Administering Avaya Virtual Services Platform 7200 Series and 8000 Series Release 5.1.2 NN47227-600 Issue 10.
© 2014-2017, Avaya, Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya.
Contents (partial extract)
Chapter 1: Introduction .......... 10
Purpose .......... 10
Related resources .......... 10
Training
Changing the primary or secondary boot configuration files .......... 46
Configuring boot flags using ACLI .......... 47
Configuring serial port devices .......... 52
Displaying the boot configuration
Viewing the boot configuration .......... 95
Configuring boot flags .......... 97
Enabling Jumbo frames .......... 98
Configuring the date and time
Chapter 11: Network Time Protocol .......... 133
NTP fundamentals .......... 133
Overview .......... 133
NTP system implementation model
Web interface passwords .......... 182
Enhanced secure mode authentication access levels .......... 183
Password requirements .......... 184
System access configuration using ACLI
Proprietary MIBs .......... 246
Glossary .......... 247
January 2017 Administering Avaya VSP 7200 Series and 8000 Series Comments on this document? infodev@avaya.
Chapter 1: Introduction Purpose This document provides information on features in VSP Operating System Software (VOSS).
Related resources
See Reference for VSP Operating System Software, NN47227-100 for a list of all the VSP 4000 documents.

Training
Ongoing product training is available. For more information or to register, you can access the Web site at http://avaya-learning.com/.

Viewing Avaya Mentor videos
Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya products.
types of documentation for a specific product, for example, Application & Technical Notes for Virtual Services Platform 7000.

Procedure
1. In an Internet browser, go to https://support.avaya.com.
2. Type your username and password, and then click Login.
3. Under My Information, select SSO login Profile.
4. Click E-NOTIFICATIONS.
5. In the GENERAL NOTIFICATIONS area, select the required documentation types, and then click UPDATE.
6. Click OK.
7.
11. Click Submit.

Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date documentation, product notices, and knowledge articles. You can also search for release notes, downloads, and resolutions to issues. Use the online service request system to create a service request. Chat with live agents to get answers to questions, or request an agent to connect you to a support team if an issue requires additional expertise.
3. In the Search dialog box, select the option In the index named .pdx.
4. Enter a search word or phrase.
5. Select any of the following to narrow your search:
• Whole Words Only
• Case-Sensitive
• Include Bookmarks
• Include Comments
6. Click Search.
The search results show the number of documents and instances found. You can sort the search results by Relevance Ranking, Date Modified, Filename, or Location. The default is Relevance Ranking.
Chapter 2: New in this document
The following sections detail what is new in Administering Avaya Virtual Services Platform 7200 Series and 8000 Series, NN47227-600.

Features
See the following section for information about feature changes.

Release 5.1.2
The following features are included in Release 5.1.2:

Logon banner
This release provides the option to set up a custom logon banner using EDM.
• Downgrading or upgrading from releases that support different key sizes on page 173.
• Changing Secure Shell parameters on page 175.

SSH parameters
This release updates Secure Shell (SSH) parameters.
Release 5.1.1
The following features are included in Release 5.1.1:

RMON1
This release supports RMON1, so RFC2819 was added to Supported standards RFCs and MIBs on page 237. RMON2 was already supported in a previous release.
Chapter 3: Basic administration
The following sections describe common procedures to configure and monitor the switch.

Basic administration procedures using ACLI
The following section describes common procedures that you use while you configure and monitor the switch operations.
Note: Unless otherwise stated, to perform the procedures in this section, you must log on to the Privileged EXEC mode in Avaya Command Line Interface (ACLI).
Example
Switch:1> enable
Save the configuration to the default location:
Switch:1# save config
Identify the file as a backup file and designate a location to save the file:
Switch:1# save config backup /usb/PreUpgradeBackup.cfg

Variable definitions
Use the data in the following table to use the save config command.
Variable | Value
backup WORD<1–99> | Saves the specified file name and identifies the file as a backup file.
About this task
Restart the switch to implement configuration changes or recover from a system failure. When you restart the system, you can specify the boot config file name. If you do not specify a boot source and file, the boot command uses the configuration files on the primary boot device defined by the boot config choice command. After the switch restarts normally, it sends a cold trap within 45 seconds after the restart.

Procedure
1. Enter Privileged EXEC mode:
enable
2.
Resetting the platform
About this task
Reset the platform to reload system parameters from the most recently saved configuration file.

Procedure
1. Enter Privileged EXEC mode:
enable
2. Reset the switch:
reset [-y]

Example
Switch:1> enable
Reset the switch:
Switch:1# reset
Are you sure you want to reset the switch? (y/n) y

Variable definitions
Use the data in the following table to use the reset command.
sys shutdown
3. Before you unplug the power cord, wait until you see the following message:
System Halted, OK to turn off power

Example
Shut down a running system.
Switch:1#sys shutdown
Are you sure you want shutdown the system? Y/N (y/n) ? y
CP1 [05/08/14 15:47:50.164] 0x00010813 00000000 GlobalRouter HW INFO System shutdown initiated from CLI
CP1 [05/08/14 15:47:52.000] LifeCycle: INFO: Stopping all processes
CP1 [05/08/14 15:47:53.
Example
Ping an IP device from a GRT VLAN IP interface:
Switch:1# ping 192.0.2.16
192.0.2.16 is alive

Variable definitions
Use the data in the following table to use the ping command.
Variable | Value
count <1–9999> | Specifies the number of times to ping (1–9999).
-d | Configures the ping debug mode.
Variable | Value
source WORD<1–256> | Specifies an IP address to be used as the source IP address in the packet header.
-t <1–120> | Specifies the no-answer timeout value in seconds (1–120).
vrf WORD<0–16> | Specifies the virtual routing and forwarding (VRF) name from 1–16 characters.
WORD<0–256> | Specifies the host name or IPv4 (a.b.c.d) address (string length 0–256). Specifies the address to ping.
Table 3: Variable definitions
Variable | Value
-a | Adds data to the output file instead of overwriting it. You cannot use the -a option with the -c option.
-c | Compares the checksum of the file specified by WORD<1–99> with the MD5 checksum present in the checksum file. You can specify the checksum file name using the -f option. If the checksum file name is not specified, the file /intflash/checksum.md5 is used for comparison.
Resetting system functions
About this task
Reset system functions to reset all statistics counters, the console port (10101).

Procedure
1. Enter Privileged EXEC mode:
enable
2. Reset system functions:
sys action reset {console|counters}

Example
Switch:1> enable
Reset the statistics counters:
Switch:1# sys action reset counters
Are you sure you want to reset system counters (y/n)? y

Variable definitions
Use the data in the following table to use the sys action command.
2. Source a configuration:
source WORD<1–99> [debug] [stop] [syntax]

Example
Switch:1> enable
Debug the script output:
Switch:1# source testing.cfg debug

Variable definitions
Use the data in the following table to use the source command.
Table 5: Variable definitions
Variable | Value
debug | Debugs the script output.
stop | Stops the merge after an error occurs.
syntax | Verifies the script syntax.
3. Click Chassis.
4. Click the System tab.
5. Locate ActionGroup4 near the bottom of the screen.
6. Select softReset from ActionGroup4.
7. Click Apply.

Showing the MTU for the system
About this task
Perform this procedure to show the MTU configured for the system.

Procedure
1. On the Device Physical View, select the Device.
2. In the navigation tree, open the following folders: Configuration > Edit.
3. Click Chassis.
4. Click the Chassis tab.
5.
Name | Description
UsbBytesUsed | Specifies the number of bytes used in the USB device.
UsbBytesFree | Specifies the number of bytes available for use in the USB device.
UsbNumFiles | Specifies the number of files in the USB device.

Displaying available storage space
About this task
Display information about the available space for storage devices on this system.

Procedure
1. In the navigation tree, open the following folders: Configuration > Edit.
2. Click Chassis.
3.
Name | Description
Slot | Specifies the slot number of the device.
Name | Specifies the directory name of the file.
Date | Specifies the creation or modification date of the file.
Size | Specifies the size of the file.

Displaying internal flash files
Display information about the files on the internal flash.
Note: The following procedure is supported on VSP 7000 series and VSP 8000 series only.

Procedure
1. In the navigation tree, expand the following folders: Configuration > Edit.
2.
Name | Description
Slot | Specifies the slot number of the device.
Name | Specifies the directory name of the file.
Date | Specifies the creation or modification date of the file.
Size | Specifies the size of the file.

Copying a file
About this task
Copy files on the internal flash.

Procedure
1. In the navigation tree, open the following folders: Configuration > Edit.
2. Click File System.
3. Click the Copy File tab.
4. Edit the fields as required.
5. Click Apply.
Saving the configuration
About this task
After you change the configuration, you must save the changes on the device. Save the configuration to a file to retain the configuration settings.
Note: When you log out of the EDM interface, a dialog box automatically asks whether you want to save the configuration. If you want to save the configuration, click OK. If you want to close without saving the configuration, click Cancel.
Chapter 4: System startup fundamentals
This section provides conceptual material on the boot sequence and boot processes of the switch. Review this content before you make changes to the configurable boot process options.

spbm-config-mode boot flag
Shortest Path Bridging (SPB) and Protocol Independent Multicast (PIM) cannot interoperate with each other on the switch at the same time. To ensure that SPB and PIM stay mutually exclusive, a boot flag called spbm-config-mode is implemented.
Figure 1: Boot sequence

Stage 1: Loading Linux
The port contains a boot flash partition that stores the boot images, which include the boot loader, and the Linux kernel and applications. The boot flash partition contains two versions of the boot image: a committed version (the primary release) and a backup version. A committed version is one that is marked as good (if you can start the system using that version). The system automatically uses the backup version if the system fails the first time you start with a new version.

Stage 2: Loading the primary release
The switch can install a maximum of six releases but can only load one of two: a primary (committed) release or a backup release.
Table 6: Configuration file statements
Sample statement | Action
# software version : 4.0.0.0 | Adds clarity to the configuration by identifying the software version.
#!no boot config flags sshd | Configures the flag to the false condition, prior to loading the general configuration.

Boot sequence modification
You can change the boot sequence in the following ways:
• Change the primary designations for file sources.
• Change the file names from the default values.
The following table lists parameters you configure in ACLI using the boot config flags command. For information on system flags and their configuration, see Configuring system flags on page 47.
Client and server support
The client-server model partitions tasks between servers that provide a service and clients that request a service. For active ACLI clients, users initiate a client connection from the VSP switch to another device. For non-active clients, the client exists on the switch and the switch console initiates the request, with no intervention from users after the initial setup. For instance, Network Time Protocol (NTP) is a non-active client.
The switch supports the following servers using IPv4:
• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol (HTTP)
• Hypertext Transfer Protocol Secure (HTTPS)
• remote shell (rsh)
• rlogin
• Secure Copy (SCP)
• Secure File Transfer Protocol (SFTP)
• Secure Shell version 2 (SSHv2)
• Telnet
• Trivial File Transfer Protocol (TFTP)
Chapter 5: Boot parameter configuration using ACLI
Use the procedures in this section to configure and manage the boot process.
• To perform the procedures in this section, you must log on to Global Configuration mode in ACLI. For more information about how to use ACLI and how to log on to the software, see Using ACLI and EDM on VSP Operating System Software, NN47227-103.
Switch:1# boot config flags factorydefaults

Configuring the remote host logon
Before you begin
• The FTP server must support the FTP passive (PASV) command. If the FTP server does not support the passive command, the file transfer is aborted, and then the system logs an error message that indicates that the FTP server does not support the passive command.

About this task
Configure the remote host logon to modify parameters for FTP and TFTP access.
About this task
File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), remote login (rlogin), Secure Shell version 2 (SSHv2), and Telnet server support IPv4 addresses.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable the access service:
boot config flags {ftpd|rlogind|sshd|telnetd|tftpd}
3. Save the configuration.
Variable | Value
• debug-config [file]: Logs the line-by-line configuration file processing and the result of the execution to the debug file while the device loads the configuration file. The system logs the debug config output to /intflash/debugconfig_primary.txt for the primary configuration file. The system logs the debug config output to /intflash/debugconfig_backup.txt for the backup configuration, if the backup configuration file loads.
Variable | Value
hsecure | Activates or disables High Secure mode. The hsecure command provides the following password behavior:
• 10 character enforcement
• The password must contain a minimum of 2 uppercase characters, 2 lowercase characters, 2 numbers, and 2 special characters.
• Aging time
• Failed login attempt limitation
The default value is disabled. If you enable High Secure mode, you must restart the switch to enforce secure passwords.
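As an added illustration of the password rules that the hsecure flag enforces, the following Python code checks a candidate password against the listed rules before an administrator configures it on the switch. This is example code written for this page, not Avaya's implementation. The page does not define which characters count as "special", so the example assumes any printable character that is neither a letter, a digit, nor whitespace; and because the page names the aging rule without stating a value, the maximum password age is a parameter rather than a fixed number.

```python
from datetime import datetime, timedelta

# Rules the page lists for High Secure (hsecure) mode.
MIN_LENGTH = 10
MIN_UPPER = 2
MIN_LOWER = 2
MIN_DIGITS = 2
MIN_SPECIAL = 2


def _is_special(ch: str) -> bool:
    # Assumption: a special character is any printable character that is
    # neither alphanumeric nor whitespace (the page does not define the set).
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def check_hsecure_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH} characters")
    counts = {
        "uppercase": sum(1 for c in password if c.isupper()),
        "lowercase": sum(1 for c in password if c.islower()),
        "digit": sum(1 for c in password if c.isdigit()),
        "special": sum(1 for c in password if _is_special(c)),
    }
    minimums = {
        "uppercase": MIN_UPPER,
        "lowercase": MIN_LOWER,
        "digit": MIN_DIGITS,
        "special": MIN_SPECIAL,
    }
    for kind, minimum in minimums.items():
        if counts[kind] < minimum:
            problems.append(
                f"needs at least {minimum} {kind} characters, found {counts[kind]}"
            )
    return problems


def password_expired(set_at_iso: str, now_iso: str, max_age_days: int) -> bool:
    """Aging-time check: True when the password is older than max_age_days.

    The page names the aging rule but gives no value, so the limit is a parameter.
    Timestamps are ISO 8601 strings, e.g. "2017-01-15T09:30:00".
    """
    set_at = datetime.fromisoformat(set_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - set_at > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample candidates, not passwords from the page.
    for candidate in ("password", "Abcdefgh12!@", "Ab1!Cd2@xyz"):
        result = check_hsecure_password(candidate)
        print(repr(candidate), "complies" if not result else result)
    print("expired:", password_expired("2017-01-01T00:00:00", "2017-04-01T00:00:00", 60))
```

Running the check on the operator side is a convenience only: the switch enforces the rules itself once hsecure is enabled and the switch has been restarted, as the table states.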
Variable | Value
spanning tree mode, you must save the current configuration and restart the switch.
spbm-config-mode | Enables you to configure SPB and IS-IS, but you cannot configure PIM and IGMP either globally or on an interface. Use the no operator so that you can configure PIM and IGMP. The boot flag is enabled by default. To set this flag to the default value, use the default operator with the command.
sshd | Activates or disables the SSHv2 server service.
Variable | Value
If no backup config file exists, the system defaults to factory defaults. Avaya recommends that you disable the verify-config flag.

Changing the primary or secondary boot configuration files
About this task
Change the primary or secondary boot configuration file to specify which configuration file the system uses to start. Configure the primary boot choices.
Variable definitions
Use the data in the following table to use the boot config command.
Table 9: Variable definitions
Variable | Value
{backup-config-file|config-file} | Specifies that the boot source uses either the configuration file or a backup configuration file.
WORD<0–255> | Identifies the configuration file. WORD<0–255> is the device and file name, up to 255 characters including the path, in one of the following formats:
• a.b.c.
boot config flags |factorydefaults|ftpd|hsecure|logging|reboot|rlogind|spbm-config-mode|spanning-tree-mode|sshd|telnetd|tftpd|trace-logging|verify-config>
3.
Variable | Value
immediately debug the configuration. After you enable debug-config and save the configuration, the debug output either displays on the console or logs to an output file the next time the switch reboots. The options are:
• debug-config [console]: Displays the line-by-line configuration file processing and result of the execution on the console while the device loads the configuration file.
Variable | Value
factorydefaults | Specifies whether the switch uses the factory default settings at startup. The default value is disabled. This flag is automatically reset to the default setting after the CPU restarts. If you change this parameter, you must restart the switch.
ftpd | Activates or disables the FTP server on the switch. The default value is disabled. To enable FTP, ensure that the tftpd flag is disabled.
Variable | Value
Important: Do not change this parameter unless directed by Avaya.
rlogind | Activates or disables the rlogin and rsh server. The default value is disabled.
spanning-tree-mode | Specifies the Multiple Spanning Tree Protocol or Rapid Spanning Tree Protocol mode. If you do not specify a protocol, the switch uses the default mode. The default mode is mstp.
Variable | Value
cannot be found, the system tries to load the backup file.
• Backup config behavior: If the system loads the backup config file, the system does not check the backup file for syntax errors, regardless of whether the verify-config flag is disabled or enabled. With the backup config file, the system ignores any lines with errors during the loading of the backup config file. If no backup config file exists, the system defaults to factory defaults.
Variable definitions
Use the data in the following table to use the boot config sio console command.
Table 11: Variable definitions
Variable | Value
8databits | Specifies either 8 (true) or 7 (false) data bits for each byte for the software to interpret. The default value is 8 data bits. Use the no or default operator with the command to configure this variable to the false condition.
Switch:1(config)#show boot config running-config
#
#Thu Mar 20 15:12:01 2014 UTC
#
boot config flags ftpd
boot config flags rlogind
boot config flags sshd
boot config flags telnetd
boot config flags tftpd
no boot config flags verify-config
boot config choice primary backup-config-file "/intflash/config.cfg"

Variable definitions
Use the data in the following table to use the show boot config command.
Chapter 6: Run-time process management using ACLI
Configure and manage the run-time process using the Avaya Command Line Interface (ACLI). To perform the procedures in this section, you must log on to Global Configuration mode in ACLI. For more information about how to use ACLI, see Using ACLI and EDM on VSP Operating System Software, NN47227-103.

Configuring the date
About this task
Configure the calendar time in the form of month, day, year, hour, minute, and second.

Procedure
1.
Table 13: Variable definitions
Variable | Value
MMddyyyyhhmmss | Specifies the date and time in the format month, day, year, hour, minute, and second.

Configuring the time zone
About this task
Configure the time zone to use an internal system clock to maintain accurate time. The time zone data in Linux includes daylight changes for all time zones up to the year 2038. You do not need to configure daylight saving time.
Table 14: Variable definitions
Variable | Value
WORD<1–10> | Specifies a directory name or a time zone name in /usr/share/zoneinfo, for example, Africa, Australia, Antarctica, or US. To see a list of options, enter clock time-zone at the command prompt without variables.
WORD<1–20> WORD<1–20> | The first instance of WORD<1–20> is the area within the timezone. The value represents a time zone data file in /usr/share/zoneinfo/WORD<1–10>/, for example, Shanghai in Asia.
terminal length <8–64>
8.
Variable | Value
• Use the no operator before this parameter, no loginmessage, to disable the default logon banner and display the new banner.
Use the data in the following table to use the passwordprompt command.
Table 16: Variable definitions
Variable | Value
WORD<1-1510> | Changes the ACLI password prompt.
• WORD<1-1510> is an ASCII string from 1–1510 characters.
Table 20: Variable definitions
Variable | Value
<8–64> | Configures the number of lines in the output display for the current session. To configure this option to the default value, use the default operator with the command. The default value is 23.
disable|enable | Configures scrolling for the output display. The default is enabled. Use the no operator to remove this configuration.
Table 21: Variable definitions
Variable | Value
custom|static | Activates or disables use of the default banner.
displaymotd | Enables displaymotd.
motd | Sets the message of the day banner.
WORD<1–80> | Adds lines of text to the ACLI logon banner.

Configuring the message-of-the-day
About this task
Configure a system login message-of-the-day in the form of a text banner that appears after each successful logon.

Procedure
1.
Table 22: Variable definitions
Variable | Value
WORD<1–1516> | Creates a message of the day to display with the logon banner. To provide a string with spaces, include the text in quotation marks ("). To set this option to the default value, use the default operator with the command.

Configuring ACLI logging
About this task
Use ACLI logging to track all ACLI commands executed and for fault management purposes.
Variable definitions
Use the data in the following table to use the clilog commands.
Table 23: Variable definitions
Variable | Value
enable | Activates ACLI logging. To disable, use the no clilog enable command.

Configuring system parameters
About this task
Configure individual system-level switch parameters to configure global options for the switch.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Change the system name:
sys name WORD<0–255>
3.
Variable definitions
Use the data in the following table to use the sys command.
Table 24: Variable definitions
Variable | Value
mtu <1522|9600> | Activates Jumbo frame support for the data path. The value can be either 1522, 1950 (default), or 9600 bytes. 1950 or 9600 bytes activate Jumbo frame support.
name WORD<0–255> | Configures the system, or root level, prompt name for the switch.
sys msg-control control-interval <1-30>
5.
To enable the message control feature, you must specify an action, control interval, and maximum message number. After you enable the feature, log messages that repeat and exceed the maximum message number within the control interval trigger the force message feature. You can either suppress the message or send a trap notification, or both.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2.
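The following Python model, added here as an illustration and not taken from the switch software, shows the decision the message control feature makes for each log message: repeats of the same message are counted inside a sliding control interval, and once the count exceeds the maximum message number the configured action applies. The action labels "suppress", "trap" and "both", the sample log feed, and the choice to raise at most one trap per message per control interval are this example's own assumptions; the 1 to 30 second range for the control interval is the one the page gives.

```python
from collections import defaultdict, deque

# Labels used by this example for the three actions the page describes
# (suppress the message, send a trap notification, or both).
ACTIONS = ("suppress", "trap", "both")


class MessageControl:
    """Counts repeats of a log message inside a sliding control interval and,
    once the maximum message number is exceeded, suppresses the message,
    raises a trap, or both."""

    def __init__(self, action="both", control_interval=5, max_msg_num=5):
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        if not 1 <= control_interval <= 30:  # range the page gives for control-interval
            raise ValueError("control_interval must be 1-30 seconds")
        self.action = action
        self.interval = control_interval
        self.max_msg_num = max_msg_num
        self._seen = defaultdict(deque)  # message text -> timestamps inside the interval
        self._last_trap = {}             # message text -> time of the last trap
        self.delivered = []
        self.suppressed = []
        self.traps = []

    def process(self, ts, message):
        """Handle one log message at time ts (seconds). Returns (delivered, trapped)."""
        window = self._seen[message]
        while window and ts - window[0] >= self.interval:
            window.popleft()  # drop repeats older than the control interval
        window.append(ts)
        if len(window) <= self.max_msg_num:
            self.delivered.append((ts, message))
            return True, False
        # Threshold crossed inside the interval: the force message feature applies.
        trapped = False
        if self.action in ("trap", "both"):
            last = self._last_trap.get(message)
            if last is None or ts - last >= self.interval:
                self._last_trap[message] = ts  # design choice: one trap per interval
                self.traps.append((ts, message))
                trapped = True
        if self.action in ("suppress", "both"):
            self.suppressed.append((ts, message))
            return False, trapped
        self.delivered.append((ts, message))
        return True, trapped


# Constructed sample feed of (seconds, message); not real switch log output.
SAMPLE_FEED = [
    (0.0, "Link down on port 1/1"), (0.5, "Link down on port 1/1"),
    (1.0, "Link down on port 1/1"), (1.5, "Link down on port 1/1"),
    (2.0, "Link down on port 1/1"), (2.0, "Fan speed changed"),
    (2.5, "Link down on port 1/1"), (3.0, "Link down on port 1/1"),
    (3.5, "Link down on port 1/1"), (10.0, "Link down on port 1/1"),
]


def run_sample(action="both", control_interval=5, max_msg_num=5):
    """Feed SAMPLE_FEED through the controller and return summary counts."""
    mc = MessageControl(action, control_interval, max_msg_num)
    for ts, msg in SAMPLE_FEED:
        mc.process(ts, msg)
    return {
        "delivered": len(mc.delivered),
        "suppressed": len(mc.suppressed),
        "traps": len(mc.traps),
    }


if __name__ == "__main__":
    for action in ACTIONS:
        print(action, run_sample(action))
```

With the sample feed, five repeats inside the interval pass through, the sixth to eighth are suppressed and raise a single trap, and the repeat at ten seconds is delivered again because the earlier timestamps have aged out of the control interval.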
Chapter 7: Chassis operations
The following sections provide information for chassis operations such as hardware and software compatibility.

Chassis operations fundamentals
This section provides conceptual information for chassis operations such as hardware and software compatibility and power management. Read this section before you configure the chassis operations.
If you want out-of-band management, Avaya recommends that you define a specific static route in the Management Router VRF to the IP subnet where your management application resides. When you specify a static route in the Management Router VRF, it enables the client management applications originating from the switch to perform out-of-band management without affecting inband management. This enables in-band management applications to operate in the Global Router VRF.
• a software process that enters an infinite loop
The software lock-up detect feature monitors processes to ensure that the software functions within the expected time limit. The CPU logs details about suspended tasks in the log file. For additional information about log files, see Managing Faults on Avaya Virtual Services Platform 7200 Series and 8000 Series, NN47227-702.
Table 27: Recommended Auto-Negotiation configuration on 10/100/1000BASE-TX ports
Port on A | Port on B | Remarks | Recommendations
Auto-Negotiation enabled | Auto-Negotiation enabled | Ports negotiate on highest supported mode on both sides. | Avaya recommends that you use this configuration if both ports support Auto-Negotiation mode.
Full-duplex | Full-duplex | Both sides require the same mode. | Avaya recommends that
All devices in a network that are SONMP-enabled send hello packets to their immediate neighbors, that is, to interconnecting Layer 2 devices. A hello packet advertises the existence of the sending device and provides basic information about the device, such as the IP address and MAC address. The hello packets allow each device to construct a topology table of its immediate neighbors.
Switched UNI with channelization
S-UNI operates on channelized ports. When an interface is dechannelized, the S-UNI interface cleans up all the channels. If S-UNI is operating on channel 1/1/1 and 1/1/2, and the circuit is dechannelized, the 1/1/1 configuration is saved and the commands are configured on 1/1. The configuration on 1/1/2 is deleted.
The switches support only full-duplex. Half-duplex is not supported.

Chassis operations configuration using ACLI
This section provides the details to configure basic hardware and system settings.

Enabling jumbo frames
About this task
Enable jumbo frames to increase the size of Ethernet frames the chassis supports.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2.
Configuring port lock
About this task
Configure port lock to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. You cannot modify a locked port until you unlock the port.

Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable port lock globally:
portlock enable
3. Log on to GigabitEthernet Interface Configuration mode:
interface gigabitethernet {slot/port[/sub-port][-slot/port[/subport]][,...
Variable | Value
and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
For the lock port command, use the no form of this command to unlock a port:
no lock port {slot/port[/sub-port][-slot/port[/subport]][,...
show autotopology nmm-table
Unless the switch is physically connected to other devices in the network, this topology table is blank.
Variable | Value
CS | Specifies the current state of the sender of the topology message. The choices are:
• topChanged: Topology information recently changed.
• HtBt (heartbeat): Topology information is unchanged.
• new: The sending agent is in a new state.
Rem Port | Specifies the slot and port that sent the topology message.
Configuring an IP address for the management port
Configure an IP address for the management port so that you can remotely access the device using the out-of-band (OOB) management port. The management port runs on a dedicated VRF. The configured IP subnet has to be globally unique because the management protocols can go through in-band (Global Router) or out-of-band ports (Management VRF).
Before you begin
• Do not configure a default route in the Management VRF.
Example
Configure the IP address for the management port:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface mgmtethernet mgmt
Switch:1(config-if)#ip address 192.0.2.31 255.255.255.0
Variable definitions
Use the data in the following table to use the ip address command.
Variable Value
Specifies the IP address followed by the subnet mask.
Use the data in the following table to use the ipv6 interface address command.
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note: If your platform supports channelization for 40 Gbps ports and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
2. Enable Autonegotiation:
auto-negotiate [port {slot/port[/sub-port][-slot/port[/sub-port]] [,...]}] enable
3. Disable Autonegotiation:
no auto-negotiate [port {slot/port[/sub-port][-slot/port[/sub-port]] [,...
Variable Value
GbE and 10 GbE operation by simply swapping transceivers. To help with this transition between 1 GbE and 10 GbE port operation, Avaya allows you to configure autonegotiation when you install a 10 GbE transceiver, even though autonegotiation is not defined for 10 GbE. You can do this in anticipation of a port changeover from 10 GbE to 1 GbE.
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note: If your platform supports channelization for 40 Gbps ports and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
2. Enable channelization on a port:
channelize [port {slot/port[-slot/port][,...]}] enable
3. Display the status of the ports:
show interfaces gigabitEthernet channelize [{slot/port[-slot/port] [,...
Variable Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}: Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If your platform supports channelization for 40 Gbps ports and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
Controlling slot power
About this task
The sys power slot command is used to control slot power on an Avaya Virtual Services Platform 8400.
Important: This command is only available for use with the Avaya Virtual Services Platform 8400.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure slot power:
[no] sys power slot {slot[-slot][,...
Chassis operations configuration using EDM
Enabling or disabling the USB port
Perform this procedure to control USB access. For security reasons, you may want to disable this port to prevent individuals from using it. By default, the port is automatically mounted when a USB device is inserted.
Important: Do not perform this procedure on a VSP 4850.
Editing system information
About this task
You can edit system information, such as the contact person, the name of the device, and the location, to identify the equipment.
Procedure
1. In the Device Physical View tab, select the Device.
2. In the navigation tree, open the following folders: Configuration > Edit.
3. Click Chassis.
4. Click the System tab.
5. Type the contact information in the sysContact field.
6. Type the system name in the sysName field.
7.
Name Description
LastRunTimeConfigSave: Displays the last run-time configuration saved.
DefaultRuntimeConfigFileName: Displays the default run-time configuration file directory name.
ConfigFileName: Specifies the name of a new configuration file.
Name Description
Type: Specifies the chassis type.
SerialNumber: Specifies a unique chassis serial number.
HardwareRevision: Specifies the current hardware revision of the device chassis.
NumSlots: Specifies the number of slots available in the chassis:
• VSP 7200 Series: 2 slots
• VSP 8200: 1 slot
• VSP 8400: 4 slots
NumPorts: Specifies the number of ports currently installed in the chassis.
Configuring system flags
About this task
Configure the system flags to enable or disable flags for specific configuration settings.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit.
2. Click Chassis.
3. Click the System Flags tab.
4. Select the system flags you want to activate.
5. Clear the system flags you want to deactivate.
6. Click Apply.
Note: Enabling or disabling channelization resets the port QoS configuration to default values. For information about configuring QoS values, see Configuring QoS and ACL-Based Traffic Filtering on Avaya Virtual Services Platform 7200 Series and 8000 Series, NN47227-502.
Procedure
1. In the Device Physical View tab, select a 40 Gbps port.
2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
3. Click General.
4. Click the Channelization tab.
5.
• If you use 1 Gbps copper SFP transceivers, the remote end must have auto-negotiation enabled. If not, the link will not be established.
Procedure
1. In the Device Physical View tab, select a port.
2. In the navigation tree, open the following folders: Configuration > Edit > Port.
3. Click General.
4. Click the Interface tab.
5. Configure the fields as required.
The 10/100BASE-TX ports do not consistently autonegotiate with older 10/100BASE-TX equipment.
Name Description
DisplayFormat: Identifies the slot and port numbers (slot/port). If the port is channelized, the format also includes the sub-port in the format slot/port/sub-port.
AdminStatus: Configures the port as enabled (up), disabled (down), or testing. The testing state indicates that no operational packets can be passed.
OperStatus: Displays the current status of the port. The status includes enabled (up), disabled (down), or testing.
Name Description
In addition, you can use a saved configuration file with autonegotiation enabled to boot a system with either 10 GbE or 1 GbE transceivers installed. If you install a 1 GbE transceiver, the system applies autonegotiation.
Name Description
QoSLevel: Selects the Quality of Service (QoS) level for this port. The default is level1.
DiffServ: Enables the Differentiated Service feature for this port. The default is disabled.
Layer3Trust: Configures whether the system should trust Layer 3 packets coming from access links or core links only. The default is core.
Layer2Override8021p: Specifies whether Layer 2 802.1p override is enabled (selected) or disabled (cleared) on the port. The default is disabled (clear).
Name Description
• triggerRipUpdate — manually triggers a RIP update
The default is none.
Result: Displays the result of the selected action. The default is none.
Viewing the boot configuration
About this task
View the boot configuration to determine the software version and the source from which the switch last started.
Procedure
1. On the Device Physical View, select the Device.
2.
Name Description
Important: Do not change this parameter unless directed by Avaya.
EnableRebootOnError: Activates or disables automatic reboot on a fatal error. The default value is activated.
Important: Do not change this parameter unless directed by Avaya.
EnableTelnetServer: Activates or disables the Telnet server service. The default is disabled.
EnableRloginServer: Activates or disables the rlogin and rsh server. The default value is disabled.
Configuring boot flags
About this task
Change the boot configuration to determine the services available after the system starts. File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Telnet server support IPv4 addresses.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > Chassis.
2. Click the Boot Config tab.
3. Select the services you want to enable.
4. Click Apply.
Name Description
Important: Do not change this parameter unless directed by Avaya.
EnableTelnetServer: Activates or disables the Telnet server service. The default is disabled.
EnableRloginServer: Activates or disables the rlogin and rsh server. The default value is disabled.
EnableFtpServer: Activates or disables the FTP server on the switch. The default value is disabled. To enable FTP, ensure that the TFTPD flag is disabled.
3. Click Chassis.
4. Click the Chassis tab.
5. In MTU size, select either 1950, 9600 or 1522.
6. Click Apply.
Configuring the date and time
About this task
Configure the date and time to correctly identify when events occur on the system.
Procedure
1. On the Device Physical View, select the Device.
2. In the navigation tree, open the following folders: Configuration > Edit.
3. Click Chassis.
4. Click the User Set Time tab.
5. Type and select the correct details.
Associating a port to a VRF instance
About this task
Associate a port to a Virtual Router Forwarding (VRF) instance so that the port becomes a member of the VRF instance. You can assign a VRF instance to a port after you configure the VRF. The system assigns ports to the GlobalRouter, VRF 0, by default.
Procedure
1. In the Device Physical View tab, select a port.
2. In the navigation tree, open the following folders: Configuration > Edit > Port.
3. Click General.
4. Click the VRF tab.
Name Description
AutoRecoverPort: Activates or disables auto recovery of the port from action taken by CP Limit or link flap features. The default value is disabled.
Configuring an IP address for the management port
Configure an IP address for the management port so that you can remotely access the device using the out-of-band (OOB) management port. The management port runs on a dedicated VRF.
4. Click Launch VRF Context View. A new EDM webpage appears for the VRF context. Parameters that you cannot configure for this context appear dim.
5. In the Device Physical view, select the management port.
6. In the navigation tree, expand the following folders: Configuration > Edit.
7. Click Mgmt Port.
8. Click the IP Address tab.
9. Click Insert.
10. Configure the IP address and mask.
11. Click Insert.
12. Collapse the VRF context view.
Editing the management port parameters
About this task
The management port on the CP module is a 10/100/1000 Mb/s Ethernet port that you can use for an out-of-band management connection to the switch. If you use EDM to configure the static routes of the management port, you do not receive a warning if you configure a non-natural mask.
Name Description
Note: The 10 GigabitEthernet fiber-based I/O module ports can operate at either 1 Gigabit per second (Gbps) or 10 Gbps, depending on the capabilities of the optical transceiver that you install. This presents an ambiguity with respect to the autonegotiation settings of the port: 1 Gigabit Ethernet (GbE) ports require autonegotiation, while autonegotiation is not defined and is non-existent for 10 GbE ports.
2. In the navigation tree, expand the following folders: Configuration > Edit.
3. Click Mgmt Port.
4. Click the IPv6 Interface tab.
5. Click Insert.
6. Edit the fields as required.
7. Click Insert.
8. Click Apply.
IPv6 Interface field descriptions
Use the data in the following table to use the IPv6 Interface tab.
Name Description
Interface: Identifies the unique IPv6 interface.
Descr: Specifies a textual string containing information about the interface.
Configuring management port IPv6 addresses
About this task
Configure management port IPv6 addresses to add or remove IPv6 addresses from the port. The switch supports IPv6 addressing with Ping, Telnet, and SNMP.
Procedure
1. In the Device Physical View tab, select the management port.
2. In the navigation pane, expand the following folders: Configuration > Edit.
3. Click Mgmt Port.
4. Click the IPv6 Addresses tab.
5. Click Insert.
6.
Name Description
Created: Specifies the time this entry was created. If this entry was created prior to the last initialization of the local network management subsystem, then this option contains a zero value.
LastChanged: Specifies the time this entry was last updated. If this entry was updated prior to the last initialization of the local network management subsystem, then this option contains a zero value.
Name Description
IfIndex: Specifies the slot and port number for the serial port.
BaudRate: Specifies the baud rate of this port. The default is 9600.
DataBits: Specifies the number of data bits, for each byte of data, this port sends and receives. The default is 7.
Enabling port lock
About this task
Use the port lock feature to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click General.
3. Click the Port Lock tab.
4. In the LockedPorts box, click the ellipsis (...) button.
5. Click the desired port or ports.
6. Click Ok.
7. In the Port Lock tab, click Apply.
Port Lock field descriptions
Use the data in the following table to use the Port Lock tab.
Name Description
Enable: Activates the port lock feature.
Viewing power status on VSP 8400
Perform this procedure to view the power status for the chassis and cards.
Procedure
1. For VSP 8400 only, in the navigation tree, expand the following folders: Configuration > Edit.
2. Click Chassis.
3. Click the Power Consumption tab.
Power consumption field descriptions
Use the data in the following table to use the Power Consumption tab.
Name Description
Index: Displays an index value that identifies the component.
Viewing topology status information
About this task
View topology status information (which includes Avaya Management MIB status information) to view the configuration status of the SynOptics Network Management Protocol (SONMP) on the system.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > Diagnostics.
2. Click Topology.
3. Click the Topology tab.
Name Description
Slot: Specifies the slot number in the chassis that received the topology message.
Port: Specifies the port that received the topology message.
SubPort: Specifies the channel of a channelized 40 Gbps port that received the topology message.
IpAddr: Specifies the IP address of the sender of the topology message.
SegId (RemPort): Specifies the segment identifier of the segment from which the remote agent sent the topology message.
Name Description
PatternId: Specifies a pattern identification number in the range 1–32.
Pattern: Specifies a forced message control pattern of 4 characters. The software and the hardware log messages that use the first four bytes matching one of the patterns in the force-msg table undergo the configured message control action. You can specify up to 32 different patterns in the force-msg table, including a wildcard pattern (****).
Chapter 8: Hardware status using EDM
This section provides methods to check the status of basic hardware in the chassis using Enterprise Device Manager (EDM).
Configuring polling intervals
About this task
Enable and configure polling intervals to determine how frequently EDM polls for port and LED status changes or detects the hot swap of installed ports.
Procedure
1. In the navigation tree, open the following folders: Configuration > Device.
2. Click Preference Setting.
3.
Viewing module information
View the administrative status for modules in the front of the chassis.
About this task
This procedure applies only to VSP 8400. VSP 8400 provides slots for four Ethernet Switch Modules (ESM).
Procedure
1. In the Device Physical View tab, select an ESM.
2. In the navigation tree, expand the following folders: Configuration > Edit.
3. Click Card.
4. Click the Card tab.
Card field descriptions
Use the data in the following table to use the Card tab.
Detail field descriptions
Use the data in the following table to use the Detail tab.
Name Description
Type: Describes the type of power used—AC or DC.
Description: Provides a description of the power supply.
SerialNumber: Specifies the power supply serial number.
HardwareRevision: Specifies the hardware revision number.
PartNumber: Specifies the power supply part number.
Viewing temperature on the chassis
4. Click the Temperature tab.
Temperature field descriptions
Use the data in the following table to use the Temperature tab.
Name Description
CpuTemperature: Current CPU temperature in Celsius.
MacTemperature: Current MAC component temperature in Celsius.
Phy1Temperature: Current PHY 1 component temperature in Celsius. This field does not apply to VSP 7254XSQ.
Phy2Temperature: Current PHY 2 component temperature in Celsius. This field does not apply to VSP 7254XSQ.
Chapter 9: Domain Name Service
The following sections provide information on the Domain Name Service (DNS) implementation for the switch.
DNS fundamentals
This section provides conceptual material on the Domain Name Service (DNS) implementation for the switch. Review this content before you make changes to the configurable DNS options.
DNS client
Every equipment interface connected to a Transmission Control Protocol over IP (TCP/IP) network is identified with a unique IPv4 or IPv6 address.
IPv6 Support
The Domain Name Service (DNS) used by the switch supports both IPv4 and IPv6 addresses with no difference in functionality or configuration.
DNS configuration using ACLI
This section describes how to configure the Domain Name Service (DNS) client using Avaya command line interface (ACLI). DNS supports IPv4 and IPv6 addresses.
Variable definitions
Use the data in the following table to use the ip domain-name command.
Table 31: Variable definitions
Variable Value
WORD<0–255>: Configures the default domain name. WORD<0–255> is a string of 0–255 characters.
Use the data in the following table to use the ip name-server command.
Table 32: Variable definitions
Variable Value
primary|secondary|tertiary WORD<0–46>: Configures the primary, secondary, or tertiary DNS server address. Enter the IP address in a.b.c.
DNS configuration using EDM
Switch:1(config)# show hosts 10.10.10.1
Variable definitions
Use the data in the following table to use the show hosts command.
Table 33: Variable definitions
Variable Value
WORD<0–256>: Specifies one of the following:
• the name of the host DNS server as a string of 0–256 characters.
• the IP address of the host DNS server in a.b.c.d format.
• the IPv6 address of the host DNS server in hexadecimal format (string length 0–46).
6. In the DnsServerListAddressType box, select the IP version.
7. In the DnsServerListAddress box, enter the DNS server IP address.
8. Click Insert.
DNS Servers field descriptions
Use the data in the following table to use the DNS Servers tab.
Name Description
DnsServerListType: Configures the DNS server as primary, secondary, or tertiary.
DnsServerListAddressType: Configures the DNS server address type as IPv4 or IPv6.
DnsServerListAddress: Specifies the DNS server address.
Name Description
HostAddressType: Identifies the address type of the host.
HostAddress: Identifies the host IP address. This variable is a read-only field.
HostSource: Identifies the DNS server IP or host file. This variable is a read-only field.
January 2017 Administering Avaya VSP 7200 Series and 8000 Series Comments on this document? infodev@avaya.
Chapter 10: Licensing
The following sections provide information on the Licensing features, activation, and installation on the switch.
Licensing fundamentals
This section provides conceptual information about feature licensing for the switch. Review this section before you make changes to the license configuration.
Feature licensing
This product uses the Product Licensing and Delivery System (PLDS) as the license order, delivery, and management tool.
• PLDS Premier License plus MACsec – This license is required to enable and use the following features:
- Avaya Fabric Connect Layer 3 Virtual Services Networks (VSNs)
- Avaya Fabric Extend including the use of logical IS-IS interfaces
- IEEE 802.1AE MACsec
• PLDS Premier License to PLDS Premier License plus MACsec Uplift – This license is for customers that want to upgrade their Premier License to a Premier License plus MACsec.
Base License
The Base License is included with the switch hardware and activates the features not included in the Premier License. The Base License includes the following Layer 2 features:
• VLANs
• RSTP
• MSTP
• MLT
• IGMP
• 802.1AX Link Aggregation (LACP)
• 802.
License installation using ACLI
• IP Multicast Routing parity with IGMP v1, v2, and v3
• IP VRF
• IPv6
• IPv6 Alternative Routes
• IPv4 and IPv6 Multicast Route Statistics
• Per-queue rate limiting
• SMLT
• Switched UNI
License type and part numbers
The following table provides the part number for the various licenses supported on the switch.
• You must enable the File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP) server, depending on which protocol you use to download the license file to the device.
• Ensure that you have the correct license file with the base MAC address of the switch on which you need to install the license. Otherwise, the system does not unblock the licensed features.
About this task
Install a license file on the switch to enable licensed features.
200 Type set to I, binary mode
ftp> put premier_macsec.xml /intflash/premier_macsec.xml
local: premier_macsec.xml remote: /intflash/premier_macsec.xml
227 Entering Passive Mode (192,0,2,16,4,2)
150 Opening BINARY mode data connection
226 Transfer complete
101 bytes sent in 2.7e-05 secs (3740.74 Kbytes/sec)
ftp>
Log in to the device and load the license. The following example shows a successful operation.
Switch:1(config)#load-license
Switch:1(config)#CP1 [06/12/15 15:59:57.
show license
Example
For no license:
Switch:1>show license
No license file is loaded. Basic feature set is available without license.
************************************************************************
Features requiring a Premier license:
- Layer 3 VSNs
- MACsec
For a Premier with MACsec license:
Switch:1>show license l
License file name : /intflash/premier_macsec.
License installation using EDM
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit.
2. Click File System.
3. Click the Copy File tab.
4. In the Source box, type the IP address of the file server where the license file is located and the name of the license file.
5. In the Destination box, type the flash device and the name of the license file. The license file name must have a file extension of .xml.
6. Select start.
7. Click Apply.
Name Description
Source: Identifies the source file to copy. You must specify the full path and filename.
Destination: Identifies the device and the file name (optional) to which to copy the source file. You must specify the full path. Trace files are not a valid destination.
Action: Starts or stops the copy process.
Chapter 11: Network Time Protocol
The following sections provide information on the Network Time Protocol (NTP).
NTP fundamentals
This section provides conceptual material on the Network Time Protocol (NTP). Review this content before you make changes to the NTP configuration.
Overview
The Network Time Protocol (NTP) synchronizes the internal clocks of various network devices across large, diverse networks to universal standard time.
NTP system implementation model
NTP is based on a hierarchical model that consists of a local NTP client that runs on the switch and on remote time servers. The NTP client requests and receives time information from one or more remote time servers. The local NTP client reviews the time information from all available time servers and synchronizes its internal clock to the time server whose time is most accurate.
Time distribution within a subnet
NTP distributes time through a hierarchy of primary and secondary servers, with each server adopting a stratum; see Figure 2: NTP time servers forming a synchronization subnet on page 134. A stratum defines how many NTP hops away a particular secondary time server is from an authoritative time source (primary time server) in the synchronization subnet.
After the NTP client queries the remote time servers, the servers respond with various timestamps, along with information about their clocks, such as stratum, precision, and time reference; see Figure 3: NTP time servers operating in unicast client mode on page 136. The NTP client reviews the list of responses from all available servers and chooses one as the best available time source from which to synchronize its internal clock.
NTP configuration using ACLI
This section describes how to configure the Network Time Protocol (NTP) using Avaya Command Line Interface (ACLI).
Before you configure NTP, you must perform the following tasks:
• Configure an IP interface on the switch and ensure that the NTP server is reachable through this interface. For instructions, see Configuring IP Routing on Avaya Virtual Services Platform 7200 Series and 8000 Series, NN47227-505.
Figure 4: NTP configuration procedures
Enabling NTP globally
Enable NTP globally. Default values are in effect for most parameters. You can customize NTP by modifying parameters.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. (Optional) Set the time interval between NTP updates or leave it at the default of 15 minutes:
ntp interval <10-1440>
Important: If NTP is already activated, this configuration does not take effect until you disable NTP, and then re-enable it.
3.
Variable Value
NTP server MD5 or SHA1 authentication does not support passwords (keys) that start with a special character or contain a space between characters. WORD<0–20> specifies the secret key.
interval <10-1440>: Specifies the time interval, in minutes, between successive NTP updates.
• The interval is expressed as an integer in a range from 10–1440. The default value is 15.
Variable definitions
Use the data in the following table to use the ntp server command.
Variable Value
A.B.C.D: Specifies the IP address of the NTP server.
auth-enable: Activates MD5 or SHA1 authentication on this Network Time Protocol (NTP) server. Without this option, the NTP server will not have any authentication by default.
authentication-key <0-2147483647>: Specifies the key ID value used to generate the MD5 or SHA1 digest for the NTP server.
Enable MD5 authentication for the NTP server:
Switch:1#(config)# ntp server 192.0.2.187 auth-enable
Assign an authentication key to the server:
Switch:1#(config)# ntp server 192.0.2.187 authentication-key 5
Variable definitions
Use the data in the following table to use the ntp and ntp server commands.
Table 35: Variable definitions
Variable Value
A.B.C.D: Specifies the IP address of the server.
auth-enable: Activates MD5 or SHA1 authentication on this NTP server.
NTP configuration using EDM
Figure 5: NTP configuration procedures
Enabling NTP globally
About this task
Enable NTP globally. Default values are in effect for most parameters. You can customize NTP by modifying parameters.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit.
2. Click NTP.
3. Click the Globals tab.
4. Select the Enable check box.
5. Click Apply.
Globals field descriptions
Use the data in the following table to use the Globals tab.
Name Description
Enable: Activates (true) or disables (false) NTP.
6. Click Insert.
The IP address of the NTP server that you configured appears on the Server tab.
Server field descriptions
Use the data in the following table to use the Server tab.
Name Description
ServerAddress: Specifies the IP address of the remote NTP server.
Enable: Activates or disables the remote NTP server. The default is enabled.
Authentication: Activates or disables MD5 or SHA1 authentication on this NTP server. MD5 or SHA1 produces a message digest of the key.
Key field descriptions
Use the data in the following table to use the Key tab.
Name Description
KeyId: This field is the key ID that generates the MD5 or SHA1 digest. You must specify a value between 1–214743647. The default value is 1, which indicates that authentication is disabled.
KeySecret: This field is the MD5 or SHA1 key that generates the MD5 or SHA1 digest. You must specify an alphanumeric string of 0–20 characters.
Chapter 12: Secure Shell
The following sections describe how to use Secure Shell (SSH) to enable secure communications support over a network for authentication, encryption, and network integrity.
Secure Shell fundamentals
Methods of remote access such as Telnet or FTP generate unencrypted traffic. Anyone who can see the network traffic can see all data, including passwords and user names.
Figure 6: Overview of the SSHv2 protocol
By using a combination of host, server, and session keys, the SSHv2 protocol can provide strong authentication and secure communication over an insecure network, offering protection from the following security risks:
• IP spoofing
• IP source routing
• Domain name server (DNS) spoofing
• Man-in-the-middle/TCP hijacking attacks
• Eavesdropping and password sniffing
Even if network security is compromised, traffic cannot be played back or decrypted, and
SSH public key encryption clients have to connect to the VSP server with the same access level, such as rwa, then the clients must connect to the server one by one, because the VSP supports only one public key per access level.
• Encryption. The SSHv2 server uses encryption algorithms to scramble data and render it unintelligible except to the receiver.
• VSP 7200
• VSP 9000
Outbound connections
The SSHv2 client supports SSHv2 DSA public key authentication and password authentication.
Note: You must enable SSH globally before you can generate SSH DSA user keys.
The SSHv2 client is a secure replacement for outbound Telnet. Password authentication is the easiest way to use the SSHv2 client feature. Instead of password authentication, you can use DSA public key authentication between the VSP SSHv2 client and an SSHv2 server.
Figure 7: Separate SSH version 2 protocols

The modular approach of SSHv2 improves on the security, performance, and portability of the SSHv1 protocol.

Important: The SSHv1 and SSHv2 protocols are not compatible. The VSP switch does not support SSHv1.

January 2017 Administering Avaya VSP 7200 Series and 8000 Series Comments on this document? infodev@avaya.
User ID log of an SSH session established by SCP client

Avaya Virtual Services Platform 8200 logs the user ID of an SSH session initiated by the SCP client. If an SCP client establishes an SSH session, the message appears in the following format:

CP1 [08/06/15 09:43:42.230:UTC] 0x000d8602 00000000 GlobalRouter authentication succeeded for user rwa on host 10.68.231.194
CP1 [08/06/15 09:43:42.232:UTC] 0x000d8602 00000000 GlobalRouter start by user rwa on host 10.68.231.
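Because the switch records the user and the source host of every SCP-initiated SSH session in this fixed format, the lines can be parsed centrally and compared against the hosts from which management access is expected. The following added example (not Avaya code) splits the line into its fields, classifies the two message types shown above, and lists successful logins from hosts outside an allowlist. The first sample line is the one shown above; the second and third are constructed (the third uses a documentation-range address), and the "other" classification is an assumption for message texts this excerpt does not show.

```python
"""Added example (not Avaya code): parse switch CP log lines for SSH/SCP
sessions and report logins from hosts that are not on an allowlist."""
import re

# CPn [timestamp] event-code context vrf message
LINE_RE = re.compile(
    r"^(?P<cp>CP\d+) \[(?P<ts>[^\]]+)\] (?P<code>0x[0-9a-fA-F]+) "
    r"(?P<ctx>[0-9a-fA-F]+) (?P<vrf>\S+) (?P<msg>.+)$"
)
EVENT_RES = {
    "auth_success": re.compile(
        r"^authentication succeeded for user (?P<user>\S+) on host (?P<host>\S+)$"),
    "session_start": re.compile(
        r"^start by user (?P<user>\S+) on host (?P<host>\S+)$"),
}

# Constructed sample: line 1 is the format shown in the text, lines 2 and 3 are made up.
SAMPLE_LOG = """\
CP1 [08/06/15 09:43:42.230:UTC] 0x000d8602 00000000 GlobalRouter authentication succeeded for user rwa on host 10.68.231.194
CP1 [08/06/15 09:43:42.232:UTC] 0x000d8602 00000000 GlobalRouter start by user rwa on host 10.68.231.194
CP1 [08/06/15 11:02:10.004:UTC] 0x000d8602 00000000 GlobalRouter authentication succeeded for user rw on host 192.0.2.10
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a CP log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for kind, rx in EVENT_RES.items():
        em = rx.match(rec["msg"])
        if em:
            rec.update(kind=kind, **em.groupdict())
            return rec
    rec["kind"] = "other"   # assumption: message texts this excerpt does not show
    return rec


def parse_log(text):
    """Parse a whole log, skipping lines that do not match the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def unexpected_logins(records, allowed_hosts):
    """(user, host) pairs that authenticated from a host outside the allowlist."""
    return sorted({(r["user"], r["host"]) for r in records
                   if r["kind"] == "auth_success" and r["host"] not in allowed_hosts})


if __name__ == "__main__":
    for user, host in unexpected_logins(parse_log(SAMPLE_LOG), {"10.68.231.194"}):
        print(f"unexpected SSH login: user={user} host={host}")
```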
Table 36: DSA user key files

SSH server: VOSS switch with enhanced secure mode disabled
  SSH client side: Private and public keys by access level:
    • rwa—/intflash/.ssh/id_dsa_rwa (private key), /intflash/.ssh/id_dsa_rwa.pub (public key)
    • rw—/intflash/.ssh/id_dsa_rw (private key), /intflash/.ssh/id_dsa_rw.pub (public key)
    • ro—/intflash/.
  SSH server side: Public keys on the server side based on access level:
    • rwa—/intflash/.ssh/dsa_key_rwa (public key)
  SSH client side:
    • privilege—/intflash/.ssh/id_dsa_priv (private key), /intflash/.ssh/id_dsa_priv.pub (public key)

SSH server: Linux with Open SSH
  SSH client side: ~/.ssh/id_dsa (private key) file permission 400; ~/.ssh/id_dsa.pub (public key) file permission 644
  SSH server side: ~/.ssh/authorized_keys (public key) file

SSH server: ERS 8600/8800 — /flash/.
Table 37: Third-party SSH and SCP client software

SSH Client: Tera Term Pro with TTSSH extension (MS Windows)
  Secure Shell (SSH):
    • Supports SSHv2.
    • Authentication:
      - RSA is supported when the switch acts as a server. The VSP switch does not support RSA as a client.
      - DSA
      - Password
    • Provides a keygen tool.
    • It creates both RSA and DSA keys.
  Secure Copy (SCP):
    • Client distribution does not include SCP client.
    • Client distribution does not support WinSCP client.
VSP switch as client

The VSP switch acting as the SSHv2 client generates a DSA public and private server key pair. The public part of the key for DSA is stored in the following location:

/intflash/.ssh/dsa_key_rwa

The public part of the key must be copied to the SSH server and be named according to the naming requirement of the server. If the server is a VSP device, see Table 38: DSA authentication access level and file name on page 156 for the proper naming convention.
The VSP modular switch generates an RSA public and private server key pair. The public part of the key for RSA is stored in /intflash/.ssh/ssh_key_rsa_pub.key. If an RSA key pair does not exist, then the VSP modular switch automatically generates one when you enable the SSH server. To authenticate a client using RSA, the administrator must copy the public part of the client RSA key to the VSP switch.
Mozilla Firefox to view the certificate. If you cannot connect to the switch using HTTPS and the web portal displays a message of invalid certificate, that is an indication that the certificate on the switch is expired. You can replace the host.cert and host.key files with new files generated off the switch, or you can use the procedure Managing an SSL certificate on page 169 to generate a new certificate on the switch with a specific validity period.
Before you begin
• Disable the sshd daemon. All SSHv2 commands, except enable, require that you disable the sshd daemon.
• Set the user access level to read/write/all community strings.
• Disable all nonsecure access services. Avaya recommends that you disable the following services: Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), Telnet, and rlogin.
Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2. Enable the SSH server:
   boot config flags sshd
3. Save the configuration file:
   save config

Example
Enable the SSHv2 server:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags sshd
Switch:1(config)#save config

Changing the SSH server authentication mode

Use this procedure to change the SSH server authentication mode from the default of password authentication to keyboard-interactive.
Setting SSH configuration parameters

Configure Secure Shell version 2 (SSHv2) parameters to support public and private key encryption connections. The VSP switch does not support SSHv1.

Note: Different releases can support different DSA host key, RSA host key, and DSA user key sizes. If you need to upgrade or downgrade to an earlier release that does not support the same key size, you must delete all of the keys from the .
9. Enable password authentication:
   ssh pass-auth
10. Configure the SSH connection port:
   ssh port <22,1024..49151>
11. Enable RSA authentication:
   ssh rsa-auth
12. Generate a new RSA host key:
   ssh rsa-host-key [<1024–2048>]
13. Enable SSH secure mode:
   ssh secure
14. Configure the authentication timeout:
   ssh timeout <1-120>
15. Configure the SSH version:
   ssh version
16.
Variable  Value
    To disable all authentication types use the command no ssh authentication-type.
dsa-auth
    Enables or disables the DSA authentication. The default is enabled. Use the no operator before this parameter, no ssh dsa-auth, to disable DSA authentication.
dsa-host-key [<1024–1024>]
    Generates a new SSH DSA host key. The DSA host key size is 1024. Use the no operator before this parameter, no ssh dsa-host-key, to disable SSH DSA host key.
Variable  Value
    accessible. A user role at the privilege level must log in to the switch through the console port only. Use the no operator before this parameter, no ssh dsa-user-key WORD<1–15>, to disable SSH DSA user key.
encryption-type {[3des-cbc] [aead-aes-128-gcm-ssh] [aead-aes-256-gcm-ssh] [aes128-cbc] [aes128-ctr] [aes192-cbc] [aes192-ctr] [aes256-cbc] [aes256-ctr] [blowfish-cbc] [rijndael128-cbc] [rijndael192-cbc]}
    Configures the encryption-type.
Variable  Value
    Important: You cannot configure the TCP port 6000 as SSH connection port.
rsa-auth
    Enables RSA authentication. The default is enabled. Use the no operator before this parameter, no ssh rsa-auth, to disable RSA authentication.
rsa-host-key [<1024–2048>]
    Generates a new SSH RSA host key. Specify an optional key size of 1024 or 2048. The RSA host key can only be in a multiple of 1024. The default is 2048.
Variable  Value
    • priv—Specifies a user role with access to all of the commands that the administrator has access to, and is referred to as an emergency-admin. However, the user with the privilege role must be authenticated within the VSP switch locally. RADIUS and TACACS+ authentication is not accessible. A user role at the privilege level must log in to the switch through the console port only.
encryption-type     : 3des-cbc aead-aes-128-gcm-ssh aead-aes-256-gcm-ssh aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr blowfish-cbc rijndael128-cbc rijndael192-cbc
key-exchange-method : diffie-hellman-group1-sha1 diffie-hellman-group14-sha1

Variable definitions

Use the data in the following table to use the show ssh command.

Table 41: Variable definitions

Variable  Value
global
    Display global system SSH information.
Table 42: Variable definitions

Variable  Value
WORD<1–32>
    Specifies the user login name of the remote SSH server.
-p <1-32768>
    Specifies the port number to connect to the remote SSH server. The default is 22.

Generating user key files

Configure the SSH parameters to generate DSA user key files.

Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2. Enable SSH server.
3. Create the DSA user key file:
   ssh dsa-user-key [WORD<1–15>][size <1024–1024>]
4.
Variable  Value
WORD<1–15>
    Specifies the user access level. The valid user access levels for the switch are:
    • rwa—Specifies read-write-all.
    • rw—Specifies read-write.
    • ro—Specifies read-only.
    • rwl3—Specifies read-write for Layer 3.
    • rwl2—Specifies read-write for Layer 2.
    • rwl1—Specifies read-write for Layer 1.
size <1024–1024>
    Specifies the size of the DSA user key. The default is 1024 bits.
   configure terminal
2. Create and install a new self-signed certificate:
   ssl certificate [validity-period-in-days <30-3650>]
3. Delete a certificate:
   no ssl certificate

Note: The certificate loaded in memory remains valid until you use the ssl reset command or reboot the system.

Variable definitions

Use the data in the following table to use the ssl certificate command.

Variable  Value
validity-period-in-days <30-3650>
    Specifies an expiration time for the certificate.
Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2. Enter the following command:
   ssh rekey enable

Example
Switch:1>enable
Switch:1#configure terminal
Enable SSH rekeying globally:
Switch:1(config)#ssh rekey enable

Variable Definitions

Use the data in the following table to use the ssh rekey command.

Variable  Value
enable
    Enables SSH rekey globally.
Variable  Value
<1–6>
    Sets the SSH rekey data limit in GB, range is 1–6.

Configuring SSH rekey time-interval

Use the following procedure to configure a time interval, after which the key exchange takes place.

Procedure
1. Enter Global Configuration mode:
   enable
   configure terminal
2.
Rekey data limit    : 1 GB
Rekey time interval : 1 hours

Field descriptions

The following table describes the output for the show ssh rekey command.

Name  Description
Rekey status
    Displays the status (TRUE or FALSE) of SSH rekeying.
Rekey data limit
    Displays the configured SSH rekey data transmission limit in GB.
Rekey time interval
    Displays the configured SSH rekey time interval in hours.
   moc_sshc_rsa_file_fed
   known_hosts
   ssh_ecdsa.key
   dsa_key_, example: dsa_key_rwa
   rsa_key_, example: rsa_key_rwa
4. Generate a new DSA host key:
   ssh dsa-host-key [<1024–1024>]
5. Generate a new SSH DSA user key:
   ssh dsa-user-key WORD<1–15> [size <1024–1024>]
6.
3. In the product search field, type the product name.
4. In the Choose Release field, click a release number.
5. Click the download title to view the selected information.
6. Click the file you want to download.
7. Log in to download the required software file.
8. Use an FTP client in binary mode to transfer the file to the switch.

Changing Secure Shell parameters

You can use Enterprise Device Manager to change the SSHv2 configuration parameters.
15. Select the KeyboardInteractiveAuth if you want keyboard interactive authentication enabled.
16. In the AuthType section, select the authentication types you want.
17. In the EncryptionType section, select the encryption types you want.
18. In the KeyExchangeMethod section, select the key exchange methods you want.
19. Click Apply.

SSH field descriptions

Use the data in the following table to use the SSH tab.

Name  Description
Enable
    Enables, disables, or securely enables SSHv2.
Name  Description
    • deleteRsa
RsaKeySize
    Configures SSHv2 RSA key size. The value can be 1024 or 2048. The RSA key size can only be a multiple of 1024. The default is 2048.
DsaKeySize
    Configures the SSHv2 DSA key size. The default value is 1024.
    Note: The only key size supported for DSA is 1024.
RsaAuth
    Enables or disables SSHv2 RSA authentication. The default is enabled.
DsaAuth
    Enables or disables SSHv2 DSA authentication.
Chapter 13: System access

The following sections describe how to access the switch, create users, and user passwords.

System access fundamentals

This section contains conceptual information about how to access the switch and create users and user passwords for access.

Logging on to the system

After the startup sequence is complete, the login prompt appears.
Access level: Layer 1 read-write
  Description: View most switch configuration and status information and change physical port settings.
  Default logon: l1
  Default password: l1
Access level: Layer 2 read-write
  Description: View and change configuration and status information for Layer 2 (bridging and switching) functions.
  Default logon: l2
  Default password: l2
Access level: Layer 3 read-write
  Description: View and change configuration and status information for Layer 2 and Layer 3 (routing) functions.
Important: When you enable RADIUS on the switch and configure a RADIUS server to be used by CLI or EDM, the server authenticates the connection, whether it is FTP, HTTPS, SSH, or TELNET. However, in the event that the RADIUS server is unresponsive or is unreachable, the switch will fall back to the local authentication, so that you can access the switch using your local login credentials.
Managing the system using different VRF contexts

You can use the Enterprise Device Manager (EDM) to manage the system using different Virtual Router Forwarding (VRF) contexts.
• Using the GlobalRouter (VRF 0), you can manage the entire system. GlobalRouter is the default view at log in.
• Using a VRF context other than the GlobalRouter (VRF 0), you have limited functionality to manage the system.
Access policies for services

You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), Secure Shell version 2 (SSHv2), and remote login (rlogin). You can enable or disable access services by configuring flags.
Enhanced secure mode authentication access levels

After you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, the switch supports role-based authentication levels.
  Description: configure ACLI and web-based management user names, passwords, and the SNMP community strings. The administrator access level can also view audit logs.
Access level: Privilege
  Description: The privilege access level has the same access permission as the administrator; however, the privilege access level cannot use RADIUS or TACACS+ authentication. The system must authenticate the privilege access level within the switch at a console level.
  Login location: console
The default for the password complexity rule includes the following:
• Two uppercase characters, from the range: ABCDEFGHIJKLMNOPQRSTUVWXYZ
• Two lowercase characters, from the range: abcdefghijklmnopqrstuvwxyz
• Two numeric characters, from the range: 1234567890
• Two special characters, from the range: `~!@#$%^&*()_-+={[}]|\:;”’<,>.?/

Password length rule

The system enforces a minimum password length of 15 characters after you enable enhanced secure mode.
Password maximum age rule

The system enforces automatic password renewal and password lockout after the expiration period because long-term usage of the same password can cause the system to be vulnerable to hacking. You can configure the password expiration period to a range of 1 to 365 days. The default password expiration period is 90 days.
System access configuration using ACLI

The section provides procedures to manage system access through configurations such as usernames, passwords, and access policies.

Enabling ACLI access levels

Enable ACLI access levels to control the configuration actions of various users.

About this task
Important: Only the RWA user can disable an access level on the switch. You cannot disable the RWA access level on the switch.
Variable  Value
    • ro — Specifies read-only.
    • rw — Specifies read-write.
    • rwa — Specifies read-write-all.
    To set this option to the default value, use the default operator with the command. By default, the system permits all access levels. To block an access level, use the no operator with the command.

Changing passwords

Configure new passwords for each access level, or change the logon or password for the different access levels of the switch.
Example
Switch:1> enable
Switch:1# configure terminal
Change a password:
Switch:1(config)# cli password smith read-write-all
Enter the old password:
Switch:1(config)# Enter the old password : winter
Enter the new password:
Switch:1(config)# Enter the New password : summer
Enter the new password a second time:
Switch:1(config)# Re-enter the New password : summer
Set password to an access level of read-write-all and the expiration period for the password to 60 days:
Swi
Variable  Value
aging-time <1-365>
    Configures the expiration period for passwords in days, from 1–365. The default is 90 days.
default-lockout-time <60-65000>
    Changes the default lockout time after three invalid attempts. Configures the lockout time, in seconds, and is in the 60–65000 range. The default is 60 seconds. To configure this option to the default value, use the default operator with the command.
lockout WORD<0–46> time <60-65000>
    Configures the host lockout time.
   access-policy <1-65535> access-strict
4. Configure access for an access policy:
   access-policy <1-65535> accesslevel
5. Configure the access policy mode, network, and precedence:
   access-policy <1-65535> [mode ] [precedence <1-128>] [network ]
   If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection.
Variable definitions

Use the data in the following table to use the access-policy command.

Variable  Value
access-strict
    Restrains access to criteria specified in the access policy.
    • true—The system accepts only the currently configured access level.
    • false—The system accepts access up to the configured level.
    Use the no operator to remove this configuration.
accesslevel
    Specifies the level of access if you configure the policy to allow access.
Variable  Value
    The switch supports access-policies over IPv4 and IPv6 with no difference to functionality or configuration. Use the no operator to remove this configuration.
precedence <1-128>
    Specifies a precedence value for a policy, expressed as a number from 1–128. The precedence value determines which policy the system uses if multiple policies apply. Lower numbers take higher precedence. The default value is 10.
Example
Switch:1> enable
Switch:1# configure terminal
Assign a name to an access policy:
Switch:1(config)# access-policy 10 name useraccounts

Variable definitions

Use the data in the following table to use the access-policy command.

Table 47: Variable definitions

Variable  Value
name WORD<0–15>
    Specifies a name expressed as a string from 0–15 characters.

Allowing a network access to the switch

About this task
Specify the network to which you want to allow access.

Procedure
1.
Table 48: Variable definitions

Variable  Value
mode
    Specifies whether a designated network address is allowed or denied access through the specified access service. The default is allow.
network
    The IPv4 address and subnet mask, or the IPv6 address and prefix-length permitted, or denied, access through the specified access service.
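The access-policy variables above interact: precedence picks the policy when several match, a deny-mode policy decides on the mode and service alone, and an allow-mode policy goes on to compare the requested access level against accesslevel, exactly (access-strict true) or as an upper bound (access-strict false). The following added example (not Avaya code) models that decision for an inbound management connection so the effect of a policy set can be checked before it is applied to a switch. It assumes, beyond what the text states, that only the ro, rw and rwa levels are ordered, that a connection matching no policy is denied, and that equal precedence is broken by the lower policy ID; the policies and addresses are constructed.

```python
"""Added example (not Avaya code): evaluate access policies for one connection
using the mode / service / network / precedence / accesslevel / access-strict
semantics described in this chapter."""
import ipaddress
from dataclasses import dataclass

# Assumption: only these three levels, ordered ro < rw < rwa.
LEVEL_RANK = {"ro": 0, "rw": 1, "rwa": 2}


@dataclass
class AccessPolicy:
    policy_id: int
    service: str           # e.g. "ssh", "telnet", "snmp", "http", "rlogin"
    network: str           # IPv4 address/mask or IPv6 address/prefix-length
    mode: str = "allow"    # "allow" or "deny"
    precedence: int = 10   # 1-128, lower number = higher precedence
    access_level: str = "rwa"
    access_strict: bool = False
    enabled: bool = True

    def matches(self, service, src_ip):
        """Service and source address match; IPv4 and IPv6 are handled alike."""
        if not self.enabled or self.service != service:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.network, strict=False)


def evaluate(policies, service, src_ip, requested_level):
    """Return (decision, policy_id); decision is "allow" or "deny"."""
    candidates = [p for p in policies if p.matches(service, src_ip)]
    if not candidates:
        return "deny", None                    # assumption: no matching policy -> denied
    policy = min(candidates, key=lambda p: (p.precedence, p.policy_id))
    if policy.mode == "deny":
        return "deny", policy.policy_id        # access level is not consulted
    want, have = LEVEL_RANK[requested_level], LEVEL_RANK[policy.access_level]
    ok = (want == have) if policy.access_strict else (want <= have)
    return ("allow" if ok else "deny"), policy.policy_id


# Constructed sample policy set.
SAMPLE_POLICIES = [
    AccessPolicy(10, "ssh", "10.68.231.0/24", access_level="rwa"),
    AccessPolicy(20, "ssh", "10.68.231.50/32", mode="deny", precedence=5),
    AccessPolicy(30, "telnet", "2001:db8::/32", access_level="ro", access_strict=True),
]


if __name__ == "__main__":
    for args in [("ssh", "10.68.231.194", "rw"), ("ssh", "10.68.231.50", "ro"),
                 ("ssh", "192.0.2.1", "ro"), ("telnet", "2001:db8::1", "rw")]:
        print(args, "->", evaluate(SAMPLE_POLICIES, *args))
```

The deny policy for the single host wins over the wider allow policy only because its precedence number is lower; with both at the default of 10 the tie-break would decide, which is why explicit precedence values are worth setting whenever policies overlap.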
Table 49: Variable definitions

Variable  Value
<0x00:0x00:0x00:0x00:0x00:0x00>
    Adds a MAC address to the policy. Enter the MAC address in hexadecimal format.
    Specifies the action to take for the MAC address.

System access security enhancements

The section provides information on security enhancements after you enable enhanced secure mode.

Displaying the boot config flags status

Use the following procedure to display the boot config flags status.
flags trace-logging false
flags urpf-mode false
flags verify-config true

In this example, the enhanced secure mode displays as false, which means the enhanced secure mode is disabled:

Switch:1>enable
Switch:1#show boot config flags
flags block-snmp false
flags debug-config false
flags debugmode false
flags enhancedsecure-mode false
flags factorydefaults false
flags ftpd true
flags hsecure false
flags ipv6-mode false
flags logging true
flags nni-mstp false
flags reboo
   configure terminal
2. Enable enhanced secure mode:
   boot config flags enhancedsecure-mode [jitc | non-jitc]
   Note: It is recommended that you enable the enhanced secure mode in the non-JITC sub-mode, because the JITC sub-mode is more restrictive and prevents the use of some ACLI commands that are commonly used for troubleshooting.
3. (Optional) Disable enhanced secure mode:
   no boot config flags enhancedsecure-mode
4.
Variable definitions

Use the data in the following table to use the boot config flags enhancedsecure-mode command.

Variable  Value
jitc
    Enables the JITC enhanced secure mode. The JITC mode is more restrictive and prevents the use of some ACLI commands that are commonly used for troubleshooting.
non-jitc
    Enables the non-JITC enhanced secure mode.
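The show boot config flags output is a flat list of flag/value pairs, which makes it easy to audit against the hardening advice in the Secure Shell chapter (SSH on; TFTP, FTP, Telnet and rlogin off) and to report whether enhanced secure mode is on. The following added example (not Avaya code) parses such output and lists every flag that deviates from the desired state. The sample output is constructed from the excerpt above; the flag names tftpd, telnetd and rlogind for the other services are an assumption, and treating enhanced secure mode as expected-on is a site policy choice rather than something the text mandates.

```python
"""Added example (not Avaya code): audit "show boot config flags" output
against a desired state for the management services."""
import re

FLAG_RE = re.compile(r"^\s*flags\s+(\S+)\s+(true|false)\s*$")

# Desired state. sshd/ftpd come from the excerpt; tftpd, telnetd and rlogind are
# assumed flag names; enhancedsecure-mode is listed as a policy choice.
EXPECTED = {
    "sshd": True,
    "ftpd": False,
    "tftpd": False,
    "telnetd": False,
    "rlogind": False,
    "enhancedsecure-mode": True,
}

# Constructed sample output (the excerpt's lines plus assumed service flags).
SAMPLE_OUTPUT = """\
Switch:1#show boot config flags
flags block-snmp false
flags debug-config false
flags debugmode false
flags enhancedsecure-mode false
flags factorydefaults false
flags ftpd true
flags hsecure false
flags ipv6-mode false
flags logging true
flags nni-mstp false
flags rlogind false
flags sshd true
flags telnetd true
flags tftpd false
flags trace-logging false
flags urpf-mode false
flags verify-config true
"""


def parse_boot_flags(text):
    """Map flag name -> bool for every "flags NAME true|false" line."""
    flags = {}
    for line in text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) == "true")
    return flags


def audit_boot_flags(flags, expected=EXPECTED):
    """Return {flag: (actual, expected)} for flags that deviate; absent flags show actual None."""
    return {name: (flags.get(name), want)
            for name, want in expected.items() if flags.get(name) != want}


if __name__ == "__main__":
    for name, (actual, want) in sorted(audit_boot_flags(parse_boot_flags(SAMPLE_OUTPUT)).items()):
        print(f"{name}: is {actual}, expected {want}")
```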
Variable definitions

Use the data in the following table to use the password create-user command.

Variable  Value
{auditor|operator|privilege|security}
    Specifies the access level for the user.
WORD<1–255>
    Specifies the user name.

Deleting accounts in enhanced secure mode

Use the following procedure to delete accounts in enhanced secure mode.

Before you begin
• You must enable enhanced secure mode in either the JITC or non-JITC sub-modes.
Configuring a password for a specific user

Configure a new password for a user if the password has expired or is locked. Only the administrator can configure a password for a user.

Before you begin
• You must enable enhanced secure mode in either the JITC or non-JITC sub-modes. It is recommended that you use the non-JITC sub-mode because the JITC sub-mode is more restrictive and prevents the use of some troubleshooting utilities.

Procedure
1.
You can only access this command after you enable enhanced secure mode. Only the individual with the administrator access role can use this command. After the administrator uses this command, the administrator must reboot the switch.

Note: The command sys sys-default does not save the config file. When you execute the command sys sys-default, you must reboot the system to have the command take effect. After the system reboots, you must log in and then save the config file.
Configuring the password complexity rule

About this task
Use the following procedure to configure the password complexity rule. The password complexity rule default is to use at least two uppercase, two lowercase, two numeric, and two special characters to meet the password criteria.

Before you begin
• You must enable enhanced secure mode in either the JITC or non-JITC sub-modes.
Variable  Value
    number of lowercase characters required. The third <1-2> variable defines the number of numeric characters required. The fourth <1-2> variable defines the number of special characters required. The default for each of these is 2.

Configuring the password length rule

About this task
Configure the password length rule after you enable enhanced secure mode. By default, the minimum password length is 15.
Variable  Value
<8–32>
    Configures the minimum character length required. The default is 15.

Configuring the change interval rule

About this task
Use the following procedure to configure the change interval rule. The system enforces a minimum password change interval, which defines the minimum amount of time before you can change to a new password. By default, the minimum change interval is 24 hours between changing from one password to a new password.
Variable  Value
<1–999>
    Configures the minimum interval between consecutive password changes. The default is 24 hours.

Configuring the reuse rule

Use the following procedure to configure the password reuse rule. The default password reuse rule is 3.

Before you begin
• You must enable enhanced secure mode in either the JITC or non-JITC sub-modes.
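The complexity, length and reuse rules above describe what the switch checks when a user sets a password in enhanced secure mode. The following added example (not Avaya code) implements the same checks with the documented defaults (two uppercase, two lowercase, two numeric and two special characters; minimum length 15; no reuse of the last 3 passwords) so that a candidate password can be tested before it is entered on the switch, and so that the four password-rule counts and the length can be varied like the corresponding ACLI parameters. It assumes the special-character set is the one printed in the complexity rule with the quotation marks taken as the ASCII characters " and ', and it keeps the password history as SHA-256 hashes rather than cleartext; the test passwords are constructed.

```python
"""Added example (not Avaya code): check a candidate password against the
enhanced secure mode complexity, length and reuse rules."""
import hashlib
import string
from dataclasses import dataclass

# Special characters from the complexity rule; the typographic quotes on the
# page are assumed to be ASCII " and '.
SPECIALS = set("`~!@#$%^&*()_-+={[}]|\\:;\"'<,>.?/")


@dataclass
class PasswordPolicy:
    min_upper: int = 2      # password-rule, first <1-2>
    min_lower: int = 2      # second <1-2>
    min_numeric: int = 2    # third <1-2>
    min_special: int = 2    # fourth <1-2>
    min_length: int = 15    # length rule <8-32>, default 15
    history: int = 3        # reuse rule, default 3


def pw_hash(password):
    """Hash used only for the reuse check in this demo (a real store would salt)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, policy=PasswordPolicy(), previous_hashes=()):
    """Return the violated rules in a fixed order; an empty list means compliant."""
    counts = {
        "uppercase": sum(c in string.ascii_uppercase for c in candidate),
        "lowercase": sum(c in string.ascii_lowercase for c in candidate),
        "numeric": sum(c in string.digits for c in candidate),
        "special": sum(c in SPECIALS for c in candidate),
    }
    required = {
        "uppercase": policy.min_upper,
        "lowercase": policy.min_lower,
        "numeric": policy.min_numeric,
        "special": policy.min_special,
    }
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("length")
    problems += [name for name in ("uppercase", "lowercase", "numeric", "special")
                 if counts[name] < required[name]]
    # Reuse rule: only the most recent `history` entries count.
    recent = list(previous_hashes)[-policy.history:] if policy.history else []
    if pw_hash(candidate) in recent:
        problems.append("reuse")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Aa1!Aa1!Aa1!Aa1"):          # constructed test values
        print(repr(pw), "->", check_password(pw) or "compliant")
```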
Configuring the maximum number of sessions

Use the following procedure to configure the maximum number of sessions on the switch. The max-sessions value configures the number of times a particular role-based user can log in to the switch through the SSH session at the same time. The default max-sessions value is 3. The max-sessions value applies only for SSH sessions, and only with enhanced secure mode enabled.
Configuring the maximum age rule

Use the following procedure to configure the maximum age rule. If enhanced secure mode is enabled, the individual with the administrator access level role can configure the aging-time for each user. If you configure the aging time for each user, the aging time must be more than the global change interval value. The default is 90 days. If you do not enable enhanced secure mode, the aging time is a global value for all users.
Variable  Value
user WORD<1–255>
    Specifies a particular user.

Configuring the pre- and post-notification rule

Use the following procedure to configure the pre-notification and post-notification rule. After enhanced secure mode is enabled, the switch enforces password expiry. To ensure a user does not lose access, the switch offers pre- and post-notification messages explaining when the password will expire.
6. Save the configuration:
   save config
   Note: The save config command saves the configuration file with the filename configured as the primary configuration filename in boot config. Use the command show boot config choice to view the current primary and backup configuration filenames.
System access configuration using EDM

The section provides procedures you can use to manage system access by using Enterprise Device Manager (EDM). Procedures include configurations for usernames, passwords, and access policies.
4. Specify the username and password for the appropriate access level.
5. Click Apply.

Configuring the logon banner

About this task
Configure the logon banner using EDM to display a warning message to users of the CLI before authentication.

Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control Path.
2. Click General.
3. Click the CLI tab.
4. Enter the banner text in the CustomBannerText field.
5. Check the CustomBannerEnable check box.
6.
Name  Description
MaxTelnetSessions
    Specifies the maximum number of concurrent Telnet sessions in a range from 0–8. The default is 8.
MaxRloginSessions
    Specifies the maximum number of concurrent Rlogin sessions in a range from 0–8. The default is 8.
Timeout
    Specifies the number of seconds of inactivity for a Telnet or Rlogin session before the system initiates automatic timeout and disconnect, expressed in a range from 30–65535. The default is 900 seconds.
4. Click Insert.
5. In the ID box, type the policy ID.
6. In the Name box, type the policy name.
7. Select the PolicyEnable check box.
8. Select the Mode option to allow or deny a service.
   If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information.
Name  Description
    If you configure the access policy mode to deny, the system checks the mode and service, and if they match the system denies the connection. With the access policy mode configured to deny, the system does not check AccessLevel and AccessStrict information. If you configure the access policy mode to allow, the system continues to check the AccessLevel and AccessStrict information.
Service
    Indicates the protocol to which this entry applies.
Name  Description
    trusted host user name is the same as your network logon user name; do not use the switch user name, for example, rwa.
    Important: You cannot use wildcard entries. The user must already be logged in with the user name to be assigned to the trusted host. For example, using "rlogin -l newusername xx.xx.xx.xx" does not work from a UNIX workstation.
3. Click Chassis.
4. Click the System Flags tab.
5. Select the EnableAccessPolicy check box.
6. Click Apply.
7. Click Close.

System access security enhancements using EDM

The section provides information to enable enhanced secure mode.

Enabling enhanced secure mode

Use the following procedure to enable enhanced secure mode in either the JITC or non-JITC sub-modes. The enhanced secure mode is disabled by default.
Chapter 14: ACLI show command reference

This reference information provides show commands to view the operational status of the switch.

Access, logon names, and passwords

Use the show cli password command to display the access, logon name, and password combinations. The syntax for this command is as follows.

show cli password

The following example shows output from the show cli password command.
min-passwd-len 8
password-history 3
password-rule 1 1 1 1
pre-expiry-notification-interval 1 7 30
post-expiry-notification-interval 1 7 30

access-level
ACCESS     LOGIN     AGING  MAX-SSH-SESSIONS  STATE
admin      rwa       90     3                 ena
privilege            90     3                 dis
operator   oper1     90     3                 ena
security   security  90     3                 ena
auditor    auditor   90     3                 ena

Default Lockout Time 60
Lockout-Time:

Basic switch configuration

Use the show basic config command to display the basic switch configuration.
If you make a change to the switch, it appears under the specific configuration heading. The following example shows a subset of the output of this command.

Switch:1#show running-config
Preparing to Display Configuration...
#
# Sun Jan 04 14:04:23 1970 UTC
# box type : VSP-8284XSQ
# software version : vsp8k_4.0_B017 (PRIVATE)
# cli mode : ACLI
#
--More-- (q = quit)

Note: The output from the show running-config command displays an "end statement" near the end of the config file.
Ftp-access sessions

Use the show ftp-access command to display the total sessions allowed. The syntax for this command is as follows.

show ftp-access

The following example shows output from the show ftp-access command.

Switch:1#show ftp-access
max ipv4 sessions : 4

Hardware information

Use the show sys-info command to display system status and technical information about the switch hardware components.
SysName     : Switch
SysUpTime   : 0 day(s), 15:49:09
SysContact  : http://support.avaya.com/
SysLocation : 211 Mt.
LED#1 Label  : PWR
LED#1 Status : GreenSteady
LED#2 Label  : Status
LED#2 Status : GreenSteady
LED#3 Label  : Rps
LED#3 Status : Off
LED#4 Label  : Fan
LED#4 Status : GreenSteady

System Error Info :
        Send Login Success Trap  : false
        Send Authentication Trap : false
        Error Code               : 0
        Error Severity           : 0

Port Lock Info :
        Status      : off
        LockedPorts :

Message Control Info :
        Action           : suppress-msg
        Control-Interval : 30
        Max-msg-num      : 5
        Status           : enable

Configuration Operation Info :
        Last Change: 0 da
Chassis         : 7254XSQ
Serial#         : 15JP113CF01L
H/W Revision    : 00
H/W Config      :
Part Number     : EC720003X-E6
NumSlots        : 2
NumPorts        : 73
BaseMacAddr     : a4:25:1b:54:9c:00
MacAddrCapacity : 1024
MgmtMacAddr     : a4:25:1b:54:9c:81
System MTU      : 1950

Use the show interface gigabitethernet command to display the port information of the switch. On a VSP 7200 Series switch that is port licensed, use the command show interfaces gigabitethernet to view the licensed status of the ports on the switch.
NTP server statistics

1/5   196   10GbNone
1/6   197   10GbNon
1/7   198
1/8   199
1/9   200
1/10  201
1/11  202
1/12  203
1/13  204
1/14  205
1/15  206
1/16  207
1/17  208
1/18  209
1/19  210
1/20  211
1/21  212
1/22  213
1/23  214
1/24  215
1/25  216
1/26  217
1/27  218
1/28  219
1/29  220
1/30  221
1/31  222
1/32  223
1/33  224
1/34  225
1/35  226
1/36  227
1/37  228
1/38  229
1/39  230
1/40  231
1/41  232
1/42  233
1/43  234
1/44  235
1/45  236
1/46  237
1/47  238
1/48  239
2/1   256
2/2   260
2/3   264
2/4   268
2/5/1 272
2/5/2 273
2/5/3 274
2/5/4 275
2/6   276
• reachability
• root delay
• precision

The syntax for this command is as follows.

show ntp statistics

The following example shows sample command output.

Switch:1##show ntp statistics
NTP Server : 192.0.2.
System information

The syntax for this command is as follows.

show sys power power-supply

The following example shows sample command output.
Parameter | Description
setting | Shows system settings.
software | Shows the version of software running on the switch, the last update of that software, and the Boot Config Table. The Boot Config Table lists the current system settings and flags.
stats | Shows system statistics. For more information about statistics, see Monitoring Performance on Avaya Virtual Services Platform 7200 Series and 8000 Series, NN47227-701.
topology-ip | Shows the circuitless IP set.
System status (detailed)

The following example shows output from the show sys software command.

Switch:1#show sys software
System Software Info :
Default Runtime Config File : /intflash/rich.cfg
Config File :
Last Runtime Config Save : Thu Mar 20 05:50:13 2014
Boot Config Table
Version : Build vsp6k_4.0.0.0_GA (PRIVATE) on Sat Mar 15 13:06:52 EDT 2014
PrimaryConfigSource : /intflash/rich.cfg
SecondaryConfigSource : /intflash/config.
H/W Config : none
NumSlots : 1
NumPorts : 50
BaseMacAddr : 24:d9:21:e2:e0:00
MacAddrCapacity : 256
--More-- (q = quit)

Telnet-access sessions

Use the show telnet-access command to display the total sessions allowed. The syntax for this command is as follows.

show telnet-access

The following example shows output from the show telnet-access command.
Port:1/42 QOS CoS Queue Stats
================================================================================
CoS   Out Packets   Out Bytes   Drop Packets   Drop Bytes
--------------------------------------------------------------------------------
0     0             0           0              0
1     0             0           0              0
2     0             0           0              0
3     0             0           0              0
4     0             0           0              0
5     0             0           0              0
6     0             0           0              0
7     0             0           0              0
Switch:1#

CPU queue statistics

Use the show qos cosq-stats cpu-port to display the statistics of the forwarded packets and bytes, and the dropped packets and bytes for t
Chapter 15: Port numbering and MAC address assignment reference

This section provides information about the port numbering and Media Access Control (MAC) address assignment used on the switch.

Port numbering

A port number includes the slot location of the port in the chassis, as well as the port position. The following diagrams illustrate the components on the front panels of the switches. For more information on hardware, see Installing the Avaya Virtual Services Platform 8000 Series, NN47227-300.
Port numbering

3. QSFP+ port LEDs are in between the ports on each slot. The up arrows refer to the port above and the down arrows refer to the port below.
4. Four QSFP+ ports: two in Slot 1 and two in Slot 2.
5. USB port
6. Console port (10101)
7. Management port — The LEDs are on the bottom of the port.
8. LEDs for system power (PWR), switch status (Status), redundant power supply (RPS), and fan modules (Fan).

The following figure illustrates the front view of the VSP 8400 switch.
1. LEDs indicating port activity are above the RJ-45 and SFP+ port. The up arrow on the left indicates the top port; the down arrow on the right indicates the bottom port.
2. 48 ports — The VSP 7254XSQ has 48 SFP/SFP+ fiber ports. The VSP 7254XTQ has 48 RJ-45 copper ports.
3. Six QSFP+ ports — The LEDs are below each port. There are four LEDs per port to support channelization. The up arrows refer to the port above.
4. USB port
5.
MAC address assignment

The following example shows an output for this command:

Switch:1(config)#show interfaces gigabitEthernet
=====================================================================================
                                    Port Interface
=====================================================================================
PORT                          LINK  PORT              PHYSICAL      STATUS
NUM   INDEX DESCRIPTION       TRAP  LOCK  MTU   ADDRESS       ADMIN  OPERATE
-------------------------------------------------------------------------------------
1/1   192   10GbNone          true  f
Virtual MAC addresses

Virtual MAC addresses are the addresses assigned to VLANs. The system assigns a virtual MAC address to a VLAN when it creates the VLAN. The MAC address for a VLAN IP address is the virtual MAC address assigned to the VLAN.

January 2017 Administering Avaya VSP 7200 Series and 8000 Series Comments on this document? infodev@avaya.
Chapter 16: Supported standards, RFCs, and MIBs

This chapter details the standards, request for comments (RFC), and Management Information Bases (MIB) that the switch supports.

Supported IEEE standards

The following table details the IEEE standards that the switch supports.

Table 53: Supported IEEE standards
IEEE standard | Description
802.1ag | Connectivity Fault Management
802.1ah | Provider Backbone Bridging
802.1aq | Shortest Path Bridging (SPB)
802.1AX | Link Aggregation
802.1D | MAC Bridges
P802.
IEEE standard | Description
802.3ae | 10Gb/s Operation, implemented as 10GBASE-X SFP+
802.3ba | 40Gb/s and 100Gb/s Operation, implemented as 40GBASE-QSFP+
802.3x | Full Duplex & Flow Control
802.3z | 1000Mb/s Operation, implemented as 1000BASE-X SFP

Supported RFCs

The following table and sections list the RFCs that the switch supports.

Table 54: Supported request for comments
Request for comment | Description
draft-grant-tacacs-02.
Request for comment | Description
RFC 1256 | ICMP Router Discovery
RFC 1258 | IPv6 Rlogin server
RFC 1305 | Network Time Protocol v3 Specification, Implementation and Analysis
RFC 1340 | Assigned Numbers
RFC 1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
RFC 1541 | Dynamic Host Configuration Protocol
RFC 1542 | Clarifications and Extensions for the Bootstrap Protocol
RFC 1587 | The OSPF NSSA Option
RFC 1591 | DNS Client
RFC 1723 | RIP v2 — Carryin
Request for comment | Description
RFC 2464 | Transmission of IPv6 packets over Ethernet networks
RFC 2545 | Use of BGP-4 multi-protocol extensions for IPv6 inter-domain routing
RFC 2548 | Microsoft vendor specific RADIUS attributes
RFC 2579 | Textual Conventions for SMI v2
RFC 2580 | Conformance Statements for SMI v2
RFC 2616 | Hypertext Transfer Protocol 1.
Quality of service

Request for comment | Description
RFC 4302 | IP Authentication Header (AH)
RFC 4303 | IP Encapsulated Security Payload (ESP)
RFC 4305 | Cryptographic algorithm implementation requirements for ESP and AH
RFC 4308 | Cryptographic suites for Internet Protocol Security (IPsec)
RFC 4443 | ICMP for IPv6
RFC 4541 | Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping
RFC 4552 | OSPFv3 Authentication and confidentiality for OSPFv3
RFC 4601 | Protocol Independe
Network management

Table 56: Supported request for comments
Request for comment | Description
RFC1155 | SMI
RFC1157 | SNMP
RFC1215 | Convention for defining traps for use with the SNMP
RFC1305 | Network Time Protocol v3 Specification, Implementation and Analysis
RFC1350 | The TFTP Protocol (Revision 2)
RFC1907 | Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)
RFC1930 | Guidelines for creation, selection, and registration of an
MIBs

Table 57: Supported request for comments
Request for comment | Description
RFC1156 | MIB for network management of TCP/IP
RFC1212 | Concise MIB definitions
RFC1213 | TCP/IP Management Information Base
RFC1398 | Ethernet MIB
RFC1442 | Structure of Management Information for version 2 of the Simple Network Management Protocol (SNMPv2)
RFC1450 | Management Information Base for v2 of the Simple Network Management Protocol (SNMPv2)
RFC1573 | Interface MIB
RFC1650 | Definitions of Managed Objects for th
Table 58: Supported MIBs
Standard MIB name | Institute of Electrical and Electronics Engineers/Request for Comments (IEEE/RFC) | File name
STDMIB2—Link Aggregation Control Protocol (LACP) (802.3ad) | 802.3ad | ieee802-lag.mib
STDMIB3—Extensible Authentication Protocol Over Local Area Networks (EAPoL) (802.1x) | 802.1x | ieee8021x.mib
STDMIB4—Internet Assigned Numbers Authority (IANA) Interface Type | — | iana_if_type.
Standard MIBs

Standard MIB name | Institute of Electrical and Electronics Engineers/Request for Comments (IEEE/RFC) | File name
STDMIB26d—User-based Security Model (USM) for version 3 of the SNMP | RFC2574 | rfc2574.mib
STDMIB26e—View-based Access Control Model (VACM) for the SNMP | RFC2575 | rfc2575.mib
STDMIB26f—Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework | RFC2576 | rfc2576.
Standard MIB name | Institute of Electrical and Electronics Engineers/Request for Comments (IEEE/RFC) | File name
STDMIB43—Management Information Base for the User Datagram Protocol (UDP) | RFC4113 | rfc4113.mib
Q-BRIDGE-MIB—Management Information Base for managing Virtual Bridged LANs | RFC4363 | rfc4363-q.mib

Proprietary MIBs

The following table details the proprietary MIBs that the switch supports.
Glossary

Advanced Encryption Standard (AES)
A privacy protocol. U.S. government organizations use AES as the current encryption standard (FIPS-197) to protect sensitive information.

American Standard Code for Information Interchange (ASCII)
A code to represent characters in computers. ASCII uses uppercase and lowercase alphabetic letters, numeric digits, and special symbols.
Dynamic Host Configuration Protocol (DHCP)
A standard Internet protocol that dynamically configures hosts on an Internet Protocol (IP) network for either IPv4 or IPv6. DHCP extends the Bootstrap Protocol (BOOTP).

Dynamic Random Access Memory (DRAM)
A read-write random-access memory, in which the digital information is represented by charges stored on the capacitors and must be repeatedly replenished to retain the information.
Local Area Network (LAN)
A data communications system that lies within a limited spatial area, uses a specific user group and topology, and can connect to a public switched telecommunications network (but is not one).

management information base (MIB)
The MIB defines system operations and parameters used for the Simple Network Management Protocol (SNMP).
NonVolatile Random Access Memory (NVRAM)
Random Access Memory that retains its contents after electrical power turns off.

out of band (OOB)
Network dedicated for management access to chassis.

Packet Capture Tool (PCAP)
A data packet capture tool that captures ingress and egress (on Ethernet modules only) packets on selected ports. You can analyze captured packets for troubleshooting purposes.

port
A physical interface that transmits and receives data.
Secure Shell (SSH)
SSH uses encryption to provide security for remote logons and data transfer over the Internet.

SFP
A hot pluggable, small form-factor pluggable (SFP) transceiver, which is used in Ethernet applications up to 1 Gbps.

Simple Loop Prevention Protocol (SLPP)
Simple Hello Protocol that prevents loops in a Layer 2 network (VLAN).

Simple Network Management Protocol (SNMP)
SNMP administratively monitors network performance through agents and management stations.
user-based security model (USM)
A security model that uses a defined set of user identities for authorized users on a particular Simple Network Management Protocol (SNMP) engine.

virtual router forwarding (VRF)
Provides traffic isolation between customers operating over the same node. Each virtual router emulates the behavior of a dedicated hardware router by providing separate routing functionality, and the network treats each VRF as a separate physical router.