Part No. 060318-10, Rev. K March 2015 OmniSwitch AOS Release 7 Switch Management Guide www.alcatel-lucent-lucent.
This user guide documents AOS Release 7.3.4 for the OmniSwitch 10K and OmniSwitch 6900. The functionality described in this guide is subject to change without notice. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2015 by Alcatel-Lucent.
Contents

About This Guide .......... xv
Supported Platforms .......... xv
Who Should Read this Manual? .......... xv
When Should I Read this Manual? ..........
Using SNMP to Manage the Switch .......... 2-5
User Accounts .......... 2-5
Configuring the Console Port .......... 2-6
Setting the EMP Port’s IP Address ..........
Secure Copy an Existing File .......... 3-9
Move an Existing File or Directory .......... 3-10
Change File Attribute and Permissions .......... 3-10
Delete an Existing File .......... 3-10
Utility Commands ..........
Using the USB Flash Drive .......... 4-21
Transferring Files Using a USB Flash Drive .......... 4-21
Automatically Copying Code Using a USB Flash Drive .......... 4-21
Disaster Recovery Using a USB Flash Drive .......... 4-22
Displaying CMM Conditions ..........
Syntax Checking .......... 6-7
Text Editing on the Switch .......... 6-8
Invoke the “Vi” Editor .......... 6-8
Creating Snapshot Configuration Files .......... 6-9
Snapshot Feature List ..........
Verifying the User Configuration .......... 7-20
Chapter 8 Managing Switch Security .......... 8-1
In This Chapter .......... 8-1
Switch Security Defaults ..........
SNMP Overview .......... 10-7
SNMP Operations .......... 10-7
Using SNMP for Switch Management .......... 10-8
Setting Up an SNMP Management Station .......... 10-8
SNMP Versions ..........
Modify Table Entry Example - VLAN .......... 11-10
Modify Table Entry Example - Interface Speed .......... 11-11
Delete Table Entry Example .......... 11-12
Query Table Info Example .......... 11-13
CLI Example ..........
Recommended Topologies .......... 12-14
Campus Core .......... 12-14
Data Center VC .......... 12-15
Interaction with Other Features .......... 12-16
Data Center Bridging ..........
Information Provided by DHCP Server .......... 13-7
Information Provided by Instruction File .......... 13-7
File Servers and Download Process .......... 13-8
LED Status .......... 13-8
Interaction With Other Features ..........
Automatic Fabric Port Eligibility .......... 14-10
Automatic Fabric Discovery Window .......... 14-10
LACP Discovery .......... 14-10
SPB Discovery .......... 14-11
Dynamic Service Access Points (SAPs) ..........
Verifying NTP Configuration .......... 15-13
Appendix A Software License and Copyright Statements .......... A-1
Alcatel-Lucent License Agreement .......... A-1
ALCATEL-LUCENT SOFTWARE LICENSE AGREEMENT .......... A-1
Third Party Licenses and Notices ..........
About This Guide

This OmniSwitch AOS Release 7 Switch Management Guide describes basic attributes of your switch and basic switch administration tasks. The software features described in this manual are shipped standard with your switches. These features are used when readying a switch for integration into a live network environment.

Supported Platforms

The information in this guide applies only to the OmniSwitch 10K and OmniSwitch 6900 switches.
What is in this Manual?

This configuration guide includes information about the following features:
• Basic switch administrative features, such as file editing utilities, procedures for loading new software, and setting up system information (name of switch, date, time).
• Configuration files, including snapshots, off-line configuration, time-activated file download.
Documentation Roadmap

The OmniSwitch user documentation suite was designed to supply you with information at several critical junctures of the configuration process. The following section outlines a roadmap of the manuals that will help you at each stage of the configuration process. Under each stage, we point you to the manual or manuals that will be most helpful to you.
The OmniSwitch AOS Release 7 Data Center Switching Guide includes configuration information for data center networks using virtualization technologies (SPBM and UNP) and Data Center Bridging protocols (PFC, ETC, and DCBX).

Anytime

The OmniSwitch AOS Release 7 CLI Reference Guide contains comprehensive information on all CLI commands supported by the switch.
Related Documentation

The following are the titles and descriptions of all the related OmniSwitch user manuals:
• OmniSwitch 10K Getting Started Guides
Describes the hardware and software procedures for getting an OmniSwitch up and running. Also provides information on fundamental aspects of OmniSwitch software architecture.
Technical Support

An Alcatel-Lucent service agreement brings your company the assurance of 7x24 no-excuses technical support. You’ll also receive regular software updates to maintain and maximize your Alcatel-Lucent product’s features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners.
Chapter 1 Getting Started and Upgrading AOS

This chapter provides an overview of what to expect when first bringing up an OmniSwitch. It describes the Automatic Management features an OmniSwitch runs when booting for the first time as well as whether a switch will come up in standalone or VC mode. This chapter is also helpful for getting started with a new AOS release by covering important information related to upgrading the switch.
Getting Started Specifications

The functionality described in this chapter is supported on the OmniSwitch Series switches unless otherwise stated in the following Specifications table or specifically noted within any section of this chapter.

Platforms Supported                   OmniSwitch 10K, 6900
Standalone Configuration Files        boot.cfg
Virtual Chassis Configuration Files   vcboot.cfg, vcsetup.cfg
Demo License                          45-day Demo license
Image Files                           Ros.
Automatic Management Features

All switches that ship from the factory with AOS Release 7.3.4.R01 will default to Virtual Chassis mode and attempt to run the automatic VC, automatic remote configuration, and automatic fabric protocols. The automatic features can be disabled during the switch reboot or after the switch has finished booting if desired.
Automatic Management Features Flow Overview (figure; the flowchart itself is not reproduced here). Decision points and states shown in the figure: Power Up; Factory Default?; Demo License Created; AutoVC Begins (1); VC Ready?; Valid License?; RCL Starts (2); Standalone Mode; VC Config?; Boot.cfg?; VC Reboots; RCL Config Applied; RCL Success?; Config Applied; Auto Fabric Enabled (3).
1. See Chapter 12, “Configuring Virtual Chassis” for additional information on Auto VC.
2.
Standalone or Virtual Chassis Mode

When a chassis boots with its default factory configuration it will run in VC mode. There may be times when standalone mode is preferred, such as when introducing the chassis into an already existing network. There are multiple ways to have the switch come up in standalone mode instead of VC mode.
Upgrading the Software

This section is to assist with upgrading an OmniSwitch. The goal is to provide a clear understanding of the basic steps and types of upgrade processes available for an OmniSwitch. Depending upon the AOS version, model, and configuration of the OmniSwitch, various upgrade procedures are supported. This section provides an overview.
Prerequisites

Before upgrading, the individual performing the upgrade must:
• Read the release notes for the appropriate AOS release.
• Be the responsible party for maintaining the switch's configuration.
• Be aware of any issues that may arise from a network outage caused by improperly loading this code.
• Understand that the switch must be rebooted and network access may be affected by following this procedure.
Switch Maintenance

It's recommended to perform switch maintenance prior to performing any upgrade. This can help with preparing for the upgrade and removing unnecessary files. The following steps can be performed at any time prior to a software upgrade. These procedures can be done using Telnet and FTP; however, using SSH and SFTP/SCP is recommended as a security best practice, since Telnet and FTP are not secure.
Standard Upgrade

This section describes the basic steps for upgrading an OmniSwitch standalone or virtual chassis using a standard upgrade. This section is an overview. For specific step-by-step instructions please refer to the Release Notes.
1 Follow the instructions in the “Switch Maintenance” on page 1-8 section.
2 Download the upgrade files from the Service & Support website.
3 FTP the upgrade files to the RUNNING directory of the switch.
Resetting NIs - OS10K

After performing an ISSU upgrade, the NIs must be reset to complete the ISSU upgrade. They can be reset manually using the ‘issu slot’ or ‘reload slot’ commands. If the NIs are not reset by the time the NI reset timer expires (refer to “Getting Started Specifications” on page 1-2), they will be reset individually by the system in ascending order beginning with slot 1.
Chapter 2 Logging Into the Switch

Logging into the switch may be done locally or remotely. Management tools include: the Command Line Interface (CLI), which may be accessed locally via the console port, or remotely via Telnet; WebView, which requires an HTTP client (browser) on a remote workstation; and SNMP, which requires an SNMP manager (such as Alcatel-Lucent’s OmniVista or HP OpenView) on the remote workstation. Secure sessions are available using the Secure Shell interface.
Login Specifications

For more information about...    See...
Quick Steps for Logging Into the Switch

The following procedure assumes that you have set up the switch as described in your OmniSwitch 10K Getting Started Guide and Hardware Users Guide. Setup includes:
• Connecting to the switch via the console port.
• Setting up the Ethernet Management Port (EMP).
• Enabling (or “unlocking”) management interface types through the aaa authentication command for the interface you are using.
Overview of Switch Login Components

Switch access components include access methods (or interfaces) and user accounts stored on the local user database in the switch and/or on external authentication servers. Each access method, except the console port, must be enabled or “unlocked” on the switch before users can access the switch through that interface.
Using the WebView Management Tool
• HTTP—The switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView. For more information about using WebView, see Chapter 9, “Using WebView.”

Using SNMP to Manage the Switch
• SNMP—Any standard SNMP application may be used for configuring the switch. See Chapter 10, “Using SNMP.
Configuring the Console Port

The console port default settings are listed in the Hardware Users Guide. If you wish to modify the default serial connection settings (i.e.
Setting the EMP Port’s IP Address

In order to access the switch through the EMP port, the port's default IP address and network mask should be changed. There are multiple IP addresses to consider when configuring the EMP port.
• The EMP IP address shared between both CMMs, stored in the boot.cfg file.
• The Primary or Secondary CMM’s IP address, stored in NVRAM. (Not required for remote access.)
Only the shared EMP IP address stored in the boot.
Using Telnet

Telnet may be used to log into the switch from a remote station. All of the standard Telnet commands are supported by software in the switch. When Telnet is used to log in, the switch acts as a Telnet server. If a Telnet session is initiated from the switch itself during a login session, then the switch acts as a Telnet client.
Using Secure Shell

The Secure Shell feature provides a secure mechanism that allows you to log in to a remote switch, to execute commands on a remote device, and to move files from one device to another. Secure Shell provides secure, encrypted communications even when your transmission is between two untrusted hosts or over an unsecure network.
Secure Shell Application Overview

Secure Shell is an access protocol used to establish secured access to your OmniSwitch. The Secure Shell protocol can be used to manage an OmniSwitch directly or it can provide a secure mechanism for managing network servers through the OmniSwitch. The drawing below illustrates the Secure Shell being used as an access protocol replacing Telnet to manage the OmniSwitch.
Secure Shell Authentication

Secure Shell authentication is accomplished in several phases using industry standard algorithms and exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell FTP. The following sections describe the process in detail.
Authentication Phase

When the client tries to authenticate, the server determines the process used by telling the client which authentication methods can be used. The client has the freedom to attempt several methods listed by the server. The server will disconnect itself from the client if a certain number of failed authentications are attempted or if a time-out period expires.
6 Connect to the OmniSwitch using SSH with PKA.
# ssh -o PreferredAuthentications=publickey new_ssh_user@192.168.2.1 -v
Note. By default, if PKA fails, the user is prompted for a password. This is the password that was specified when the user name was created on the OmniSwitch.
7 (Optional) To enforce Secure Shell PKA on a switch and not prompt for a password, use the ssh enforce-pubkey-auth command.
Modifying the Login Banner

The Login Banner feature allows you to change the banner that displays whenever someone logs into the switch. This feature can be used to display messages about user authorization and security. You can display the same banner for all login sessions or you can implement different banners for different login sessions.
The banner files must contain only ASCII characters and should bear the .txt extension. The switch will not reproduce graphics or formatting contained in the file.

Modifying the Text Display Before Login

By default, the switch does not display any text before the login prompt for any CLI session. At initial bootup, the switch creates a pre_banner.txt file in the /flash/switch directory.
Configuring Login Parameters

You can set the number of times a user may attempt unsuccessfully to log in to the switch’s CLI by using the session login-attempt command as follows:
-> session login-attempt 5
In this example, the user may attempt to log in to the CLI five (5) times unsuccessfully. If the user attempts to log in the sixth time, the switch will break the TCP connection.
Enabling the DNS Resolver

A Domain Name System (DNS) resolver is an optional internet service that translates host names into IP addresses. Every time you enter a host name when logging into the switch, a DNS service must look up the name on a server and resolve the name to an IP address. You can configure up to three IPv4 domain name servers and three IPv6 domain name servers that will be queried in turn to resolve the host name.
Verifying Login Settings
Chapter 3 Managing System Files

This chapter describes the several methods of transferring software files onto the OmniSwitch and how to register those files for use by the switch. This chapter also describes several basic switch management procedures and discusses the Command Line Interface (CLI) commands used.
File Management Specifications

The functionality described in this chapter is supported on the OmniSwitch Series switches unless otherwise stated in the following Specifications table or specifically noted within any section of this chapter.
Switch Administration Overview

The OmniSwitch has a variety of software features designed for different networking environments and applications. Over the life of the switch, it is very likely that your configuration and feature set will change because the needs of your network are likely to expand. Also, software updates become available from Alcatel-Lucent.
Switch Directories

You can create your own directories in the switch flash directory. This allows you to organize your configuration and text files on the switch. You can also use the vi command to create files. This chapter tells you how to make, copy, move, and delete both files and directories.

Switch directory listing (figure): /flash, containing the /flash/certified directory (files), the /flash/network directory (files), the /flash/working directory (files), and the log files swlog.0, swlog.
File and Directory Management

A number of CLI commands allow you to manage files on your switch by grouping them into subdirectories within the switch’s flash directory. For documentation purposes, we have categorized the commands into the following three groups.
• Directory commands allow you to create, copy, move, remove, rename, and display directories.
To list all the files and directories in your current directory, use the ls command. Here is a sample display of the flash directory.
Directory Commands

The directory commands are applied to the switch file system and to files contained within the file system. When you first enter the flash directory, your login is located at the top of the directory tree. You may navigate within this directory by using the pwd and cd commands (discussed below). The location of your login within the directory structure is called your current directory.
Changing Directories

Use the cd command to navigate within the file directory structure. The cd command allows you to move “up” or “down” the directory tree. To go down, you must specify a directory located in your current directory. For example:
-> pwd
/flash
-> cd certified
-> pwd
/flash/certified
To move “up” the directory tree, use the cd command. Enter cd ..
Removing a Directory and its Contents

The rmdir command removes the specified directory and all its contents. The following command would remove the dir1 directory.
-> rmdir /flash/dir1
or
-> rm -rf /flash/dir1

File Commands

The file commands apply to files located in the /flash file directory and its sub-directories.

Creating or Modifying Files

The switch has an editor for creating or modifying files.
Move an Existing File or Directory

The mv command is used to move an existing file or directory to another location. You can specify the path and name for the file or directory being moved. If no path is specified, the command assumes the current path. You can also specify a path and a new name for the file or directory being moved. If no name is specified, the existing name will be used.
Utility Commands

The utility commands include freespace, fsck, and newfs. These commands are used to check and verify flash.

Displaying Free Memory Space

The freespace command displays the amount of free memory space available for use in the switch’s file system. You may issue this command from any location in the switch’s directory tree.
Deleting the Entire File System

The newfs command deletes the file system and all the files and directories contained in it. This command is used when you want to reload all files in the file system.
Caution. This command will delete all of the switch’s system files. All configurations programmed into the switch will be lost. Do not use this command unless you are prepared to reload all files.
Loading Software onto the Switch

There are multiple methods for loading software to and from your switch. The method you use depends on your workstation software, your hardware configuration, and the location and condition of your switch. These methods are discussed here.
• FTP/SFTP/SCP Server—You can use the switch as an FTP/SFTP server. If you have client software on your workstation, you can transfer a file to the switch.
Using the Switch as an FTP Client

Using the switch as an FTP client is useful in cases where you do not have access to a workstation with an FTP client. You can establish an FTP session locally by connecting a terminal to the switch console port. You can also establish an FTP session to a remote switch by using a Telnet session. Once you are logged into the switch as an FTP client, you can use standard FTP commands.
2 You must have a login and password that is recognized by the IP address you specify. When you enter your login, the device you are logging in to will request your password as shown here.
-> sftp 198.51.100.125
login as: rrlogin2
rrlogin2's password for keyboard-interactive method:
3 After logging in, you will receive the sftp> prompt.
Installing Software Licenses

Some features require a software license and are restricted only to a licensed user. Purchasing a license part number along with an authorization code from Alcatel-Lucent is required. The authorization code is then used to generate a license file. To generate a license file, install the file on the switch, and activate features, do the following:
1 Log on to https://service.esd.alcatel-lucent.
Setting the System Clock

The switch clock displays time by using a 24-hour clock format. It can also be set for use in any time zone. Daylight Savings Time (DST) is supported for a number of standard time zones. DST parameters can be programmed to support non-standard time zones and time off-set applications. All switch files and directories listed in the flash directory bear a time stamp. This feature is useful for file management purposes.
The following command will set the switch’s system time to 3:14:00 p.m:
-> system time 15:41:00

Daylight Savings Time Configuration

The switch automatically adjusts for Daylight Savings Time (DST) depending on the timezone selected. If the configured timezone supports DST it is automatically enabled and cannot be disabled. If the configured timezone does not support DST it is automatically disabled and cannot be enabled.
Time Zone and DST Information Table (continued)

Abbreviation  Name                    Hours from UTC  DST Start                        DST End                          DST Change
nst           Newfoundland            -03:30          1st Sunday in Apr. at 2:00 a.m.  Last Sunday in Oct. at 2:00 a.m.
ast           Atlantic Standard Time  -04:00          2nd Sunday in Mar. at 2:00 a.m.  1st Sunday in Nov. at 2:00 a.m.  1:00
est           Eastern Standard Time   -05:00          2nd Sunday in Mar. at 2:00 a.m.  1st Sunday in Nov. at 2:00 a.m.  1:00
cst           Central Standard Time   -06:00          2nd Sunday in Mar. at 2:00 a.m.
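The table's DST rules can be turned into concrete transition dates and effective UTC offsets, which is useful when checking that a switch's configured timezone matches the clock you expect in its logs. The following Python is an added example written for this page, not Alcatel-Lucent code and not the switch's own clock logic: it transcribes the nst, ast and est rows above, assumes a one-hour DST change for nst (that row's value is not legible here), and uses its own rule-string parser and function names.

```python
"""
Added example (not Alcatel-Lucent code or switch behaviour): turn the DST
rules from the "Time Zone and DST Information" table, e.g.
"2nd Sunday in Mar. at 2:00 a.m.", into concrete transition datetimes for a
year and derive the effective UTC offset for a local wall-clock time.
"""
import calendar
from datetime import date, datetime, timedelta

ORDINALS = {"1st": 1, "2nd": 2, "3rd": 3, "4th": 4, "last": -1}
MONTHS = {abbr.lower(): i for i, abbr in enumerate(calendar.month_abbr) if abbr}
WEEKDAYS = {name.lower(): i for i, name in enumerate(calendar.day_name)}

# Rows transcribed from the guide's table: abbreviation -> (hours from UTC,
# DST start rule, DST end rule). The one-hour DST change is the table's value
# for ast/est; for nst it is an assumption of this example.
ZONES = {
    "nst": ("-03:30", "1st Sunday in Apr. at 2:00 a.m.", "Last Sunday in Oct. at 2:00 a.m."),
    "ast": ("-04:00", "2nd Sunday in Mar. at 2:00 a.m.", "1st Sunday in Nov. at 2:00 a.m."),
    "est": ("-05:00", "2nd Sunday in Mar. at 2:00 a.m.", "1st Sunday in Nov. at 2:00 a.m."),
}
DST_CHANGE = timedelta(hours=1)


def parse_rule(rule):
    """Split '2nd Sunday in Mar. at 2:00 a.m.' into (ordinal, weekday, month, hour, minute)."""
    words = rule.replace(".", "").split()
    # words -> ['2nd', 'Sunday', 'in', 'Mar', 'at', '2:00', 'am']
    ordinal = ORDINALS[words[0].lower()]
    weekday = WEEKDAYS[words[1].lower()]
    month = MONTHS[words[3].lower()]
    hour, minute = (int(x) for x in words[5].split(":"))
    meridiem = words[6].lower()
    if meridiem == "pm" and hour != 12:
        hour += 12
    elif meridiem == "am" and hour == 12:
        hour = 0
    return ordinal, weekday, month, hour, minute


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday of a month; n == -1 means the last one."""
    last_day = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, last_day + 1)
               if date(year, month, d).weekday() == weekday]
    return date(year, month, matches[n] if n < 0 else matches[n - 1])


def transition(year, rule):
    """Local wall-clock datetime at which the rule fires in the given year."""
    n, weekday, month, hour, minute = parse_rule(rule)
    d = nth_weekday(year, month, weekday, n)
    return datetime(d.year, d.month, d.day, hour, minute)


def parse_offset(text):
    """'-03:30' -> timedelta(hours=-3, minutes=-30)."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = (int(x) for x in text.lstrip("+-").split(":"))
    return sign * timedelta(hours=hours, minutes=minutes)


def utc_offset(zone, local_time):
    """Effective offset from UTC for a naive local wall-clock time in `zone`.

    DST is in force from the start transition (inclusive) to the end
    transition (exclusive); the rows used here all start DST in spring and
    end it in autumn, so a single in-year window suffices.
    """
    base, start_rule, end_rule = ZONES[zone]
    start = transition(local_time.year, start_rule)
    end = transition(local_time.year, end_rule)
    in_dst = start <= local_time < end
    return parse_offset(base) + (DST_CHANGE if in_dst else timedelta(0))


if __name__ == "__main__":
    for zone, (base, start_rule, end_rule) in ZONES.items():
        print(zone, base, transition(2015, start_rule), transition(2015, end_rule))
    print("est offset on 2015-07-01 12:00:", utc_offset("est", datetime(2015, 7, 1, 12, 0)))
```

Running it for 2015 (the year of this guide) gives, for example, an est DST window from 2015-03-08 02:00 to 2015-11-01 02:00 and an nst window from 2015-04-05 02:00 to 2015-10-25 02:00; a July timestamp in est therefore sits at UTC-4, a January one at UTC-5.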
Chapter 4 Managing CMM Directory Content

The CMM (Chassis Management Module) software runs the OmniSwitch Series switches. Each OmniSwitch chassis can run with two CMMs to provide redundancy; one CMM is designated as the primary CMM, and the other is designated as the secondary CMM. The directory structure of the CMM software is designed to prevent corrupting or losing switch files. It also allows you to retrieve a previous version of the switch software.
CMM Specifications

Platforms Supported                  OmniSwitch 10K, 6900
Size of Flash Memory                 2 GB
Maximum Length of File Names         255 Characters
Maximum Length of Directory Names    255 Characters
Maximum Length of System Name        32 Characters
Default Boot Directory               Certified

USB Flash Drive Specifications

Platforms Supported                  OmniSwitch 10K, 6900
USB Flash Drive Support              Alcatel-Lucent Certified USB Flash Drive
Automatic Software Upgrade           Supported
Disaster Rec
CMM Files

The management of a switch is controlled by the following types of files:
• Image files, which are proprietary code developed by Alcatel-Lucent. These files are not configurable by the user, but may be upgraded from one release to the next. These files are also known as archive files as they are really the repository of several smaller files grouped together under a common heading.
• A configuration file, named boot.
CMM Software Directory Structure

The directory structure that stores the image and configuration files is divided into multiple parts:
• The certified directory contains files that have been certified by an authorized user as the default files for the switch. Should the switch reboot, it would reload the files in the certified directory to reactivate its functionality. Configuration changes CAN NOT be saved directly to the certified directory.
Changes made to the RUNNING CONFIGURATION will immediately alter switch functionality. However, these changes are not saved unless explicitly saved by the user using the write memory command. If the switch reboots before the RUNNING CONFIGURATION is saved, then the certified directory is reloaded to the RUNNING CONFIGURATION and the configuration changes are lost.
Scenario 2: Running Configuration Saved to the Working Directory

The network administrator recreates Switch X’s RUNNING CONFIGURATION and immediately saves the running configuration to the working directory. In another mishap, the power to the switch is again interrupted. The switch reboots and rolls back to the certified directory. However, since the configuration file was saved to the working directory, that configuration can be retrieved.
Scenario 4: Rollback to Previous Version of Switch Software

Later that year, a software upgrade is performed. The network administrator loads the new software via FTP to the working directory and reboots the switch from that directory. Since the switch is specifically booted from the working directory, the switch is running from the working directory.
Redundancy

CMM software redundancy is one of the switch’s most important failover features. For CMM software redundancy, two fully-operational CMM modules must be installed at all times. In addition, the CMM software must be synchronized. (Refer to “Synchronizing the Primary and Secondary CMMs” on page 4-18 for more information.) When two CMMs are running, one CMM has the primary role and the other has the secondary role at any given time.
Managing CMM Directory Content CMM Files CMM A CMM B W R 1. Switch is booted up from the working directory which becomes the running-configuration. R 2. The primary CMM copies its running-configuration to the secondary CMM. Booting from the Working Directory Note. It is important to certify the RUNNING-DIRECTORY and synchronize the CMMS as soon as the validity of the software is established.
CMM Files Managing CMM Directory Content Scenario 3: Synchronizing CMMs When changes have been saved to the primary CMM certified directory, these changes need to be propagated to the secondary CMM using the copy flash-synchro command. The following diagram illustrates the process that occurs when synchronizing CMMs. CMM A R CMM B C R 1. A copy flashsynchro command is issued on the primary CMM and the running-configuration is copied to the certified directory. C 2.
Managing Switch Configurations - Single CMM
The following sections define commands that allow the user to manipulate the files in the directory structure of a single CMM.
Scheduling a Reboot
It is possible to cause a reboot of the CMM at a future time by setting time parameters in conjunction with the reload command, using the in or at keywords. To schedule a reboot of the primary CMM in 3 hours and 3 minutes, you would enter:
-> reload all in 3:03
To schedule a reboot for June 30 at 8:00pm, you would enter:
-> reload all at 20:00 june 30
Note.
Saving the Running Configuration
Once the switch has booted and is running, a user can modify various parameters of switch functionality. These changes are stored temporarily in the RUNNING CONFIGURATION in the RAM of the switch. In order to save these changes, the RUNNING CONFIGURATION must be saved.
Rebooting from a Directory
Besides a regular boot of the switch (from the certified directory), you can also force the switch to boot from a different directory. This is useful for checking whether a new configuration or image file will boot the switch correctly before committing it to the certified directory.
Copying the RUNNING DIRECTORY to the Certified Directory
When the RUNNING CONFIGURATION is saved to the RUNNING DIRECTORY, the switch’s RUNNING DIRECTORY and certified directory are now different. If the CMM reboots, this difference causes the switch to boot and run from the certified directory. When the switch is booted and run from the certified directory, changes made to switch functionality cannot be saved. The boot.
Show Currently Used Configuration
Depending on how a switch is booted, different directories can become the RUNNING DIRECTORY. See “Where is the Switch Running From?” on page 4-4 for additional information.
Managing CMM Redundancy
The following sections describe circumstances that the user should be aware of when managing the CMM directory structure on a switch with redundant CMMs. They also include descriptions of the CLI commands designed to synchronize software between the primary and secondary CMMs.
Rebooting the Secondary CMM
You can specify a reboot of the secondary CMM by using the secondary keyword in conjunction with the reload command.
Synchronizing the Primary and Secondary CMMs
If you have a secondary CMM in your switch, it will be necessary to synchronize the software between the primary and secondary CMMs. If the primary CMM goes down, the switch fails over to the secondary CMM. If the software in the secondary CMM is not synchronized with the software in the primary CMM, the switch will not function as configured by the administrator.
Swapping the Primary CMM for the Secondary CMM
If the primary CMM is having problems, or if it needs to be shut down, the secondary CMM can be instructed to “take over” switch operation as the primary CMM is shut down. It is normal for the NIs to indicate a DOWN status for approximately 10 seconds while establishing communication to the secondary CMM; however, this does not affect the flow of traffic.
Note.
Show Currently Used Configuration
In a chassis with redundant CMMs, the display for the currently running configuration tells the user whether the primary and secondary CMMs are synchronized.
Using the USB Flash Drive
An Alcatel-Lucent certified USB flash drive can be connected to the CMM and used to transfer images to and from the flash memory on the switch. This can be used for upgrading switch code, backing up files or recovering a failed CMM. For automatic upgrades and disaster recovery, the USB flash drive must be configured with the proper directory structure, depending on the platform, as noted in the table below.
using the running setup. The switch will then reboot from the working directory, applying the code upgrade.
6 Once the switch reboots, the auto-copy feature is automatically disabled to prevent another upgrade.
Disaster Recovery Using a USB Flash Drive
A USB flash drive can be loaded with the necessary files to recover a failed CMM.
Displaying CMM Conditions
To show various CMM conditions, such as where the switch is running from and which files are installed, use the following CLI show commands:
show running-directory: Shows the directory from which the switch was booted.
show reload: Shows the status of any time-delayed reboot(s) pending on the switch.
show microcode: Displays the microcode versions installed on the switch.
5 Using the CLI
Alcatel-Lucent’s Command Line Interface (CLI) is a text-based configuration interface that allows you to configure switch applications and to view switch statistics. Each CLI command applicable to the switch is defined in the OmniSwitch AOS Release 7 CLI Reference Guide. All command descriptions listed in the Reference Guide include command syntax definitions, defaults, usage guidelines, example screen output, and release history.
CLI Specifications
The following table lists specifications for the Command Line Interface.
Platforms Supported: OmniSwitch 10K, 6900
Configuration Methods:
• Online configuration via real-time sessions using CLI commands.
• Offline configuration using a text file holding CLI commands.
Command Capture Feature: Snapshot feature captures switch configurations in a text file.
A configuration file can be viewed or edited offline using a standard text editor. It can then be uploaded and applied to additional switches in the network. This allows you to easily clone switch configurations. The ability to store comprehensive network information in a single text file facilitates troubleshooting, testing, and overall network reliability. See Chapter 6, “Working With Configuration Files,” for detailed information about configuration files.
Using “Show” Commands
The CLI contains show commands that allow you to view configuration and switch status on your console screen. The show syntax is used with other command keywords to display information pertaining to those keywords. For example, the show vlan command displays a table of all VLANs currently configured, along with pertinent information about each VLAN.
-> sh v
ERROR: Invalid entry: “v”
The letter ‘v’ does not uniquely identify a keyword and could stand for multiple keywords such as ‘vlan’, ‘violation’ or ‘verbose’. The ‘?’ can be used to list the possible keywords.
Command Help
The CLI has an internal help feature you can invoke by using the question mark (?) character as a command. The CLI help feature provides progressive information on how to build your command syntax, one keyword at a time.
The !! (bang, bang) command displays the last command line entered and automatically runs the command.
Inserting Characters
To insert a character between characters already typed, use the Left and Right Arrow keys to place the cursor into position, then type the new character. Once the command is correct, execute it by pressing Enter. In the following example, the user enters the wrong syntax to execute the command. The result is an error message.
Logging CLI Commands and Entry Results
The switch provides command logging via the command-log command. This feature allows users to record the most recent commands entered via Telnet, Secure Shell, and console sessions. In addition to a list of commands entered, the results of each command entry are recorded. Results include information such as whether a command was executed successfully, or whether a syntax or configuration error occurred.
Viewing the Current Command Logging Status
As mentioned above, the command logging feature is disabled by default. To view whether the feature is currently enabled or disabled on the switch, use the show command-log status command. For example:
-> show command-log status
CLI command logging: Enable
In this case, the feature has been enabled by the user via the command-log command.
Customizing the Screen Display
The CLI has several commands that allow you to customize the way switch information is displayed on your screen. You can make the screen display smaller or larger. You can also adjust the size of the table displays and the number of lines shown on the screen.
Note. Screen display examples in this chapter assume the use of a VT-100/ASCII emulator.
Verifying CLI Usage
To display information about CLI commands and the configuration status of your switch, use the show commands listed here:
show session config: Displays session manager configuration information (e.g., default prompt, banner file name, and inactivity timer).
show prefix: Shows the command prefix (if any) currently stored by the CLI. Prefixes are stored for command families that support the prefix recognition feature.
6 Working With Configuration Files
Commands and settings needed for the OmniSwitch can be contained in an ASCII-based configuration text file. Configuration files can be created in several ways and are useful in network environments where multiple switches must be managed and monitored. This chapter describes how configuration files are created, how they are applied to the switch, and how they can be used to enhance OmniSwitch 10K and OmniSwitch 6900 usability.
Configuration File Specifications
The following table lists specifications applicable to Configuration Files.
Platforms Supported: OmniSwitch 10K, 6900
Creation Methods for Configuration Files:
• Create a text file on a word processor and upload it to the switch.
• Invoke the switch’s snapshot feature to create a text file.
• Create a text file using the switch’s text editor.
For more information about these displays, refer to the OmniSwitch AOS Release 7 CLI Reference Guide.
5 Use the show ip helper command to verify that the DHCP Relay parameters defined in the configuration files were actually implemented on the switch.
Quick Steps for Applying Configuration Files
Setting a File for Immediate Application
In this example, the configuration file configfile_1 exists on the switch in the /flash directory. When these steps are followed, the file is immediately applied to the switch.
1 Verify that there are no timer sessions pending on the switch.
Note. Optional. To verify that the switch received this configuration apply request, enter the show configuration status command. The display is similar to the one shown here.
-> show configuration status
File configuration
Configuration Files Overview
Instead of using CLI commands entered at a workstation, you can configure the switch using an ASCII-based text file. You may type CLI commands directly into a text document to create a configuration file that will reside in your switch’s /flash directory.
Cancelling a Timed Session
You may cancel a pending timed session by using the configuration cancel command. To confirm that your timer session has been cancelled, use the show configuration status command. The following will display.
In this example, the proposed asc.1.snap configuration file contains three errors. As with the configuration apply command, an error file (.err) is automatically generated by the switch whenever an error is detected. By default, this file is placed in the root /flash directory. If a configuration file is located in another directory, be sure to specify the full path. For example:
-> configuration syntax check /flash/working/asc.1.
Creating Snapshot Configuration Files
You can generate a list of configurations currently running on the switch by using the configuration snapshot command. A snapshot is a text file that lists commands issued to the switch during the current login session.
Note. A user must have read and write permission for the configuration family of commands to generate a snapshot file for those commands.
User-Defined Naming Options
When the snapshot syntax does not include a file name, the snapshot file is created using the default file name asc.n.snap. Here, the n character holds the place of a number indicating the order in which the snapshot file name is generated. For example, the following syntax may generate a file named asc.1.snap.
! OSPF :
! BGP :
! IP multicast :
! IPv6 :
! RIPng :
! Health monitor :
! Interface :
! Link Aggregate :
! VLAN AGG:
! 802.
Verifying File Configuration
You can verify the content and the status of the switch’s configuration files with the commands listed in the following table.
show configuration status: Displays whether there is a pending timer session scheduled for a configuration file and indicates whether the running configuration and the saved configuration files are identical or different.
7 Managing Switch User Accounts
Switch user accounts may be set up locally on the switch for users to log into and manage the switch. The accounts specify login information (combinations of usernames and passwords) and privileges. The switch has several interfaces (e.g. console, Telnet, HTTP, FTP) through which users may access the switch. The switch may be set up to allow or deny access through any of these interfaces.
User Database Specifications
Platforms Supported: OmniSwitch 10K, 6900
Maximum number of alphanumeric characters in a username: 63
Maximum number of alphanumeric characters in a user password: 30
Maximum number of local user accounts: 50
User Account Defaults
• Two user accounts are available on the switch by default: admin and default.
• Global user account lockout defaults are as follows:
Parameter Description | Command | Default
Length of time during which failed login attempts are counted. | user lockout-window | 0—failed login attempts are never aged out.
Length of time a user account remains locked out of the switch before the account is automatically unlocked.
Overview of User Accounts
A user account includes a login name, password, and user privileges. These privileges determine whether the user has read or write access to the switch and which command domains and command families the user is authorized to execute on the switch. The designation of particular command domains or command families for user access is sometimes referred to as partitioned management.
• Privileges—The user’s read and write access to command domains and families. See “Configuring Privileges for a User” on page 7-15 for more details.
• SNMP access—Whether or not the user is permitted to manage the switch via SNMP. See “Setting Up SNMP Access for a User Account” on page 7-16 for more details.
Typically, options for the user are configured at the same time the user is created.
Quick Steps for Network Administrator User Accounts
1 Configure the user with the relevant username and password. For example, to create a user called thomas with a password of techpubs, enter the following:
-> user thomas password techpubs
For information about creating a user and setting up a password, see “Creating a User” on page 7-8.
Default User Settings
The default user account on the switch is used for storing new user defaults for privileges and profile information. This account does not include a password and cannot be used to log into the switch. At the first switch startup, the default user account is configured for:
• No read or write access.
• No SNMP access.
Note. Password settings configured through the user password-policy commands are not automatically saved to the switch configuration.
Creating a User
To create a new user, enter the user command with the desired username and password. Use the password keyword. For example:
-> user thomas password techpubs
In this example, a user account with a user name of thomas and a password of techpubs is stored in the local user database.
Note.
3 Enter the desired password. The system then displays a prompt to verify the password.
-> password
enter old password:********
enter new password: *********
reenter new password:
4 Enter the password again.
-> password
enter old password:********
enter new password: *********
reenter new password: *********
->
The password is now reset for the current user. At the next switch login, the user must enter the new password.
Configuring Password Policy Settings
The global password policy settings for the switch define the following requirements that are applied to all user accounts:
• Minimum password size.
• Whether or not the password can contain the username.
• The minimum number of uppercase characters required in a password.
• The minimum number of lowercase characters required in a password.
• The minimum number of base-10 digits required in a password.
Configuring Password Character Requirements
The character requirements specified in the global password policy determine the minimum number of uppercase, lowercase, non-alphanumeric, and base-10 digit characters required in all passwords. These requirements are configured using the following user password-policy commands:
Command Configures ...
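The password-policy requirements listed above (minimum size, no username in the password, and minimum uppercase, lowercase, non-alphanumeric and base-10 digit counts) are easy to get subtly wrong when enforced by hand, so the following added example, which is not AOS code, checks a candidate password against all of them at once and reports every requirement it misses. The policy values and the case-insensitive username comparison are assumptions of this model, not the switch defaults.

```python
"""Added example: a checker for the six global password-policy requirements
described above. Models the documented rules; it is not AOS code. The policy
values below are constructed for illustration, not the switch defaults."""
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_size: int = 8                      # minimum password length
    cannot_contain_username: bool = True   # reject passwords containing the username
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_nonalpha: int = 1                  # non-alphanumeric characters
    min_digits: int = 1                    # base-10 digits 0-9


def check_password(policy: PasswordPolicy, username: str, password: str) -> List[str]:
    """Return the names of every requirement the candidate password violates.

    An empty list means the password satisfies the policy. The username test
    is case-insensitive here; that is a modelling assumption, the guide does
    not say how the switch compares the two strings.
    """
    violations: List[str] = []
    if len(password) < policy.min_size:
        violations.append("min-size")
    if (policy.cannot_contain_username and username
            and username.lower() in password.lower()):
        violations.append("cannot-contain-username")
    counts = {
        "min-uppercase": (sum(c.isupper() for c in password), policy.min_uppercase),
        "min-lowercase": (sum(c.islower() for c in password), policy.min_lowercase),
        "min-nonalpha": (sum(not c.isalnum() for c in password), policy.min_nonalpha),
        "min-digits": (sum(c in string.digits for c in password), policy.min_digits),
    }
    for name, (have, need) in counts.items():
        if have < need:
            violations.append(name)
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    # "thomas"/"techpubs" and "bert" are the account values used in the guide's
    # examples; the other two passwords are constructed.
    for user, pwd in [("thomas", "techpubs"), ("thomas", "Thomas#2015"), ("bert", "Rz7#kq2Lx")]:
        print(f"{user}/{pwd!r}: {check_password(policy, user, pwd) or 'accepted'}")
```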
Specific User Password Expiration
To set password expiration for an individual user, use the user command with the expiration keyword and the desired number of days or an expiration date. For example:
-> user bert password techpubs expiration 5
This command gives user bert a password expiration of five days. To set a specific date for password expiration, include the date in mm/dd/yyyy hh:mm format.
Configuring Global User Lockout Settings
The following user lockout settings configured for the switch apply to all user accounts:
• Lockout window—the length of time a failed login attempt is aged before it is no longer counted as a failed attempt.
• Lockout threshold—the number of failed login attempts allowed within a given lockout window period of time.
By default, the lockout threshold number is set to 0; this means that there is no limit to the number of failed login attempts allowed, even if a lockout window time period exists. To configure a lockout threshold number, use the user lockout-threshold command.
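The interplay of lockout window, lockout threshold and lockout duration is what decides whether a run of failed logins locks an account, so the following added example, which is not AOS code, models those three settings with the semantics stated above (window 0 means failures are never aged out; threshold 0 means no limit). The lock-on-reaching-threshold rule, the meaning of duration 0 and the minute-based timestamps are assumptions of this model.

```python
"""Added example: a model of the global user lockout settings described above
(lockout window, lockout threshold, lockout duration). Follows the guide's
semantics for window 0 and threshold 0; everything else is a modelling
assumption and this is not AOS code. Times are whole minutes from an
arbitrary start."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    window_min: int    # 0 => failed attempts are never aged out (guide default)
    threshold: int     # 0 => unlimited failed attempts, never locks (guide default)
    duration_min: int  # assumed: 0 => stays locked until an administrator unlocks it


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # minute stamps of failed logins
    locked_at: Optional[int] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        """True while the account is locked; auto-unlocks once the duration has elapsed."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration_min > 0 and now - st.locked_at >= self.policy.duration_min:
            st.locked_at = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: int) -> bool:
        """Register a failed login at minute `now`; return True if the account is locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        st.failures.append(now)
        if self.policy.window_min > 0:
            # Age out failures that fall outside the lockout window.
            st.failures = [t for t in st.failures if now - t < self.policy.window_min]
        # Assumption: the account locks when the count reaches the threshold.
        if self.policy.threshold > 0 and len(st.failures) >= self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: int) -> bool:
        """Register a successful authentication; False means the login is refused (locked)."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator: clears the lock and the failure history."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    # Constructed scenario: 3 failures within 5 minutes lock the account for 10 minutes.
    t = LockoutTracker(LockoutPolicy(window_min=5, threshold=3, duration_min=10))
    for minute in (0, 10, 11, 12):
        print(f"minute {minute:2d}: failure -> locked={t.record_failure('thomas', minute)}")
    print("minute 21: login allowed?", t.record_success("thomas", 21))
    print("minute 22: login allowed?", t.record_success("thomas", 22))
```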
Configuring Privileges for a User
To configure privileges for a user, enter the user command with the read-only or read-write option and the desired CLI command domain names or command family names. The read-only option provides access to show commands; the read-write option provides access to configuration commands and show commands. Command families are subsets of command domains.
Setting Up SNMP Access for a User Account
By default, users can access the switch based on the SNMP setting specified for the default user account. The user command, however, may be used to configure SNMP access for a particular user. SNMP access may be configured without authentication and encryption required (supported by SNMPv1, SNMPv2, or SNMPv3).
For this user, if the SNMP community map mode is enabled (the default), the SNMP community map must include a mapping for this user to a community string. In this example, the community string is our_group:
-> snmp community-map our_group user thomas
In addition, the global SNMP security level on the switch must allow non-authenticated SNMP frames through the switch.
Multiple User Sessions
Several CLI commands give you information about user sessions that are currently operating on the OmniSwitch, including your own session. These commands allow you to list the number and types of sessions that are currently running on the switch. You can also terminate another session, provided you have administrative privileges.
Listing Other User Sessions
The who command displays all users currently logged into the OmniSwitch.
Listing Your Current Login Session
In order to list information about your current login session, you may either use the who command and identify your login by your IP address, or you may enter the whoami command. The following will display:
-> whoami
Session number = 4
User name = admin,
Access type = telnet,
Access port = NI,
IP address = 148.211.11.
Verifying the User Configuration
To display information about user accounts configured locally in the user database, use the show commands listed here:
show user: Displays information about all users or a particular user configured in the local user database on the switch.
show user password-policy: Displays the minimum number of characters that are required for a user password.
8 Managing Switch Security
Switch security is provided on the switch for all available management interfaces. The switch may be set up to allow or deny access through any of these interfaces.
In This Chapter
This chapter describes how to set up switch management interfaces through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch AOS Release 7 CLI Reference Guide.
Switch Security Defaults
Access to managing the switch is always available for the admin user through the console port, even if management access to the console port is disabled for other users.
Switch Security Overview
Switch security features increase the security of the basic switch login process by allowing management only through particular interfaces for users with particular privileges. Login information and privileges may be stored on the switch and/or an external server, depending on the type of external server you are using and how you configure switch access.
Authenticated Switch Access
Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With authenticated access, all switch login attempts require authentication via the local user database or via a third-party server. This section describes how to configure management interfaces for authenticated access as well as how to specify external servers that the switch can poll for login information.
Interaction With the User Database
By default, switch management users may be authenticated through the console port via the local user database. If external servers are configured for other management interfaces (such as Telnet or HTTP) but the servers become unavailable, the switch polls the local user database for login information.
Configuring Authenticated Switch Access
Setting up Authenticated Switch Access involves the following general steps:
1 Set Up the Authentication Servers. This procedure is described briefly in this chapter. See the “Managing Authentication Servers” chapter of the OmniSwitch AOS Release 7 Network Configuration Guide for complete details.
2 Set Up the Local User Database.
Quick Steps for Setting Up ASA
1 If the local user database is used for user login information, set up user accounts through the user command. In this example, user privileges are configured:
-> user thomas password mypassword read-write all
2 If an external RADIUS or LDAP server is used for user login information, use the aaa radius-server or aaa tacacs+-server commands to configure the switch to communicate with these servers.
The order of the server names is important here as well. In this example, the switch will use ldap2 for logging switch access sessions. If ldap2 becomes unavailable, the switch will use the local Switch Logging facility. For more information about Switch Logging, see the OmniSwitch AOS Release 7 Network Configuration Guide.
Note. To verify the switch access setup, enter the show aaa authentication command.
Setting Up Management Interfaces for ASA
By default, authenticated access is available through the console port. Access through other management interfaces is disabled. This chapter describes how to set up access for management interfaces. For more details about particular management interfaces and how they are used, see Chapter 2, “Logging Into the Switch.
FTP access is now denied on the switch.
Note. The admin user always has switch access through the console port even if access is denied through the console port.
To remove a server from the authenticated switch access configuration, enter the aaa authentication command with the relevant server name(s) and leave out the names of any servers you want to remove.
Configuring Accounting for ASA
Accounting servers track network resources such as time, packets, bytes, etc., and user activity (when a user logs in and out, how many login attempts were made, session length, etc.). The accounting servers may be located anywhere in the network. Note the following:
• The servers may be different types.
Verifying the ASA Configuration
To display information about management interfaces used for Authenticated Switch Access, use the show commands listed here:
show aaa authentication: Displays information about the current authenticated switch session.
show aaa accounting: Displays information about accounting servers configured for Authenticated Switch Access or Authenticated VLANs.
9 Using WebView
The switch can be monitored and configured using WebView, Alcatel-Lucent’s web-based device management tool.
WebView CLI Defaults
Web Management Command Line Interface (CLI) commands allow you to enable/disable WebView, enable/disable Secure Socket Layer (SSL), and view basic WebView parameters. These configuration options are also available in WebView. The following table lists the defaults for WebView configuration.
WebView CLI Commands
The following configuration options can be performed using the CLI. These configuration options are also available in WebView, but changing the web server port or secured port may only be done through the CLI (or SNMP).
Enabling/Disabling WebView
WebView is enabled on the switch by default. If necessary, use the webview server and webview access commands to enable/disable WebView.
Quick Steps for Setting Up WebView
1 Make sure you have an Ethernet connection to the switch.
2 Configure switch management for HTTP using the aaa authentication command. Enter the command, the port type that you are authenticating (http), and the name of an external or local server that is being used for authentication.
WebView Overview
[Figure: WebView Chassis Home Page, with the Banner, Toolbar, Configuration Group and Configuration Feature areas labelled]
Banner
The banner provides quick access to common tasks such as setting options, saving the switch configuration and using telnet to access the switch.
Toolbar
Switch configuration is divided into configuration groups in the toolbar (for example, Physical, Layer 2, etc.). Under each configuration group are switch features, identified by a name and an icon.
10 Using SNMP
The Simple Network Management Protocol (SNMP) is an application-layer protocol that allows communication between SNMP managers and SNMP agents on an IPv4 as well as on an IPv6 network. Network administrators use SNMP to monitor network performance and to manage network resources.

In This Chapter
This chapter describes SNMP and how to use it through the Command Line Interface (CLI).

SNMP Specifications
The following table lists specifications for the SNMP protocol.

SNMP Defaults
The following table describes the default values of the SNMP protocol parameters.

Parameter Description                         | Command               | Default Value/Comments
SNMP Management Station                       | snmp station          | UDP port 162, SNMPv3, Enabled
Community Strings                             | snmp community-map    | Enabled
SNMP Security setting                         | snmp security         | Privacy all (highest) security
Trap filtering                                | snmp-trap filter-ip   | Disabled
Trap Absorption                               | snmp-trap absorption  | Enabled
Enables the forwarding of traps to WebView.   |                       |

Quick Steps for Setting Up An SNMP Management Station
An SNMP Network Management Station (NMS) is a workstation configured to receive SNMP traps from the switch. To set up an SNMP NMS by using the switch’s CLI, proceed as follows:
1 Specify the user account name and the authentication type for that user.

Quick Steps for Setting Up Trap Filters
You can filter traps by limiting user access to trap command families. You can also filter according to individual traps.

Filtering by Trap Families
The following example creates a new user account. This account is granted read-only privileges to three CLI command families (snmp, chassis, and interface). Read-only privileges are withheld from all other command families.

Filtering by Individual Traps
The following example enables trap filtering for the coldstart, warmstart, linkup, and linkdown traps. The identification numbers for these traps are 0, 1, 2, and 3. When trap filtering is enabled, these traps are filtered, meaning that the switch does not pass them through to the SNMP management station. All other traps are passed through.
SNMP Overview
SNMP provides an industry-standard communications model used by network administrators to manage and monitor their network devices. The SNMP model defines two components, the SNMP Manager and the SNMP Agent.
[Figure: SNMP Network Model, showing the SNMP Manager on a Network Management Station and the SNMP Agent on an OmniSwitch]
• The SNMP Manager resides on a workstation hosting the management application. It can query agents by using SNMP operations.

Using SNMP for Switch Management
The Alcatel-Lucent switch can be configured using the Command Line Interface (CLI), SNMP, or the WebView device management tool. When configuring the switch by using SNMP, an NMS application (such as Alcatel-Lucent’s OmniVista or HP OpenView) is used. Although MIB browsers vary depending on which software package is used, they all have a few things in common.

The community string security standard offers minimal security and is generally insufficient for networks where the need for security is high. Although SNMPv1 lacks bulk message retrieval capabilities and security features, it is widely used and is a de facto standard in the Internet environment.

SNMPv2
SNMPv2 is a later version of the SNMP protocol. It uses the same Get, Set, GetNext, and Trap operations as SNMPv1 and supports the same community-based security standard.

Using SNMP For Switch Security
Community Strings (SNMPv1 and SNMPv2)
The switch supports the SNMPv1 and SNMPv2c community string security standard. When a community string is carried in an incoming SNMP request, it must match a user account name listed in the community string database on the switch. Otherwise, the SNMP request is not processed by the SNMP agent in the switch.

Encryption and Authentication (SNMPv3)
Two important processes are used to verify that the message contents have not been altered and that the source of the message is authentic: encryption and authentication. A typical data encryption process requires an encryption algorithm on both ends of the transmission and a secret key (like a code or a password).

Setting SNMP Security
By default, the switch is set to “privacy all”, which means the switch accepts only authenticated and encrypted SNMPv3 Sets, Gets, and Get-Nexts. You can configure different levels of SNMP security by entering snmp security followed by the command parameter for the desired security level.
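The following is an added example, not code from this guide or from Alcatel-Lucent. It models the snmp security decision as a policy check that can be run over a list of request descriptors, so that an administrator can see in advance which management stations would be refused before lowering the level. Only the default level, “privacy all”, is described on this page (authenticated and encrypted SNMPv3 Gets, Get-Nexts and Sets only). The other level names and their rules in the LEVELS table are assumptions drawn from the AOS CLI reference and must be verified against the release in use; the request samples are constructed.

```python
"""Added example (not from the OmniSwitch guide): check which incoming SNMP
requests a given `snmp security` level admits.

"privacy all" follows this page. The remaining level names and rules are
ASSUMED from the AOS CLI reference; verify them against your release.
"""
from dataclasses import dataclass

# Protection a request carries as the agent sees it. Community-string
# requests (v1/v2c) and SNMPv3 noAuthNoPriv carry none; authNoPriv is
# authenticated; authPriv is authenticated and encrypted.
NONE, AUTH, PRIV = 0, 1, 2

# Minimum protection required for reads (Get/GetNext/GetBulk) and for Set.
# None means the operation is never accepted at that level.
LEVELS = {
    "no security":        {"get": NONE, "set": NONE},  # assumed
    "authentication set": {"get": NONE, "set": AUTH},  # assumed
    "authentication all": {"get": AUTH, "set": AUTH},  # assumed
    "privacy set":        {"get": AUTH, "set": PRIV},  # assumed
    "privacy all":        {"get": PRIV, "set": PRIV},  # default, from this page
    "trap only":          {"get": None, "set": None},  # assumed
}


@dataclass(frozen=True)
class Request:
    source: str          # management station address (constructed sample)
    version: str         # "v1", "v2c" or "v3"
    op: str              # "get", "getnext", "getbulk" or "set"
    auth: bool = False   # SNMPv3 message authenticated
    priv: bool = False   # SNMPv3 message encrypted

    def strength(self) -> int:
        if self.version != "v3":
            return NONE  # a community string is not authentication
        if self.priv:
            return PRIV
        return AUTH if self.auth else NONE


def accepted(req: Request, level: str = "privacy all") -> bool:
    """True if an agent set to `level` would process `req`."""
    kind = "set" if req.op == "set" else "get"
    required = LEVELS[level][kind]
    if required is None:
        return False
    return req.strength() >= required


def audit(requests, level="privacy all"):
    """Return the requests `level` rejects. Rejected SNMPv3 requests are the
    ones the authentication trap described later in this chapter reports."""
    return [r for r in requests if not accepted(r, level)]


# Constructed sample traffic for a walk-through.
SAMPLE = [
    Request("10.0.0.5", "v2c", "get"),
    Request("10.0.0.5", "v2c", "set"),
    Request("10.0.0.9", "v3", "get", auth=True),
    Request("10.0.0.9", "v3", "set", auth=True, priv=True),
]

if __name__ == "__main__":
    for lvl in LEVELS:
        rejected = audit(SAMPLE, lvl)
        print(f"{lvl:20s} rejects {len(rejected)} of {len(SAMPLE)}:",
              [f"{r.source} {r.version} {r.op}" for r in rejected])
```

Under the default, three of the four sample requests are refused: both community-string requests and the authenticated-but-unencrypted SNMPv3 Get; only the authPriv Set passes. Running the audit before changing the level shows exactly which stations have to be upgraded to SNMPv3 with privacy instead of weakening the switch.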
Working with SNMP Traps
The SNMP agent in the switch can send traps to the management station; the management station does not have to request them. Traps are messages alerting the SNMP manager to a condition on the network. A trap message is sent via a PDU issued from the switch’s network management agent to alert the management station to some event or condition on the switch.

Authentication Trap
The authentication trap is sent when an SNMP authentication failure is detected. This trap is a signal to the management station that the switch received a message from an unauthorized protocol entity. This normally means that a network entity attempted an operation on the switch for which it had insufficient authorization. When the SNMP authentication trap is enabled, the switch forwards a trap to the management station.

SNMP MIB Information
MIB Tables
You can display MIB tables and their corresponding command families by using the show snmp mibfamily command. The MIB table identifies the MIB identification number, the MIB table name and the command family. If a command family is not valid for the entire MIB table, the command family is displayed on a per-object basis. For a list and description of system MIBs and traps, refer to the “SNMP Trap Information” section.

Verifying the SNMP Configuration
To display information about SNMP management stations, trap management, community strings, and security, use the show commands listed in the following table.

show snmp station | Displays current SNMP station information including IP address, UDP port number, Enabled/Disabled status, SNMP version, and user account names.
11 Web Services, CLI Scripting and OpenFlow
The Web Services feature provides the ability to customize and extend the management interface on AOS devices. It supports the use of CLI scripting in AOS as well as a REST-based 'web' interface that interacts with AOS management variables (MIB) and CLI commands. It provides two methods for configuration, either the direct handling of MIB variables or the use of CLI commands, and supports both XML and JSON response formats.

Web Services Specifications
The following table lists specifications for Web Services.

Platforms Supported            | OmniSwitch 10K, 6900
Configuration Methods          | HTTP/HTTPS; Python API
Response Formats               | Extensible Markup Language (XML); JavaScript Object Notation (JSON)
Maximum Web Services Sessions  | 4
Alcatel-Lucent Example Python  | consumer.py (Python version 2.X/3.

Web Services Overview
• Named Resources: all resources are named using a Uniform Resource Identifier (URI). Their location is defined using a complete URL. No URL is to be manually recreated client-side based on previous assumptions. All URLs are assumed to be canonical.

HTTPS is encrypted and HTTP is clear-text.
Server address[:port] - the IP address typically used to access the switch’s WebView interface. If the listening port was changed, the port number should be appended after ':'. The combination of Protocol + Server address[:port] constitutes the Web Service's endpoint.
Domain - This is the first element the AOS REST web service will look at.

Web Services REST Examples
All requests are performed through a URL built in accordance with the principles of REST. The following elements are used to build the REST URL.
Query Structure
• Endpoint: ://
• Unified Syntax: // ..
JSON or XML
The response format can be returned in either JSON or XML.
GET https://192.168.1.
Login Example
This REST example logs a user into the switch.
Domain: auth
URN: -
Verb: GET
Variables: username, password
REST URL:
GET https://192.168.1.1/auth/?&username=admin&password=switch
Example Success Response (JSON):
{"result":{
 "domain":"auth (login)",
 "diag":200,
 "error":"",
 "output":"",
 "data":[]}}

Logout Example
This REST example logs a user out of the switch.
Domain: auth
URN: -
Verb: GET
Variables: -
REST URL:
GET https://192.168.1.1/auth/?
Example Success Response (JSON):
{"result":{
 "domain":"auth (logout)",
 "diag":200,
 "error":"",
 "output":"",
 "data":[]}}

Create Table Entry Example - VLAN
The following REST example creates a new VLAN using MIB objects.
Domain: mib
URN: vlanTable
Verb: PUT
REST URL:
PUT https://192.168.1.1/mib/vlanTable?mibObject0=vlanNumber:2&mibObject1=vlanDescription:VLAN-2
Example Success Response (JSON):
{"result":{
 "domain":"mib:vlanTable",
 "diag":200,
 "output":"",
 "error":[ "Set operation finished successfully!"],
 "data":[]}}

Create Table Entry Example - IP Interface
The following REST example creates an IP interface using MIB objects.
Domain: mib
URN: alaIpItfConfigTable and alaIpInterface
Verb: PUT
REST URL:
PUT https://192.168.1.1/mib/alaIpItfConfigTable?mibObject1=alaIpItfConfigName:my_new_interface2&mibObject0=alaIpItfConfigIfIndex:0
POST Request:
[https://192.168.1.1/mib/alaIpInterfaceTable?]mibObject1=alaIpInterfaceAddress:2.1.1.

Modify Table Entry Example - VLAN
The following REST example modifies the VLAN description for an existing VLAN using MIB objects.
Domain: mib
URN: vlanTable
Verb: POST
Variables: mibObject0, mibObject1
REST URL:
POST https://192.168.1.

Modify Table Entry Example - Interface Speed
The following REST example modifies the interface speed for a port using MIB objects.
Domain: mib
URN: esmConfigTable
Verb: POST
Variables: mibObject0, mibObject1
REST URL:
POST Request: https://192.168.1.

Delete Table Entry Example
The following REST example deletes an existing VLAN using MIB objects.
Domain: mib
URN: vlanTable
Verb: DELETE
REST URL:
DELETE https://192.168.1.1/mib/vlanTable?mibObject1=vlanNumber:2
Example Success Response (JSON):
{"result":{
 "domain":"mib:vlanTable",
 "diag":200,
 "output":"",
 "error":[ "Set operation finished successfully!"],
 "data":[]}}

Query Table Info Example
The following REST example queries the VLAN table for an existing VLAN using MIB objects.
Domain: info
URN: vlanTable
Verb: GET
REST URL:
GET https://192.168.1.1/info/vlanTable?
Example Success Response (JSON):
{"result":{
 "domain":"info",
 "diag":200,
 "output":"",
 "error":"",
 "data":{
  "table":"vlanTable",
  "type":"Table",
  "rowstatus":"vlanStatus",

CLI Example
The following REST example returns the output of the ‘show vlan’ command using the CLI.
Domain: cli
URN: aos
Verb: GET
REST URL:
GET https://192.168.1.
Using Python
Python is an easy-to-learn, powerful, general-purpose scripting language. It combines easily readable code with an object-oriented programming approach for fast and easy development on many platforms. Additional information on Python as well as installation instructions can be found on the Python website: http://www.python.org.

            'mibObject2':'chasEntTempDangerThreshold'})['result']
    if api.success():
        return results['data']['rows']
    else:
        raise HTTPError("Bad Diag: %d" % api.

Python APIs - Quick Reference
AOSAPI (AOSConnection connection)
Connection is an AOSConnection object being injected into AOSAPI. The client implementer can write their own connection class and use it instead.
Methods
login() Invoke this method to log in to the Web Service. A cookie will be created.
logout() Invoke this method to log out from the Web Service. If a cookie exists, it will be destroyed.
success() This method returns true if the previous operation succeeded. It is a convenience method that will evolve to support all success codes returned by future versions of the AOS API.
diag() This method can be used to retrieve a specific error code delivered by the Web Service Producer.

AOSHeaders(Dict config)
config A dictionary that contains the current configuration: if config['json'] is True, then a mime-type of vnd.alcatellucentaos+json will be requested; if it is False, then vnd.alcatellucentaos+xml will be requested; config['api'] is used to specify a given version of the API.
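The following added example ties the REST examples above to the Python quick reference. It is not the guide's consumer.py and not the AOSAPI, AOSConnection or AOSHeaders classes; it is an offline model of the URL structure (endpoint/domain/urn?variables) and of the {"result": {...}} response envelope shown on this page, with the same success()/diag() convention (diag 200 means success). The endpoint 192.168.1.1 and the admin/switch credentials are the page's own placeholders, the failure response is constructed, and nothing here sends traffic. It also adds a redaction helper, because the login example carries the password as a GET query variable and a raw request line in a web server, proxy or client log would therefore contain it.

```python
"""Added example (not the guide's consumer.py or AOSAPI classes): build AOS
Web Services URLs, decode the response envelope, and redact credential
variables before logging a URL. Runs entirely offline."""
import json
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl


class AOSResult:
    """One decoded response, with the success()/diag() helpers the quick
    reference describes for the AOSAPI class."""

    def __init__(self, body: str):
        self.result = json.loads(body)["result"]

    def diag(self) -> int:
        return int(self.result["diag"])

    def success(self) -> bool:
        return self.diag() == 200

    def errors(self) -> list:
        # The page prints "error" both as a string ("") and as a list of
        # strings; normalise to a list so callers treat it uniformly.
        err = self.result.get("error", "")
        if isinstance(err, str):
            return [err] if err else []
        return list(err)


def mib_objects(**objects) -> dict:
    """Turn vlanNumber=2, vlanDescription='VLAN-2' into the numbered
    mibObjectN=name:value variables the mib domain expects."""
    return {f"mibObject{i}": f"{name}:{value}"
            for i, (name, value) in enumerate(objects.items())}


def build_url(endpoint: str, domain: str, urn: str = "", **variables) -> str:
    """Compose endpoint/domain/urn?variables. ':' is left unescaped because
    the mib domain uses it to separate object name and value."""
    url = f"{endpoint.rstrip('/')}/{domain}/{urn}"
    return f"{url}?{urlencode(variables, safe=':')}"


def create_vlan_url(endpoint: str, number: int, description: str) -> str:
    """The page's 'Create Table Entry Example - VLAN' URL, built from parts."""
    return build_url(endpoint, "mib", "vlanTable",
                     **mib_objects(vlanNumber=number, vlanDescription=description))


SENSITIVE = {"password"}


def redact_url(url: str) -> str:
    """Mask credential query variables before a URL is written to a log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe=':')))


# Responses as printed on this page (login and VLAN create), plus one
# constructed failure so the success check has something to reject.
LOGIN_OK = ('{"result":{"domain":"auth (login)","diag":200,'
            '"error":"","output":"","data":[]}}')
VLAN_OK = ('{"result":{"domain":"mib:vlanTable","diag":200,"output":"",'
           '"error":["Set operation finished successfully!"],"data":[]}}')
VLAN_FAIL = ('{"result":{"domain":"mib:vlanTable","diag":400,"output":"",'
             '"error":["constructed sample: set operation failed"],"data":[]}}')

if __name__ == "__main__":
    print("PUT", create_vlan_url("https://192.168.1.1", 2, "VLAN-2"))
    for body in (LOGIN_OK, VLAN_OK, VLAN_FAIL):
        r = AOSResult(body)
        print(r.diag(), "ok" if r.success() else "failed", r.errors())
    print(redact_url("https://192.168.1.1/auth/?&username=admin&password=switch"))
```

Note that success() tests diag alone: the VLAN create response reports diag 200 while its "error" field holds the text "Set operation finished successfully!", so a client that treats a non-empty "error" as failure would misread a successful Set. Use HTTPS endpoints only, since the same query variables travel in clear text over HTTP.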
CLI Scripting
The AOS CLI relies on Bash scripting, so it can be leveraged for creating CLI scripts without the need for an external tool. This Bash-based CLI allows users to perform high-level scripting work if necessary, as in the example below. The example is a simple script that creates multiple, non-contiguous VLANs through the use of loops and variables.

Variables and functions
Variables
The asterisk character ('*') and the question mark have very specific meanings in Bash. The asterisk character can be used to replace an arbitrary number of characters of a command with a file name. This file needs to be referenced in a way that lets Bash find it. For instance, the following lists all the files found in the current directory that begin with the letter 'a' and end with the letter 'c'.

function myvlans() {
    if [ $# -lt 1 ]; then
        echo "Please provide a parameter"
    else
        vlan $1
    fi
}
-> myvlans
This displays an error message because $#, which represents the number of arguments that were passed to the function, is less than ("-lt") one. Shift can be used to cycle through a parameter list so that multiple parameters can be used with a function. The example below creates each VLAN using the "vlan" command.

The $_ represents the most recently used parameter. For instance, the following results in VLAN 5 being created and then deleted:
vlan 5
no vlan $_

Adding user interaction
To enhance a function even further, user interaction can be added.

Dest Address        Gateway Addr        Age        Protocol
------------------+-------------------+----------+----------
1.1.1.1/32          +10.1.12.1          02:19:54   OSPF
                    +10.2.12.1          02:19:54   OSPF
                    +10.3.12.1          02:19:54   OSPF
                    +10.4.12.1          02:19:54   OSPF
1.1.1.2/32          10.1.22.100         02:19:54   OSPF
1.1.1.3/32          +10.11.23.3         02:19:42   OSPF
                    +10.12.23.3         02:19:54   OSPF
                    +10.13.23.3         02:19:54   OSPF
                    +10.14.23.3         02:19:42   OSPF
1.1.1.4/32          10.1.24.
Embedded Python Scripting
The OmniSwitch includes many standard Python packages to access AOS and system functions. This feature allows administrators to create Python scripts and associate them with specific traps. When the traps are generated by the switch, the pre-configured scripts are run on the switch.

-> show event-action statistics
Script Launch Type  Name                                     Last Launched         Count
------+---------------------------------------+--------------------+---------
trap                linkDown                                 2014-10-23 13:45:34   2

Python Examples in AOS
The following is a simple interactive example of how AOS can be used to execute Python commands.
-> python3
Python 3.2.2 (default, Dec 10 2014, 02:41:47) [GCC 4.8.

OpenFlow Specifications
Platforms Supported                                 | OmniSwitch 10K, 6900. Note: Not supported on OS10K-XNI-U32S module.
Modes Supported                                     | Normal; Hybrid (API)
Versions Supported                                  | 1.0; 1.3.1
Maximum number of logical switches                  | 3
Maximum number of controllers per logical switch    | 3
Maximum number of logical switches in Hybrid mode   | 1
Support for Virtual Chassis                         | Supported
OpenFlow 1.0/1.3.1 TCP port                         |

OpenFlow Agent Overview
OpenFlow is a communications interface defined between the control and forwarding layers that is used in a Software Defined Network (SDN). OpenFlow essentially separates the control plane and the data plane in the switch. Traditionally, switches and routers have made decisions on where packets should travel based on rules local to the device.

• Ethernet Source Address
• VLAN Tag / VLAN Priority
• Ethernet Type
• IPv4 or IPv6 Protocol Number
• IPv4 Source Address / IPv4 Destination Address
• TCP / UDP Source & Destination Ports
• ICMP Type / Code
• ARP Operation

Groups
Groups are a way of combining a set of activities into one action. For example, a Group could be used to represent an IP next hop with all of the associated activities (MAC change, VLAN update, etc.).

Quick Steps to Configure OpenFlow Agent
Follow the steps in this section for a quick tutorial on how to configure an OpenFlow Agent on the OmniSwitch. A logical switch in Hybrid mode does not have a VLAN or interface configured.
1 Create the logical switch and configure the mode:
-> openflow logical-switch vswitch1 mode normal version 1.3.
12 Configuring Virtual Chassis
A Virtual Chassis is a group of switches managed through a single management IP address that operates as a single bridge and router. It provides both node-level and link-level redundancy for layer 2 and layer 3 services and protocols while acting as a single device. The use of a virtual chassis provides node-level redundancy without the need to use redundancy protocols such as STP and VRRP between the edge and the aggregation/core layer.

In This Chapter
This chapter describes the basic components of a Virtual Chassis and how to configure them through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of the commands, see the OmniSwitch AOS Release 7 CLI Reference Guide.

Virtual Chassis Specifications
The table below lists specifications for dynamic aggregation groups and ports:
Platforms Supported                                        | OmniSwitch 10K, 6900
Maximum number of physical switches in a Virtual Chassis   | Note: OS10Ks and OS6900s cannot be mixed in a Virtual Chassis. Note: Different OS6900 models can be mixed in a Virtual Chassis.

Virtual Chassis Default Values
The table below lists default values for Virtual Chassis.

Quick Steps for Configuring A Virtual Chassis
Follow the steps below for a quick tutorial on configuring two switches to operate as a Virtual Chassis. Additional information on how to configure a Virtual Chassis is provided in the section “Configuring Virtual Chassis” on page 12-18. A switch running in standalone mode can be converted to a Virtual Chassis participant by using the CLI to create the required vcsetup.cfg and vcboot.

Viewing the Virtual Chassis Configuration
1 Use the show virtual-chassis topology command to check the topology of the Virtual Chassis.

Virtual Chassis Overview
Virtual Chassis is a group of switches managed through a single management IP address. It provides both node-level and link-level redundancy for both layer 2 and layer 3 protocols and services. This section describes the main topics regarding Virtual Chassis such as benefits, components, mode of operation, configuration conversion, start-up and redundancy.
(CMM) of the master chassis. This parameter is stored in the vcboot.cfg configuration file of a switch operating in virtual chassis mode. It is recommended to have both the EMP-VC IP address and the Chassis EMP IP address configured.
Chassis EMP Address - The local chassis management IP address (EMP-CHAS1 or EMP-CHAS2).

Converting chassis mode using the CLI
The following shows an example of how to convert two switches that are in standalone mode to virtual chassis mode.
• The VFL member ports configuration should reflect the switch’s current physical connections.
• The directory vc_dir can be any directory, including the working directory. By creating a separate directory specifically for virtual chassis operation, the existing working directory is not affected.

New chassis/slot/port syntax
Once the switches are operating in virtual chassis mode, all commands that relate to specific ports or NI modules must have a leading chassis identifier to differentiate between the physical ports on each switch, as seen in the example below.

License Behavior
The following table describes the behavior of a Slave chassis when attempting to join a VC based on the installed licenses. A Slave chassis must have the proper license(s) when attempting to join an existing VC. Based on the type of license installed on the Master, the Slave chassis may fail to join the existing VC or may inherit the existing licenses.

• If the primary CMM on the Master chassis fails, the secondary CMM, if available, takes over and the chassis remains the Master chassis.
• If all CMMs on the Master chassis fail, the chassis reboots and the first-in-line Slave chassis takes over, becoming the new Master chassis. The first-in-line is derived from the same election criteria that were used to select the original Master.

Note: If more than one Virtual Chassis is part of the same EMP out-of-band management network, then each Virtual Chassis MUST have a unique chassis-group ID. Otherwise the RCD protocol cannot differentiate between the two Virtual Chassis and will not operate correctly.

Split Chassis Detection - OS10K CMMs
Directly connecting the EMP ports of the CMMs on the Slave and Master switches is not a recommended method for detecting a split chassis scenario.
Virtual Chassis Topologies
This section describes the building blocks that are used to construct a more flexible network topology using the virtual chassis feature. Some example topologies for virtual chassis are given below. For more information on virtual chassis topologies, refer to the following sections.

[Figure: Virtual Chassis at the Core, showing a Data Center VC built from a stack of OmniSwitches joined by the VFL]
In the topology shown below, edge switches are connected through virtual chassis and core switches are dual attached.

Interaction with Other Features
This section contains important information about how other OmniSwitch features interact with the virtual chassis feature. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
Data Center Bridging
• Priority-based Flow Control (PFC) - To support PFC across the VFL links of a Virtual Chassis, the links have to be configured in a certain manner.
SPB
• If using an OS10K-XNI-U32 module for the VFL, it is recommended to use the OS10K-XNI-U32E instead of the OS10K-XNI-U32S if SPB is configured.

Configuring Virtual Chassis
This section describes commands to configure virtual chassis on an OmniSwitch.

Chassis Identifier
• Each switch requires a chassis identifier that is unique within the virtual chassis group topology.
• If a duplicate chassis identifier is detected within the virtual chassis group, then the chassis role is reported as inconsistent and the chassis status is Duplicate-Chassis.
• Explicitly configuring the VFL and the physical port members is required. It is recommended to configure the VFL during network maintenance time or when the virtual chassis is first configured. Changing the VFL configuration at runtime is supported but should be performed with caution, as an incorrect VFL configuration can cause undesirable disruption to traffic flows.

The virtual-chassis configured-chassis-id command is used to configure a unique chassis identifier for a switch within the virtual chassis group. For example:
-> virtual-chassis configured-chassis-id 1
By default, the chassis identifier is set to “0”. This indicates the switch is running in standalone mode, which means that no virtual chassis functionality is available.

depart from the master chassis' settings to assume the Inconsistent role and Misconfigured-Hello-Interval status. To configure the hello interval between the multi-chassis peers, use the virtual-chassis hello-interval command as shown below:
-> virtual-chassis hello-interval 10

Configuring the Control VLAN
Under normal circumstances, it is not necessary to change the control VLAN.

Configuring the Virtual Chassis EMP IP Address - Virtual Chassis Mode
Use the ip interface command to modify the Virtual Chassis EMP IP address as shown below. These commands would be issued after the virtual chassis is operational:
-> ip interface master emp address 10.255.100.100 mask 255.255.255.0
EMP-VC    10.255.100.100
EMP-CHAS1 10.255.100.1
EMP-CHAS2 10.255.100.
Virtual Chassis Configuration Example
This section provides an example of virtual chassis configuration in a network.
[Figure: VC Example Virtual Chassis Configuration, with the Master (chassis-id 1) and the Slave (chassis-id 2) joined by a VFL, and a LAG to the rest of the network]

Chassis_1-> virtual-chassis configured-chassis-id 1
Chassis_1-> virtual-chassis vf-link 0 create
Chassis_1-> virtual-chassis vf-link 0 member-port 1/24-25
Chassis_1-> ip interface local emp address 10.

VC_Core-> vlan 100
VC_Core-> vlan 200
VC_Core-> ip interface vlan-100 address 100.100.100.1/24 vlan 100
VC_Core-> ip interface vlan-200 address 200.200.200.

Virtual Chassis Mesh VFL Configuration Example 1
[Figure: Virtual Chassis Mesh VFL Configuration Example 1, showing the chassis and the VFL identifiers (VFL=0 to VFL=4) with their member ports, in chassis/slot/port form, on each chassis]

Chassis_2-> virtual-chassis vf-link 0 member-port 1/7, 1/20
Chassis_2-> virtual-chassis vf-link 1 create
Chassis_2-> virtual-chassis vf-link 1 member-port 2/2
Chassis_2-> virtual-chassis vf-link 2 create
Chassis_2-> virtual-chassis vf-link 2 member-port 1/3
Chassis_2-> virtual-chassis vf-link 3 create
Chassis_2-> virtual-chassis vf-link 3 member-port 1/6
Chassis_2-> virtual-chassis vf-link 4

Chassis_6-> virtual-chassis configured-chassis-id 6
Chassis_6-> virtual-chassis vf-link 0 create
Chassis_6-> virtual-chassis vf-link 0 member-port 1/3, 2/1
Chassis_6-> virtual-chassis vf-link 1 create
Chassis_6-> virtual-chassis vf-link 1 member-port 1/8
Chassis_6-> virtual-chassis vf-link 2 create
Chassis_6-> virtual-chassis vf-link 2 member-po
Automatically Setting up a Virtual Chassis
Automatic Virtual Chassis can be used to ease the required manual configuration for a VC. The automatic VC feature allows a brand-new chassis shipped from the factory, or a chassis with no configuration, to be set up as a VC without user configuration.

to a chassis that is being upgraded from a previous release that doesn’t support automatic VFL.
• Chassis must have the same VFL mode to form a VC.
• An “out-of-the-box” chassis or a chassis with no configuration file defaults to automatic VFL mode. For this chassis to automatically join an existing VC, the existing VC must be in automatic VFL mode.

Converting Static to Automatic
After issuing the virtual-chassis vf-link-mode auto command, the VFL mode is converted from static to automatic. All existing VFLs are converted to automatic VFL ports regardless of whether the links are active or not.

virtual-chassis auto-vf-link-port 1/1/21
virtual-chassis auto-vf-link-port 1/1/22
virtual-chassis auto-vf-link-port 1/1/23
virtual-chassis auto-vf-link-port 1/1/24
virtual-chassis auto-vf-link-port 1/1/25 (this port has not become a VFL, i.e. the link is down)
After issuing the virtual-chassis vf-link-mode static command, the VFL mode is converted from auto to static.

Automatic Virtual Chassis Scenarios
Boot up with no vcsetup.cfg file
1 Since the chassis has no configuration, it begins the automatic VFL process by default.
2 The chassis creates a new vcsetup.cfg file and temporarily uses chassis ID 1 while running the discovery protocol on the default set of automatic VFL ports.

Automatic Virtual Chassis Flow
The following provides a general flow of the Automatic VC setup.
[Flowchart: Automatic Virtual Chassis Flow, with the nodes Power Up; Factory Default?; Auto VC-Mode (Auto-VFL, Auto Chassis ID, Demo License Created); Write vcsetup.cfg and vcboot.cfg (size=0); Valid License?; Standalone Mode; VC Ready?; vcsetup.cfg exists?; boot.cfg exists?; Continue to RCL and Auto Fabric]

Displaying Virtual Chassis Configuration and Status
You can use Command Line Interface (CLI) show commands to display the current configuration and status of a virtual chassis group.
13 Managing Automatic Remote Configuration Download The Automatic Remote Configuration capability automates and simplifies the deployment of large network installations eliminating the need for manual configuration of each switch. It also ensures that each switch is compliant with the centrally controlled switch configuration policies and firmware revisions.
Automatic Remote Configuration Specifications Managing Automatic Remote Configuration Download Automatic Remote Configuration Specifications Platforms Supported OmniSwitch 10K, 6900 DHCP Specifications DHCP Server required DHCP Client on OmniSwitch - VLAN 1 - Tagged VLAN 127 (all ports) - LLDP Management VLAN - Automatic LACP (tagged VLAN 127, untagged VLAN 1) File Servers TFTP FTP/SFTP Clients supported TFTP FTP/SFTP Instruction file Maximum length of: • Pathname: 255 characters • Filename: 63 c
Automatic Remote Configuration Defaults
Description: Default
Management VLAN: untagged Management VLAN, VLAN 1
DHCP broadcast VLAN: 802.1q tagged VLAN, VLAN 127
Default Auto Link Aggregate Creation: VLAN 1 (untagged) and VLAN 127 (tagged)
Nearest-edge MAC Address: 01:20:DA:02:01:73
Instruction file: Location: TFTP Server; File name: *.
Password for FTP/SFTP Server: Same as username
Quick Steps for Automatic Remote Configuration
1 Configure the DHCP server in the network to provide IP address, gateway, and TFTP server addresses to the OmniSwitch DHCP client.
2 Store the instruction file on the TFTP server.
3 Store the configuration, image, and script files on the primary and/or secondary FTP/SFTP servers.
Overview
The Automatic Remote Configuration feature provides automatic download and installation of critical configuration and image files at initial bootup or when a firmware upgrade is required for the OmniSwitch. Automatic Remote Configuration download occurs when:
• There is no bootup configuration file (vcboot.cfg) on the switch.
• During a takeover or reboot on the new Primary unit or CMM.
Network Components
The network components required for the Automatic Remote Configuration download process are:
• DHCP server (mandatory)
• TFTP file server (mandatory)
• Primary FTP/SFTP server (mandatory)
• Secondary FTP/SFTP server (optional)
• Management Switch (only required for Nearest-Edge Mode)
Information Provided by DHCP Server
When the network interfaces or ports on the switch are ready, a DHCP client is automatically configured.
File Servers and Download Process
The download process from the file servers is as follows:
1 The username required to connect to the FTP/SFTP enabled servers is provided in the instruction file. The password required to connect to the servers is the same as the username.
2 The required files mentioned in the instruction file are downloaded from the primary FTP/SFTP file server.
Because the instruction file is fetched over TFTP, which carries no authentication, and the FTP/SFTP password is simply the username it contains, anyone who can read that file holds the file server credentials. Restrict that account to read-only access to the download directory, and make sure the bootstrap VLANs (VLAN 1 and VLAN 127) only reach DHCP and TFTP servers under the operator's control, since the DHCP response decides which TFTP server and instruction file the switch uses.
Interaction With Other Features
This section contains important information about how other OmniSwitch features interact with Automatic Remote Configuration. Refer to the specific sections if required to get detailed information about the feature interaction process.
Automatic Remote Configuration Download Process
The automatic remote configuration process is initialized when an OmniSwitch is integrated into the network as a new device or when a firmware and configuration upgrade is required. If the automatic configuration download process is not performed completely on the switch, manual intervention is required.
Process Illustration
For a detailed flow chart on the RCL process see “RCL Process Illustration Flow - Chart A” on page 13-23.
Additional Process Notes
1 Once the switch obtains an IP interface from the DHCP server, remote access through SSH is automatically configured to allow remote access in case of any download errors during the Auto Configuration process. Note.
Download Component Files
This section provides the details of the files downloaded and how they are utilized during the automatic configuration process. The main component files are:
• Instruction file: the instruction file is the initial file required for the automatic remote configuration process to occur. The instruction file is stored on the TFTP server with the .alu extension.
Instruction File Syntax
The instruction file is a text file containing the following information:
Header: contains user information such as switch ID, file version, and so on. Header text is a type of comment.
Comments: comments provide additional information for better user readability. These lines are ignored during the remote configuration download process.
Instruction File Usage Guidelines
• The instruction file is case sensitive and can contain only the keywords provided in the instruction file output example.
• The keywords can be placed in any order.
• If the Keyword:Value format is incorrect, the information on that line is discarded.
• Firmware version must be provided in the format as specified in the example.
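The guidelines above describe a small line-oriented format. The following parser is an added example (not code from the guide or from AOS) that applies exactly those rules to a constructed instruction file: case-sensitive keywords from a fixed set, any order, malformed Keyword:Value lines discarded, header and comment lines ignored. The keyword names, the '!' comment marker and the firmware version pattern are assumptions, since the guide's instruction file output example is not reproduced on this page; server_credentials() shows the consequence of the password-equals-username rule.

```python
import re
from typing import Dict, List, Tuple

# Assumed for illustration: the real keyword set is the one in the guide's
# instruction file output example, which is not on this page.
ALLOWED_KEYWORDS = frozenset({
    "Firmware version", "Firmware location", "Config filename",
    "Script filename", "Primary server", "Secondary server", "User name",
})
# Assumed header/comment marker; the guide only says such lines are ignored.
COMMENT_MARKERS = ("!", "#")
# Assumed version shape (e.g. 7.3.4.319.R01); the guide says "the format
# specified in the example" without showing it here.
FIRMWARE_VERSION_RE = re.compile(r"\d+\.\d+\.\d+(\.\d+)?\.R\d{2}")


def parse_instruction_file(text: str, allowed=ALLOWED_KEYWORDS
                           ) -> Tuple[Dict[str, str], List[str]]:
    """Return (values, discarded_lines).

    Keywords are case sensitive and must be known; they may appear in any
    order; a line that is not a well-formed Keyword:Value pair is discarded;
    the firmware version must match the expected format.
    """
    values: Dict[str, str] = {}
    discarded: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_MARKERS):
            continue                                   # header / comment
        keyword, sep, value = line.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if not sep or not value or keyword not in allowed:
            discarded.append(raw)                      # no colon, empty value, wrong case, unknown keyword
            continue
        if keyword == "Firmware version" and not FIRMWARE_VERSION_RE.fullmatch(value):
            discarded.append(raw)
            continue
        values[keyword] = value
    return values, discarded


def server_credentials(values: Dict[str, str]) -> Tuple[str, str]:
    """FTP/SFTP credentials as the process derives them: the password is the
    username, so whoever can read the instruction file has both."""
    user = values["User name"]
    return user, user


# Constructed sample instruction file (not from the guide).
SAMPLE = """\
! Switch ID: edge-42 (header)
! File version: 2
Primary server:192.0.2.10
User name:rcluser
Firmware version:7.3.4.319.R01
Secondary server 192.0.2.11
primary server:192.0.2.12
Bogus:1
Config filename:edge-42.cfg
"""

if __name__ == "__main__":
    parsed, dropped = parse_instruction_file(SAMPLE)
    print(parsed)
    print("discarded:", dropped)
```

Three of the sample lines are dropped: the one without a colon, the one whose keyword has the wrong case, and the one with an unknown keyword; the rest are accepted regardless of order.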
Debug Configuration File
The debug configuration file is used for setting specific OmniSwitch settings and must only be used as directed by Service and Support. During the automatic remote configuration process, the debug configuration file is downloaded with the filename AlcatelDebug.cfg.
Script File
The script file is downloaded and stored with the same name in the /flash/working directory.
DHCP Client Auto-Configuration Process
The automatic remote configuration download feature supports the following client configuration methods to obtain an initial dynamic IP address from the DHCP server:
• DHCP client on untagged VLAN 1
• DHCP client on tagged VLAN 127
• DHCP client on LLDP tagged Management VLAN
• Auto Link Aggregate Detection
The OmniSwitch creates a DHCP Client interface on:
• the default untagged
Nearest-Edge Mode Operation
In order for the network to propagate Nearest-Edge mode LLDP PDUs, a Management Switch must be configured to send the LLDP PDUs with the Management VLAN information. Additionally, the peer switches are automatically configured to process the Nearest-Edge Mode LLDP PDU frames by the Automatic Configuration Download feature.
The Management Switch is connected to the network using an untagged interface and is configured to use the Nearest-edge Mode MAC address. LLDP is configured on the untagged port of the Management Switch so that the LLDP PDUs are sent with the Management VLAN information.
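To make the Nearest-Edge exchange concrete, here is an added example (not code from the guide or from AOS) that builds an LLDP frame addressed to the nearest-edge MAC 01:20:DA:02:01:73 from the defaults table and parses it the way a peer in Nearest-Edge mode would: only frames sent to that destination MAC yield a management VLAN, and malformed or truncated TLVs are rejected. The guide does not say which TLV carries the Management VLAN; this example assumes the IEEE 802.1 Port VLAN ID TLV, and the source MAC, port name and VLAN 200 are constructed.

```python
import struct

NEAREST_EDGE_MAC = bytes.fromhex("0120da020173")   # 01:20:DA:02:01:73 (defaults table)
STANDARD_LLDP_MAC = bytes.fromhex("0180c200000e")  # 01:80:C2:00:00:0E, the usual LLDP address
LLDP_ETHERTYPE = 0x88CC
IEEE_8021_OUI = bytes.fromhex("0080c2")
PORT_VLAN_ID_SUBTYPE = 1   # Assumption: management VLAN carried in the 802.1 Port VLAN ID TLV


def tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type, 9-bit length, followed by the value."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(dst_mac: bytes, src_mac: bytes, port_name: str,
                     mgmt_vlan: int, ttl: int = 120) -> bytes:
    """Ethernet frame with Chassis ID, Port ID, TTL, 802.1 Port VLAN ID and End TLVs."""
    lldpdu = (tlv(1, b"\x04" + src_mac)                      # chassis ID, subtype 4 = MAC address
              + tlv(2, b"\x05" + port_name.encode())        # port ID, subtype 5 = interface name
              + tlv(3, struct.pack("!H", ttl))
              + tlv(127, IEEE_8021_OUI + bytes([PORT_VLAN_ID_SUBTYPE])
                    + struct.pack("!H", mgmt_vlan))
              + tlv(0, b""))
    return dst_mac + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp_frame(frame: bytes):
    """Decode the fields a Nearest-Edge peer needs; None if the frame is malformed."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return None
    info = {"dst": frame[:6], "src": frame[6:12]}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            return None                                     # truncated TLV
        off += 2 + length
        if t == 0:
            break                                           # End of LLDPDU
        if t == 1 and len(value) > 1:
            info["chassis_id"] = value[1:]
        elif t == 2 and len(value) > 1:
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif t == 3 and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif (t == 127 and length == 6 and value[:3] == IEEE_8021_OUI
              and value[3] == PORT_VLAN_ID_SUBTYPE):
            info["port_vlan"] = struct.unpack("!H", value[4:6])[0] & 0x0FFF
    if not all(k in info for k in ("chassis_id", "port_id", "ttl")):
        return None                                         # mandatory TLVs missing
    return info


def management_vlan_from_frame(frame: bytes):
    """What a switch in Nearest-Edge mode accepts: a VLAN ID only from frames
    sent to the nearest-edge MAC; ordinary LLDP frames do not set the VLAN."""
    info = parse_lldp_frame(frame)
    if info is None or info["dst"] != NEAREST_EDGE_MAC:
        return None
    return info.get("port_vlan")


# Constructed sample (not from the guide): a management switch announcing VLAN 200.
MGMT_SWITCH_MAC = bytes.fromhex("e80011223344")
NEAREST_EDGE_FRAME = build_lldp_frame(NEAREST_EDGE_MAC, MGMT_SWITCH_MAC, "1/1/1", 200)
ORDINARY_FRAME = build_lldp_frame(STANDARD_LLDP_MAC, MGMT_SWITCH_MAC, "1/1/1", 200)

if __name__ == "__main__":
    print(management_vlan_from_frame(NEAREST_EDGE_FRAME))   # 200
    print(management_vlan_from_frame(ORDINARY_FRAME))       # None
```

The destination-MAC check is the whole point of the mode: the same TLV in a frame sent to the standard LLDP multicast address is parsed but not acted on. Nothing in LLDP authenticates the sender, so which ports are allowed to carry nearest-edge PDUs toward unconfigured switches is a network design decision, not something the receiving switch can verify.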
LACP Auto Detection and Automatic Link Aggregate Association
DHCP Server Association and DHCP Client creation work on fixed ports. When an OmniSwitch is newly introduced to a network, an assigned peer network device detects this device as new. If the peer device has a link aggregate configuration on the detecting port, then it sends LACP PDUs to the newly connected OmniSwitch.
Troubleshooting
Due to errors during download, the automatic configuration process can halt, or the file download process can be incomplete. The errors that occur during the automatic remote configuration download process are displayed on the switch command prompt and also stored in the switch log (the swlog.log file).
Error Description Table
The following table provides information on the common server connection failures and file download errors that can occur during Automatic Remote Configuration:
Error Type: User AutoConfig Abort. Error Description: Automatic Remote Config Abort received.
The following error description table provides information about some of the common script file errors that occur during Automatic Remote Configuration:
Error Type: Script File Download. Error Description: Download of Script file from Primary Server Failed; the script file cannot be downloaded from the primary server.
RCL Process Illustration Flow - Chart A, Chart B and Chart C
[Flow charts; only the decision and action labels are recoverable from the page.]
Chart A: Switch Reload → Is it a VC? (yes: wait for System Ready and Auto-VC to complete) → Is boot.cfg present? (yes: normal switch bootup, vcboot.) → VLAN 127 created; DHCP client removed from VLAN 1 and DHCP client configured on VLAN 127 → Max Retry (6) reached? (yes: RCL Aborted).
Chart B: Received VLAN ID from LLDP → DHCP clients on VLANs 1 and 127 removed; message sent to LLDP to disable Nearest Edge mode processing; VPA created for the VLAN received from LLDP; DHCP client configured on that VLAN → DHCP response received? (no, and Max Retry (6) reached: RCL Aborted) → Does the DHCP response have the TFTP server IP and file name? → Instruction file download successful? (no: RCL Aborted) → Instruction file is parsed.
Chart C: Instruction file download successful? (no: RCL Aborted) → Auto-Fabric enabled? → Is the script file downloaded? Is the config file downloaded? Is the firmware downloaded? → The existing configuration (VPA, DHCP Client IP) is removed; Auto Linkagg mode is disabled; the script file contents are executed.
14 Configuring Automatic Fabric The Automatic Fabric feature can be used to bring up an OmniSwitch by automating some of the tedious and error prone steps, such as link aggregate formation and Shortest Path Bridging (SPB) neighbor adjacency formation. Dynamic recognition of the neighboring elements allows for a quick, out-of-the-box configuration of the switch.
In This Chapter
This chapter describes the basic components of Automatic Fabric and its operation and configuration through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of the commands, see the OmniSwitch AOS Release 7 CLI Reference Guide.
Automatic Fabric Specifications
The Automatic Fabric functionality described in this chapter is supported on the OmniSwitch 10K and OmniSwitch 6900, unless otherwise stated in the following specifications table or specifically noted within any other section of this chapter.
Automatic Fabric Default Values
The following default settings are applied for the Automatic Fabric feature:
Parameter Description | Command | Default Value/Comments
Automatic Fabric administrative state | auto-fabric admin-state | enabled (if no configuration file exists)
Automatic Fabric protocols state | auto-fabric protocols | enabled
Automatic Fabric configuration save administrative state | auto-fabric config-save admin-state | disabled
Automati
Quick Steps for Configuring Automatic Fabric
The following steps provide a quick tutorial for setting up a basic Automatic Fabric configuration. This scenario applies to the default operation of a switch without a configuration file, as well as to configuring a switch with an existing configuration file.
4 To change the status of Loopback Detection on UNP SPB access ports, use the auto-fabric protocols command with the loopback-detection parameter. For example:
-> auto-fabric protocols loopback-detection admin-state disable
5 To change the Automatic Fabric discovery window time interval, use the auto-fabric discovery-interval command.
Verifying the Automatic Fabric Configuration
Use the show auto-fabric config command to check the global configuration for the Automatic Fabric feature.
Automatic Fabric Overview
The Automatic Fabric feature reduces the burden of configuration on the administrator. Dynamic recognition of the neighboring elements allows for quick, out-of-the-box configuration and reduced administrative overhead. Automatic Fabric is used to dynamically discover and configure a switch for the LACP, SPB, MVRP, and IP protocols and is supported when the switch is operating in standalone or Virtual Chassis (VC) mode.
process will start. The automatic IP protocols discovery process runs at the same time as the discovery processes for LACP, SPB, and MVRP. See “IP Protocol Discovery” on page 14-13 for more information.
Automatic Fabric Port Eligibility
The following conditions determine whether a switch port is eligible to participate in the Automatic Fabric discovery process:
• The port has no previous configuration that would prevent the port from joining a link aggregate, forming an SPB adjacency, serving as a UNP SPB access port, or enabling MVRP to run on the port.
• LACP automatic discovery will work between a configured switch and an automatic discovery enabled switch. The automatic discovery switch analyzes the LACP PDUs received from the configured switch. In this scenario, an automatic discovery switch will place all of the ports from the same switch with the same remote admin key into the same link aggregate.
• The VLAN tag value is based on the Automatic Fabric setting for an SPB SAP profile. There are two types of SPB SAP profiles available: single service and auto VLAN.
– The single service profile is used to create a SAP for untagged traffic received on a UNP SPB access port.
– The auto VLAN profile is used to create a SAP for each VLAN ID tag received on the UNP SPB access port.
• MVRP configuration learned through the Automatic Fabric process is not written to the switch configuration file. This means that dynamically learned MVRP VLANs are not saved to the switch configuration file. To retain these VLANs so that they are not lost when the switch reboots, manually convert them to static VLANs.
• All VLANs are eligible for MVRP registration, except for SPB BVLANs.
[Flow chart: automatic IP protocol configuration. Labels recoverable from the page: AF enabled? (no: AF is disabled until the user manually enables AF) → AF starts → STP changed to Flat mode → Is IP interface enabled? (no: AF stops for IP protocols) → Listen to Hello packets → Hellos received? → Protocol configured: OSPF/OSPF3 configured on the interface to match the area and timers learned from the peer; ISIS/IPv6 ISIS configured to match the Level information learned from the peer → If write memory and reload.]
• A neighbor is detected on at least one IP interface within a VRF instance.
The following events will trigger the automatic IP protocol configuration process on an IP interface:
• When an IP interface comes up and Automatic Fabric is enabled for protocol PDUs received on the interface.
• If an IP interface is already up and Automatic Fabric is enabled for protocol PDUs received on the interface.
applied to the interface, the interface does not become eligible for automatic IP configuration when the manual configuration is removed.
• The UNP SPB access port configuration resulting from the SPB discovery process is saved to the configuration file unless traffic is active on the port. For more information, see “Saving the Discovered Configuration” on page 14-26.
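The LACP discovery rule in the overview above (ports from the same remote switch carrying the same remote admin key land in one link aggregate) is easy to state but worth seeing on real PDU bytes. The following is an added example, not code from the guide or from AOS: it builds minimal LACPv1 PDUs as a configured peer would send them, extracts the remote system MAC and admin key from the actor TLV of each PDU received on a local port, groups the local ports by that pair, and rejects PDUs that are not well-formed LACP. The MAC addresses, keys and port names are constructed; the port-naming style 1/1/n is assumed.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LACP_SUBTYPE, LACP_VERSION = 1, 1
# Actor/Partner information TLV: type, length, system priority, system MAC,
# key, port priority, port number, state, 3 reserved bytes (20 bytes).
INFO_TLV = "!BBH6sHHHB3x"


def build_lacpdu(actor_system: bytes, actor_key: int, actor_port: int,
                 actor_state: int = 0x3D) -> bytes:
    """Minimal 110-byte LACPDU: subtype, version, actor, partner, collector,
    terminator, reserved. Partner fields are zero because the configured
    peer has learned nothing yet about the newly connected switch."""
    actor = struct.pack(INFO_TLV, 1, 20, 32768, actor_system, actor_key, 32768,
                        actor_port, actor_state)
    partner = struct.pack(INFO_TLV, 2, 20, 0, bytes(6), 0, 0, 0, 0)
    collector = struct.pack("!BBH12x", 3, 16, 0)
    return (bytes([LACP_SUBTYPE, LACP_VERSION]) + actor + partner + collector
            + b"\x00\x00" + bytes(50))


def parse_remote_actor(lacpdu: bytes) -> Optional[Tuple[bytes, int]]:
    """Return (remote system MAC, remote admin key) from the actor TLV, or
    None when the PDU is not a well-formed LACPv1 frame."""
    if len(lacpdu) < 22 or lacpdu[0] != LACP_SUBTYPE or lacpdu[1] != LACP_VERSION:
        return None
    tlv_type, tlv_len, _prio, system, key, _pprio, _port, _state = \
        struct.unpack(INFO_TLV, lacpdu[2:22])
    if tlv_type != 1 or tlv_len != 20:
        return None
    return system, key


def group_ports_by_partner(received: Dict[str, bytes]
                           ) -> Tuple[Dict[Tuple[str, int], List[str]], List[str]]:
    """Group local ports by (remote system MAC, remote admin key). Ports that
    share both values belong in one automatically created link aggregate.
    Returns (groups, local ports whose PDU was rejected)."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    rejected: List[str] = []
    for local_port, pdu in received.items():
        remote = parse_remote_actor(pdu)
        if remote is None:
            rejected.append(local_port)
            continue
        system, key = remote
        groups[(system.hex(":"), key)].append(local_port)
    return {k: sorted(v) for k, v in groups.items()}, sorted(rejected)


# Constructed sample (not from the guide): PDUs seen on five local ports.
CORE_A = bytes.fromhex("e80000000a01")
CORE_B = bytes.fromhex("e80000000b01")
RECEIVED = {
    "1/1/1": build_lacpdu(CORE_A, 10, 1),
    "1/1/2": build_lacpdu(CORE_A, 10, 2),   # same switch, same key: joins 1/1/1
    "1/1/3": build_lacpdu(CORE_A, 11, 3),   # same switch, different key: separate aggregate
    "1/1/4": build_lacpdu(CORE_B, 10, 1),   # same key, different switch: separate aggregate
    "1/1/5": b"\x02\x01" + bytes(108),      # slow-protocol subtype 2 (Marker), not LACP
}

if __name__ == "__main__":
    groups, rejected = group_ports_by_partner(RECEIVED)
    for partner, ports in groups.items():
        print(partner, ports)
    print("rejected:", rejected)
```

The grouping key deliberately includes the remote system MAC: a matching admin key from a different switch must not be merged into the same aggregate, which is what the "same switch" qualifier in the overview guards against.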
Automatic Fabric Discovery Examples
This section contains the following Automatic Fabric discovery examples:
• “Automatic Fabric Configured in the Network Core” on page 14-17.
• “Manual Configuration of the Network Core for LACP, SPB, and MVRP” on page 14-18.
• “Automatic Fabric Process for Automatic IP Configuration” on page 14-19.
Manual Configuration of the Network Core for LACP, SPB, and MVRP
In this example, the network core is not configured for Automatic Fabric. The LACP, SPB, and MVRP protocols have been manually configured on the core.
[Diagram: a Virtual Chassis in the core (VC with VFL, ports 2 to 6, LAG 1) with the LACP, SPB, and MVRP protocols manually configured; no Automatic Fabric in the core; a new OS6900 with no bootup configuration file attached on port 1.]
Automatic Fabric Process for Automatic IP Configuration
When an IP interface is automatically configured for OSPF or IS-IS routing, the interface initially operates in passive mode. This means that the interface listens for Hello PDUs from neighbor switches to detect and configure OSPF neighbors or IS-IS adjacencies. The interface does not initially transmit Hello PDUs.
One Configured Level 1 Router and One Automatic Configuration Router
• The configured router transmits default Level 1 IS-IS Hello packets.
• The automatic configuration router receives IS-IS Hello packets and sends IS-IS Hello packets with the learned information.
• The configured router receives the IS-IS Hello packets and the routers become Level 1 adjacent.
Interaction with Other Features
This section contains important information about how other OmniSwitch features interact with the Automatic Fabric feature. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
System
When the Automatic Fabric feature is enabled there may be periodic changes to the switch configuration.
Upon writing the automatically discovered configuration to the configuration file and rebooting, the automatically discovered link aggregate will become a manually configured link aggregate.
SPB
• If there are any BVLANs manually configured that are not in the range of 4000-4015, SPB discovery will not run.
• If there are any standard VLAN IDs configured in the 4000-4015 range, SPB discovery will not run.
• Access port configuration is reverted and the entire discovery cycle will be attempted again if any of the following events occur:
– An Automatic Fabric LACP discovery LLDP TLV is received.
– A synchronization LLDP TLV is received.
– A port flap is observed and the UNP SPB access port has not received any traffic on the port.
• Removing the UNP dynamic SAP configuration from a UNP SPB access port moves the port into a default state.
Configuring Automatic Fabric
This section describes commands to configure the Automatic Fabric capability on an OmniSwitch.
• Automatic Fabric stops trying to learn IP routing protocols and neighbors on interfaces not already configured with a routing protocol. The configuration for IP interfaces on which routing protocols were previously discovered is not removed.
Use the show auto-fabric config command and the show auto-fabric config interface command to verify the Automatic Fabric status for the switch and switch ports.
By default, the discovery interval timer is set to zero, which means the timer is disabled. However, when a switch boots up without a configuration file, discovery is automatically started for a one-time initial run even when the interval timer is disabled. To change the discovery interval time, use the auto-fabric discovery-interval command.
When this option is set to automatic VLAN, a SAP is automatically created for each VLAN tag received on the port. The automatic VLAN profile is recommended for tagged traffic. The single service profile is recommended for untagged traffic. To change the global default SAP profile setting for the switch, use the auto-fabric protocols spb default-profile command.
Displaying the Automatic Fabric Configuration
You can use the following Command Line Interface (CLI) show commands to display the current configuration and status of the Automatic Fabric feature:
show auto-fabric config: displays details about the globally configured and operational parameters.
show auto-fabric config interface: displays the Automatic Fabric port configuration applied on interfaces.
15 Configuring Network Time Protocol (NTP)
Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs, relative to a primary server synchronized to Coordinated Universal Time (UTC) (via a Global Positioning System receiver, for example).
NTP Specifications
Platforms Supported: OmniSwitch 10K, 6900
RFCs supported: 1305 (Network Time Protocol)
NTP Key File Location: /flash/network
Maximum number of NTP servers per client: 12
NTP Defaults Table
The following table shows the default settings of the configurable NTP parameters:
Parameter Description | Command | Default Value/Comments
Specifies an NTP server from which this switch will receive updates | ntp server | version: 4
NTP Quick Steps
The following steps are designed to show the user the necessary commands to set up NTP on an OmniSwitch:
1 Designate an NTP server for the switch using the ntp server command. The NTP server provides the switch with its NTP time information. For example:
-> ntp server 198.206.181.139
2 Activate the client side of NTP on the switch using the ntp client command.
5 You can check the client configuration using the show ntp status command, as shown:
-> show ntp client
Current time:                     THU SEP 15 2005 17:44:54 (UTC)
Last NTP update:                  THU SEP 15 2005 17:30:54
Client mode:                      enabled
Broadcast client mode:            disabled
Broadcast delay (microseconds):   4000
NTP Overview
Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs, relative to a primary server synchronized to Coordinated Universal Time (UTC) (via a Global Positioning System receiver, for example).
Stratum
Stratum is the term used to define the relative proximity of a node in a network to a time source (such as a radio clock). Stratum 1 is the server connected to the time source itself. (In most cases the time source and the stratum 1 server are in the same physical location.) An NTP client or server connected to a stratum 1 source would be stratum 2.
Examples of these are shown in the simple network diagram below:
[Diagram: a UTC time source feeding stratum 1 NTP servers 1a and 1b; stratum 2 NTP server/clients 2a and 2b below them; stratum 3 NTP clients 3a and 3b at the bottom.]
Servers 1a and 1b receive time information from, or synchronize with, a UTC time source such as a radio clock. (In most cases, these servers would not be connected to the same UTC source, though it is shown this way for simplicity.
• Peer associations should only be configured between servers at the same stratum level. Higher strata should configure lower strata, not the reverse.
• It is inadvisable to configure time servers in a domain to a single time source. Doing so invites common points of failure.
Note. NTP does not support year date values greater than 2035 (the reasons are documented in RFC 1305 in the data format section).
Configuring NTP
The following sections detail the various commands used to configure and view the NTP client software in an OmniSwitch.
Configuring the OmniSwitch as a Client
The NTP software is disabled on the switch by default.
NTP Servers
An NTP client needs to receive NTP updates from an NTP server. Each client must have at least one server with which it synchronizes (unless it is operating in broadcast mode). There are also adjustable server options.
Designating an NTP Server
To configure an NTP client to receive updates from an NTP server, enter the ntp server command with the server IP address or domain name, as shown:
-> ntp server 1.1.1.
Setting the Version Number
There are currently four versions of NTP available (numbered one through four). The version that the NTP server uses must be specified on the client side. To specify the NTP version on the server from which the switch receives updates, use the ntp server command with the server IP address (or domain name), the version keyword, and the version number, as shown:
-> ntp server 1.1.1.1 version 3
The default setting is version 4.
Using Authentication
Authentication is used to verify that the NTP messages exchanged between the client and server come from a holder of a shared key and were not altered in transit; it does not encrypt the messages, which remain readable on the wire. The NTP server and the NTP client must both have a text file containing the key IDs and their shared secret keys. (This file should be obtained from the server administrator. For more information on the authentication file, see “Authentication” on page 15-8.
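What the shared key actually protects is easiest to see on the bytes. The following added example (not code from the guide or from AOS) parses a key file, builds a 48-byte NTPv4 client packet, appends the RFC 1305 / RFC 5905 symmetric-key MAC (key ID plus an MD5 digest over the secret followed by the packet), and verifies it, rejecting a tampered packet, an unknown key ID and an unauthenticated packet. The key file layout (keyid, type, secret) is the ntpd ntp.keys convention and is an assumption here, since the guide does not show the OmniSwitch file format; the key material and timestamp are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
MAC_LEN = 4 + 16                    # key ID + MD5 digest, appended after the 48-byte header


def parse_key_file(text: str) -> Dict[int, bytes]:
    """Parse 'keyid type secret' lines (ntpd ntp.keys layout, assumed here).
    Only MD5 keys are kept, the digest RFC 1305 specifies."""
    keys: Dict[int, bytes] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        if fields[1].upper() not in ("M", "MD5"):
            continue
        keys[int(fields[0])] = fields[2].encode()
    return keys


def build_client_packet(unix_time: float, version: int = 4) -> bytes:
    """48-byte NTP header in client mode (mode 3) with the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    # stratum 0, poll 6, precision -20, root delay, root dispersion, reference ID
    header = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # reference, originate and receive timestamps zero; transmit timestamp last
    return header + bytes(24) + struct.pack("!II", secs, frac)


def append_mac(packet: bytes, key_id: int, keys: Dict[int, bytes]) -> bytes:
    """Symmetric-key authentication: MD5 over secret || packet, sent as
    key ID + digest. The packet itself is not encrypted."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys: Dict[int, bytes]) -> bool:
    """Accept only messages whose MAC matches a key from the trusted key file."""
    if len(message) < 48 + MAC_LEN:
        return False                       # no MAC present: reject when authentication is required
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    secret = keys.get(key_id)
    if secret is None:
        return False                       # key ID not in the key file
    expected = hashlib.md5(secret + body).digest()
    return hmac.compare_digest(expected, mac[4:])


# Constructed sample key file (not from the guide).
KEY_FILE = """\
# keyid  type  secret
1        M     Ntp!Shared-Secret-1
2        M     Ntp!Shared-Secret-2
"""
KEYS = parse_key_file(KEY_FILE)

if __name__ == "__main__":
    msg = append_mac(build_client_packet(1126806294.0), 1, KEYS)
    print(verify_mac(msg, KEYS))                    # True
    forged = bytearray(msg)
    forged[40] ^= 0x01                              # flip a bit in the transmit timestamp
    print(verify_mac(bytes(forged), KEYS))          # False
```

Two points follow directly from the code: the secret never leaves either host (only the digest does), and a verifier that accepts packets without a MAC, or with a key ID outside its key file, gets no protection at all, which is why verify_mac() treats both as failures.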
Verifying NTP Configuration
To display information about the NTP client, use the show commands listed in the following table:
show ntp status: displays information about the current client NTP configuration.
show ntp server client-list: displays the basic server information for a specific NTP server or a list of NTP servers.
show ntp client server-list: displays a list of the servers with which the NTP client synchronizes.
A Software License and Copyright Statements This appendix contains Alcatel-Lucent and third-party software vendor license and copyright statements. Alcatel-Lucent License Agreement ALCATEL-LUCENT SOFTWARE LICENSE AGREEMENT IMPORTANT. Please read the terms and conditions of this license agreement carefully before opening this package. By opening this package, you accept and agree to the terms of this license agreement.
Alcatel-Lucent License Agreement 3. Confidentiality. Alcatel-Lucent considers the Licensed Files to contain valuable trade secrets of Alcatel-Lucent, the unauthorized disclosure of which could cause irreparable harm to Alcatel-Lucent. Except as expressly set forth herein, Licensee agrees to use reasonable efforts not to disclose the Licensed Files to any third party and not to use the Licensed Files other than for the purpose authorized by this License Agreement.
Alcatel-Lucent License Agreement Alcatel-Lucent, Licensee agrees to return to Alcatel-Lucent or destroy the Licensed Materials and all copies and portions thereof. 10. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the State of California. 11. Severability. Should any term of this License Agreement be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms herein. 12. No Waiver.
Third Party Licenses and Notices Third Party Licenses and Notices Legal Notices applicable to any software distributed alone or in connection with the product to which this document pertains, are contained in files within the software itself located at: /flash/foss. Also, if needed, we provide all FOSS (Free and Open Source Software) source code used into this release at the following URL: https://service.esd.alcatel-lucent.
B SNMP Trap Information This appendix lists the supported SNMP traps along with their descriptions.
SNMP Traps Table
The following table provides information on all SNMP traps supported by the switch. Each row includes the trap name, its ID number, any objects (if applicable), its command family, and a description of the condition the SNMP agent in the switch is reporting to the SNMP management station.
0 coldStart (objects: none; family: chassis): The SNMP agent in the switch is reinitiating and its configuration may have been altered.
5 entConfigChange (objects: none; family: module): An entConfigChange notification is generated when a conceptual row is created, modified, or deleted in one of the entity tables.
6 policyEventNotification (objects: policyTrapEventDetailString, policyTrapEventCode; family: qos): The switch notifies the NMS when a significant event happens that involves the policy manager. policyTrapEventDetailString: details about the event that took place.
8 chassisTrapsAlert (objects: physicalIndex, chassisTrapsObjectType, chassisTrapsObjectNumber, chassisTrapsAlertNumber, chassisTrapsAlertDescr; family: chassis): A notification that some change has occurred in the chassis. physicalIndex: the physical index of the involved object. chassisTrapsObjectType: an enumerated value that provides the object type involved in the alert trap. chassisTrapsObjectNumber: a number defining the order of the object in the set (e.g.
13 healthMonModuleTrap (objects: healthModuleSlot, healthMonRxStatus, healthMonRxTxStatus, healthMonMemoryStatus, healthMonCpuStatus; family: health): Indicates a module-level threshold was crossed. healthModuleSlot: the (one-based) front slot number within the chassis. healthMonRxStatus: Rx threshold status indicating if the threshold was crossed or no change. healthMonRxTxStatus: RxTx threshold status indicating if the threshold was crossed or no change.
18 esmDrvTrapDropsLink (objects: esmPortSlot, esmPortIF, ifInErrors, ifOutErrors, esmDrvTrapDrops; family: interface): This trap is sent when the Ethernet code drops the link because of excessive errors. esmPortSlot: the physical slot number for this Ethernet port; the slot number has been added to be used by the private trap. esmPortIF: the on-board interface number for this Ethernet port; the port number has been added to be used by the private trap.
21 dvmrpNeighborNotPruning (objects: dvmrpInterfaceLocalAddress, dvmrpNeighborCapabilities; family: ipmr): A non-pruning neighbor has been detected in an implementation-dependent manner. This trap is generated at most once per generation ID of the neighbor. For example, it should be generated at the time a neighbor is first heard from if the prune bit is not set.
No. 23  Trap Name: fallingAlarm  Objects: alarmIndex, alarmVariable, alarmSampleType, alarmValue, alarmFallingThreshold  Family: rmon
Description: An Ethernet statistical variable has dipped below its falling threshold. The variable’s falling threshold and whether it will issue an SNMP trap for this condition are configured by an NMS station running RMON.
alarmIndex—An index that uniquely identifies an entry in the alarm table.
No. 27  Trap Name: mirrorUnlikeNi  Objects: mirmonPrimarySlot, mirmonPrimaryPort, mirroringSlot, mirroringPort, mirMonErrorNi  Family: pmm
Description: The mirroring configuration is deleted due to the swapping in of a different NI board type. The port mirroring session that was active on a slot cannot continue after the insertion of a different NI type in the same slot.
mirmonPrimarySlot—Slot of the mirrored or monitored interface.
mirmonPrimaryPort—Port of the mirrored or monitored interface.
No. 31  Trap Name: alaDoSTrap  Objects: alaDoSType, alaDoSDetected  Family: ip
Description: Indicates that the sending agent has received a Denial of Service (DoS) attack.
alaDoSType—Index field for the alaDoSTable. Integer indicating the DoS type: 0=portscan, 1=tcpsyn, 2=pingofdeath, 3=smurf, 3=pepsi, 5=land and 6=teardropBonkBoink.
alaDoSDetected—Number of attacks detected.
pethMainPseConsumptionPower—Measured usage power expressed in Watts.
No. 36  Trap Name: lnkaggPortJoin  Objects: traplnkaggId, traplnkaggPortIfIndex  Family: linkaggregation
Description: This trap is sent when any given port of the link aggregate group goes to the attached state.
Family: linkaggregation  Description: This trap is sent when any given port detaches from the link aggregate group.
Family: linkaggregation  Description: This trap is sent when any given port of the link aggregate group is removed due to an invalid configuration.
traplnkaggId—Index value of the Link Aggregate group.
No. 42  Trap Name: chassisTrapsPossibleDuplicateMac  Objects: physicalIndex, baseMacAddress  Family: chassis
Description: This trap is sent when there is a possibility of a duplicate MAC address in the network.
physicalIndex—The physical index of the involved object.
baseMacAddress—The base MAC address.
pimGroupMappingPimMode—The PIM mode used for groups in this group prefix.
pimInvalidRegisterAddressType—The address type stored in pimInvalidRegisterOrigin, pimInvalidRegisterGroup and pimInvalidRegisterRp. If no unexpected Register messages are received, the object is set to “Unknown”.
No. 48  Trap Name: PimInterfaceElection  Objects: pimInterfaceAddressType, pimInterfaceAddress  Family: ipmr
Description: This trap is sent when a new DR or DR has been elected on a network. The notification is generated whenever the counter PIM Interface Elections Win Count is incremented, subject to the rate limit specified by PIM Interface Election Notification Period.
pimInterfaceAddressType—The address type of the PIM interface.
No. 51  Trap Name: lpsViolationTrap  Objects: lpsTrapSwitchName, lpsTrapSwitchIpAddr, lpsTrapSwitchSlice, lpsTrapSwitchPort, lpsTrapViolatingMac, lpsTrapViolationType, systemServicesDate, systemServicesTime  Family: bridge
Description: A Learned Port Security (LPS) violation has occurred.
lpsTrapSwitchName—The name of the switch.
lpsTrapSwitchIpAddr—The IP address of the switch.
lpsTrapSwitchSlice—The physical slice number for the LPS port on which the violation occurred.
alaGvrpMaxVlanLimit—The maximum number of dynamic VLANs that can be created on the system by GVRP before a trap is sent.

No. 55  Trap Name: alaNetSecPortTrapAnomaly  Objects: alaNetSecPortTrapInfoIfId, alaNetSecPortTrapInfoAnomaly, alaNetSecPortTrapInfoType  Family: netsec
Description: This trap is sent when an anomalous port quarantine is detected.
alaNetSecPortTrapInfoIfId—The interface index of the port on which the anomaly is detected.
No. 62  Trap Name: alaErpRingStateChanged  Objects: alaErpRingId, alaErpRingState  Family: erp
Description: This trap is sent when the ERP Ring State has changed from “Idle” to “Protection”.
alaErpRingId—The unique Ring identifier.
alaErpRingState—The current state of the Ring (0=Idle, 1=Protection).

No. 63  Trap Name: alaErpRingMultipleRpl  Objects: alaErpRingId  Family: erp
Description: This trap is sent when multiple RPLs are detected in the Ring.

Objects: alaErpRingId  Family: erp  Description: This trap is sent when the Ring is removed dynamically.
ifIndex—The interface index.
ddmNotificationType—The trap type for monitored DDM parameters (clearViolation(1), highAlarm(2), highWarning(3), lowWarning(4), lowAlarm(5)).
ddmTxBiasCurrent—The current Transmit Bias Current of the SFP/XFP in 10s of milli-Amperes (mA).
No. 75  Trap Name: multiChassisHelloIntervalConsisFailure  Objects: multiChassisTrapFailure  Family: multi-chassis
Description: This trap is sent when there is an MCM Hello Interval consistency failure.
multiChassisTrapFailure—Indicates multi-chassis failure.

No. 76  Trap Name: multiChassisStpModeConsisFailure  Objects: multiChassisTrapFailure  Family: multi-chassis
Description: This trap is sent when there is an STP mode consistency failure.
multiChassisTrapFailure—Indicates multi-chassis failure.
No. 84  Trap Name: alaDHLVlanMoveTrap  Objects: alaDHLSessionID, alaDHLPortFrom, alaDHLPortTo, alaDHLVlanMoveReason  Family: vlan
Description: When linkA or linkB goes down or comes up and both ports are part of some vlan-map, this trap is sent to the Management Entity with the DHL port information.
alaDHLSessionID—The DHL Session ID for which alaDHLVlanMoveTrap needs to be sent to the Management Entity.
No. 89  Trap Name: vRtrIsisManualAddressDrops  Objects: vRtrIsisManAreaAddrExistState  Family: isis
Description: This trap is sent when one of the manual area addresses assigned to this system is ignored when computing routes. The object vRtrIsisManAreaAddrExistState describes the area that has been dropped. This trap is edge triggered, and should not be regenerated until an address that was used in the previous computation has been dropped.
No. 93  Trap Name: vRtrIsisMaxAreaAddrsMismatch  Objects: vRtrIsisMaxAreaAddress, vRtrIsisIfIndex, vRtrIsisPDUFragment  Family: isis
Description: This trap is sent when a PDU with a different Maximum Area Addresses value is received. The notification includes the header of the packet, which may help a network manager identify the source of the problem.
vRtrIsisMaxAreaAddress—The maximum number of area addresses in the PDU.
vRtrIsisIfIndex—The ISIS interface on which the PDU was received.
No. 97  Trap Name: vRtrIsisAuthFail  Objects: vRtrIsisSystemLevel, vRtrIsisPDUFragment, vRtrIsisIfIndex  Family: isis
Description: This trap is sent when a PDU with incorrect authentication information is received. The notification includes the header of the packet, which may help a network manager identify the source of the problem.
vRtrIsisSystemLevel—Identifies the level to which the notification applies. Routing within an area is referred to as Level-1 routing.
No. 101  Trap Name: vRtrIsisLSPTooLargeToPropagate  Objects: vRtrIsisLSPSize, vRtrIsisSystemLevel, vRtrIsisTrapLSPID, vRtrIsisIfIndex  Family: isis
Description: This trap is sent when an LSP is larger than the Data Link Block Size for a circuit.
vRtrIsisLSPSize—The size of the LSP received.
vRtrIsisSystemLevel—Identifies the level to which the notification applies. Routing within an area is referred to as Level-1 routing. Routing between two or more areas is referred to as Level-2 routing.
No. 104  Trap Name: vRtrIsisAdjacencyChange  Objects: vRtrIsisSystemLevel, vRtrIsisIfIndex, vRtrIsisTrapLSPID, isisISAdjState  Family: isis
Description: This trap is sent when an adjacency changes state, entering or leaving the up state. The first 6 bytes of the vRtrIsisTrapLSPID are the SystemID of the adjacent IS. The isisISAdjState is the new state of the adjacency.
vRtrIsisSystemLevel—Identifies the level to which the notification applies.
No. 108  Trap Name: alaHAVlanClusterPeerMismatch  Objects: alaHAVlanClusterId  Family: ha-vlan
Description: This trap is sent when the parameters configured for this cluster ID (Level 1 check) do not match across the MCLAG peers.
alaHAVlanClusterId—The Cluster ID number.
No. 112  Trap Name: unpMcLagConfigInconsistency  Objects: alaDaUnpCommandType, alaDaUnpName, alaDaUnpMacAddr1, alaDaUnpMacAddr2, alaDaUnpIpAddr, alaDaUnpIpMask, alaDaUnpVlanTag, alaDaUnpMCLAGId  Family: da-unp
Description: This trap is sent when a configuration becomes “Out of Sync”.
dot1agCfmMepHighestPrDefect—The highest priority defect that has been present since the MEP's Fault Notification Generator State Machine was last in the FNG_RESET state.

No. 117  Trap Name: alaSaaIPIterationCompleteTrap  Objects: alaSaaCtrlOwnerIndex, alaSaaCtrlTestIndex, alaSaaIpResultsTestRunIndex, alaSaaCtrlLastRunResult, alaSaaCtrlLastRunTime  Family: saa
Description: This trap is sent when an IP SAA iteration is completed.
virtualChassisOperChasId—The operational Virtual Chassis ID.
virtualChassisStatus—The Virtual Chassis status.

No. 121  Trap Name: virtualChassisRoleChange  Objects: virtualChassisOperChasId, virtualChassisRole  Family: virtual chassis
Description: This trap is sent when a chassis role change is detected.
virtualChassisOperChasId—The operational Virtual Chassis ID.
virtualChassisRole—The Virtual Chassis role: unassigned(0): Initial chassis role and election not complete.
virtualChassisOperChasId—The operational Virtual Chassis ID.
virtualChassisVflIfIndex—The Virtual Fabric Link ID.
virtualChassisVflMemberPortIfindex—The Virtual Fabric Link Member Port ifIndex.
virtualChassisDiagnostic—Indicates why a port configured as a virtual-fabric member is unable to join the virtual-fabric link (Duplex Mode, Speed).
evbPortId—The IfIndex that uniquely identifies this port.
ieee8021BridgeEvbVSIVlanId—The bridge EVB VSI VLAN.

No. 129  Trap Name: evbUnknownVsiManagerTrap  Objects: evbPortId, ieee8021BridgeEvbSbpPortNumber  Family: evb
Description: This trap is sent when the bridge receives a VDP packet with:
- Unknown Manager ID type, or
- Wrong Manager ID length.
evbPortId—The IfIndex that uniquely identifies this port.
ieee8021BridgeEvbSbpPortNumber—The bridge EVB SBP Port.
No. 134  Trap Name: smgrServiceError  Objects: alaSvcId, alaSvcType, alaSvcIsid, alaSvcBVlan, alaSvcMulticastMode  Family: service manager
Description: This trap is sent when there is a failure to create/delete a service.
alaSvcId—The Service identifier.
alaSvcType—The service type (e.g., vpls, spb).
alaSvcIsid—The I-Domain Service Identifier (I-SID), which identifies the service instance in a PBB network in a BEB switch.
alaSvcId—The Service identifier.
alaSapPortId—The ID of the access port where this SAP is defined.
alaSapEncapValue—The value of the label used to identify this SAP on the access port specified by SAP Port ID.
alaSvcVFI—The Virtual Forwarding Instance (VFI) allocated for a service on an LER or BEB switch. This service instance defines the forwarding plane for the data packets among virtual port members associated with the VFI.
No. 141  Trap Name: smgrSdpBindHwError  Objects: alaSvcId, alaSdpBindId, alaSdpBindNetworkPort, alaSdpBindBVlan, alaSdpBindSystemId, alaSdpBindVirtualPort  Family: service manager
Description: This trap is sent when there is a failure to allocate/de-allocate a hardware resource for an SDP Bind, or to program the hardware tables for an SDP Bind.
alaSvcId—The Service identifier.
alaSdpBindId—The SDP Binding identifier.
No. 146  Trap Name: alaSaaPacketLossTrap  Objects: alaSaaCtrlOwnerIndex, alaSaaCtrlTestIndex, alaSaaCtrlLastRunResult, alaSaaCtrlLastRunTime, alaSaaMacResultsPktsSent, alaSaaMacResultsPktsRcvd  Family: saa
Description: This trap is sent when a packet is lost during a test.
alaSaaCtrlOwnerIndex—The Owner name to identify the responsibility of the entries in the table (Default = User).
alaSaaCtrlTestIndex—Unique name to identify the entries in the table.
No. 148  Trap Name: alaSaaRTTThresholdYellowTrap  Objects: alaSaaCtrlOwnerIndex, alaSaaCtrlTestIndex, alaSaaCtrlLastRunResult, alaSaaCtrlLastRunTime, alaSaaCtrlRTTThreshold, alaSaaMacResultsAvgRTT  Family: saa
Description: This trap is sent when the RTT Threshold crosses 90%.
alaSaaCtrlOwnerIndex—The Owner name to identify the responsibility of the entries in the table (Default = User).
alaSaaCtrlTestIndex—Unique name to identify the entries in the table.
No. 150  Trap Name: alaSaaRTTThresholdRedTrap  Objects: alaSaaCtrlOwnerIndex, alaSaaCtrlTestIndex, alaSaaCtrlLastRunResult, alaSaaCtrlLastRunTime, alaSaaCtrlRTTThreshold, alaSaaMacResultsAvgRTT  Family: saa
Description: This trap is sent when the RTT threshold is crossed.
alaSaaCtrlOwnerIndex—The Owner name to identify the responsibility of the entries in the table (Default = User).
alaSaaCtrlTestIndex—Unique name to identify the entries in the table.
No. 154  Trap Name: appFPSignatureMatchTrap  Objects: alaAppFPPort, alaAppFPDbAppGroupName, alaAppFPDbAppName, alaAppFPDbSrcMacAddr, alaAppFPDbVlanId, alaAppFPDbSrcIpAddrType, alaAppFPDbSrcIpAddr, alaAppFPDbSrcPort  Family: app fingerprint
Description: This trap is sent when a traffic flow matches an application signature.
alaAppFPPort—The port on which the flow was classified.
alaAppFPDbAppGroupName—The name of the application group and signature that matched the flow.
No. 156  Trap Name: alaSIPSnoopingACLPreemptedBySOSCall  Objects: physicalIndex, alaSIPSnoopingEndedCallIpAddrA, alaSIPSnoopingEndedCallIpAddrB, alaSIPSnoopingEndedCallL4portA, alaSIPSnoopingEndedCallL4portB  Family: sip snooping
Description: This trap is sent when a SIP snooping RTP/RTCP ACL entry is preempted by an SOS call.
physicalIndex—The physical index of the involved object.
alaSIPSnoopingEndedCallIpAddrA—The Ended Call IP address for direction A to B.
physicalIndex—The physical index of the involved object.

No. 160  Trap Name: alaSIPSnoopingCallRecordsFileMoved  Objects: alaSIPSnoopingThresholdNumberOfCalls  Family: sip snooping
Description: This trap is sent when the SIP Snooping Ended Call Records flash file is moved from /flash/switch/sip_call_record.txt to /flash/switch/sip_call_record.txt.old. This happens when the configured call record storage limit is reached and possibly at boot-up if /flash/switch/sip_call_record.
alaDhcpSrvLeaseThresholdStatus—The threshold status of subnet utilization.
alaDhcpSrvSubnetDescriptor—The subnet descriptor.
No. 169  Trap Name: smgrSdpStatusChange  Objects: alaSdpId, alaSdpOperStatus, alaSdpNetworkPort, alaSdpBVlan, alaSdpSystemId, alaSdpSystemName, alaSdpDynamicType, alaSdpIsid  Family: service manager
Description: This trap is sent when there is a change in SDP operating status. For SPB, the SDP is dynamically created or destroyed as calculated by the ISIS protocol when a unicast/multicast path to reach a neighbor node is determined.
alaSdpId—SDP identifier.
alaSvcId—The Service identifier.
alaSdpBindId—The SDP Binding identifier.
alaSdpBindOperStatus—The operational status of this Service-SDP binding:
• up (1)
• noEgressLabel (2)
• noIngressLabel (3)
• noLabels (4)
• down (5)
• svcMtuMismatch (6)
• sdpPathMtuTooSmall (7)
• sdpNotReady (8)
• sdpDown (9)
• sapDown (10)
• created (11) - dynamically created for SPB
• destroyed (12) - dynamically destroyed for SPB
No. 175  Trap Name: chasTrapsNiBPSFETStateChange  Objects: chasTrapBPSShelfId, chasTrapsBPSFwType, chasTrapsBPSFwVersion  Family: chassis
Description: This trap is sent when there is a BPS FET state change.
chasTrapBPSShelfId—The BPS shelf ID.
chasTrapsBPSFwType—The FET state.
chasTrapsBPSFwVersion—The BPS firmware version.
No. 183  Trap Name: alaAppMonAppRecordFileCreated  Objects: NA  Family: application monitoring
Description: This trap is sent after the application records monitored in the past hour are written to the flash file.
Objects: NA  Family: application monitoring  Description: This trap is sent after the preconfigured number of application monitoring flow records are written to the flash file.
No. 190  Trap Name: alaVMSnoopingVMLearntAlert  Objects: alaVMSnoopingLearnedMacAddress, alaVMSnoopingLearnedVxlanUdpPort, alaVMSnoopingLearnedVxlanVni  Family: vm snooping
Description: This trap is sent when a new Virtual Machine is learned by the system.
alaVMSnoopingLearnedMacAddress—The MAC address of the virtual machine.
alaVMSnoopingLearnedVxlanUdpPort—The port on which the virtual machine was learned.
alaVMSnoopingLearnedVxlanVni—The virtual machine network identifier.
alaDistArpNiChassis—The chassis number of the NI.
alaDistArpNiSlot—The slot number of the NI.
alaDistArpNiDevice—The device number of the NI.

No. 195  Trap Name: smgrVxlanSdpBindStatusChange  Objects: alaSvcId, alaSdpBindId, alaSdpBindOperStatus, alaSdpBindFarEndIpAddress, alaSdpBindVnid  Family: service manager
Description: This trap is sent when there is a change in SDP Bind operating status.
SNMP Traps Table page B-48 OmniSwitch AOS Release 7 Switch Management Guide March 2015
Index B banner login 2-14 pre-login text 2-15 boot.
Index configuration files 4-3, 5-2 errors 6-7 configuration snapshot all command 6-10 configuration syntax check 6-7 console port 2-4 copy flash-synchro command 4-18 copy working certified flash-synchro command D date 3-17, 6-4 Daylight Savings Time see DST defaults dynamic link aggregation 12-4, 14-4 login 2-2 NTP 15-2 SNMP 10-3 startup 7-4 switch security 8-2 user accounts 7-2 WebView 9-2 delete command 3-10 DES encryption 10-11 directories certified 4-4 flash 3-7 managing 4-11 working 4-4 DNS resolver
Index N network administrator user accounts application examples 7-6 Network Management Station see NMS Network Time Protocol see NTP NMS 10-8 NTP 15-1 application examples 15-3 configuring 15-9 client 15-9 defaults 15-2 overview 15-5 specifications 15-2 stratum 15-6 using in a network 15-6 ntp broadcast command 15-9 ntp broadcast-delay command 15-9 NTP client broadcast delay 15-9 broadcast mode 15-9 ntp client command 15-3, 15-9 NTP Configuration verify information about 15-13 ntp key command 15-12 ntp ke
Index application examples 10-4 defaults 10-3 management station 10-8 manager 10-7 security 10-10, 10-12 specifications 10-2 traps table B-2 versions 10-8 snmp community map mode command 7-16 SNMP configuration verify information about 10-16 snmp security command 7-16, 10-12 snmp trap filter command 10-6 software rollback configuration scenarios 4-5 specifications CLI 5-2, 11-2 CMM 4-2 configuration file 6-2 dynamic link aggregation 12-3, 14-3 file management 1-2, 3-2 login 2-2 NTP 15-2 SNMP 10-2 switch se