Adva - Training - FSP 150CC-GE20x R4.x Course - 2 - Administration

FSP 150CC-GE20x Product Training Course 2 - Administration

FSP 150CC-GE206 R4.4.x FSP 150CC-GE201 R4.3.x October 2010 V1.3

Module Contents 

Connectivity



Syslog



Security/Alarm/Audit Logs



SNMP



SNTP



Security

Module Contents 

Connectivity



Syslog



Security/Alarm/Audit Logs



SNMP



SNTP



Security

Connectivity 

Various Options     

HTTP/HTTPS – eVision Telnet, SSHv2 SNMP CLI NMS

User ID

root

netadmin

user

Password

ChgMeNOW ChgMe NOW

ChgMeNOW

ChgMeNOW

Privilege

Superuser

Provisioning

Maintenance

Connectivity Serial Interface



Connection Attributes:    



Bits per second: 9600 Data bits: 8 Parity: None Stop Bits: 1 Hardware Flow Control: None



Straight through cable with included DB9/RJ45 adapter



CLI



Software download and database backup are not available via the serial interface. IP connectivity is required for https file transfer and FTP.

Connectivity Serial Interface 

CLI login screen

Connectivity CLI Basics 

Serial Port, Telnet or SSH



Only need to enter the unique portion of the command term, not the entire term

  “tab”

can be used to auto-complete the command term once unique portion entered, but completion is not required

  “back”

takes you back one level

  “home”   “quit” 

takes you to the main level

logs you out from any menu/sub-menu

Arrows can be used to scroll back/forward through previous commands or edit (terminal emulation specific)

  “?”

at any time shows available commands or validity/next parameter of the currently entered command.

Connectivity CLI Prompt Configuration 

CLI prompt can be configured via GUI and CLI

ADVA--> configure system ADVA:system--> prompt ADVA-GE206 ADVA-GE206:system-->

Connectivity Network Element Identification 

Network Element Identification can be configured via GUI and CLI

ADVA--> network-element ne-1 ADVA-NE-1--> name GE206-1 ADVA-NE-1--> location Dallas-TX ADVA-NE-1--> contact John-Smith

Connectivity IP Access



The MGMT LAN port – DCN (eth0) Auto-MDIX supported  Straight through or cross over will work 



There is a default ip address 192.168.0.2/24 assigned.

Connectivity HTTP GUI  Applications

Navigation Tree

Info/Input

 Alarms and Conditions

Connectivity GE206 Naming Conventions and Navigation 

FLOW Entity ID Naming convention:     

NE  1 Shelf  1 Slot  1 Access/Network port  2 (range is from 1 to 6) Flow  1 (range is 1 to 32)

Connectivity GE201 Naming Conventions and Navigation 

FLOW Entity ID Naming convention:     

NE  1 Shelf  1 Slot  1 Access  1 Flow  1 (range is 1 to 128)

Connectivity HTTP GUI - Usage



Applications: 



Functionality is divided into different applications which is aligned with user privileges

Navigation Tree: 

Many nodes in the navigation tree have options that are selectable by right-clicking on the node

  “OK”

vs. “Apply” 

Both result in the validation of the data and the writing of changes to the Flash copy of the database and the hardware   “Apply” leaves you in the edit screen where as “OK” takes you back to the display screen 

General Security Banner  Banner  In

is displayed on GUI and serial/telnet sessions at login.

the GUI, right click System node and select “Edit Banner” 

 Maximum

of 2000 characters

ADVA:--> configure system ADVA:system--> security-banner “This is a private system. Unauthorized access or use may lead to prosecution”

General Security Prompt  When

logging in via the CLI, the following prompt is typically displayed:

Do you wish to continue [Y|N]-->

 This

prompt can cause issues with CLI based configuration systems.

 The

prompt can be disabled via the CLI only.

ADVA:--> configure system ADVA:system--> security-prompt disabled

General Syslog Servers

ADVA--> configure system ADVA:system--> syslog-server 1 ADVA:system:syslog-1--> configure 10.10.10.10 514 ADVA:system:syslog-1--> show syslog-server IP Address : 10.10.10.10 port : 514

General Syslog Servers



Individual controls for each log type

General Security Log 

Security Log contains events of the following type:   

Login/Logout/Failed Login attempts (local / remote) Local User creation/deletion Password change attempts



Security logs can be directed to SYSLOG (configurable)



Security log can only be cleared by a factory reset only



Security log only visible to superuser accounts



Security log contains 1000 records

General Security Log

ADVA--> show security-log

ADVA--> configure system ADVA:system--> security-log ADVA:system:security-log--> syslog-control disabled

General Alarm Log 

Alarm log (automatic output buffer) for alarms/events



Alarm logs can be directed to a SYSLOG (configurable)



Alarm logs can be disabled by superuser



Alarm logs contains 1000 records



Alarm log entries limited to 256 characters

General Alarm Log

ADVA--> show alarm-log ADVA--> configure system ADVA:system--> alarm-log ADVA:system:alarm-log--> syslog-control disabled ADVA:system:alarm-log--> log2file-control enabled

General Audit Log 

Audit Log contains events of the following type:    

all all all all

configuration related changes, entity (e.g. equipment, facility, etc) state changes system restarts maintenance operations (e.g. loopbacks)



Audit logs can be directed to SYSLOG (configurable)



Audit Log can be disabled by superuser



Audit log contains 1000 records



Audit log entries limited to 256 characters

General Audit Log

ADVA--> show audit-log ADVA--> configure system ADVA:system--> audit-log ADVA:system:audit-log--> syslog-control disabled ADVA:system:audit-log--> log2file-control enabled

SNMP Simple Network Management Protocol  The

device is configurable via SNMP

 SNMP 



V1, V2c and V3 are supported

V1 and V2c Defaults:

V3 Defaults:

SNMP Community String

ADVA--> configure snmp ADVA:snmp--> add community noc-readonly readonly

Trap community string (GE206/GE206F) 

Community string access type can be set to Trap Only



Can not be used for read-only or read-write access 

The following errors will be returned by the system if the trap only community string is used to read/write access to the GE206 noSuchName for SNMPv1  noAccess for SNMPv2c  noAccess for SNMPv3 USM 

ADVA--> configure snmp ADVA:snmp--> add community "traps" trap-only

SNMP Target Parameter  The

target parameters allow us to define what SNMP protocol will be used to populate trap information;

 And

thus what SNMP protocol will be used to send traps to the target address specified

 Target

parameter must be added prior to adding the target address.

ADVA--> configure snmp ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth

SNMP Target Address 

Up to 10 trap recipients may be defined



Up to 10 community strings may be defined

ADVA--> configure snmp ADVA:snmp--> add target-address NMS-US 10.10.10.10:162 2 3 trap target-param-v1 enabled

SNMP USM (User Security Model)

ADVA--> configure snmp ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ******** 

Engine ID 



 „local‟ or beginning with 1 or 0

Security name   

1 to 256 characters long only „0-9 a-z A-Z _ . –‟ are accepted If left blank User Name will be copied into this field.



Auth. Key and Priv. Key  

  

8 – 32 characters long Contains a mix of upper and lower case alpha characters (a-z A-Z), at least one special character (# * %) and at least one digit (0-9). Cannot begin with „#‟. No more than 2 chars. can be repeated in consecutive positions. Does not contain a sequence of 3 consecutive letters/digits in ascending/descending order. Can not be the same as the user ID.

SNMP Dying Gasp Trap



The 150CC supports the ability to generate an SNMP Dying Gasp trap on power loss for scenarios where EFM-OAM Dying Gasp is not sufficient.



Only one of SNMP Dying Gasp trap or EFM-OAM Dying Gasp message can be generated on an interface.



SNMP Dying Gasp will only be sent over a Mgmt tunnel, not the MGMT LAN (only replaces EFM OAM Dying Gasp)



Configure SNMP Dying Gasp on the system level and then you can enable the trap by target address (up to 2 SNMP Dying Gasp PDUs can be configured per system). ADVA--> network-element ne-1 ADVA-NE-1--> configure nte nte206-1-1-1 ADVA-NE-1:ge206-1-1-1--> snmp-dying-gasp enabled

NTP Network Time Protocol 

Unicast:  

Device only attempts to connect to the configured addresses Support for up to 2 NTP servers

ADVA--> configure system ADVA:system--> ntp-client ADVA:system:ntp_client--> primary-server 10.10.10.10 ADVA:system:ntp_client--> backup-server 10.10.10.11 ADVA:system:ntp_client--> show ntp-client

Security 

Secure access (defaults shown):    

Serial Port: Telnet (port 23): SSH: (port 22):  FTP (port 21):



Access Control Lists



GUI:  



HTTP (port 80): HTTPS (port 443): SFTP: (port 22):  SCP: (port 21): 

Enabled Disabled Disabled Enabled

Automatic logoff is provisionable Cookie shared per PC user login per NID IP address

Serial  



Enabled Disabled Enabled Disabled

Automatic logoff on cable disconnect (Serial Port Auto Log off: Enable) Serial port can be disabled

Authentication Traps can be enabled (disabled by default)

Security Operations  Access 

by various applications can be generically enabled or disabled;

In the configuration application right click on “System” and select- “Edit System” 

ADVA--> configure system ADVA:system--> ftp enabled ADVA:system--> telnet enabled ADVA:system--> serial enabled

Security Key Management 

The device can generate unique SSL Certificates and SSH keys. 

This will replace the existing keys.

ADVA--> configure user-security ADVA:user-sec--> regenerate-ssh-keys ADVA:user-sec--> regenerate-ssl-certificate

Security Access Control Lists  Up

to 10 ACL entries can be activated at the system level

 Each

entry allows for the specification of a subnet that can access the

unit

ADVA--> configure system ADVA:system--> acl-entry 1 ADVA:acl-1--> configure permit 10.10.1.0 255.255.255.0 ADVA:acl-1--> control enabled

Last Reset Cause (GE201) 

System provides a last reset cause such as warm restart or cold restart. This is available on CLI/GUI/SNMP.



System captures the last 3 instances of an abnormal event. The 3 debug files (binary) are stored on a single debug image which can be downloaded for further investigation.