
8600 Smart Routers Management Communications Configuration Guide

76.8600-50125G
22.04.2015

Document Information

Revision History

Document No., Date: Description of Changes

76.8600-50125G, 22.04.2015:
    • 8665 Smart Router and 8615 Smart Router stacked support added.

76.8600-50125F, 05.11.2014:
    • 8602 Smart Router and 8615 Smart Router support added.
    • TACACS+ protocol added in TACACS+.

76.8600-50125E, 24.04.2013:
    • VPN Routing and Forwarding (VRF) support for RADIUS communication in 8605 Smart Router, 8609 Smart Router, 8611 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router added in chapter 7.1.

76.8600-50125D, 31.08.2012:
    • New 8600 brand: 8600 managed edge system and 8600 network elements changed to 8600 smart routers.
    • CLI examples layout change from table format to step list.

76.8600-50125C, 30.05.2012:
    • Radius accounting protocol Start/Stop event support in 8620 Smart Router, 8630 Smart Router and 8660 Smart Router added in chapter 7.1.
    • Radius accounting protocol Start/Stop event support in 8609 Smart Router and 8611 Smart Router added in chapter 7.1.
    • CLI examples on flash/crypto directory updated in chapter 8.2.

76.8600-50125B, 31.05.2011:
    • Login attack prevention information added as chapter 1.2.
    • Radius accounting protocol Start/Stop events information added in chapters 7.1 and 7.2.
    • 8609 Smart Router support added.
    • 8611 Smart Router support added.

© 2015 Coriant

This revision of the manual documents the following network elements and the corresponding feature packs or higher:

    • 8602 Smart Router FP7.0
    • 8605 Smart Router FP1.6
    • 8607 Smart Router FP1.1
    • 8609 Smart Router FP7.0
    • 8611 Smart Router FP7.0
    • 8615 Smart Router FP7.0
    • 8620 Smart Router FP7.0
    • 8630 Smart Router, 8660 Smart Router FP7.0
    • 8665 Smart Router FP7.0

If a different feature pack of 8600 products is in use, please refer to the relevant product document program on the Tellabs and Coriant Portal by navigating to www.portal.tellabs.com > Product Documentation & Software > Data Networking > Tellabs 8600 Smart Routers > Technical Documentation.

The functionality described in this document for 8615 Smart Router is also applicable to 8615 Smart Router stacked, unless otherwise stated.

© 2015 Coriant. All rights reserved. This manual is protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties. The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products. Adobe ® Reader ® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Terms and Abbreviations

Term: Explanation

AAA: Authentication, Authorization, Accounting
ACL: Access Control List
AES-256: Advanced Encryption Standard
BMI: Broadband Management Interface
BMP: Broadband Management Protocol. A communication protocol which is used between 8600 network elements and 8000 Intelligent Network Manager.
CCN: Configuration Change Notification
CLI: Command Line Interface
DiffServ: Differentiated Services
DSA: Digital Signature Algorithm
FTP: File Transfer Protocol
IP: Internet Protocol
MIB: Management Information Base (SNMP)
MPLS: Multiprotocol Label Switching
NAS: Network Access Server
NE: Network Element
NTP: Network Time Protocol
OCNM: Online Core Network Monitoring
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service. Commonly used to provide centralized authentication, authorization, and accounting functionalities.
RFC: Request for Comments
RSA: Rivest, Shamir, Adleman. An algorithm for public-key cryptography.
SFTP: SSH File Transfer Protocol. Also Secure File Transfer Program.
SHA1: Secure Hash Algorithm
SNMP: Simple Network Management Protocol
SSH: Secure Shell
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
Unit: In CLI refers to a card
VPN: Virtual Private Network
VRF: VPN Routing and Forwarding

Table of Contents

    About This Manual
        Objectives
        Audience
        8600 Smart Routers Technical Documentation
        Interface Numbering Conventions
        Document Conventions
        Documentation Feedback
    8600 Smart Routers Discontinued Products
    1 Management Communications
        1.1 Security Considerations
        1.2 Login Attack Prevention
        1.3 Classifying Management Traffic with DiffServ
        1.4 Outband Management and Management VRFs
        1.5 Management Traffic Configuration Examples
    2 TELNET
        2.1 Overview
    3 CLI
        3.1 Overview
        3.2 CLI Configuration Examples
    4 BMP
        4.1 Overview
        4.2 BMP Configuration Examples
    5 FTP
        5.1 Overview
        5.2 FTP Configuration Examples
    6 SNMP
        6.1 Overview
            6.1.1 References
        6.2 SNMP Configuration Examples
    7 RADIUS
        7.1 Overview
            7.1.1 References
        7.2 RADIUS Configuration Examples
        7.3 RADIUS Server Configuration
    8 TACACS+
        8.1 Overview
            8.1.1 Authorization
            8.1.2 References
        8.2 TACACS+ Client Configuration Examples
        8.3 TACACS+ Server Configuration
            8.3.1 TACACS+ Server Configuration Example
    9 SSH
        9.1 Overview
        9.2 SSH Configuration Examples
About This Manual

This chapter discusses the objectives and intended audience of this manual, 8600 Smart Routers Management Communications Configuration Guide, and consists of the following sections:

    • Objectives
    • Audience
    • Related Documentation
    • Interface Numbering Conventions
    • Document Conventions
    • Documentation Feedback

Objectives

This manual provides an overview of the 8600 management communication functions and instructions on how to configure them with a command-line interface (CLI) using a router’s console or remote terminal (TELNET).

Audience

This manual is designed for administration personnel for configuring 8600 functions with CLI. On the other hand, 8000 Intelligent Network Manager provides access to equal functionality for administration personnel with a graphical user interface. It is assumed that you have a basic understanding of BMP, CLI, FTP, SNMP, RADIUS and SSH protocols.

8600 Smart Routers Technical Documentation

The document numbering scheme consists of the document ID, indicated by numbers, and the document revision, indicated by a letter. The references in the Related Documentation table below are generic and include only the document ID. To make sure the references point to the latest available document versions, please refer to the relevant product document program on the Tellabs and Coriant Portal by navigating to www.portal.tellabs.com > Product Documentation & Software > Data Networking > 8600 Smart Routers > Technical Documentation.

The table below reflects the customer document content planned for SR7.0 GA, and is subject to change. Before General Availability of SR7.0, the configuration guides have the status of draft, and they do not always describe the full functionality.

Document Title: Description

8600 Smart Routers ATM and TDM Configuration Guide (76.8600-50110):
    Provides an overview of 8600 NEs PWE3 applications, including types, Single-Segment and Multi-Segment; PWE3 Redundancy; ATM applications, including PWE3 tunnelling, Traffic Management, Fault Management OAM, protection and TDM applications as well as instructions on how to configure them with CLI.

8600 Smart Routers Boot and Mini-Applications Embedded Software Release Notes (76.8600-50108):
    Provides information related to the boot and mini-applications software of 8605 Smart Router, 8607 Smart Router, 8609 Smart Router, 8611 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router as well as the installation instructions.

8600 Smart Routers CLI Commands Manual (76.8600-50117):
    Provides commands available to configure, monitor and maintain 8600 system with CLI.

8600 Smart Routers Embedded Software Release Notes:
    8600 Smart Routers SR7.0 Embedded Software Release Notes (76.8670-50177) for the following products:
    • 8602 Smart Router FP7.0
    • 8609 Smart Router and 8611 Smart Router FP7.0
    • 8615 Smart Router FP7.0
    • 8630 Smart Router and 8660 Smart Router FP7.0
    • 8665 Smart Router FP7.0

8600 Smart Routers Equipment Management Configuration Guide (76.8600-50118):
    Provides an overview of 8600 system HW inventory, software management, equipment protection 1+1 (CDC and SCM) as well as instructions on how to configure them with CLI.

8600 Smart Routers Ethernet Configuration Guide (76.8600-50133):
    Provides an overview of 8600 system Ethernet applications, including interfaces; Ethernet forwarding (MAC Switching, Ethernet PWE3, IRB, VLAN, VPLS); Ethernet OAM; LAG; ELP as well as instructions on how to configure them with CLI.

8600 Smart Routers Fault Management Configuration Guide (76.8600-50115):
    Provides an overview of 8600 system fault management, including fault source, types and status as well as instructions on how to configure it with CLI.

8600 Smart Routers Frame Relay Configuration Guide (76.8600-50120):
    Provides an overview of 8600 system Frame Relay applications, including interfaces; Performance Monitoring; protection; Traffic Management as well as instructions on how to configure them with CLI.

8600 Smart Routers Hardware Installation Guide (76.8600-40039):
    Provides guidance on mechanical installation, cooling, grounding, powering, cabling, maintenance, commissioning and ESW downloading.

8600 Smart Routers Network Interfaces Configuration Guide:
    The Network Interfaces Configuration Guide provides an overview of the 8600 NEs interface functions, including NE supported interface types and equipping; interface features; configuration options and operating modes; fault management; performance monitoring; interface configuration layers and port protocols as well as instructions on how to configure them with CLI. The following interface configuration guides are available:
    • 8600 Smart Routers Network Interfaces Configuration Guide (76.8600-50161) (for 8602 Smart Router, 8615 Smart Router and 8665 Smart Router)

9 SSH

9.1 Overview

SSH (Secure Shell) is a commonly used protocol built on TCP/IP that offers remote login and file transfer functionality. In the 8600 system, SSH can be used as a replacement for the TELNET and FTP protocols. A major advantage is that SSH provides strong security, making eavesdropping and hijacking of connections on the wire practically impossible. The 8600 system contains a built-in SSH server that can be used with many free and commercial SSH client programs.

The following security features exist in the SSH protocol:

    • Encryption is used throughout the connection in both directions. The server and client negotiate a suitable symmetric encryption algorithm at the beginning of the session. The encryption keys are automatically generated and exchanged at the same time.
    • Authentication codes are used during the session. Any attempts to change the data by a man-in-the-middle attacker will cause an immediate termination of the session.
    • Host authentication allows the client to verify that the server it is talking to is really who it claims to be. This is accomplished by the server having a public-private key pair (the host key). The client receives and stores the public part of the key upon its first contact to the server. On subsequent sessions, the server can prove its identity by possession of the private part of the key.
    • User authentication identifies the user to the server. The user authentication is traditionally done with a username/password pair. In addition to password authentication, SSH also supports public key authentication. In this authentication method, the user authenticates himself by possessing the private part of a public-private key pair. It is required, however, that the public part of the key is stored in the server in advance.

The 8600 SSH server only supports SSH protocol version. While all modern SSH clients support version of the protocol, this might be an issue with some old clients.

The SFTP protocol runs on top of the SSH protocol and provides secure file transfer services.

9.2 SSH Configuration Examples

Taking the SSH protocol in use on a network element requires some preconfiguration. The host key pair needs to be generated for the network element. The 8600 SSH server can use both DSA (some clients call these DSS keys) and RSA type key pairs (the names refer to algorithms used). It is possible to have an active host key for either or both of these types, but only one is needed. DSA is suggested as it is guaranteed to be supported by all compliant SSH version clients.

Step 1. Generate a DSA type key pair. The key generation is done in the background and may take several minutes to complete. The key will have index.

    router(config)# crypto generate key ssh2-dsa

Step 2. Display the key in the key list once it has been generated. The fingerprint can be used for verification of the host's identity on the client side as it is unique for each key.

    router(config)# show crypto key
    Key [NOT ACTIVE] - Type: ssh2-dsa - Size: 2048 bits
    Fingerprint: de:08:ee:b9:f5:91:53:0b:f7:de:26:fe:25:4c:ca:10

Step 3. Activate the generated key as the SSH server host key.

    router(config)# cli-server ssh host-key

Step 4. Enable the SSH server. After this step, the network element will allow incoming SSH and SFTP connections.

    router(config)# cli-server ssh enable

Enabling public key authentication for a user requires the user to generate the key pair (or use an existing key pair) on the client. The example below is shown for an OpenSSH client.

Step 1. Generate the key pair on the client. Two files are generated: mykey contains the private key, mykey.pub is the public part of the key in OpenSSH format.

    $ ssh-keygen -b 2048 -t dsa -f mykey -N mypassphrase

Step 2. Convert the public key to standard SSH2 public key file format as required by the SSH server in the 8600 system. The resulting public key file is mykey_ssh2.pub.

    $ ssh-keygen >mykey_ssh2.pub -e -f mykey.pub

Step 3. For importing the key, it has to be transferred to the file system of the network element. In this example, SFTP is used. The flash/crypto directory is used as a temporary location for placing the key. The key file can be deleted after it has been imported.

    $ sftp 172.19.101.10
    Connecting to 172.19.101.10
    sftp> cd flash/crypto
    sftp> put mykey_ssh2.pub
    Uploading mykey_ssh2.pub to /flash/crypto/mykey_ssh2.pub
    mykey_ssh2.pub 100% 2048 0.3KB/s 00:00
    sftp>

Step 4. Import the key from the flash file system to the internal key storage. This public key will have index. It is associated with the currently logged on user, allowing only this particular user to log in with the public key.

    router(config)# crypto load flash: mykey_ssh2.pub key

Step 5. Display the properties of the public key. The properties and the option to remove a public key are only available to the key's owner or a user with superuser privileges.

    router(config)# show crypto key
    Key [ACTIVE] - Type: ssh2-dsa-public - Size: 2048 bits
    Owner: superuser
    Fingerprint: 13:c6:60:ed:91:30:23:65:36:84:80:6a:d1:5e:a5:c5
    Comment: 2048-bit DSA, converted from OpenSSH by superuser@FIOU0203

Step 6. Log in to the NE using the key stored in the file mykey. The passphrase is asked, if one was given at key generation.

    $ ssh superuser@172.19.101.10 -i mykey

When the public key is no longer needed, it should be removed.

Step 1. Discard the public key. Only the key's owner or a user with superuser privileges can remove a key.

    router(config)# clear crypto key
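The fingerprint comparison mentioned in section 9.2, as an added example that is not part of the original manual: it parses an SSH2 (RFC 4716) public key file such as mykey_ssh2.pub and checks its fingerprint against the value printed by show crypto key. It assumes the router prints the colon-separated MD5 of the public key blob, as the 16-byte form of its output suggests; the function names and the sample key are constructed for this example.

```python
import base64, hashlib, hmac

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def parse_rfc4716(text):
    """Return (headers, key_blob) from an SSH2 (RFC 4716) public key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:              # headers come before the base64 body
            while line.endswith("\\") and i < len(lines) - 2:
                i += 1                            # a trailing backslash continues the header
                line = line[:-1] + lines[i]
            tag, value = line.split(":", 1)
            headers[tag.lower()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)

def wire_fields(blob):
    """Split the blob into its 4-byte-length-prefixed fields (key type, then integers)."""
    fields, off = [], 0
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        if off + 4 > len(blob) or off + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob (assumed to be what the router displays)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_matches(key_file_text, shown_on_router):
    """True if the key file's fingerprint equals the one copied from the router."""
    _, blob = parse_rfc4716(key_file_text)
    return hmac.compare_digest(md5_fingerprint(blob), shown_on_router.strip().lower())

# Constructed sample: the integers are filler bytes, not a usable DSA key.
def _f(b): return len(b).to_bytes(4, "big") + b
SAMPLE_BLOB = _f(b"ssh-dss") + _f(b"\x00" + b"\xc3" * 256) + _f(b"\x00" + b"\xa5" * 32) \
    + _f(b"\x11" * 256) + _f(b"\x22" * 256)
_b64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_FILE = "\n".join([BEGIN, 'Comment: "2048-bit DSA, constructed \\', 'sample"',
                         *(_b64[i:i + 70] for i in range(0, len(_b64), 70)), END])

if __name__ == "__main__":
    headers, blob = parse_rfc4716(SAMPLE_FILE)
    print(headers["comment"], wire_fields(blob)[0].decode(), md5_fingerprint(blob))
```

Run the same comparison for the host key: the fingerprint the SSH client shows on first contact should equal the one the router prints for its active host key.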

Date posted: 16/11/2017, 11:45
