Tellabs 8600 Managed Edge System
Management Communications Configuration Guide
50125_04
30.11.09
Document Information

Revision History

Document No.  Date      Description of Changes
50125_04      30.11.09  The default TELNET value updated in chapters 3.1 and 3.2. Information on displaying terminal monitor messages is updated in chapter 3.1.
50125_03      25.09.09  Affected feature packs updated on page 2.
50125_02      27.03.09  Tellabs 8607 access switch support added.

This manual documents the following network elements and the corresponding feature packs or higher:

FP1.0A  Tellabs 8607 access switch
FP1.3   Tellabs 8605 access switch
FP2.11  Tellabs 8620 access switch, Tellabs 8630 access switch, Tellabs 8660 edge switch
© 2009 Tellabs. All rights reserved.

This Tellabs manual is owned by Tellabs or its licensors and protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties.

The following trademarks and service marks are owned by Tellabs Operations, Inc. or its affiliates in the United States and/or other countries: TELLABS®, the TELLABS® logo, TELLABS and T symbol®, and T symbol®. Any other company or product names may be trademarks of their respective companies.

The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

Adobe® and Reader® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Tellabs® 8600 Managed Edge System, 50125_04. Management Communications Configuration Guide, © 2009 Tellabs. Page 2.
Terms and Abbreviations

Term      Explanation
AAA       Authentication, Authorization, Accounting
ACL       Access Control List
AES-256   Advanced Encryption Standard with a 256-bit key
BMI       Broadband Management Interface
BMP       Broadband Management Protocol. A communication protocol which is used between Tellabs 8600 network elements and Tellabs 8000 network manager.
CCN       Configuration Change Notification
CLI       Command Line Interface
DiffServ  Differentiated Services
DSA       Digital Signature Algorithm
FTP       File Transfer Protocol
IP        Internet Protocol
MIB       Management Information Base (SNMP)
MPLS      Multiprotocol Label Switching
NAS       Network Access Server
NE        Network Element
NTP       Network Time Protocol
OCNM      Online Core Network Monitoring
QoS       Quality of Service
RADIUS    Remote Authentication Dial-In User Service. Commonly used to provide centralized authentication, authorization, and accounting functionalities.
RFC       Request for Comments
RSA       Rivest, Shamir, Adleman. An algorithm for public-key cryptography.
SFTP      SSH File Transfer Protocol. Also Secure File Transfer Program.
SHA1      Secure Hash Algorithm 1
SNMP      Simple Network Management Protocol
SSH       Secure Shell
TCP       Transmission Control Protocol
UDP       User Datagram Protocol
Unit      In CLI, refers to a card.
Table of Contents

About This Manual ... 7
  Objectives ... 7
  Audience ... 7
  Related Documentation ... 7
  Interface Numbering Conventions ... 8
  Document Conventions ... 8
  Documentation Feedback ... 8
1 Management Communications ... 9
  1.1 Security Considerations ... 9
  1.2 Classifying Management Traffic with DiffServ ... 10
  1.3 Outband Management and Management VRFs ... 10
  1.4 Management Traffic Configuration Examples ... 11
2 TELNET ... 14
  2.1 Overview ... 14
3 CLI ... 15
  3.1 Overview ... 15
  3.2 CLI Configuration Examples ... 16
4 BMP ... 17
  4.1 Overview ... 17
  4.2 BMP Configuration Examples ... 18
5 FTP ... 20
  5.1 Overview ... 20
  5.2 FTP Configuration Examples ... 20
6 SNMP ... 23
  6.1 Overview ... 23
    6.1.1 References ... 24
  6.2 SNMP Configuration Examples ... 25
7 RADIUS ... 27
  7.1 Overview ... 27
    7.1.1 References ... 28
  7.2 RADIUS Configuration Examples ... 28
  7.3 RADIUS Server Configuration ... 30
8 SSH ... 31
  8.1 Overview ... 31
  8.2 SSH Configuration Examples ... 31
About This Manual

This chapter discusses the objectives and intended audience of this manual, Tellabs® 8600 Managed Edge System Management Communications Configuration Guide, and consists of the following sections:

- Objectives
- Audience
- Related Documentation
- Interface Numbering Conventions
- Document Conventions
- Documentation Feedback

Objectives

This manual provides an overview of the Tellabs 8600 managed edge system management communication functions and instructions on how to configure them with the command-line interface (CLI) using a router's console or a remote terminal (TELNET).

Audience

This manual is designed for administration personnel configuring Tellabs 8600 managed edge system functions with CLI. Tellabs 8000 network manager provides the same functionality to administration personnel through a graphical user interface.

It is assumed that you have a basic understanding of the BMP, CLI, FTP, SNMP, RADIUS and SSH protocols.
Related Documentation (1)

Tellabs® 8600 Managed Edge System CLI Commands Manual (50117_XX): Provides commands available to configure, monitor and maintain Tellabs 8600 managed edge system products with CLI.

Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide (50122_XX): Provides an overview of the Tellabs 8600 managed edge system IP forwarding and traffic management and instructions on how to configure them with CLI.

(1) To make sure the references point to the latest available document versions, please refer to the Tellabs 8600 Document Set Description that can be found in Tellabs Portal www.portal.tellabs.com by navigating to Product Documentation -> Data Networking -> Tellabs 8600 Managed Edge System -> Technical Documentation -> Document Set Description.
Interface Numbering Conventions

To follow the feature descriptions and configuration examples given in this document more easily, see also the Tellabs 8600 system interface numbering and related figures described in Tellabs® 8600 Managed Edge System CLI Commands Manual.

Document Conventions

This is a note symbol. It emphasizes or supplements information in the document.

This is a caution symbol. It indicates that damage to equipment is possible if the instructions are not followed.

This is a warning symbol. It indicates that bodily injury is possible if the instructions are not followed.

Documentation Feedback

Please contact us to suggest improvements or to report errors in our documentation:

Email: -documentation@tellabs.com
Fax: +358.9.4131.2430
1 Management Communications

The Tellabs 8600 system products can be reached for management and configuration purposes via the TELNET, CLI, BMP, FTP, SNMP, RADIUS and SSH protocols.

1.1 Security Considerations

- Always choose complex passwords, encryption keys and SNMP community strings.
- Keep unused protocols in the disabled state (the default).
- When possible, use SSH/SFTP instead of TELNET/FTP, which send credentials and data in clear text. See chapter 2 TELNET.
- Authentication and encryption for the BMP protocol are strongly recommended, and so the user should configure both of them (BMP is unauthenticated by default, unlike the other protocols). See chapter 4 BMP.
- Public key authentication for SSH/SFTP should be preferred over password authentication. See chapter 8 SSH.
1.2 Classifying Management Traffic with DiffServ

Often, management communication travels inband over the network, that is, the management packets and user-plane traffic share the same bandwidth. Inside the final destination, even outband management shares the same bandwidth with the inband traffic. In those cases it is possible that congestion in the user-plane traffic disturbs the management traffic. Even worse, an adversary may attempt to launch a denial-of-service attack on the user plane to block network management. If the network is such that this kind of blocking is possible, it is strongly recommended that all management traffic, or at least the critical parts of it, is given a higher priority than ordinary traffic. This can be achieved with Differentiated Services (DiffServ). See Tellabs® 8600 Managed Edge System IP Forwarding and Traffic Management Configuration Guide.

A good choice is to classify important management traffic to the CS7 class, as this class cannot be blocked by user-plane traffic. On the other hand, the total volume of management communication should then be controlled so that it cannot block the routing and signalling protocols, which also use the CS7 class.

Access control lists (ACLs) should also be used to classify management traffic with high priority, as follows (see the CLI examples below):

- At the first NE where management traffic enters the network, the interface ACLs should classify the critical management traffic with high priority, to secure traffic from management to the NEs.
- At every NE, either one or both of the following methods is used to secure traffic from the NE to management. If both are used, the ACL classification replaces the other one.
  - The CLI command mgmt-traffic qos (BMP attribute mifTrafficQos) configures basic QoS for outgoing traffic. Note that the default value is CS7 if the user does not specifically request something else. This QoS is used for CLI, BMP (including CCN), SNMP and syslog packets.
  - IP host access lists can classify critical management traffic with high priority.

Some low-cost products do not support host ACLs, at least not in all releases. In such products, the attribute mifTrafficQos value is used for locally originated outgoing management traffic. Similarly, some low-cost products do not support interface ACLs, and such products should not be used as the first NE where management traffic enters the network, unless it is obvious that the incoming management traffic needs no special DiffServ classification.
1.3 Outband Management and Management VRFs

In many cases, outband network management is recommended. Separate outband management channels are usually well protected against unauthorized access, and they are also independent of congestion among the normal user-plane traffic. Some cards or NEs, such as the CDC and Tellabs 8620 access switch, have a special management port (Ethernet) for outband management use, but any IP port in any Tellabs 8600 NE can be used for management access.

With outband management, security against unauthorized access can be enhanced by using a dedicated management VRF. A separate management VRF should be created and associated with the management port. In this way the IP address space of network management is completely separated from any IP addresses seen in the user plane, and the user-plane routing tables carry no routes to the management addresses unless routes are deliberately leaked between the VRFs.

Note that even outband management can suffer from user-plane congestion inside the target NE, and in such cases DiffServ configuration should be used, as explained in chapter 1.2 Classifying Management Traffic with DiffServ.
1.4 Management Traffic Configuration Examples

Example 1 is for the attribute mifTrafficQos configuration.

Command                                  Description
router(config)# mgm-traffic qos ef       Set value EF as the management traffic basic QoS.
router(config)# no mgm-traffic qos ef    Restore the default value CS7.

Fig. 1 Management Traffic Configuration
Example 2. Assume that the management server uses possibly many IP addresses and the management traffic enters the network through interface fe 5/0/1 in one NE. In that NE, the following configuration classifies certain critical IP traffic from interface fe 5/0/1 to the CS7 class; other traffic is permitted as such (it is probably in the BE class).

Commands:

router(config)# ip access-list critical_from_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any eq 56566 any action qos cs7
router(config-acl)# permit udp any any range 56564 56565 action qos cs7
router(config-acl)# permit udp any any eq 161 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any any eq 56501 action qos cs7
router(config-acl)# permit tcp any eq 50000 any action qos cs7
router(config-acl)# permit tcp any any eq 56565 action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# interface fe 5/0/1
router(cfg-if[fe 5/0/1])# ip access-group critical_from_mgmt_cs7 in
router(cfg-if[fe 5/0/1])# exit

Description: Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. In this example, the important protocols are: TELNET, BMP (ports 56564..56566), SNMP (port 161), SSH (port 22), FTP (ports 21 and 20), NTP (port 123) and OCNM (assuming port 56501, see command ospf ocnm-listener). The BBMS CCN server source TCP port is 50000. The destination TCP port of the BMP Agent is 56565. Note that this ACL only sets the QoS class: every entry is a permit and the list ends with permit ip any any, so it does not restrict which hosts may reach the management protocols.
Example 3. The following host ACL classifies all important traffic to the CS7 class; other traffic keeps its default class.

Commands:

router(config)# ip access-list critical_to_mgmt_cs7
router(config-acl)# permit tcp any eq telnet any action qos cs7
router(config-acl)# permit tcp any any eq telnet action qos cs7
router(config-acl)# permit udp any any eq 56566 action qos cs7
router(config-acl)# permit udp any range 56564 56565 any action qos cs7
router(config-acl)# permit udp any eq 161 any action qos cs7
router(config-acl)# permit udp any any eq 162 action qos cs7
router(config-acl)# permit tcp any eq 22 any action qos cs7
router(config-acl)# permit tcp any any eq 22 action qos cs7
router(config-acl)# permit tcp any eq 21 any action qos cs7
router(config-acl)# permit tcp any any eq 21 action qos cs7
router(config-acl)# permit tcp any eq 20 any action qos cs7
router(config-acl)# permit tcp any any eq 20 action qos cs7
router(config-acl)# permit udp any eq 123 any action qos cs7
router(config-acl)# permit udp any any eq 123 action qos cs7
router(config-acl)# permit tcp any eq 56501 any action qos cs7
router(config-acl)# permit tcp any any eq 50000 action qos cs7
router(config-acl)# permit tcp any eq 56565 any action qos cs7
router(config-acl)# permit ip any any
router(config-acl)# exit
router(config)# ip host-access-group critical_to_mgmt_cs7 out

Description: Classify important traffic to class CS7. Permit also all other traffic, keeping it in the default class. The important protocols are the same as in the previous example (the management-to-NE direction), but source and destination ports are swapped, and in some cases the port numbers differ. Additionally, SNMP traps (port 162) and the CCN protocol are added, assuming that the CCN destination port is 50000 (see command bmp-server ccn destination). The entries for TCP port 56565 set the QoS of the TCP BMP traffic; 56565 is the source TCP port of the BMP Agent.
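Both ACLs above only classify traffic; which entry a packet hits depends on entry order, and the host ACL has to mirror the ingress ACL port for port, or one direction of a protocol silently stays in the default class. The following Python script is an added example, not Tellabs code: it parses the two ACLs of Examples 2 and 3 (copied as text from the page), evaluates them first match wins, the way an ACL is applied, and reports which action qos entries of one list have no source/destination-swapped counterpart in the other. The NE's ACL engine is not modelled beyond that. Assumptions: addresses are always any here and are ignored, the keyword telnet means TCP port 23, and traffic matched by permit ip any any keeps a default class written here as "be". The packets given to classify() are constructed.

```python
"""Checker for the CS7 management-traffic ACLs of Examples 2 and 3 (added example, not Tellabs code).
Models only 'permit <proto> any [eq P | range LO HI] any [eq P | range LO HI] [action qos <class>]'
entries, evaluated first match wins. Addresses are always 'any' in the examples and are ignored."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23}         # port keyword used in the examples (TCP 23)
DEFAULT_CLASS = "be"                # assumed class kept by traffic matched without 'action qos'
Range = Optional[Tuple[int, int]]   # inclusive port range, None for 'any'

FROM_MGMT = """permit tcp any eq telnet any action qos cs7
permit tcp any any eq telnet action qos cs7
permit udp any eq 56566 any action qos cs7
permit udp any any range 56564 56565 action qos cs7
permit udp any any eq 161 action qos cs7
permit tcp any eq 22 any action qos cs7
permit tcp any any eq 22 action qos cs7
permit tcp any eq 21 any action qos cs7
permit tcp any any eq 21 action qos cs7
permit tcp any eq 20 any action qos cs7
permit tcp any any eq 20 action qos cs7
permit udp any eq 123 any action qos cs7
permit udp any any eq 123 action qos cs7
permit tcp any any eq 56501 action qos cs7
permit tcp any eq 50000 any action qos cs7
permit tcp any any eq 56565 action qos cs7
permit ip any any"""          # Example 2: interface ACL applied inbound on fe 5/0/1

TO_MGMT = """permit tcp any eq telnet any action qos cs7
permit tcp any any eq telnet action qos cs7
permit udp any any eq 56566 action qos cs7
permit udp any range 56564 56565 any action qos cs7
permit udp any eq 161 any action qos cs7
permit udp any any eq 162 action qos cs7
permit tcp any eq 22 any action qos cs7
permit tcp any any eq 22 action qos cs7
permit tcp any eq 21 any action qos cs7
permit tcp any any eq 21 action qos cs7
permit tcp any eq 20 any action qos cs7
permit tcp any any eq 20 action qos cs7
permit udp any eq 123 any action qos cs7
permit udp any any eq 123 action qos cs7
permit tcp any eq 56501 any action qos cs7
permit tcp any any eq 50000 action qos cs7
permit tcp any eq 56565 any action qos cs7
permit ip any any"""          # Example 3: host ACL applied outbound

@dataclass(frozen=True)
class Entry:
    proto: str          # 'ip' matches every protocol
    src: Range
    dst: Range
    qos: Optional[str]  # class from 'action qos'; None keeps the packet's current class

    def matches(self, proto: str, sport: Optional[int], dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        for rng, port in ((self.src, sport), (self.dst, dport)):
            if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
                return False
        return True

def _ports(tok: List[str], i: int) -> Tuple[Range, int]:
    """Consume 'any [eq PORT | range LO HI]' at tok[i]; return the range and the next index."""
    i += 1
    if i < len(tok) and tok[i] == "eq":
        p = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text: str) -> List[Entry]:
    acl = []
    for line in text.splitlines():
        tok = line.split()          # permit <proto> <src> <dst> [action qos <class>]
        src, i = _ports(tok, 2)
        dst, i = _ports(tok, i)
        qos = tok[i + 2] if tok[i:i + 2] == ["action", "qos"] else None
        acl.append(Entry(tok[1], src, dst, qos))
    return acl

def classify(acl: List[Entry], proto: str, sport=None, dport=None) -> Optional[str]:
    """Class given to a packet: the first matching entry wins; None if nothing matched."""
    for e in acl:
        if e.matches(proto, sport, dport):
            return e.qos or DEFAULT_CLASS
    return None

def unmirrored(acl_a: List[Entry], acl_b: List[Entry]) -> List[Entry]:
    """Classifying entries of acl_a whose source/destination-swapped form is missing from acl_b."""
    present = set(acl_b)
    return [e for e in acl_a if e.qos and Entry(e.proto, e.dst, e.src, e.qos) not in present]
```

Calling unmirrored(parse_acl(TO_MGMT), parse_acl(FROM_MGMT)) on the page's lists reports exactly one entry, the SNMP trap entry (UDP 162) of the host ACL, which is expected because traps only flow from the NE to the manager; any other entry in that output would point at a protocol that is classified in one direction only. classify(parse_acl(FROM_MGMT), "tcp", 40000, 23) returns "cs7", while an HTTP connection on port 80 falls through to permit ip any any and returns "be".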
2 TELNET
2.1 Overview

TELNET is a TCP/IP standard protocol for remote terminal service. A TELNET user can send commands and receive replies as if working at the remote site. A TELNET client establishes a TCP connection to a remote TELNET server using an IP address and a TCP port as destination parameters.

The Tellabs 8600 TELNET server provides the TELNET server functionality for the Tellabs 8600 network elements (NE) according to the standard TELNET protocol. The TELNET server is used to establish a remote terminal session to a CLI Agent residing in the Tellabs 8600 NEs. The Tellabs 8600 TELNET server provides multiple parallel sessions.

In the Tellabs 8600 system, SSH is recommended as the replacement for TELNET, because TELNET is inherently insecure: user names, passwords and the whole session are transmitted in clear text and can be eavesdropped. The TELNET server is disabled by default (see chapter 3 CLI).
3 CLI
3.1 Overview

Command Line Interface (CLI) provides an ASCII command line management interface for the Tellabs 8600 NEs. Via CLI the user can send configuration commands to change and display the current configuration of the NE. The user can contact the CLI Agent residing in the NE via a TELNET connection or a serial port cable connection. The TELNET connection is disabled by default and must be enabled before it can be used.

Fig. 2 Two Users Have CLI Sessions in Tellabs 8600 NE

When the Tellabs 8600 NE is started up for the first time, the user can connect to the CLI Agent using the serial port cable connection between the user's PC and the Tellabs 8600 NE. Now the first configuration commands can be sent to the NE. The first command might be setting an IP address of some interface of the NE to make the NE reachable via a TCP/IP connection. Via the TCP/IP connection the NE can be reached by Tellabs 8000 network manager.

For the list of available CLI configuration commands, see Tellabs® 8600 Managed Edge System CLI Commands Manual.

The CLI Agent sends terminal monitor messages to notify the users when local conditions undergo significant changes. By default, displaying of terminal monitor messages whose severity level is lower than warning is disabled.
3.2 CLI Configuration Examples

The following CLI commands are needed to make the Tellabs 8600 NE reachable via the TCP/IP connection.

Command                                          Description
********************************                 Login to the Tellabs 8600 CLI Agent.
* Tellabs 86XX Network Element *
* Copyright (c) 2004 Tellabs. All rights reserved.*
*********************************
Press key ? for help.
user name: superuser
password: ********
Enter configuration commands, one per line. End with ^Z

router> enable                                   Enter the Privileged Execution command mode.
router# configure terminal                       Enter the Configure command mode.
router(config)# cli-server telnet enable         Enable the TELNET server for CLI management. The TELNET server is disabled by default; SSH (chapter 8) is the recommended alternative, see chapter 1.1.
router(config)# interface mfe 0                  Change the mode to configure the specific interface.
router(config-if)# no shutdown                   Enable the selected interface.
router(config-if)# ip address 172.19.101.14/24   Set the IP address.
router(config-if)# exit                          Change back to the Configure command mode.
router(config)# hostname ?                       Help for the command hostname.
<string:len[132]  New name of the host
router(config)# hostname hugo1                   Change the hostname (the example CLI commands from here on are not needed to configure the TCP/IP connection).
hugo1(config)# exit                              Change back to the Privileged Execution command mode.
hugo1# no terminal monitor                       Disable terminal monitor message sending. By default, messages whose severity is warning or higher are shown.
hugo1# terminal monitor severity error           Enable terminal monitor message sending. Messages whose severity is error or higher are shown.
4 BMP
4.1 Overview

Broadband Management Protocol (BMP) is a Tellabs proprietary object-based management protocol between Tellabs 8000 network manager and a Tellabs 8600 NE. The NE can be managed via BMP format management commands coming from Tellabs 8000 network manager. A BMP Agent resides in the Tellabs 8600 NE.

BMP communication between Tellabs 8000 network manager and the BMP Agent is primarily done over a TCP/IP connection, if the NE supports it, or alternatively using the UDP/IP protocol. The BMP Agent receives the incoming BMP commands, launches the BMP command execution process, and finally constructs the reply and sends it back to Tellabs 8000 network manager.

The selection between TCP/IP and UDP/IP communication is invisible to the user. It is implemented in Tellabs 8000 network manager so that it always first tries communication using TCP/IP and, if the NE does not support it, the communication is done via UDP/IP.

Tellabs 8000 network manager can permit or deny other managers access to the BMP Agent using IP access list configurations.

The BMP Agent generates BMP notifications when the NE conditions undergo significant changes. Notifications are sent to the Communication servers of those Tellabs 8000 network managers which are registered to receive BMP notifications.

The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can be enabled to use SHA1 authentication. In that case both Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly to use the authentication. If only one side uses authentication, or the keys differ, no traffic is possible because the receiving side rejects the messages.

The BMP communication between Tellabs 8000 network manager and a Tellabs 8600 NE can also be enabled to use SHA1 authentication together with AES-256 encryption. Tellabs 8000 network manager and the Tellabs 8600 NE have to be configured accordingly. If both are not configured to use the authentication and the encryption, or the keys in use are not valid, the receiving side rejects the messages.

Authentication and encryption for the BMP protocol are strongly recommended, and so the user should configure both of them (BMP is unauthenticated by default, unlike the other protocols).

For security reasons the first authentication and encryption key(s) should be created in the NE using CLI over SSH, or alternatively using a CLI connection through the serial port during NE installation, so that the keys are never sent over an unencrypted channel. Later on, when transmission is used in encrypted mode, new key(s) can be created using BMP communication from Tellabs 8000 network manager.
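The text above states what each side must hold for BMP authentication to succeed (a numbered SHA1 key, that key id marked as trusted, and the authenticate command) and when messages are rejected (one side unauthenticated, different keys, or an untrusted key id). The following Python model is an added example, not Tellabs code and not the BMP wire format, which is proprietary and not documented here: it assumes HMAC-SHA1 over the payload as the keyed construction and a constructed message layout of key id, tag, payload (key id 0 meaning no authentication), and it does not model the AES-256 encryption layer. The key strings are taken from the configuration examples in chapter 4.2; the command payloads and the key-rotation sequence at the end are constructed to illustrate the trusted-key mechanism, not taken from the page.

```python
"""Model of the BMP key handling described in chapter 4 (added example, not Tellabs code).
Assumed: HMAC-SHA1 over the payload; message = key id (2 bytes) || tag (20 bytes) || payload,
key id 0 = unauthenticated. The AES-256 encryption layer is not modelled."""
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes

class BmpPeer:
    """One side of the BMP link (Tellabs 8000 manager or 8600 NE) holding the chapter-4 key settings."""

    def __init__(self, name: str):
        self.name = name
        self.keys = {}              # bmp-server authentication-key <id> sha1 <key>
        self.trusted = set()        # bmp-server trusted-key <id>
        self.authenticate = False   # bmp-server authenticate command (off by default, as on the page)

    def build(self, payload: bytes, key_id: int = 0) -> bytes:
        """Outgoing message in the assumed layout; an unauthenticated peer sends key id 0 and no tag."""
        if not self.authenticate:
            return struct.pack("!H", 0) + payload
        tag = hmac.new(self.keys[key_id], payload, hashlib.sha1).digest()
        return struct.pack("!H", key_id) + tag + payload

    def accept(self, message: bytes):
        """Return (accepted, reason, payload) for an incoming message, following the rules in the text."""
        key_id = struct.unpack("!H", message[:2])[0]
        body = message[2:]
        if key_id == 0:
            if self.authenticate:
                return False, "unauthenticated message rejected", None
            return True, "accepted without authentication", body
        tag, payload = body[:TAG_LEN], body[TAG_LEN:]
        if not self.authenticate:
            return True, "accepted without authentication", payload
        if key_id not in self.trusted or key_id not in self.keys:
            return False, "untrusted key id", None
        expected = hmac.new(self.keys[key_id], payload, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, tag):      # constant-time comparison of the tags
            return False, "key mismatch or tampered message", None
        return True, "authenticated", payload

def configured(name: str, key_id: int, key: str, on: bool = True) -> BmpPeer:
    """Peer set up like the page's example: authentication-key, trusted-key, authenticate command."""
    p = BmpPeer(name)
    p.keys[key_id] = key.encode()
    p.trusted.add(key_id)
    p.authenticate = on
    return p

def scenarios() -> dict:
    """Reasons reported by the NE for the situations the text describes (constructed inputs)."""
    cmd = b"GET mifTrafficQos"      # constructed payload, not a real BMP command encoding
    ne = configured("ne", 1, "abcdefg123456")
    out = {}
    out["both configured"] = ne.accept(configured("mgr", 1, "abcdefg123456").build(cmd, 1))[1]
    out["manager unauthenticated"] = ne.accept(configured("mgr", 1, "abcdefg123456", on=False).build(cmd))[1]
    out["different keys"] = ne.accept(configured("mgr", 1, "otherkey").build(cmd, 1))[1]
    out["untrusted key id"] = ne.accept(configured("mgr", 2, "abcdefg123456").build(cmd, 2))[1]
    tampered = bytearray(configured("mgr", 1, "abcdefg123456").build(cmd, 1))
    tampered[-1] ^= 1                # flip one payload bit in transit
    out["tampered"] = ne.accept(bytes(tampered))[1]
    # Constructed key rotation: the NE trusts the old and the new key id while the manager moves to
    # key 2, then the old id is untrusted (the effect of 'no bmp-server trusted-key 1').
    ne.keys[2] = b"newkey-9f8e7d"
    ne.trusted.add(2)
    out["rotation, new key"] = ne.accept(configured("mgr", 2, "newkey-9f8e7d").build(cmd, 2))[1]
    ne.trusted.discard(1)
    out["rotation, old key retired"] = ne.accept(configured("mgr", 1, "abcdefg123456").build(cmd, 1))[1]
    return out
```

scenarios() walks through the cases in the text: both sides configured, the manager still unauthenticated, a mismatched key, a key id that is configured on the manager but not trusted by the NE, a modified message, and a rotation in which the NE trusts two key ids until the manager has moved to the new key. Keeping keys and trusted ids separate is what allows such a change without an outage; a key that is present but not trusted is rejected exactly like an unknown one.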
4.2 BMP Configuration Examples

The following CLI commands are needed to configure the BMP Agent shown in the figure below.

Fig. 3 Tellabs 8000 Network Manager Uses IP Addresses to Connect to Tellabs 8600 NEs over TCP/IP or UDP/IP

Command                                                              Description
router(config)# bmp-server enable                                    Enable the BMP Agent.
router(config)# ip access-list bmpAccList                            Create an IP access list for access rights purposes.
router(config-acl)# permit udp host 172.19.12.102 any                This IP access list permits all UDP/IP messages coming from host 172.19.12.102.
router(config-acl)# exit                                             Change back to the Configure command mode.
router(config)# bmp-server access-group bmpAccList                   Limit the BMP Agent access rights with the IP access list bmpAccList. The access list permits the BMP Agent to receive only those BMP messages coming from host 172.19.12.102. Note that a source-address access list only limits which hosts may talk to the BMP Agent; it does not replace the SHA-1 authentication recommended in chapter 4.1, since source addresses can be forged.
router(config)# bmp-server notifications destination 172.19.12.102  Register the manager with IP address 172.19.12.102 to receive BMP notifications.
router(config)# bmp-server notifications disable                     Disable BMP notification sending. Use this command if BMP notifications should no longer be sent.

The following CLI commands are needed to configure the recommended BMI SHA-1 authentication.
Command                                                                  Description
router(config)# bmp-server authentication-key 1 sha1 abcdefg123456       Enable BMI SHA-1 authentication: define key number 1 (abcdefg123456 is an example value; use a long random key in production, see chapter 1.1), mark key 1 as trusted, and require authentication of commands.
router(config)# bmp-server trusted-key 1
router(config)# bmp-server authenticate command

router(config)# no bmp-server authenticate command                       Disable BMI SHA-1 authentication.
router(config)# no bmp-server trusted-key 1
router(config)# no bmp-server authentication-key 1 sha1 abcdefg123456

The following CLI commands are needed to configure AES encryption on top of the SHA-1 authentication configured above.

Command                                                                  Description
router(config)# bmp-server encryption-key 1 aes256 ivec xxxx key yyyy    Enable AES-256 encryption: define encryption key number 1 (xxxx and yyyy are placeholders for the initialization vector and the key), mark it as trusted, and require encryption of commands. SHA-1 authentication is configured with the commands in the previous table.
router(config)# bmp-server encryption-trusted-key 1
router(config)# bmp-server encrypt command

router(config)# no bmp-server encrypt command                            Disable AES-256 encryption.
router(config)# no bmp-server encryption-trusted-key 1
router(config)# no bmp-server encryption-key 1 aes256 ivec xxxx key yyyy
5 FTP
5.1 Overview

File Transfer Protocol (FTP) is a TCP/IP standard protocol. It is used to transfer files from one machine to another. Tellabs 8600 FTP server provides FTP server functionality for Tellabs 8600 NEs according to the standard FTP protocol. Tellabs 8600 FTP server is used for delivering Tellabs 8600 application software files to NE cards for software upgrading purposes. The FTP server is also used for sending CLI config snapshot files to the NE.

Fig. 4 User Establishes TCP Connection to Tellabs 8600 NE and Sends Files to Flash Memory of NE via FTP

The user sends files from his/her PC to the flash memory of the card via FTP. First the user starts an FTP client session on his/her PC and connects it to the FTP server in the Tellabs 8600 NE using the IP address of the NE. Once connected, FTP can be used for accessing any file and directory in the NE. The FTP server must be enabled before use. Like TELNET, FTP sends the user name, the password and the transferred files in clear text, so SFTP over SSH should be used instead where possible, and the FTP server should be left disabled when it is not needed (see chapter 1.1).

5.2 FTP Configuration Examples

The following CLI command is needed to enable the FTP server.

Command                              Description
router(config)# ftp-server enable    Enable the FTP server.

The following FTP commands are needed to transfer an application software file to the card in slot 9 in a Tellabs 8600 NE. See the figure above.
Command                                              Description
C:\temp> ftp 172.19.101.10                           Start the FTP connection to the remote host with IP address 172.19.101.10.
Connected to 172.19.101.10.                          FTP connection succeeded.
********************************                     Tellabs 8600 accessed.
* Tellabs 86XX Network Element *
* Copyright (c) 2004 Tellabs. All rights reserved.*
********************************
220 FTP server running on unit in slot 14.
User (172.19.101.10:(none)): superuser               Type the user name.
331 User name ok
Password: *********                                  Type the password.
230 User superuser logged in
ftp> cd flash\appl-sw\slot9                          Change the current directory to the application software directory.
250 Directory change succeeded
ftp> dir                                             Display files and subdirectories in the current directory.
200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1920485 Dec 1 12:00 bbip_gmz2711_1.1
-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5
226 File transferred
ftp: 258 bytes received in 0,00Seconds 258000,00Kbytes/sec.
ftp> del bbip_gmz2711_1.1                            Delete a file.
200 Command ok
200 Command ok
ftp> bin                                             Change to binary mode. This is needed for file checksum calculations.
200 Command ok
ftp> put c:\newfiles\bbip_gmz2711_1.6
    Move a new file to the remote host.
200 Command ok
150 File status ok
226 File transferred
ftp: 1909887 bytes sent in 11,60Seconds 164,70Kbytes/sec.
ftp> dir
    Display files and subdirectories in the current directory.
200 Command ok
150 Opening data connection
-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2
-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5
-rwxrwxrwx 1 user group 1909887 Dec 1 12:00 bbip_gmz2711_1.6
226 File transferred
ftp: 342 bytes received in 0,01Seconds 34,20Kbytes/sec.
ftp> bye
    Disconnect the FTP session.
200 Command ok
200 Command ok
C:\temp>
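The session above can be scripted and, more importantly, checked: the byte count reported by `put` must match the size in the NE's `dir` listing. This is an added example, not Tellabs code; the host, credentials and local path are constructed placeholders and the listing parser is written for the format shown above.

```python
"""Upload an application software file to a Tellabs 8600 NE over FTP and
verify the transfer by reading back the NE's directory listing. Added
example, not Tellabs code: host, credentials and local file path are
constructed placeholders; the listing format is the one shown above."""
import os
import re
from ftplib import FTP

# One "dir" line from the NE, as shown in the session above:
# -rwxrwxrwx 1 user group 1909887 Dec 1 12:00 bbip_gmz2711_1.6
LISTING_RE = re.compile(
    r"^(?P<mode>[-rwx]{10})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+\d{2}:\d{2}\s+(?P<name>\S+)$"
)


def parse_listing(lines):
    """Map file name -> size in bytes for every line that matches the format;
    anything else (status lines such as '200 Command ok') is ignored."""
    files = {}
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if m:
            files[m.group("name")] = int(m.group("size"))
    return files


def verify_upload(listing_lines, name, local_size):
    """True only if the NE lists the file with exactly the local byte count.
    A size mismatch is the usual symptom of an ASCII-mode transfer, which is
    why the session above switches to binary ('bin') before 'put'."""
    return parse_listing(listing_lines).get(name) == local_size


def upload_and_verify(host, user, password, slot, local_path):
    """Reproduce the session: login, cd to the slot directory, binary put,
    then dir and compare sizes. Returns True only for a verified upload.
    Plain FTP, as on the page: the credentials cross the network unprotected."""
    name = os.path.basename(local_path)
    local_size = os.path.getsize(local_path)
    listing = []
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.cwd(f"flash\\appl-sw\\slot{slot}")      # path form used on the NE
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {name}", fh)      # storbinary selects TYPE I
        ftp.retrlines("LIST", listing.append)       # same data as 'dir'
    return verify_upload(listing, name, local_size)


# Constructed listing, copied from the 'dir' output after the upload above
SAMPLE_LISTING = [
    "200 Command ok",
    "-rwxrwxrwx 1 user group 1921265 Dec 1 12:00 bbip_gmz2711_1.2",
    "-rwxrwxrwx 1 user group 1921035 Dec 1 12:00 bbip_gmz2711_1.5",
    "-rwxrwxrwx 1 user group 1909887 Dec 1 12:00 bbip_gmz2711_1.6",
]

if __name__ == "__main__":
    print(verify_upload(SAMPLE_LISTING, "bbip_gmz2711_1.6", 1909887))   # True
```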
6 SNMP
6.1 Overview
The Tellabs 8600 SNMP (Simple Network Management Protocol) Agent provides management agent
functionality for Tellabs 8600 NEs according to the standard SNMP protocol. In general, an SNMP
agent is an entity in a network element that collects network management related statistics,
responds to commands from SNMP managers, and sends spontaneous messages (traps) to the managers
when local conditions undergo significant changes. SNMP works over the UDP/IP protocol.
The Tellabs 8600 system supports the SNMP MIB-II group variables and traps listed in chapter
6.1.1 References.
The Tellabs 8600 SNMP Agent supports the SNMP requests GET and GET-NEXT for versions SNMPv1
and SNMPv2, and generates SNMPv1 and SNMPv2 traps. The GET-BULK operation is provided for
version SNMPv2.
The community name, which is the SNMP authentication element, is checked in every SNMP request
message arriving at the Tellabs 8600 NE. If the community name is not registered in the SNMP
Agent configuration, the request is dropped and an authenticationFailure trap is generated. There
are also other ways to limit the access rights of a specific community name appended to an SNMP
request entering the Tellabs 8600 NE:
- Access rights to some SNMP mib groups can be denied. By default, all mib groups are accessible.
- Only SNMP requests arriving from specific source addresses are received; other requests are
  dropped. In this case an IP access list is appended to the community name. The access list
  specifies the allowed source addresses.
When a trap is generated in the Tellabs 8600 NE, the trap message is sent to those SNMP managers
which are registered for trap receiving. The registration specifies the IP address of the manager,
the allowed SNMP trap version and the community name. The community name is added to the trap
message for authentication in the receiving SNMP manager. Only traps of the specified trap
version are sent to the registered manager. Trap types can also be filtered. The filter specifies
the enabled traps: the user can enable all possible traps, all traps of specific mib group(s), or
just individual trap(s).
6.1.1 References
RFC1213 (1991-03), Management information base for network management in TCP/IP based Internets: MIB-II
RFC1657 (1994-07), Definitions of managed objects for the fourth version of the border gateway protocol (BGP-4) using SMIv2
RFC1850 (1995-11), OSPF version 2 management information base
RFC1907 (1996-01), Management information base for version 2 of the simple network management protocol (SNMPv2)
RFC2011 (1996-11), SNMPv2 management information base for the Internet protocol using SMIv2
RFC2012 (1996-11), SNMPv2 management information base for the transmission control protocol using SMIv2
RFC2013 (1996-11), SNMPv2 management information base for the user datagram protocol using SMIv2
RFC2096 (1997-01), IP forwarding table MIB
RFC2863 (2000-06), The interfaces group MIB (IF-MIB)
6.2 SNMP Configuration Examples
The following CLI commands are needed to configure the SNMP Agent shown in the figure below.
Fig. 5 SNMP Manager Sends Requests to SNMP Agent of Tellabs 8600 NE

router(config)# snmp-server enable
    Enable SNMP requests and traps.
router(config)# ip access-list snmpAccList
    Create an IP access list for access right purposes.
router(config-acl)# permit udp host 172.19.12.105 any
    The access list allows UDP messages coming from host 172.19.12.105.
router(config-acl)# exit
    Change back to the Configure command mode.
router(config)# snmp-server community hugo mib system snmp access-group snmpAccList
    Register community name hugo to allow SNMP requests concerning SNMP variables of the mib
    groups system and snmp. Only requests from sources permitted in access list snmpAccList are
    allowed.
router(config)# snmp-server traps host 172.19.12.105 version 1 community hugoV1
    Register an SNMP manager with IP address 172.19.12.105 to receive traps from the Tellabs 8600
    SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV1.
    Only SNMPv1 traps are sent to the manager.
router(config)# snmp-server traps host 172.19.12.105 version 2c community hugoV2
    Register an SNMP manager with IP address 172.19.12.105 to receive traps from the Tellabs 8600
    SNMP Agent. Trap messages leave the Tellabs 8600 NE labelled with community name hugoV2.
    Only SNMPv2 traps are sent to the manager.
router(config)# snmp-server traps mib snmp authenticationFailure
    Enable the snmp mib group trap authenticationFailure.
router(config)# snmp-server traps mib snmp
    Now all snmp mib group traps are enabled.
router(config)# snmp-server traps mib all
    Now traps of all mib groups are enabled.
router(config)# no snmp-server traps mib snmp authenticationFailure
    Now traps of all mib groups are enabled except the authenticationFailure trap.
router(config)# no snmp-server traps mib all
    All traps are disabled.
router(config)# snmp-server traps source lo1
    Set the value of the trap source attribute. This value is used in SNMPv1 Trap messages.
router(config)# snmp-server location Oak street 7, Laboratory 2nd floor
    Set the value of the system mib group variable sysLocation.
router(config)# snmp-server contact Joe J. Jones, assistant
    Set the value of the system mib group variable sysContact.
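The access checks of chapter 6.1 and the trap filter commands of chapter 6.2 can be modelled to confirm what a given configuration actually admits and emits. This is an added example, not Tellabs code: the data structures are my own, and the community name hugo, access list snmpAccList and the trap command sequence are taken from the example above.

```python
"""Model of the SNMP Agent's request checks (chapter 6.1) and the trap
filter commands (chapter 6.2). Added example, not Tellabs code: the data
structures are my own; community name hugo, access list snmpAccList and the
trap commands are taken from the configuration example above."""
from ipaddress import ip_address

# Community registrations: name -> (allowed mib groups, allowed source hosts
# or None when no access list is attached). This mirrors
#   snmp-server community hugo mib system snmp access-group snmpAccList
# with snmpAccList permitting host 172.19.12.105.
COMMUNITIES = {
    "hugo": ({"system", "snmp"}, {ip_address("172.19.12.105")}),
}


def check_request(community, source, mib_group, communities=COMMUNITIES):
    """Return (accepted, trap) for one inbound GET/GET-NEXT/GET-BULK.
    An unregistered community drops the request and raises an
    authenticationFailure trap; a source or mib group that the community is
    not allowed to use only drops the request."""
    if community not in communities:
        return False, "authenticationFailure"
    groups, hosts = communities[community]
    if hosts is not None and ip_address(source) not in hosts:
        return False, None
    if mib_group not in groups:
        return False, None
    return True, None


class TrapFilter:
    """Set of enabled traps, updated with the semantics of
    'snmp-server traps mib <group> [<trap>]', 'snmp-server traps mib all'
    and their 'no' forms."""

    # Constructed subset of trap names per mib group, enough for the demo
    GROUPS = {"snmp": {"coldStart", "authenticationFailure"},
              "interfaces": {"linkUp", "linkDown"}}

    def __init__(self):
        self.enabled = set()

    def _select(self, group, trap):
        if group == "all":
            return {t for traps in self.GROUPS.values() for t in traps}
        return {trap} if trap else set(self.GROUPS[group])

    def traps_mib(self, group, trap=None):       # snmp-server traps mib ...
        self.enabled |= self._select(group, trap)

    def no_traps_mib(self, group, trap=None):    # no snmp-server traps mib ...
        self.enabled -= self._select(group, trap)


def replay_chapter_6_2():
    """Replay the trap commands of the example in order and return the
    enabled set after 'no snmp-server traps mib snmp authenticationFailure'."""
    f = TrapFilter()
    f.traps_mib("snmp", "authenticationFailure")    # single trap
    f.traps_mib("snmp")                              # whole snmp group
    f.traps_mib("all")                               # every group
    f.no_traps_mib("snmp", "authenticationFailure")  # everything but one
    return set(f.enabled)
```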
7 RADIUS
7.1 Overview
RADIUS is a popular AAA (Authentication, Authorization, Accounting) protocol. The Tellabs 8600
system supports RADIUS for administrator authentication in CLI and FTP sessions. The Tellabs
8600 implementation is based on [RFC2865]. The motive for using RADIUS is that with a large
number of network elements, it easily becomes a tedious task to maintain and update the user
databases in the NEs. RADIUS solves the problem by moving the user database and the authentication
decision away from the NEs to one or more centralized servers. For example, adding a new
administrator is simply a matter of reconfiguring the RADIUS server(s) instead of individually
adding a new account for each NE.
The RADIUS protocol is implemented on top of the UDP protocol. The authentication is initiated by
the client with an access request packet that contains the username and password of the user
logging in. The server responds with an access granted (Access-Accept) or access denied
(Access-Reject) packet. As its security mechanism, RADIUS employs a shared secret, which is
configured both on the client and the server but is never transmitted on the network during
RADIUS authentication. The shared secret is used to encrypt the user-provided password and to
verify that the authentication response from the server is genuine.
The Tellabs 8600 RADIUS client supports a concept of AAA contexts. A context consists of a list
of one or more RADIUS authentication servers and a setting that says whether the context uses the
local (NE) user database as the primary or the secondary source of authentication. The context can
then be bound to any of the four services needing login (local CLI, Telnet, SSH and FTP). There is
always a default context which, unless otherwise configured, uses the local user database for
authentication.
One or more RADIUS servers can be configured for a context. In addition, they can have an
associated priority value that specifies the preference for accessing the servers. In a typical
configuration, there is a primary RADIUS server and a secondary server that backs up the primary
server.
Fig. 6
7.1.1 References
[RFC2865] RFC2865 (06/2000), Remote Authentication Dial In User Service (RADIUS)
7.2 RADIUS Configuration Examples
The following example shows how to produce a simple RADIUS configuration from scratch with
the following relevant parameters:
- A single RADIUS server exists (IP address 193.64.170.160).
- The local (NE) user database is used as fallback if the RADIUS server is not reached after
  three retries. There is a five-second delay between the retries.
- RADIUS is used for all services needing login.
The first step is to configure the RADIUS server.

router(config)# aaa radius authentication-server MyServer
    Adds a new RADIUS authentication server named MyServer and enters server configuration mode.
router(cfg-radius-auth[MyServer])# server-address 193.64.170.160
    Configures the server's IP address.
router(cfg-radius-auth[MyServer])# shared-secret text MyPassword
    Configures a shared secret as a text format password. An arbitrary binary format secret could
    also be used, but not all RADIUS servers support them.
router(cfg-radius-auth[MyServer])# retry 3
    Packets to the server are retransmitted up to three times if no response is received.
router(cfg-radius-auth[MyServer])# timeout 5000
    Sets the retransmission timeout to 5000 milliseconds (five seconds).
router(cfg-radius-auth[MyServer])# exit
    Exits RADIUS authentication server configuration mode.

Do not configure the shared secret over an insecure connection. If the shared secret is
configured remotely, the use of SSH is strongly recommended.
The next step is to create and configure the AAA context.

router(config)# aaa context MyContext
    Creates a new context MyContext and enters context configuration mode.
router(cfg-aaa[MyContext])# bind radius authentication-server MyServer
    Associates the previously configured server with this context. Since no priority is
    specified, the default priority is used. Priority is not meaningful when there is only one
    server.
router(cfg-aaa[MyContext])# order radius local
    Specifies the authentication sources for the context. RADIUS is used primarily; local user
    database authentication is attempted if RADIUS authentication fails.
router(cfg-aaa[MyContext])# exit
    Exits context configuration mode.
Finally, the context has to be bound to the services and RADIUS authentication enabled.

router(config)# aaa bind service cli-local context MyContext
router(config)# aaa bind service cli-telnet context MyContext
router(config)# aaa bind service ssh context MyContext
router(config)# aaa bind service ftp context MyContext
    Binds MyContext to all services needing login.
router(config)# aaa radius authentication enable
    Enables RADIUS authentication in the NE.
router(config)# show aaa detail
    Displays all RADIUS-related settings for review.
7.3 RADIUS Server Configuration
RADIUS is a commonly supported protocol with many different server implementations available.
While most aspects of the operation are well standardized, there are some details in the Tellabs
8600 RADIUS client implementation that one is required to be aware of when configuring the server.
Please see the documentation of your RADIUS server for more information about how to configure it.
Tellabs 8600 user accounts have, in addition to the username and password, a numeric privilege
level associated with them. This privilege level must be present in every Access-Accept message
from the RADIUS server. If it is omitted, the privilege level defaults to 1, which gives the user
very restricted access. The privilege level is implemented as a RADIUS Vendor-Specific Attribute
with Vendor-Id 1397, Vendor type 1, and the attribute value coded as a 32-bit unsigned integer.
The following RADIUS server dictionary file for the privilege level attribute works with many
RADIUS servers:

    # Tellabs dictionary - dictionary.tellabs
    #
    # Enable by putting the line "$INCLUDE dictionary.tellabs" into
    # the main dictionary file.
    #
    #
    VENDOR Tellabs 1397
    #
    # Vendor-specific attributes
    #
    ATTRIBUTE Tellabs-UserPrivilegeLevel 1 integer Tellabs
Information transmitted in attributes can be used to fine-tune authorization decisions on the
server. For example, one might want to restrict a user's access rights by allowing login to a
limited set of NEs. The table below lists the attributes used and recognized by the RADIUS client
in the Tellabs 8600 system.

Attribute                   Direction  Description
User-Name                   OUT        Name of the user to authenticate. The attribute is omitted
                                       if the username is empty.
User-Password               OUT        Password entered by the user.
NAS-Identifier              OUT        Text string consisting of the network element's Router ID
                                       number.
Service-Type                OUT        Set to Administrative for all four login services.
NAS-Port-Type               OUT        Set to Async in case of local CLI login. Set to Virtual in
                                       TELNET, SSH and FTP logins.
Tellabs-UserPrivilegeLevel  IN         Privilege level of an accepted user. Vendor-specific integer
                                       attribute with Vendor-Id 1397 and Vendor type 1.
8 SSH
8.1 Overview
SSH (Secure Shell) is a commonly used protocol built on TCP/IP offering remote login and file
transfer functionality. In the Tellabs 8600 system, SSH can be used as a replacement for the TELNET
and FTP protocols. A major advantage is that SSH provides strong security, making eavesdropping and
hijacking of connections on the wire practically impossible. The Tellabs 8600 system contains a
built-in SSH server that can be used with many free and commercial SSH client programs.
The following security features exist in the SSH protocol:
- Encryption is used throughout the connection in both directions. The server and client negotiate
  a suitable symmetric encryption algorithm at the beginning of the session. The encryption keys
  are automatically generated and exchanged at the same time.
- Authentication codes are used during the session. Any attempt to change the data by a
  man-in-the-middle attacker will cause an immediate termination of the session.
- Host authentication allows the client to verify that the server it is talking to is really who it
  claims to be. This is accomplished by the server having a public-private key pair (the host key).
  The client receives and stores the public part of the key upon its first contact with the server.
  On subsequent sessions, the server can prove its identity by possession of the private part of
  the key.
- User authentication identifies the user to the server. User authentication is traditionally done
  with a username/password pair. In addition to password authentication, SSH also supports public
  key authentication. In this authentication method, the user authenticates himself by possessing
  the private part of a public-private key pair. It is required, however, that the public part of
  the key is stored in the server in advance.
The Tellabs 8600 SSH server only supports SSH protocol version 2. While all modern SSH clients
support version 2 of the protocol, this might be an issue with some old clients. The SFTP protocol
runs on top of the SSH protocol and provides secure file transfer services.
8.2 SSH Configuration Examples
Taking the SSH protocol into use on a network element requires some preconfiguration. The host
key pair needs to be generated for the network element. The Tellabs 8600 SSH server can use both
DSA (2) and RSA type key pairs (the names refer to the algorithms used). It is possible to have an
active host key for either or both of these types, but only one is needed. DSA is suggested as it
is guaranteed to be supported by all compliant SSH version 2 clients.
(2) Some clients call these DSS keys.
router(config)# crypto generate key 1 ssh2-dsa
    Starts generating a DSA type key pair. The key generation is done in the background and may
    take several minutes to complete. The key will have index 1.
router(config)# show crypto key
Key 1 [NOT ACTIVE] - Type: ssh2-dsa - Size: 2048 bits
Fingerprint: de:08:ee:b9:f5:91:53:0b:f7:de:26:fe:25:4c:ca:10
    Once the key has been generated, it is shown in the key list. The fingerprint can be used for
    verification of the host's identity on the client side, as it is unique for each key.
router(config)# cli-server ssh host-key 1
    Activates the generated key as the SSH server host key.
router(config)# cli-server ssh enable
    Enables the SSH server. After this step, the network element will allow incoming SSH and
    SFTP connections.
Enabling public key authentication for a user requires the user to generate a key pair (or use an
existing key pair) on the client. The example below is shown for the OpenSSH client.

$ ssh-keygen -b 2048 -t dsa -f mykey -N mypassphrase
    This command is run on the client to generate the key pair. Two files are generated: mykey
    contains the private key, mykey.pub is the public part of the key in OpenSSH format.
$ ssh-keygen >mykey_ssh2.pub -e -f mykey.pub
    Converts the public key to the standard SSH2 public key file format required by the SSH
    server in the Tellabs 8600 system. The resulting public key file is mykey_ssh2.pub.
$ ftp 172.19.101.10
Connected to 172.19.101.10.
220-**************************************
220-* *
220-* Tellabs 8620 Network Element *
220-* *
220-* Copyright (c) 2004 Tellabs. All rights reserved. *
220-* *
220-**************************************
User (172.19.101.10:(none)): superuser
331 User name ok
Password:
230 User superuser logged in
ftp> cd /flash/cli-script
250 Directory change succeeded
ftp> put mykey_ssh2.pub
200 Command ok
...
    To import the key, it has to be transferred to the network element's file system. In this
    example, FTP is used. The CLI script directory is used as a temporary location for placing
    the key. The key file can be deleted after it has been imported.
router(config)# crypto load flash: /flash/cli-script/mykey_ssh2.pub key 2
    Imports the key from the flash file system to the internal key storage. This public key will
    have index 2. It is associated with the currently logged on user, allowing only this
    particular user to log in with the public key.
router(config)# show crypto key 2
Key 2 [ACTIVE] - Type: ssh2-dsa-public - Size: 2048 bits
Owner: superuser
Fingerprint: 13:c6:60:ed:91:30:23:65:36:84:80:6a:d1:5e:a5:c5
Comment: 2048-bit DSA, converted from OpenSSH by superuser@FIOU0203
    Shows the properties of the public key. The properties and the option to remove a public key
    are only available to the key's owner or a user with superuser privileges.
$ ssh superuser@172.19.101.10 -i mykey
    Logs in to the NE using the key stored in file mykey. The passphrase is asked for, if one was
    given at key generation.
When the public key is no longer needed, it should be removed.

router(config)# clear crypto key 2
    Discards the public key. Only the key's owner or a user with superuser privileges can remove
    a key.
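The conversion that `ssh-keygen -e` performs and the fingerprint that `show crypto key` prints can both be reproduced on the client, so the operator can confirm that the key the NE imported (index 2 above) is the one generated locally before relying on it for login. This is an added example, not Tellabs code; the ssh-dss key blob it builds is constructed from dummy values, which is enough because the fingerprint depends only on the encoded blob.

```python
"""Convert an OpenSSH public key to the RFC 4716 ("standard SSH2") file
format that the Tellabs 8600 SSH server imports, and compute the
colon-separated MD5 fingerprint that 'show crypto key' displays, so the
operator can check the imported key against the one generated on the client.
Added example, not Tellabs code; the key blob below is constructed, not a
real DSA key (the fingerprint only depends on the encoded blob)."""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def fingerprint_md5(blob: bytes) -> str:
    """Classic MD5 fingerprint over the raw key blob, e.g. 13:c6:60:...:c5."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_openssh(line: str):
    """Split 'ssh-dss AAAA... comment' into (key type, blob, comment)."""
    parts = line.strip().split(None, 2)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob's first string must repeat the key type, or the line is corrupt.
    if blob[:4 + len(ktype)] != ssh_string(ktype.encode()):
        raise ValueError("key type in blob does not match the line")
    return ktype, blob, comment


def to_rfc4716(line: str) -> str:
    """Same shape as 'ssh-keygen -e' output: header, Comment, base64 at 70 cols."""
    _, blob, comment = parse_openssh(line)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend([body, "---- END SSH2 PUBLIC KEY ----"])
    return "\n".join(out) + "\n"


def parse_rfc4716(text: str) -> bytes:
    """Return the raw blob from an RFC 4716 file; header lines contain ':'
    (base64 never does), so they are skipped."""
    lines = text.splitlines()
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key file")
    body = "".join(l for l in lines[1:-1] if ":" not in l)
    return base64.b64decode(body, validate=True)


def constructed_dsa_key() -> str:
    """Syntactically valid ssh-dss blob with dummy mpints for p, q, g, y."""
    blob = ssh_string(b"ssh-dss") + b"".join(
        ssh_string(bytes([n]) * 8) for n in (1, 2, 3, 4))
    return "ssh-dss " + base64.b64encode(blob).decode() + " superuser@FIOU0203"
```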