending. By default messages whose severity is ’warning’ or higher are shown.

hugo1# terminal monitor severity error           Enable terminal monitor message sending. Messages whose severity is ’error’ or higher are shown.

4 BMP

4.1 Overview

Broadband Management Protocol (BMP) is a Tellabs proprietary object-based management protocol between Tellabs 8000 network manager and a Tellabs 8600 NE. The NE can be managed via BMP format management commands coming from Tellabs 8000 network manager. A BMP Agent resides in the Tellabs 8600 NE.

BMP communication between Tellabs 8000 network manager and the BMP Agent is primarily done over a TCP/IP connection, if the NE supports it, or alternatively using the UDP/IP protocol. The BMP Agent receives the incoming BMP commands, launches the BMP command execution process, and finally constructs the reply and sends it back to Tellabs 8000 network manager.

The selection between TCP/IP and UDP/IP communication is invisible to the user. It is implemented in Tellabs 8000 network manager so that it always tries TCP/IP first and, if the NE does not support it, falls back to UDP/IP.

Tellabs 8000 network manager can permit or deny other managers’ access to the BMP Agent using IP access list configurations.

The BMP Agent generates BMP notifications when the NE conditions undergo significant changes. Notifications are sent to the Communication servers of those Tellabs 8000 network managers which are registered to receive BMP notifications.

The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can be enabled to use SHA1 authentication. In that case both Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly to use the authentication. If only one side uses authentication, or the keys differ, communication is not possible because the other party rejects the messages.

The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can also be enabled to use SHA1 authentication and AES-256 encryption. Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly. If both are not configured to use authentication and encryption, or the keys used are not valid, the other party rejects the messages.

Authentication and encryption for the BMP protocol are strongly recommended, so the user should configure both of them (BMP is unauthenticated by default, unlike the other protocols).

For security reasons the first authentication and encryption key(s) should be created in the NE using CLI over SSH, or alternatively using a CLI connection through the serial port during NE installation. Later, when transmission is in encrypted mode, new key(s) can be created using BMP communication from Tellabs 8000 network manager.

4.2 BMP Configuration Examples

The following CLI commands are needed to configure the BMP Agent shown in the figure below.

Fig. 3 Tellabs 8000 Network Manager Uses IP Addresses to Connect to Tellabs 8600 NEs over TCP/IP or UDP/IP

Command                                                  Description

router(config)# bmp-server enable                        Enable the BMP Agent.

router(config)# ip access-list bmpAccList                Create an IP access list for access rights purposes.

router(config-acl)# permit udp host 172.19.12.102 any    This IP access list permits all UDP/IP messages coming from host 172.19.12.102.

router(config-acl)# exit                                 Change back to the Configure command mode.

router(config)# bmp-server access-group bmpAccList       Limit the BMP Agent access rights with the IP access list bmpAccList. The access list permits the BMP Agent to receive only those BMP messages coming from host 172.19.12.102.

router(config)# bmp-server notifications destination 172.19.12.102
                                                         Register the manager with IP address 172.19.12.102 to receive BMP notifications.

router(config)# bmp-server notifications disable         Disable BMP notification sending. Use this command when BMP notifications should no longer be sent.

The following CLI commands are needed to configure the recommended BMI SHA-1 authentication configuration.

Command Description

router(config)# bmp-server authentication-key 1 sha1 abcdefg123456
router(config)# bmp-server trusted-key 1
router(config)# bmp-server authenticate command
                                                         Enable BMI SHA-1 authentication.

router(config)# no bmp-server authenticate command
router(config)# no bmp-server trusted-key 1
router(config)# no bmp-server authentication-key 1 sha1 abcdefg123456
                                                         Disable BMI SHA-1 authentication.

The following CLI commands are needed to configure the SHA-1 authentication and AES encryption.

Command Description

router(config)# bmp-server encryption-key 1 aes256 ivec xxxx key yyyy
router(config)# bmp-server encryption-trusted-key 1
router(config)# bmp-server encrypt command
                                                         Enable the SHA-1 authentication and AES encryption.

router(config)# no bmp-server encrypt command
router(config)# no bmp-server encryption-trusted-key 1
router(config)# no bmp-server encryption-key 1 aes256 ivec xxxx key yyyy
                                                         Disable the SHA-1 authentication and AES encryption.
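As an added example (not from the manual or from Tellabs), the Python script below replays the bmp-server commands of a CLI transcript or configuration snapshot, including the "no" forms shown above, and checks the resulting BMP Agent settings against the recommendations of chapters 1.1 and 4.1: an access list restricting the managers, authentication and encryption enabled with trusted-key ids that point at configured keys, and no key copied from this manual's examples. The minimum key length, the finding names and the sample configuration are assumptions of this example.

```python
from typing import Dict, List, Optional

# Keys that appear in the worked examples above; they are documentation, not
# secrets, and must not survive into a production NE. MIN_KEY_LEN is this
# example's own threshold (assumption); the manual only says to choose
# complex keys.
PLACEHOLDER_KEYS = {"abcdefg123456", "yyyy"}
MIN_KEY_LEN = 16


def _arg(tokens: List[str], i: int) -> Optional[str]:
    return tokens[i] if i < len(tokens) else None


def bmp_state(config: str) -> Dict:
    """Replay the 'bmp-server' commands (and their 'no' forms) in order and
    return the resulting agent settings; other commands are ignored."""
    st: Dict = {"enabled": False, "access_group": None,
                "auth_keys": {}, "trusted_key": None, "authenticate": False,
                "enc_keys": {}, "enc_trusted_key": None, "encrypt": False}
    for line in config.splitlines():
        tokens = line.split("# ", 1)[-1].split()   # drop the CLI prompt
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0] != "bmp-server":
            continue
        sub, ident = tokens[1], _arg(tokens, 2)
        if sub == "enable":
            st["enabled"] = not negate
        elif sub == "access-group":
            st["access_group"] = None if negate else ident
        elif sub == "authentication-key":        # <id> sha1 <key>
            if negate:
                st["auth_keys"].pop(ident, None)
            else:
                st["auth_keys"][ident] = _arg(tokens, 4)
        elif sub == "trusted-key":
            st["trusted_key"] = None if negate else ident
        elif sub == "authenticate":
            st["authenticate"] = not negate
        elif sub == "encryption-key":            # <id> aes256 ivec <iv> key <key>
            if negate:
                st["enc_keys"].pop(ident, None)
            else:
                st["enc_keys"][ident] = _arg(tokens, 7)
        elif sub == "encryption-trusted-key":
            st["enc_trusted_key"] = None if negate else ident
        elif sub == "encrypt":
            st["encrypt"] = not negate
    return st


def audit_bmp(config: str) -> List[str]:
    """Findings against chapters 1.1 and 4.1. A disabled agent needs no
    further checks (unused protocols should stay disabled)."""
    st = bmp_state(config)
    findings: List[str] = []
    if not st["enabled"]:
        return findings
    if st["access_group"] is None:
        findings.append("no-access-group")
    if not st["authenticate"]:
        findings.append("authentication-off")
    else:
        key = st["auth_keys"].get(st["trusted_key"])
        if key is None:
            findings.append("trusted-key-not-configured")
        elif key in PLACEHOLDER_KEYS or len(key) < MIN_KEY_LEN:
            findings.append("weak-authentication-key")
    if not st["encrypt"]:
        findings.append("encryption-off")
    else:
        key = st["enc_keys"].get(st["enc_trusted_key"])
        if key is None:
            findings.append("encryption-trusted-key-not-configured")
        elif key in PLACEHOLDER_KEYS or len(key) < MIN_KEY_LEN:
            findings.append("weak-encryption-key")
    return findings


# Constructed sample: the agent is enabled and authenticated, but the key was
# copied from the manual, the access list was created yet never applied to the
# agent, and the encryption trusted-key id points at a key that was never set.
SAMPLE_CONFIG = """\
router(config)# bmp-server enable
router(config)# ip access-list bmpAccList
router(config-acl)# permit udp host 172.19.12.102 any
router(config-acl)# exit
router(config)# bmp-server notifications destination 172.19.12.102
router(config)# bmp-server authentication-key 1 sha1 abcdefg123456
router(config)# bmp-server trusted-key 1
router(config)# bmp-server authenticate command
router(config)# bmp-server encryption-key 1 aes256 ivec 0123456789abcdef key Qm3vX9kL2pT8wZ5nR7sY
router(config)# bmp-server encryption-trusted-key 2
router(config)# bmp-server encrypt command
"""

if __name__ == "__main__":
    for finding in audit_bmp(SAMPLE_CONFIG):
        print("finding:", finding)
```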

5 FTP

5.1 Overview

File Transfer Protocol (FTP) is a TCP/IP standard protocol. It is used to transfer files from one machine to another. Tellabs 8600 FTP server provides FTP server functionality for Tellabs 8600 NEs according to the standard FTP protocol. Tellabs 8600 FTP server is used for delivering Tellabs 8600 application software files to NE cards for software upgrading purposes. The FTP server is also used for sending CLI config snapshot files to the NE.

Fig. 4 User Establishes TCP Connection to Tellabs 8600 NE and Sends Files to Flash Memory of NE via FTP

The user sends files from his/her PC to the flash memory of the card via FTP. First the user starts an FTP client session on his/her PC and connects it to the FTP server in the Tellabs 8600 NE using the IP address of the NE. Once connected to the NE, FTP can be used for accessing any file and directory in the NE. The FTP server must be enabled before use. Note that FTP carries the username, password and file contents unencrypted; chapter 8 describes the SSH server and SFTP, which this guide offers as a replacement for FTP.

5.2 FTP Configuration Examples

The following CLI command is needed to enable the FTP server.

router(config)# ftp-server enable
    Enable the FTP server.

The following FTP commands are needed to transfer an application software file to the card in slot 9 in the Tellabs 8600 NE. See the figure above.


C:\temp> ftp 172.19.101.10
    Start the FTP connection to the remote host with IP address 172.19.101.10.

Connected to 172.19.101.10.
    FTP connection succeeded.

*********************************
* Tellabs 86XX Network Element  *
* Copyright (c) 2004 Tellabs. All rights reserved. *
*********************************
220 FTP server running on unit in slot 14.
    Tellabs 8600 accessed.

User (172.19.101.10:(none)): superuser
    Type username.

331 User name ok

Password: *********
    Type password.

230 User superuser logged in

ftp> cd flash\appl-sw\slot9
    Change the current directory to the application software directory.

250 Directory change succeeded

ftp> dir
    Display files and subdirectories in the current directory.

200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1920485 Dec 1 12:00 bbip_gmz2711_1.1
-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5
226 File transferred
ftp: 258 bytes received in 0,00Seconds 258000,00Kbytes/sec.

ftp> del bbip_gmz2711_1.1
    Delete a file.

200 Command ok
200 Command ok

ftp> bin
    Change to binary mode. This is needed for file checksum calculations.

200 Command ok


ftp> put c:\newfiles\bbip_gmz2711_1.6
    Move a new file to the remote host.

200 Command ok
150 File status ok
226 File transferred
ftp: 1909887 bytes sent in 11,60Seconds 164,70Kbytes/sec.

ftp> dir
    Display files and subdirectories in the current directory.

200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5
-rwxrwxrwx 1 user group 1909887 Dec 1 12:00 bbip_gmz2711_1.6
226 File transferred
ftp: 342 bytes received in 0,01Seconds 34,20Kbytes/sec.

ftp> bye
    Disconnect the FTP session.

200 Command ok
200 Command ok
C:\temp>


6 SNMP


6.1 Overview

The Tellabs 8600 SNMP (Simple Network Management Protocol) Agent provides management agent functionality for Tellabs 8600 NEs according to the standard SNMP protocol. Generally, an SNMP Agent is an entity in a network element that collects network management related statistics, responds to commands from SNMP managers, and sends spontaneous messages (traps) to the managers when local conditions undergo significant changes. SNMP works over the UDP/IP protocol.

The Tellabs 8600 system supports the SNMP MIB-II group variables and traps listed in chapter 6.1.1 References.

The Tellabs 8600 SNMP Agent supports the SNMP requests GET and GET-NEXT for versions SNMPv1 and SNMPv2. The Tellabs 8600 SNMP Agent generates SNMPv1 and SNMPv2 traps. The GET-BULK operation is provided for version SNMPv2.

The SNMP authentication element, the community name, is checked in every SNMP request message arriving at the Tellabs 8600 NE. If the community name is not registered in the SNMP Agent configuration, the request is dropped and an authenticationFailure trap is generated. Because SNMPv1 and SNMPv2c carry the community name in clear text, the source address restriction below is the stronger of the two additional controls. There are also other ways to limit the access rights of a specified community name appended to an SNMP request entering the Tellabs 8600 NE:

• Access rights to some SNMP mib groups can be denied. By default, all mib groups are accessible.

• Only SNMP requests arriving from specific source addresses are received; other requests are dropped. In this case an IP access list is appended to the community name. The access list specifies the allowed source addresses.

When a trap is generated in the Tellabs 8600 NE, the trap message is sent to those SNMP managers that are registered for trap receiving. The registration specifies the IP address of the manager, the allowed SNMP trap version and the community name. The community name is added to the trap message for authentication in the receiving SNMP manager. Only traps of the specified trap version are sent to the registered manager. Trap types can also be filtered. The filter specifies the enabled traps: the user can enable all possible traps, all traps of specific mib group(s), or just individual trap(s).


6.1.1 References

RFC1213 (1991-03), Management information base for network management in TCP/IP based Internets: MIB-II

RFC1657 (1994-07), Definitions of managed objects for the fourth version of the border gateway protocol (BGP-4) using SMIv2

RFC1850 (1995-11), OSPF version 2 management information base

RFC1907 (1996-01), Management information base for version 2 of the simple network management protocol (SNMPv2)

RFC2011 (1996-11), SNMPv2 management information base for the Internet protocol using SMIv2

RFC2012 (1996-11), SNMPv2 management information base for the transmission control protocol using SMIv2

RFC2013 (1996-11), SNMPv2 management information base for the user datagram protocol using SMIv2

RFC2096 (1997-01), IP forwarding table MIB

RFC2863 (2000-06), The interfaces group MIB (IF-MIB)


6.2 SNMP Configuration Examples

The following CLI commands are needed to configure the SNMP Agent shown in the figure below.

Fig. 5 SNMP Manager Sends Requests to SNMP Agent of Tellabs 8600 NE

router(config)# snmp-server enable
    Enable SNMP requests and traps.

router(config)# ip access-list snmpAccList
    Create an IP access list for access right purposes.

router(config-acl)# permit udp host 172.19.12.105 any
    The access list allows UDP messages coming from host 172.19.12.105.

router(config-acl)# exit
    Change back to the Configure command mode.

router(config)# snmp-server community hugo mib system snmp access-group snmpAccList
    Register community name hugo to allow SNMP requests concerning SNMP variables of the mib groups system and snmp. Only requests from sources permitted in access list snmpAccList are allowed.

router(config)# snmp-server traps host 172.19.12.105 version 1 community hugoV1
    Register an SNMP manager with IP address 172.19.12.105 to receive traps from the Tellabs 8600 SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV1. Only SNMPv1 traps are sent to the manager.

router(config)# snmp-server traps host 172.19.12.105 version 2c community hugoV2
    Register an SNMP manager with IP address 172.19.12.105 to receive traps from the Tellabs 8600 SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV2. Only SNMPv2 traps are sent to the manager.

router(config)# snmp-server traps mib snmp authenticationFailure
    Enable the snmp mib group trap authenticationFailure.


router(config)# snmp-server traps mib snmp
    Now all snmp mib group traps are enabled.

router(config)# snmp-server traps mib all
    Now traps of all mib groups are enabled.

router(config)# no snmp-server traps mib snmp authenticationFailure
    Now traps of all mib groups are enabled except the authenticationFailure trap of the snmp mib group.

router(config)# no snmp-server traps mib all
    All traps are disabled.

router(config)# snmp-server traps source lo1
    Set the value of the traps source attribute. This value is used in SNMPv1 Trap messages.

router(config)# snmp-server location Oak street 7, Laboratory 2nd floor
    Set the value of the system mib group variable sysLocation.

router(config)# snmp-server contact Joe J. Jones, assistant
    Set the value of the system mib group variable sysContact.
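The access checks of 6.1 (community name, mib group restriction, source access list, authenticationFailure trap) and the trap registrations of the table above combine into a small decision procedure. The following Python model is an added example written for this guide, not Tellabs code: it applies the checks in the order the overview describes, delivers an enabled trap to each registered manager tagged with that manager's community and version, and expands "mib all" / whole-group selections so that "enable all, then disable one" behaves as the table states. The trap catalogue inside it is a constructed subset of MIB-II traps, and configure_example() reproduces the community, access list and trap hosts of the table above.

```python
"""Model of the SNMP agent access control and trap registration described in
this chapter. Added example, not Tellabs code; the trap catalogue below is a
small constructed subset of MIB-II traps."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed subset of MIB-II traps, keyed by mib group.
TRAP_CATALOGUE = {
    "snmp": {"coldStart", "warmStart", "authenticationFailure"},
    "interfaces": {"linkDown", "linkUp"},
}


@dataclass
class Community:
    name: str
    mib_groups: frozenset | None = None   # None: every mib group (the default)
    access_list: list | None = None       # permitted source networks; None: any source


@dataclass
class TrapHost:
    address: str
    version: str      # "1" or "2c": the only trap version this manager receives
    community: str    # community name written into the trap message


@dataclass
class SnmpAgent:
    communities: dict = field(default_factory=dict)
    trap_hosts: list = field(default_factory=list)
    enabled_traps: set = field(default_factory=set)   # (mib group, trap name)
    sent_traps: list = field(default_factory=list)    # (host, version, community, trap)

    def add_community(self, name, mib_groups=None, access_list=None):
        groups = frozenset(mib_groups) if mib_groups else None
        nets = [ip_network(n) for n in access_list] if access_list else None
        self.communities[name] = Community(name, groups, nets)

    def add_trap_host(self, address, version, community):
        self.trap_hosts.append(TrapHost(address, version, community))

    def _select(self, mib_group, trap=None):
        """Expand 'all' or a whole mib group into (group, trap) pairs, as the CLI does."""
        groups = TRAP_CATALOGUE if mib_group == "all" else {mib_group: TRAP_CATALOGUE[mib_group]}
        return {(g, t) for g, traps in groups.items() for t in traps if trap in (None, t)}

    def enable_traps(self, mib_group, trap=None):
        self.enabled_traps |= self._select(mib_group, trap)

    def disable_traps(self, mib_group, trap=None):
        self.enabled_traps -= self._select(mib_group, trap)

    def trap_enabled(self, mib_group, trap):
        return (mib_group, trap) in self.enabled_traps

    def emit_trap(self, mib_group, trap):
        """Send an enabled trap to every registered manager, labelled with the
        manager's community name and in the version it registered for.
        Returns the number of trap messages sent."""
        if not self.trap_enabled(mib_group, trap):
            return 0
        for host in self.trap_hosts:
            self.sent_traps.append((host.address, host.version, host.community, trap))
        return len(self.trap_hosts)

    def handle_request(self, source, community, mib_group):
        """Apply the checks of the overview in order; return 'accept' or the drop reason."""
        entry = self.communities.get(community)
        if entry is None:
            # Unknown community: drop and raise authenticationFailure (if enabled).
            self.emit_trap("snmp", "authenticationFailure")
            return "dropped: unknown community"
        if entry.access_list is not None and not any(ip_address(source) in n for n in entry.access_list):
            return "dropped: source not permitted by access list"
        if entry.mib_groups is not None and mib_group not in entry.mib_groups:
            return "dropped: mib group not accessible"
        return "accept"


def configure_example():
    """Agent configured like the CLI table above: community hugo limited to the
    system and snmp groups and to host 172.19.12.105, two trap registrations
    for that manager, and the authenticationFailure trap enabled."""
    agent = SnmpAgent()
    agent.add_community("hugo", ["system", "snmp"], ["172.19.12.105/32"])
    agent.add_trap_host("172.19.12.105", "1", "hugoV1")
    agent.add_trap_host("172.19.12.105", "2c", "hugoV2")
    agent.enable_traps("snmp", "authenticationFailure")
    return agent
```

A request with an unregistered community is the only case that produces a trap; a request from a source outside snmpAccList is silently dropped, so a manager watching for authenticationFailure traps does not see address-based rejections.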


7 RADIUS


7.1 Overview

RADIUS is a popular AAA (Authentication, Authorization, Accounting) protocol. The Tellabs 8600 system supports RADIUS for administrator authentication in CLI and FTP sessions. The Tellabs 8600 system implementation is based on [RFC2865]. The motive for using RADIUS is that with a large number of network elements it easily becomes a tedious task to maintain and update the user databases in the NEs. RADIUS solves the problem by moving the user database and the authentication decision away from the NEs to one or more centralized servers. For example, adding a new administrator is simply a matter of reconfiguring the RADIUS server(s) instead of individually adding a new account to each NE.

The RADIUS protocol is implemented on top of the UDP protocol. The authentication is initiated by the client with an access request packet that contains the username and password of the user logging in. The server responds with an access granted or access denied packet. As its security mechanism, RADIUS employs a shared secret, which is configured both on the client and on the server but is never transmitted on the network during RADIUS authentication. The shared secret is used to encrypt the user-provided password and to verify that the authentication response from the server is genuine.

The Tellabs 8600 RADIUS client supports the concept of AAA contexts. A context consists of a list of one or more RADIUS authentication servers and a setting for whether the context uses the local (NE) user database as the primary or the secondary source of authentication. The context can then be bound to one of the four services needing login (local CLI, Telnet, SSH and FTP). There is always a default context which, unless otherwise configured, uses the local user database for authentication.

One or more RADIUS servers can be configured for a context. In addition, they can have an associated priority value that specifies the preference for accessing the servers. In a typical configuration, there is a primary RADIUS server and a secondary server that backs up the primary server.


Fig. 6

7.1.1 References

[RFC2865] RFC2865 (06/2000), Remote Authentication Dial In User Service (RADIUS)

7.2 RADIUS Configuration Examples

The following example shows how to produce a simple RADIUS configuration from scratch with the following relevant parameters:

• A single RADIUS server exists (IP address 193.64.170.160).

• The local (NE) user database is used as a fallback if the RADIUS server is not reached after three retries. There is a five-second delay between the retries.

• RADIUS is used for all services needing login.

The first step is to configure the RADIUS server.

router(config)# aaa radius authentication-server MyServer
    Adds a new RADIUS authentication server named MyServer and enters server configuration mode.

router(cfg-radius-auth[MyServer])# server-address 193.64.170.160
    Configures the server's IP address.

router(cfg-radius-auth[MyServer])# shared-secret text MyPassword
    Configures a shared secret as a text format password. An arbitrary binary format secret could also be used, but not all RADIUS servers support them.

router(cfg-radius-auth[MyServer])# retry 3
    Packets to the server are retransmitted up to three times if no response is received.


router(cfg-radius-auth[MyServer])# timeout 5000
    Sets the retransmission timeout to 5000 milliseconds (five seconds).

router(cfg-radius-auth[MyServer])# exit
    Exits RADIUS authentication server configuration mode.

Do not configure the shared secret over an insecure connection. If the shared secret is remotely configured, the use of SSH is strongly recommended.

The next step is to create and configure the AAA context.

router(config)# aaa context MyContext
    Creates a new context "MyContext" and enters context configuration mode.

router(cfg-aaa[MyContext])# bind radius authentication-server MyServer
    Associates the previously configured server with this context. Since no priority is specified, the default priority is used. Priority is not meaningful when there is only one server.

router(cfg-aaa[MyContext])# order radius local
    Specifies the authentication sources for the context. RADIUS is used primarily; local user database authentication is attempted if RADIUS authentication fails.

router(cfg-aaa[MyContext])# exit
    Exits context configuration mode.

Finally, the context has to be bound to the services and RADIUS authentication enabled.

router(config)# aaa bind service cli-local context MyContext
router(config)# aaa bind service cli-telnet context MyContext
router(config)# aaa bind service ssh context MyContext
router(config)# aaa bind service ftp context MyContext
    Binds MyContext to all services needing login.

router(config)# aaa radius authentication enable
    Enables RADIUS authentication in the NE.

router(config)# show aaa detail
    Displays all RADIUS-related settings for review.


7.3 RADIUS Server Configuration

RADIUS is a commonly supported protocol with many different server implementations available. While most aspects of its operation are well standardized, there are some details in the Tellabs 8600 RADIUS client implementation that one is required to be aware of when configuring the server. Please see the documentation of your RADIUS server for more information about how to configure it.

Tellabs 8600 user accounts have, in addition to username and password, a numeric privilege level associated with them. This privilege level must be present in every Access-Accept message from the RADIUS server. If it is omitted, the privilege level defaults to 1, which gives the user very restricted access. The privilege level is implemented as a RADIUS Vendor-Specific Attribute with Vendor-Id 1397, Vendor type 1, and the attribute value coded as a 32-bit unsigned integer.

# Tellabs dictionary - dictionary.tellabs
#
# Enable by putting the line "$INCLUDE dictionary.tellabs" into
# the main dictionary file.
#
VENDOR Tellabs 1397
#
# Vendor-specific attributes
#
ATTRIBUTE Tellabs-UserPrivilegeLevel 1 integer Tellabs
    An example of a RADIUS server dictionary file for the privilege level attribute that works with many RADIUS servers.

Information transmitted in attributes can be used to fine-tune authorization decisions on the server. For example, one might want to restrict a user's access rights by allowing login to a limited set of NEs. The table below lists the attributes used and recognized by the RADIUS client in the Tellabs 8600 system.

Attribute (direction): Description

User-Name (OUT): Name of the user to authenticate. The attribute is omitted if the username is empty.

User-Password (OUT): Password entered by the user.

NAS-Identifier (OUT): Text string consisting of the network element's Router ID number.

Service-Type (OUT): Set to Administrative for all four login services.

NAS-Port-Type (OUT): Set to Async in case of local CLI login; set to Virtual in TELNET, SSH and FTP logins.

Tellabs-UserPrivilegeLevel (IN): Privilege level of an accepted user. Vendor-specific integer attribute with Vendor-Id 1397 and Vendor type 1.
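The shared-secret mechanism described in 7.1 and the privilege-level attribute of this section are both plain RFC 2865 byte handling. The following Python module is an added example written for this guide, not Tellabs code: it hides a User-Password with the shared secret and the Request Authenticator, verifies the Response Authenticator of an Access-Accept so that a reply forged without the secret or altered in transit is rejected, and encodes and decodes the Tellabs-UserPrivilegeLevel VSA (Vendor-Id 1397, Vendor type 1, 32-bit unsigned integer), applying the default of level 1 when the attribute is absent. The attribute numbers come from RFC 2865 and the vendor values from this guide; the function names are the example's own.

```python
"""RFC 2865 building blocks of a RADIUS client, written for this guide as an
added example (not Tellabs code): hiding User-Password with the shared secret,
checking an Access-Accept's Response Authenticator, and coding the
Tellabs-UserPrivilegeLevel Vendor-Specific Attribute."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
TELLABS_VENDOR_ID = 1397          # Vendor-Id given in the guide
TELLABS_PRIVILEGE_LEVEL_TYPE = 1  # Vendor type of Tellabs-UserPrivilegeLevel


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator.
    The secret itself never appears on the wire."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def iter_attributes(data: bytes):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def encode_privilege_level(level: int) -> bytes:
    """Vendor-Specific attribute (26) carrying the privilege level as a
    32-bit unsigned integer under Vendor-Id 1397, Vendor type 1."""
    if not 0 <= level <= 0xFFFFFFFF:
        raise ValueError("privilege level must fit in 32 bits")
    value = struct.pack("!IBBI", TELLABS_VENDOR_ID, TELLABS_PRIVILEGE_LEVEL_TYPE, 6, level)
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(value)) + value


def privilege_level(attrs: bytes, default: int = 1) -> int:
    """Read Tellabs-UserPrivilegeLevel from an Access-Accept's attributes;
    a missing attribute means level 1 (very restricted), as the guide states."""
    for atype, value in iter_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != TELLABS_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == TELLABS_PRIVILEGE_LEVEL_TYPE and len(vvalue) == 4:
                return struct.unpack("!I", vvalue)[0]
    return default


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """The packet a genuine server returns for the request carrying request_auth."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check that the response came from a holder of the shared
    secret and was not altered in transit; compared in constant time."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The MD5 constructions are fixed by RFC 2865, so the only tunable is the secret itself: its length and randomness decide how hard the password hiding and the response check are to defeat, which is why the guide says not to configure it over an insecure connection. The Request Authenticator must be fresh and unpredictable for every request; the fixed value used in the test below is for reproducibility only.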


8 SSH


8.1 Overview

SSH (Secure Shell) is a commonly used protocol built on TCP/IP offering remote login and file transfer functionality. In the Tellabs 8600 system, SSH can be used as a replacement for the TELNET and FTP protocols. A major advantage is that SSH provides strong security, making eavesdropping and hijacking of connections on the wire practically impossible. The Tellabs 8600 system contains a built-in SSH server that can be used with many free and commercial SSH client programs.

The following security features exist in the SSH protocol:

• Encryption is used throughout the connection in both directions. The server and client negotiate a suitable symmetric encryption algorithm at the beginning of the session. The encryption keys are automatically generated and exchanged at the same time.

• Authentication codes are used during the session. Any attempt to change the data by a man-in-the-middle attacker will cause an immediate termination of the session.

• Host authentication allows the client to verify that the server it is talking to is really who it claims to be. This is accomplished by the server having a public-private key pair (the host key). The client receives and stores the public part of the key upon its first contact with the server. On subsequent sessions, the server can prove its identity by possession of the private part of the key.

• User authentication identifies the user to the server. User authentication is traditionally done with a username/password pair. In addition to password authentication, SSH also supports public key authentication. In this authentication method, the user authenticates himself by possessing the private part of a public-private key pair. It is required, however, that the public part of the key is stored in the server in advance.

The Tellabs 8600 SSH server only supports SSH protocol version 2. While all modern SSH clients support version 2 of the protocol, this might be an issue with some old clients. The SFTP protocol runs on top of the SSH protocol and provides secure file transfer services.

8.2 SSH Configuration Examples

Taking the SSH protocol into use on a network element requires some preconfiguration. The host key pair needs to be generated for the network element. The Tellabs 8600 SSH server can use both DSA (2) and RSA type key pairs (the names refer to the algorithms used). It is possible to have an active host key for either or both of these types, but only one is needed. DSA is suggested as it is guaranteed to be supported by all compliant SSH version 2 clients.

(2) Some clients call these DSS keys.


router(config)# crypto generate key 1 ssh2-dsa
    Starts generating a DSA type key pair. The key generation is done in the background and may take several minutes to complete. The key will have index 1.

router(config)# show crypto key
Key 1 [NOT ACTIVE] - Type: ssh2-dsa - Size: 2048 bits
Fingerprint: de:08:ee:b9:f5:91:53:0b:f7:de:26:fe:25:4c:ca:10
    Once the key has been generated, it is shown in the key list. The fingerprint can be used for verification of the host's identity on the client side as it is unique for each key.

router(config)# cli-server ssh host-key 1
    Activates the generated key as the SSH server host key.

router(config)# cli-server ssh enable
    Enables the SSH server. After this step, the network element will allow incoming SSH and SFTP connections.

Enabling public key authentication for a user requires the user to generate the key pair (or use an existing key pair) on the client. The example below is shown for the OpenSSH client.

$ ssh-keygen -b 2048 -t dsa -f mykey -N mypassphrase
    This command is run on the client to generate the key pair. Two files are generated: mykey contains the private key, mykey.pub is the public part of the key in OpenSSH format.

$ ssh-keygen -e -f mykey.pub >mykey_ssh2.pub
    Converts the public key to the standard SSH2 public key file format as required by the SSH server in the Tellabs 8600 system. The resulting public key file is mykey_ssh2.pub.


$ ftp 172.19.101.10
Connected to 172.19.101.10.
220-**************************************
220-*                                    *
220-* Tellabs 8620 Network Element       *
220-*                                    *
220-* Copyright (c) 2004 Tellabs. All rights reserved. *
220-*                                    *
220-**************************************
User (172.19.101.10:(none)): superuser
331 User name ok
Password:
230 User superuser logged in
ftp> cd /flash/cli-script
250 Directory change succeeded
ftp> put mykey_ssh2.pub
200 Command ok
...
    For importing the key, it has to be transferred to the network element's file system. In this example, FTP is used. The CLI script directory is used as a temporary location for placing the key. The key file can be deleted after it has been imported.

router(config)# crypto load flash:/flash/cli-script/mykey_ssh2.pub key 2
    Imports the key from the flash file system to the internal key storage. This public key will have index 2. It is associated with the currently logged on user, allowing only this particular user to log in with the public key.

router(config)# show crypto key 2
Key 2 [ACTIVE] - Type: ssh2-dsa-public - Size: 2048 bits
Owner: superuser
Fingerprint: 13:c6:60:ed:91:30:23:65:36:84:80:6a:d1:5e:a5:c5
Comment: 2048-bit DSA, converted from OpenSSH by superuser@FIOU0203
    Shows the properties of the public key. The properties and the option to remove a public key are only available to the key's owner or a user with superuser privileges.

$ ssh [email protected] -i mykey
    Logs in to the NE using the key stored in file mykey. The passphrase is asked for, if one was given in key generation.
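The two artefacts handled in the tables above are the colon-separated MD5 fingerprint printed by show crypto key and the SSH2 public key file produced by ssh-keygen -e. The following Python script is an added example written for this guide, not Tellabs code: it parses an RFC 4716 (SSH2) public key file, including continued header lines, computes the MD5 fingerprint in the 16-group colon-hex form the guide shows, and compares it in constant time against a fingerprint recorded out of band, which is the check a client should make on its first contact with a host before trusting the stored host key. The key file embedded in it is constructed (its body is just the bytes "abc") and is not a real key.

```python
"""Parse an RFC 4716 ("standard SSH2") public key file and compute the MD5
colon-hex fingerprint. Added example for this guide, not Tellabs code."""
import base64
import hashlib
import hmac

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"

# Constructed sample: the body is base64 of the three bytes b"abc", not a real key.
# The Comment header is split over two lines with a trailing backslash, as RFC 4716 allows.
SAMPLE_KEY_FILE = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed sample, \\
not a real key"
YWJj
---- END SSH2 PUBLIC KEY ----
"""


def parse_ssh2_public_key(text: str):
    """Return (headers, key_blob) from an RFC 4716 public key file.
    Header lines contain ':' (base64 never does); a trailing backslash
    continues a header on the next line. Body lines are concatenated and
    base64-decoded with validation so stray characters are rejected."""
    lines = text.splitlines()
    if BEGIN_MARKER not in lines or END_MARKER not in lines:
        raise ValueError("missing SSH2 public key begin/end markers")
    i, end = lines.index(BEGIN_MARKER) + 1, lines.index(END_MARKER)
    if end < i:
        raise ValueError("end marker precedes begin marker")
    headers, body = {}, []
    while i < end:
        line = lines[i]
        i += 1
        if ":" in line:
            while line.endswith("\\") and i < end:
                line = line[:-1] + lines[i]
                i += 1
            tag, _, value = line.partition(":")
            headers[tag.strip()] = value.strip()
        elif line.strip():
            body.append(line.strip())
    if not body:
        raise ValueError("no key body")
    blob = base64.b64decode("".join(body), validate=True)
    return headers, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex of MD5 over the raw key blob: the 16-group format
    that 'show crypto key' prints in the guide (e.g. de:08:ee:...)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_matches(blob: bytes, expected: str) -> bool:
    """Constant-time comparison of the computed fingerprint with one the
    operator recorded from the NE console or another trusted channel."""
    return hmac.compare_digest(md5_fingerprint(blob), expected.strip().lower())


def fingerprint_of_key_file(text: str) -> str:
    """Convenience: fingerprint straight from the SSH2 public key file text."""
    _, blob = parse_ssh2_public_key(text)
    return md5_fingerprint(blob)


if __name__ == "__main__":
    headers, blob = parse_ssh2_public_key(SAMPLE_KEY_FILE)
    print(headers.get("Comment"), md5_fingerprint(blob))
```

Recent OpenSSH releases print SHA-256 fingerprints by default; ssh-keygen -l -E md5 -f mykey.pub prints the MD5 form on the OpenSSH-format file so it can be compared with the value the NE shows.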

When the public key is no longer needed, it should be removed.

router(config)# clear crypto key 2
    Discards the public key. Only the key's owner or a user with superuser privileges can remove a key.
