LX Series Configuration Guide Version 5.1.
April 2007

All rights reserved. No part of this publication may be reproduced without the prior written consent of MRV Communications, Inc. The information in this document is subject to change without notice and should not be construed as a commitment by MRV Communications, Inc. MRV Communications, Inc. reserves the right to revise this publication, and to make changes in content from time to time, without obligation to provide notification of such revision or changes.
FCC Notice

CAUTION: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, can cause harmful interference to radio communications.
VCCI Notice

This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective action.

WARNING: You must disconnect both power sources before you service the unit.

Export Notice

MRV models contain 128-bit encryption software. Export of this product is restricted under U.S.
About This Book

This guide describes how to manage and configure the LX unit and provides support information for each configurable feature.

How This Book is Organized

This book is organized in three parts:

Part 1 contains setup information
Part 2 contains configuration information
Part 3 contains appendixes with additional information

Chapter    Describes how to...
Part 2 (Cont.)

Chapter 15    Configure the LX-7204T/7304T Sensor Manager
Chapter 16    Configure PPP Dial-On-Demand
Chapter 17    Configure Redundant Ethernet
Chapter 18    Configure the Internal Modem
Chapter 19    Configure Alarm Input/Control Output Points
Chapter 20    Configure the IPv6 Internet Protocol

Part 3

This book also contains 12 appendixes:

Appendix    Provides information about...
Conventions

The following conventions are used throughout this guide:

Convention: Description
Command execution: Unless otherwise specified, commands are executed when you press .
Command syntax: Where command options or command syntax are shown, keywords and commands are shown in lowercase letters.
Keyboard characters (keys): Keyboard characters are represented using left and right angle brackets (< and >).
Online Help

For example, the following is displayed when you type the ? character at the User mode command prompt:

    clear      Clear screen and reset terminal line
    cluster    Superuser cluster commands
    connect    Connect to a remote access port async on this LX unit
    dial       Dial a dialout modem
    enable     Turn on privileged commands
    exit       Exit up one level
    menu       Menu utility
    message    Send a message to a logged on user
    monitor    Monitor running system information
    no         Negate a command
    outlet     Manipulate outl
Type the ? character (or press the Tab key) after the displayed keyword to list the options for that keyword. For example, type show ? to list the options of the show keyword. You could then type show port ? to list the next item in the syntax of the show port command.

Additional Help

The CLI help feature now displays more information dynamically when you request help for certain commands.
If you have used help to list all the configured menu names, you can complete the menu names by typing the first letter of the name, then pressing the Tab key; for example:

Example:
    Config:0 >> menu open d

which fills in the remainder of an existing menu's name as follows:

Example:
    Config:0 >> menu open demo_menu
PART 1 Before You Configure the LX Series Unit
CHAPTER 1 Using the Command-Line Interface

The LX Series Command-Line Interface (CLI) is structured as a set of nested command modes. Each command mode is used to implement a group of related features or functions. Figure 1.1 lists the command modes available in the LX CLI.
[Figure 1.1: LX command modes. The diagram shows the User command mode, the Superuser command mode (entered with the "enable" command and a login), and the nested command modes, among them Configuration, Notification, SNMP, Ethernet, Async, Modem, Subscriber, Menu, Menu Editing, Interface, Broadcast Group, PPP, AAA and Cluster.]
About Command Modes

Each command mode uses a unique command prompt (for example, Config:0 >>) and its own set of commands. Each command mode (except the top-level User command mode) is nested within the previous level command mode.

Note: The User command mode is the basic command mode of the LX CLI. When you log in to the LX unit, you are in User command mode.
To enter a nested command mode

Enter the appropriate command from the previous command mode. For example, to enter the Configuration command mode you must enter the configuration command from the Superuser command mode.

To return to the previous command mode

Type exit. For example, type the exit command in Configuration Command Mode to return to the Superuser command mode.

To display global information

Execute the monitor/show commands in each of the LX command modes.
Command Mode Descriptions

The following sections describe the LX command modes and the commands used to access them.

User Command Mode

Contains commands for performing user functions on the LX unit.

Accessed by: Logging on to the LX unit
Command prompt: InReach:0 >

For more information, see “User Commands” in the LX-Series Commands Reference Guide.

Superuser Command Mode

Contains commands for performing Superuser functions on the LX unit.
Configuration Command Mode

Note: If you change a parameter in the Configuration Mode, and then exit this mode, the following message appears:

    You have unsaved changes in your configuration. You need to save these if you want them to be permanent through a reboot.

Contains commands for configuring the LX unit at the server level and accessing nested command modes.

Accessed by: Executing the configuration command in Superuser Command Mode.
Command prompt:
Asynchronous Command Mode

Contains commands for configuring asynchronous ports on the LX unit.

Accessed by: Executing the port async command in Configuration Command Mode.
Command prompt: Async 4-4:0 >>

For more information, see “Asynchronous Commands” in the LX-Series Commands Reference Guide.

Ethernet Command Mode

Contains commands for configuring the Ethernet port on the LX unit.
Modem Command Mode

Contains commands for configuring modems on LX asynchronous ports.

Accessed by: Executing the modem command in Asynchronous Command Mode.
Command prompt: Modem 4-4:0 >>

For more information, see “Modem Commands” in the LX-Series Commands Reference Guide.

Subscriber Command Mode

Contains commands for configuring LX subscriber accounts.

Accessed by: Executing the subscriber command in Configuration Command Mode.
Interface Command Mode

Contains commands for configuring IP interfaces on the LX unit.

Accessed by: Executing the interface command in Configuration Command Mode.
Command prompt: Intf 1-1:0 >>

For more information, see “Interface Commands” in the LX-Series Commands Reference Guide.

Menu Command Mode

Contains commands for creating, displaying, and accessing subscriber menus.

Accessed by: Executing the menu command in Configuration Command Mode.
Notification Command Mode

Contains commands for configuring the LX Notification Feature.

Accessed by: Executing the notification command in Configuration Command Mode.
Command prompt: Notification:0 >>

For more information, see “Notification Commands” in the LX-Series Commands Reference Guide.

Broadcast Group Command Mode

Contains commands for configuring Broadcast Groups on the LX unit.
Async Protocol Command Mode

Contains the port command for specifying the asynchronous port parameter for a Service Profile of the Async type.

Accessed by: Executing the async command in Service Profile Command Mode.
Command prompt: Noti_Serv_Async:0 >>

For more information, see “Async Protocol Commands” in the LX-Series Commands Reference Guide.
SMTP Protocol Command Mode

Contains the server command for configuring the server for a Service Profile of the SMTP type.

Accessed by: Executing the smtp command in Service Profile Command Mode.
Command prompt: Noti_Serv_SMTP:0 >>

For more information, see “SMTP Protocol Commands” in the LX-Series Commands Reference Guide.

SNPP Protocol Command Mode

Contains commands for configuring a Service Profile of the SNPP type.
User Service Command Mode

Contains the service command for specifying a Service Profile for a User Profile.

Accessed by: Executing the profile user command in Notification Command Mode.
Command prompt: Noti_User_Service:0 >>

For more information, see “User Service Commands” in the LX-Series Commands Reference Guide.

User Information Command Mode

Contains commands for specifying the contact, facility, and priority parameters of a User Profile.
Rule Command Mode

Contains commands for enabling, disabling, and specifying Actions and Triggers for Rules.

Accessed by: Executing the rule name command in Trigger-Action Command Mode.
Command prompt: Rule_AC7TurnOnRule:0 >>

For more information, see “Rule Commands” in the LX-Series Commands Reference Guide.

Action Command Mode

Contains the command command for specifying an LX CLI command for an Action.
Trigger Command Mode

Contains commands for specifying the conditions for triggers.

Accessed by: Executing the trigger name command in Trigger-Action Command Mode
Command prompt: Trigger_TempPortCT30:0 >>

For more information, see “Trigger Commands” in the LX-Series Commands Reference Guide.

Cluster Command Mode

Contains commands for creating and monitoring clusters.

Accessed by: Executing the cluster command in Configuration Command Mode.
Command prompt:
Using the Function Keys

The LX Command Line Interface (CLI) supports the following function keys:

Key         Description
Tab key     Completes a partially typed command. For example, if you type the tab key after you type show ve at the Superuser command prompt, the show version command will be executed.
Up arrow    Recalls the last command.
Ctrl-F      Moves forward to the next session.
Ctrl-B      Moves back to the previous session.
Ctrl-L      Returns you to the Local Command Mode.
CHAPTER 2 Performing the Initial Setup

This chapter describes the initial setup of the LX unit. You can perform the tasks described in this chapter after you install and power on the LX unit as described in Chapter 1 of Getting Started with the LX Series. Then you can use the LX unit for network management.
Configuring TCP/IP

You can let the LX unit obtain its TCP/IP parameters from the network, or you can explicitly configure TCP/IP parameters for the LX unit with the Quick Start Configurator or the IP Configuration Menu. (You can access the IP Configuration Menu from the ppciboot Main Menu.
3. Enter the superuser password system. The Quick Configuration menu displays:

    Quick Configuration menu
    1 Unit IP address
    2 Subnet mask
    3 Default Gateway
    4 Domain Name Server
    5 Domain Name Suffix
    6 Cluster Secret
    7 Superuser Password
    8 Exit and Save
    Enter your choice:

4. Press the number corresponding to the parameter to set.
5. Enter the appropriate information and press to return to the Quick Configuration menu.
6.
8. Press y (yes) and press . The following message displays:

    Save this information to flash?

9. Press y (yes) and press . The information is saved to flash.
10. Press several times to display the Login: prompt.
11. Enter your login name (default is InReach).
12. Enter your password (default is access). You can now use the LX unit.

Note: The login username and password are case-sensitive.
DHCP Client

There is no DHCP enable/disable flag in Config mode. DHCP is sensed on or off based on whether ppciboot learns its IP via DHCP. If DHCP is enabled in ppciboot, but fails to get its IP via DHCP, and instead gets an IP via RARP, then after the LX loads, DHCP will not be enabled.

The DHCP Client feature allows an Ethernet interface to query the DHCP server for configuration options. This was done primarily to support DHCP leasing.
The following information is returned from Vendor Options:

    1 - Subnet Mask
    3 - Gateway IP address
    6 - DNS server IP addresses
    12 - Our host name
    17 - Root path
    51 - DHCP leasetime
    28 - Broadcast address

The following options are recognized by DHCP, so they do not generate the unhandled option error message, although no information is saved:

    2 - Time offset
    4 - Time server (RFC 868, not NTP)
    15 - Domain name
    31 - Perform router discovery
    53 - DHCP message type
    54 - D
where renew requests that the DHCP client renew the current lease.

Note: You can use this command only on DHCP-enabled interfaces.

Example:
    Intf 1-1:0>>dhcp renew

To display the Interface Status Screen

Use the show interface status command. Figure 2.1 shows a sample screen with the DHCP fields highlighted:

    Time:
    Interface Name: Interface_1
    IP Address: 112.19.161.191
    IP Broadcast Addr: 112.19.161.
Setting the TCP/IP Parameters in the IP Configuration Menu

You can use the IP Configuration Menu to set the TCP/IP parameters for the LX unit. For more information, see “Using the IP Configuration Menu” in Getting Started with the LX Series.

Creating and Loading a Default Configuration File

This section explains how to create a default configuration file with which you can load multiple units.
Saving the Configuration to the Network

The .zip file format can be accessed by either WinZip or UNIX Unzip. The TFTP/SFTP protocol is used to perform the operation of saving the LX configuration to a network host. If the network host is a UNIX host, a configuration file must already exist on the TFTP/SFTP server. The configuration file is a .
Setting Up Local (Onboard) Security

Local security is the default security method for the LX unit. Under Local security, the user is authenticated against a username/password file that resides on the LX unit.

Note: The LX unit also supports LDAP, RADIUS, TACACS+, and RSA SecurID security. Under LDAP, RADIUS, TACACS+, and RSA SecurID, the user is authenticated against a username/password file that resides on the authentication server.
Changing the Password Defaults

Note: See “Command Mode Descriptions” on page 1-5 for information about accessing Asynchronous Command Mode.

To change the User-level password of the InReach User

1. Access the Configuration Command Mode.
2. Access the Subscriber Command Mode for the InReach subscriber. You do this by entering the subscriber command with InReach as the command argument:

    Config:0 >>subscriber InReach

3. 4. 5.
Setting Up Server-Based Authentication and Accounting

You can implement four methods of server-based authentication, and two methods of server-based accounting, for the LX unit:

Server-based authentication methods    Server-based accounting methods
RSA SecurID                            RADIUS
RADIUS                                 TACACS+
TACACS+
LDAP
Kerberos

For more information, see the following sections:

“Setting Up LDAP” (below)
“Setting Up RADIUS” on page 2-19
“Setting Up TACACS+” on page 2-25
“
Setting Up LDAP

Note: The LDAP Version 3 clock must keep in sync with the LDAP server.

To download the valid client certificate for the primary authentication server to the LX

Note: A valid certificate must reside on both the host and the LX. The certificates are parsed during authentication.
A message is displayed, alerting you to issue the save configuration command to save the file permanently on the LX. The configurable Hostname or IP Address is used to override the Host Name or IP Address that is stored in the ppciboot menu for TFTP. If SFTP is the configured file transfer protocol, the IP address overrides the configured SFTP server address.

Example:
    InReach:0 >>ldap update secondary certificate 125.111.83.
Installing and Configuring the LDAP Server on a Network-based Host

To specify the LDAP server settings on the LX unit

1. Choose the desired LDAP version (2 or 3). The default is 2.

Example:
    AAA:0 >>ldap version 3

2. Verify that the primary LDAP Server has been installed on the primary LDAP Server host.
3.

Example:
6. Specify the maximum number of retries that the LX unit will have for transmitting an Access Request to the LDAP primary authentication server:

Example:
    AAA:0 >>ldap primary authentication server retransmit 7

7. Specify the length of time that the LX unit will wait for the server to respond before retransmitting packets to the LDAP primary authentication server:

Example:
    AAA:0 >>ldap primary authentication server timeout 4

8.
LDAP Command Examples

This section provides examples of all of the commands that are used to specify settings for the LDAP servers. See the “Authentication, Accounting, and Authorization Commands” chapter of the LX Series Command Reference for detailed descriptions of the commands in this chapter.

LDAP Primary Authentication Server Commands

    AAA:0 >>ldap primary authentication server address 143.34.87.93
    AAA:0 >>ldap primary authentication server base dnO=box7.acme.boston.sqa.
LDAP Local Subscriber Feature

Under the LDAP Local Subscriber Feature, a subscriber can be logged on as either:

An LX subscriber with the attributes of that subscriber (if the LX subscriber account exists), or
The default (InReach) subscriber (if the LX subscriber account does not exist).

Under either scenario, the subscriber must have an LDAP account on the LDAP authentication server.
Setting Up RADIUS

The LX can implement RADIUS authentication and RADIUS accounting at the server level and for specific interfaces and asynchronous ports. You must configure RADIUS accounting and/or authentication at the server level before you can implement it on specific interfaces and asynchronous ports on the LX unit.

To configure RADIUS authentication on the LX unit

1. Install and configure the RADIUS server on a Network-based Host (see page 2-19).
2.
3.
Installing and Configuring the RADIUS Server on a Network-Based Host

The daemon uses a list of clients and associated secrets that it shares with these clients. The per-client secret is used to encrypt and validate communications between the RADIUS server and the client. The file used to keep the client list and secrets is the “clients” file. Another file used by the daemon to store the users that are authenticated is the “users” file.
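How the per-client secret "encrypts and validates" traffic, as an added example that is not part of the original guide and not MRV's or any RADIUS server's code: it follows RFC 2865 for hiding the User-Password attribute and for the Response Authenticator that the client checks on each reply. The secret, user name, passphrase, identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                # RADIUS packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                       # an empty password still fills one block
        padded = b"\x00" * 16
    hidden, previous = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password. A wrong secret yields garbage, not an error."""
    clear, previous = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, user, password, secret, request_auth) -> bytes:
    """Client side: the Request Authenticator travels in the clear, the password does not."""
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_reply(code, identifier, attrs, request_auth, secret) -> bytes:
    """Server side: Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]             # bytes past the stated length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret"    # constructed; same value on client and server
    other = b"some-other-secret"             # constructed; a mismatched "clients" entry
    request_auth = bytes(range(16))          # constructed; must be random in real use
    password = b"a-constructed-passphrase"   # 24 bytes, so two 16-byte blocks
    request = build_access_request(7, b"operator", password, secret, request_auth)
    hidden = request[-32:]                   # value of the User-Password attribute
    reply = build_reply(ACCESS_ACCEPT, 7, attribute(REPLY_MESSAGE, b"welcome"),
                        request_auth, secret)
    tampered = reply[:-1] + b"!"             # one attribute byte changed in transit
    return {
        "cleartext_on_wire": password in request,
        "server_sees": reveal_password(hidden, secret, request_auth),
        "mismatched_server_sees": reveal_password(hidden, other, request_auth),
        "reply_ok": reply_is_authentic(reply, request_auth, secret),
        "reply_wrong_secret": reply_is_authentic(reply, request_auth, other),
        "reply_tampered": reply_is_authentic(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Everything here rests on the shared secret and MD5: anyone who knows the secret can both recover passwords from captured requests and forge accepted replies, which is why the secret configured on the LX and in the server's "clients" file needs to be long, random and unique per client.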
5. Use the radius primary authentication server port command to specify the socket your RADIUS server is listening to.

Note: The LX listens to port 1812 by default.

Example:
    AAA:0 >>radius primary authentication server port 1645

6. Use the radius source interface command to specify the source address the LX sends when contacting the RADIUS server.

Example:
    AAA:0 >>radius source interface 3

7.

Example:
Table 2.1 RADIUS Settings

RADIUS Settings    Description
address            IP address of the RADIUS server
port*              UDP port of the RADIUS server
retransmit*        Maximum number of times that the LX unit attempts to retransmit a message to the RADIUS server
secret             The RADIUS secret shared between the LX unit and the RADIUS server
timeout*           Length of time that the LX unit waits for the RADIUS server to respond before retransmitting packets to it

*.
RADIUS Command Examples

RADIUS Secondary Authentication Server Commands

    AAA:0 >>radius secondary authentication server address 178.67.82.78
    AAA:0 >>radius secondary authentication server port 1812
    AAA:0 >>radius secondary authentication server retransmit 3
    AAA:0 >>radius secondary authentication server secret AsJkirbg
    AAA:0 >>radius secondary authentication server timeout 7

RADIUS Primary Accounting Server Commands

    AAA:0 >>radius primary accounting server address 181.28.68.
Specifying the RADIUS Period

The RADIUS period is the interval at which the LX unit will update the RADIUS accounting server with the status of each RADIUS user. The RADIUS period is specified in minutes.

To specify the RADIUS period

1. Access the AAA Command Mode on the LX. (See “Command Mode Descriptions” on page 1-5 for information about accessing the AAA Command Mode.)
2.
To set the RADIUS Local Subscriber Feature to only

Use the radius local subscriber only command:

Example:
    AAA:0 >>radius local subscriber only

Setting Up TACACS+

You can implement TACACS+ authentication and TACACS+ accounting at the server level and for specific interfaces and asynchronous ports on the LX unit. You must implement TACACS+ accounting and/or authentication at the server level before you can implement it on specific interfaces and asynchronous ports on the LX unit.
Installing and Configuring a TACACS+ Server on a Network-Based Host

Before you can configure TACACS+ on your LX unit, you must configure a TACACS+ server on your network. In general, TACACS+ server implementations are available on the Internet. These implementations generally use a daemon process that interacts with TACACS+ clients (located on LX units and on other remote access devices).
4. Use the tacacs+ primary authentication server secret command to specify the secret that will be shared between LX unit and the TACACS+ primary authentication server:

Example:
    AAA:0 >>tacacs+ primary authentication server secret Goitji

5. Use the tacacs+ primary authentication server port command to specify the socket your TACACS+ server is listening to.

Note: The LX listens to port 49 by default.

Example:
3. Use the tacacs+ primary authorization server address command to specify the IP address of the TACACS+ primary authorization server.

Example:
    AAA:0 >> tacacs+ primary authorization server address 149.19.87.89

4.
“TACACS+ Secondary Authentication Server Commands” on page 2-32
“Specifying the TACACS+ Period” on page 2-33

After you have specified the TACACS+ settings for the TACACS+ primary authentication server, you can configure the TACACS+ primary accounting server and the TACACS+ secondary authentication and accounting servers.

Table 2.
TACACS+ Local Subscriber Feature

Under either scenario, the subscriber must have a TACACS+ account on the TACACS+ server. If the subscriber account also exists on the LX unit, the subscriber is logged on under that account and with the attributes of that account. If the subscriber account does not exist on the LX unit, the subscriber is logged on under his TACACS+ account with the attributes of the default (InReach) account.
TACACS+ Command Examples

This section provides examples of all of the commands that are used to specify settings for the TACACS+ servers. See the “Configuration Commands” chapter of the LX Series Command Reference for detailed descriptions of the commands in this chapter.

TACACS+ Primary Authentication Server Commands

    AAA:0 >>tacacs+ primary authentication server address 182.36.98.
TACACS+ Secondary Authentication Server Commands

    AAA:0 >>tacacs+ secondary authentication server address 182.57.32.58
    AAA:0 >>tacacs+ secondary authentication server port 1842
    AAA:0 >>tacacs+ secondary authentication server retransmit 3
    AAA:0 >>tacacs+ secondary authentication server secret L3498reiu
    AAA:0 >>tacacs+ secondary authentication server timeout 7

TACACS+ Secondary Authorization Server Commands

    AAA:0 >>tacacs+ secondary authorization server address 182.57.32.
Specifying the TACACS+ Period

The TACACS+ period is the interval at which the LX unit will update the TACACS+ accounting server with the status of each TACACS+ user. This value is specified in minutes.

To specify the TACACS+ period

1. Access the AAA Command Mode on the LX. (See “Command Mode Descriptions” on page 1-5 for information about accessing the AAA Command Mode.)
2.
To configure RSA SecurID authentication

1. Install and configure the RSA SecurID server on a Network-based Host (see page 2-26).
2. Specify the RSA SecurID server settings on the LX (see page 2-26).

For more information about RSA SecurID authentication, go to the RSA SecurID website at http://www.rsasecurity.com/products/securid/index.html. You can also configure a SecurID Local Subscriber.
Installing and Configuring the RSA SecurID Server on a Network-based Host

If the RSA SecurID authentication version is “legacy”, you must specify a Master authentication server instead of a Primary authentication server.

4. Use the rsa securid authentication port command to specify the socket your RSA SecurID server is listening to. The LX listens to port 1812 by default.

Example
AAA:0 >>rsa securid authentication port 1687

5.
2-36 RSA SecurID Command Examples

This section provides examples of all of the commands that are used to specify settings for the RSA SecurID servers. See the “Configuration Commands” chapter of the LX-Series Commands Reference Guide for detailed descriptions of the commands in this chapter.

RSA SecurID Commands

AAA:0 >>rsa securid primary authentication server address 138.30.65.
2-37 RSA SecurID Command Examples

Table 2.3 describes each setting that you can specify for an RSA SecurID server.

Table 2.
2-38 RSA SecurID Local Subscriber Feature

Under the RSA SecurID Local Subscriber Feature, a subscriber can be logged on in one of two ways:

• As an LX subscriber with the attributes of that subscriber (if the LX subscriber account exists)
• Or, if the LX subscriber account does not exist, as the default (InReach) subscriber.

Under either scenario, the subscriber must have an RSA SecurID account on the RSA SecurID server.
2-39 RSA SecurID sdconf.rec File

The RSA SecurID known replica information displayed on the show rsa securid status screen is now saved through a reboot. After the initial contact, the replica information is saved automatically to flash. If power is lost or a reboot occurs and the primary is down, the replica is contacted instead.

The LX software supports the sdconf.
2-40 Setting Up KerberosV5

KerberosV5 is a computer network authentication protocol that allows users communicating between machines to securely prove their identity to one another and ensure data integrity. It is aimed at a client-server model in which both the user and the server verify each other's identity. For a detailed explanation of Kerberos, go to http://web.mit.edu/kerberos.
2-41 Setting Up KerberosV5

To add or remove a KerberosV5 Realm Name

Use the kerberosv5 realm name command to create a KerberosV5 realm. The name can be up to 31 characters long, and should be in uppercase letters. Removing the realm name deletes all servers in that realm.

Example
AAA:0 >>kerberosv5 realm name KrbV5Realm_REALM

Use the no kerberosv5 realm name command to delete a KerberosV5 realm. Removing the realm name deletes all servers in that realm.
2-42 Setting Up KerberosV5

Use the no kdc slave command to delete up to two KDC servers (specify an address OR a hostname):

Example
KrbV5Realm_REALM:0 >> no kdc slave 1

To retrieve the KerberosV5 Keytab

Note: Before configuring the KerberosV5 keytab, configure a username, password, and server as explained in “Configuring TCP/IP” on page 2-2.
2-43 Setting Up KerberosV5

To enable or disable accepting and sending of Forwardable Tickets

Use the kerberosv5 forward credentials enable command to enable the accepting and sending of forwardable tickets. This is so you do not have to enter your password multiple times when SSHing from the LX. This applies only to ssh/sshd/sftp sessions established from the LX outbound to another host with KerberosV5 enabled. The default is disabled.
2-44 KerberosV5 Local Subscriber Feature

To disable this command, enter authentication local enable.

KerberosV5 Local Subscriber Feature

Under the KerberosV5 Local Subscriber Feature, a subscriber can be logged on as either:

• An LX subscriber with the attributes of that subscriber (if the LX subscriber account exists), or
• The Default subscriber (if the LX subscriber account does not exist).

Under either scenario, the subscriber must have a KerberosV5 account on the KerberosV5 server.
2-45 KerberosV5 Local Subscriber Feature

Use the kerberosv5 local subscriber only command to enable KerberosV5 only on the local subscriber:

Example
AAA:0 >>kerberosv5 local subscriber only

If the KerberosV5 subscriber does not exist on the LX, the LX terminates the session.
2-46 KerberosV5 Local Subscriber Feature

To display KerberosV5 Status

Use the show kerberosv5 status command to display the KerberosV5 status:

Example
InReach:0 > show kerberosv5 status

The KerberosV5 Status screen appears.

Time: Mon, 09 Oct 2006 13:36:19 UTC
Kerberos V5 Status & Counters
Successful Logins: 0
Failed Logins: 0
Fallback Logins: 0

Figure 2.
2-47 Resetting the Unit to Factory Defaults

If you misconfigure the unit or believe that the configuration might have been corrupted, you can reset the unit to its factory defaults from an LX asynchronous port, from the LX DIAG port, or from a Web browser. See “Command Mode Descriptions” on page 1-5 for information about accessing Asynchronous Command Mode.
2-48 Syslog Overview

To reset the unit to factory defaults from a Web browser

1. Browse to the LX unit’s IP address.
2. Log in to the LX unit and bring up the console.

Note: After you select a default option, the LX displays a confirmation prompt to warn you that the unit will be rebooted. If you answer “yes” at the confirmation prompt, the LX unit will be defaulted and rebooted.

See “Booting from Defaults” on page 4-38 for more information about defaulting from ppciboot and defaulting from the CLI.
2-49 Assigning an Asset Tag

The assettag and no assettag commands allow you to assign a label (up to 32 characters, all printable characters are valid except spaces) to the unit, or to delete the label. This tag is typically used for system inventory purposes, to identify each LX on the network.

Syntax
Config:0 > assettag
Config:0 > no assettag

Example
Config:0 > assettag AST-001-001

The Asset Tag is displayed on the System Characteristics screen.
2-50 Assigning a Contact

The contact and no contact commands allow you to add a contact name string (e.g., a person or place) up to 32 characters long (all printable characters are valid), or to delete the contact.

Syntax
Config:0 > contact
Config:0 > no contact

Example
Config:0 > contact bill smith

The Contact is displayed on the System Characteristics screen. Use the show system characteristics command to display the System Characteristics screen.
3-1 CHAPTER 3 Setting Up Remote Console Management

Network Elements can be managed by using Telnet connections, or by using SSH connections, to the LX asynchronous ports on which the network elements are attached. This method of managing network elements is known as remote console management. This chapter describes how to set up remote console management on an LX unit.
3-2 Connecting the Console Port to the Network Element

Network elements can be connected to LX asynchronous ports by a modem or by a direct serial line. The LX asynchronous port connectors are female RJ-45 connectors. Use a crossover cable to connect a direct serial line from an LX console port to the serial management port on a network element. Use a straight-through cable to connect a console port to a modem.
3-3 Making Straight-through Cables

To make an MRV-supplied crossover cable into a straight-through cable

Lay the modular cable on a table or on some other flat surface.

Note: The modular cable should lie flat (no rolls or twists).

Crimp the RJ-45 connector in opposite directions at both ends as shown in Figure 3.1.

[Figure labels: Straight Through Cable; RJ-45 Connectors]

Figure 3.
3-4 Configuring Ports for Remote Console Management

This section describes how to configure LX asynchronous ports for remote console management.

Configuring Asynchronous Ports for Direct Serial Connections

The default settings for LX asynchronous ports will support direct serial connections to most Network Elements. However, when conditions warrant, you can explicitly set an asynchronous port to non-default values.
3-5 Explicitly Setting LX Asynchronous Port Characteristics

3. In Asynchronous Command Mode, enter the appropriate command to set the speed, parity, data bits, stop bits, flow control, or autohangup setting for the asynchronous port.

Table 3.1 lists the commands that you can use to set the port characteristics that pertain to remote console management of directly connected Network Elements. For the full syntax of each command listed in Table 3.1, see the LX Series Command Reference.

Table 3.
3-6 Explicitly Setting LX Asynchronous Port Characteristics

To set up a modem port for remote console management

1. 2. Execute the access remote command to set the port access to remote.

Example
Async5:0 >>access remote

3. Execute the modem enable command to enable modem control on the port.

Example
Async5:0 >>modem enable

4. Execute the flow control command to set the port flow control to CTS.

Example
Async5:0 >>flowcontrol cts

5. 6.
3-7 Configuring Modem Caller ID

8. In Modem Command Mode, execute the initstring command to specify the initialization string for the modem.

Example
Modem 5-5:0 >>initstring S0=1 V1 X4 E1 Q0=1 \J0 &K3

Note: The initialization string may vary between modem types.

9. In Modem Command Mode, execute the retry command to specify the Retry value for the modem.

Example
Modem 5-5:0 >> retry 6

10. In Modem Command Mode, execute the timeout command to specify the Timeout value for the modem.

Example
3-8 Configuring Modem Caller ID

To specify a caller id security number

Execute the caller id security number command:

Example
Modem41:0 >> caller id security number 1-508-555-1212

Enter no caller id security number to remove the security number.
3-9 Configuring Modems for the RAS Dial Feature

Modem Caller ID Troubleshooting Tips

If you are having trouble connecting, make sure that Caller ID is enabled on the line (contact your phone company). Connect to a remote port and then dial in from another location.
3-10 Setting Up Security for a Console Port

Note: The symbols in the initialization string may be different for your type of modem. See your modem manual for the correct symbols for your modem.

Step 8 (above) provides an example of an initstring command that configures a modem string to support the RAS Dial Feature.

Setting Up Security for a Console Port

See “Command Mode Descriptions” on page 1-5 for more information about accessing Asynchronous Command Mode.
3-11 Setting Up TACACS+ Authentication

To enable RADIUS authentication on a console port

See “Command Mode Descriptions” on page 1-5 for more information about accessing Asynchronous Command Mode.

1. Access the Asynchronous Command Mode for the asynchronous port to configure.
2. RADIUS authentication is disabled by default on console ports. Execute the following command:

Example
Async5:0 >>authentication outbound radius enable

Note: If RADIUS authentication is enabled, you may want
3-12 Setting Up RSA SecurID Authentication

See “Command Mode Descriptions” on page 1-5 for more information about accessing Asynchronous Command Mode.

Under RSA SecurID authentication, a username/password combination is validated against the RSA SecurID user and client database. The RSA SecurID security database is stored on the RSA SecurID server for the LX unit.

Note: PPP CHAP is not supported with RSA SecurID authentication.
3-13 Verifying Serial Port Connections

The LX unit will make three attempts to log in the user by using LDAP, RADIUS, TACACS+, or RSA SecurID before it implements Fallback. After the third attempt at logging in by using the configured authentication method (RADIUS, TACACS+, or RSA SecurID), the username/password combination will be validated against the LOCAL security database for the LX unit. LDAP, RADIUS, TACACS+, or RSA SecurID must be enabled on a port in order for Fallback to function on the port.
3-14 Verifying Serial Port Connections

To validate cable configurations:

Execute the following command to test the connection:

Example
InReach:0 >>test port async [width ] [lines ] [loopback]

There are several ways to execute the command:

1. Test the port async port:

Example
InReach:0 >>test port async 4

This option generates 23 lines of 80 characters each of a printable sequence of ASCII characters to be sent to the destination port. The general rules are:

2.
3-15 Verifying Serial Port Connections

This option generates 15 lines of 50 characters each of a printable sequence of ASCII characters to be sent to the destination port. You can enter values from 0-65535. The default is 23. If you enter 0, the test port runs continuously until you enter CTRL-C. An end of test message is displayed.

Note: You must use the “width” parameter in the same command if you want to use the “lines” parameter.

4.
3-16 Verifying Serial Port Connections

When you enter any of these commands, the test port output is displayed automatically. A sample screen follows:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
$%&'()*+,-.
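The pattern in the sample screen can be regenerated and compared with what a terminal at the far end of the cable actually captured, which turns the visual check into a repeatable one. The Python below is an added example, not MRV code: the wrap from '~' back to space and the report fields are assumptions, the captures are constructed, and note that the first pattern line begins with a space character.

```python
"""Rebuild the `test port async` pattern and check a captured copy against it."""

FIRST, LAST = 0x20, 0x7E           # printable ASCII: space through '~'
SPAN = LAST - FIRST + 1            # 95 characters


def expected_lines(width=80, lines=23):
    """Line n starts one character later than line n-1, as in the sample
    screen (line 1 runs from space to 'o', line 2 from '!' to 'p').
    Assumption: after '~' the sequence wraps back to space."""
    return [bytes(FIRST + (n + i) % SPAN for i in range(width))
            for n in range(lines)]


def check_capture(captured, width=80, lines=23):
    """Compare bytes captured at the far end with the expected pattern."""
    # Line terminators may arrive with the parity bit set; restore them so the
    # capture still splits into lines (0x8A and 0x8D never occur in the pattern).
    data = captured.replace(b"\x8d", b"\r").replace(b"\x8a", b"\n")
    got = [ln.rstrip(b"\r") for ln in data.split(b"\n")]
    while got and not got[-1]:
        got.pop()
    want = expected_lines(width, lines)
    length_errors, mismatches = [], []
    for no, (w, g) in enumerate(zip(want, got), start=1):
        if len(g) != len(w):
            length_errors.append((no, len(w), len(g)))
        for col, (wb, gb) in enumerate(zip(w, g), start=1):
            if wb != gb:
                mismatches.append((no, col, wb, gb))
    return {
        "missing_lines": max(0, len(want) - len(got)),
        # (line, expected length, received length): lost or extra characters,
        # which usually points at flow control or speed.
        "length_errors": length_errors,
        "mismatches": mismatches,
        # True when every wrong byte differs only in bit 7: the typical sign
        # of a parity / data-bits mismatch between the two ends.
        "high_bit_only": bool(mismatches)
        and all((wb ^ gb) == 0x80 for _, _, wb, gb in mismatches),
        "ok": len(got) == len(want) and not length_errors and not mismatches,
    }


def even_parity(data):
    """Constructed fault: a 7-bit/even-parity sender read as 8-bit/no parity."""
    return bytes(b | 0x80 if bin(b).count("1") % 2 else b for b in data)


def constructed_captures():
    """Three constructed captures: clean, parity-damaged, characters dropped."""
    clean = b"\r\n".join(expected_lines()) + b"\r\n"
    rows = expected_lines()
    rows[2] = rows[2][:10] + rows[2][15:]       # five characters lost on line 3
    dropped = b"\r\n".join(rows) + b"\r\n"
    return {"clean": clean, "parity": even_parity(clean), "dropped": dropped}


if __name__ == "__main__":
    for name, capture in constructed_captures().items():
        report = check_capture(capture)
        print(f"{name:8s} ok={report['ok']} "
              f"length_errors={report['length_errors']} "
              f"mismatches={len(report['mismatches'])} "
              f"high_bit_only={report['high_bit_only']}")
```

Pass the same width and lines values to check_capture that were given on the test port command.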
3-17 Creating Subscribers for Remote Console Management

Note: The administrator must configure the first password for a new subscriber in order for that subscriber account to be active.

In order for a subscriber to do remote console management, he/she must have specific access rights. If RADIUS is the outbound authentication method, configure a Service-type of OutboundUser for the subscriber on the RADIUS server.
3-18 Specifying Access Methods

6. To create a login password for the subscriber, execute the password command:

Example
Subs_mark:0 >>password

The following prompts are displayed:

Enter your NEW password :
Re-enter your NEW password :

7. Enter the new password at the Enter prompt, and re-enter it at the Re-enter prompt.

Note: This is the password that the subscriber is required to enter when the user logs on to a console port.
3-19 Connect Port Escape Character

You can configure an escape character in the local subscriber database. The default value is ^Z.

To configure an escape character

Change the escape sequence:

Example
Subs_Tom:0 >>connect escape ^

where is a character from A-Z.
3-20 Connect Port Escape Character

To display the Subscriber Characteristics Screen

Use the following command syntax:

show subscriber characteristic

The Connect Escape Char field displays the escape character.

Figure 3.
4-1 CHAPTER 4 System Administration

This chapter describes backup and recovery, applying default configurations to other units, how to use the Main menu and Configuration menu, booting from defaults, how to upgrade the software, and some basic maintenance functions.
4-2 Backup and Recovery

This section explains how to save, edit, and load the configuration file.

Saving the Configuration File

The configuration file (Config.prm) is saved in a format that is readable in WordPad and the vi editor in UNIX. Because anyone can easily modify it, the file is signed with a digest using the SHA-1 hashing algorithm.
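Because the saved configuration is a .zip archive kept on a host outside the unit, an operator can also record an independent baseline of each backup and flag any later change before the archive is loaded again. The Python below is an added example, not part of the LX software: it does not reproduce the unit's own SHA-1 digest (this page does not describe its format), it uses SHA-256 for the baseline, the size limit is an assumption, and the archive contents are constructed placeholders.

```python
"""Baseline check for saved LX configuration archives (.zip with Config.prm)."""
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 4 * 1024 * 1024      # assumption: configuration files are small


def archive_digests(zip_bytes):
    """Return {member name: SHA-256 hex digest} for a configuration archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Refuse member names that would land outside the extraction directory.
            if name.startswith(("/", "\\")) or ".." in parts:
                raise ValueError(f"unsafe member name: {name!r}")
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"member too large: {name!r}")
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_to_baseline(baseline, current):
    """Return {member name: 'added' | 'removed' | 'modified'}; empty if identical."""
    changes = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes[name] = "removed"
        elif name not in baseline:
            changes[name] = "added"
        elif baseline[name] != current[name]:
            changes[name] = "modified"
    return changes


def build_archive(members):
    """Constructed sample archive. The Config.prm text used below is a
    placeholder, not the real file format."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    saved = build_archive({"Config.prm": b"constructed placeholder v1\n"})
    baseline = archive_digests(saved)          # record this when the backup is taken

    later = build_archive({"Config.prm": b"constructed placeholder v2\n",
                           "extra.txt": b"constructed\n"})
    for name, change in compare_to_baseline(baseline, archive_digests(later)).items():
        print(f"{change:9s} {name}")
```

Store the baseline somewhere other than the TFTP/SFTP server that holds the archive, so that a change to the archive cannot also rewrite the record it is checked against.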
4-3 Saving the Configuration to the Network

Note: The .zip file can be accessed by either WinZip or UNIX Unzip.

The TFTP/SFTP protocol is used to save the LX configuration to a network host. Consequently, if you are saving to a UNIX host, a configuration file must already exist on the TFTP/SFTP server. Use the touch command to create the configuration file as a .zip file. Windows-based workstations will automatically create the .
4-4 Editing the Files in Windows

2. 3. 4. 5. 6. The filenames within the .zip file are displayed as they are extracted, including the Config.prm file. If you have configured menus, the Menu file also appears.

Open the Config.prm file with any text editor (such as vi or emacs).

Select and copy the section of the Config.
4-5 Editing the Files in Windows

• PPP configurations
• Broadcast Groups
• Interface configurations
• LDAP, RADIUS, RSA SecurID, or TACACS+ configurations
• Specific Async Port configurations

4. If you are adding a new user to the Config.prm file, copy an existing user, paste it into the section directly below the last user, and make the necessary modifications to the copy.
5. Follow the same steps for any other changes you make to the Config.prm file.

To recreate the .
4-6 Editing the Files in Windows

Note: You must define an LX address in the ppciboot menu before loading a saved configuration from a TFTP/SFTP server. See “Changing the Unit IP Address” on page 4-28.

2. 3. After the LX has reloaded, check the System Load Status screen to make sure that the LX loaded from the proper place.

Example
4-7 Loading the Configuration from Network

You can load a configuration .zip file that was previously saved to the network into flash on the LX. From this point forward, the LX boots from the saved configuration in flash.

To load the configuration from network

1.
4-8 Applying Default Configurations to Other Units

4. If you enter y, the LX reboots, loading the new configuration from flash upon reboot. If you enter n, the command ends and returns to the prompt. The new configuration is now written in flash, and upon the next reboot loads the new configuration.

Applying Default Configurations to Other Units

This section explains how to create a default configuration file with which you can load multiple units.
4-9 Configuring SFTP

Secure File Transfer Protocol (SFTP) allows you to securely update images and load/save configuration files.

To configure the File Transfer Protocol

Use this command to configure the file transfer protocol to either TFTP or SFTP.

Syntax
Config:0 >>file transfer protocol

Example
Config:0 >>file transfer protocol sftp

To configure an SFTP Server IPv4 Address

Use this command to configure the SFTP server IPv4 address.
4-10 Configuring SFTP

Example
Config:0 >>sftp password ottos_secret

To generate an SFTP Public/Private Key

This command lets you avoid entering a password every time you log in. You can use one password for all the units in your network, but you can use that password only from the station where you configured the key. The key identifies a unit on the network to all its available clients.
4-11 Configuring SFTP

2. Enter a new passphrase (this will not appear on the screen). The following message appears:

Enter the same passphrase again:

3. Enter your passphrase again. The following message appears:

Your identification has been saved in config/sftp_identity.

The File Transfer Protocol Type is displayed on the System Load Characteristics screen. Use the show system load characteristics command to display the System Load Characteristics screen.
4-12 Configuring Telnet Server

You can enable telnet server and configure telnet server to send urgent data.

To enable telnet server

Use the telnet server enable command in the Configuration Command Mode to configure the LX unit to accept inbound Telnet connections. The default is enable. For example:

Example
Config:0 >> telnet server enable

Enter no telnet server to disable telnet server. The status of the Telnet Server is displayed in Figure 4.6, “System Summary Screen”.
4-13 Scripting On External Units

The LX unit supports Expect scripting. Expect is a common, simple, command-line scripting language. You can use it to write simple scripts to automate interactive applications. For example, you can write an Expect script that can automatically log you in, modify the IP configuration, set up the configuration for any port, make the LX unit dial out, and establish a PPP configuration to a remote site.
4-14 Upgrading Software and ppciboot using the Command-Line Interface

Before you upgrade the software or ppciboot, a check is performed in Superuser mode to ensure that adequate space is available to update the software (8 MB) or ppciboot (1 MB).

Note: The default filename for the software is linuxito.img. The ppciboot filename is ppciboot.img.

Note: The ppciboot.img.sign and linuxito.img.
4-15 Upgrading Software and ppciboot using the Command-Line Interface

By default, the software stores in memory the IP address of the TFTP/SFTP server from which it has booted.

If your file transfer protocol is TFTP, the “TFTP Download complete, verifying file integrity” message appears. If your file transfer protocol is SFTP, the “SFTP Download complete, verifying file integrity” message appears.

2. The loaded file is checked for integrity.
4-16 ppciboot Factory Default Settings

Note: You can load a default configuration file from a TFTP/SFTP server while the unit is at its default setting.

ppciboot Factory Default Settings

The following table lists the factory default settings.

Table 4.
4-17 Upgrading Software with the ppciboot Main Menu

This section explains how to use the ppciboot Main menu to set up the boot configuration. Use it as a reference for how to use specific menu entries. You can access the ppciboot commands through the DIAG port (port 0), the graphic user interface (GUI), or in the Configuration Command Mode of the CLI. When you set ppciboot parameters, the software is not loaded on the unit yet.
4-18 Booting from the Network

Main Menu
[1] Boot from network: Network, Flash
Image currently in flash:
[f] Save software image to flash when boot from network:no
[2] Time Out, in seconds (0=disabled): 8
[3] IP Configuration Menu
[4] Update ppciboot Firmware
[5] Ethernet Network Link Auto
[6] Change ppciboot Password
[7] FIPS 140-2 Security: no
[8] EM316LX Configuration
[9] ppciboot image name: ppciboot.img
[0] software image name: linuxito.
4-19 Saving the Image to Flash When Booting from the Network

Choose this option to load from...    If unsuccessful...
Network, Flash                        Automatically attempts to load from Flash
Flash, Network                        Automatically attempts to load from the Network

2. Press B to boot the system. Do this only after you have made all configuration changes to the LX and saved the configuration.

Note: MRV recommends that you leave Boot from network flash on if you are booting from the network.
4-20 Setting the Timeout in Seconds

The Time Out, in seconds option lets you set the amount of time the system waits for you to press Boot before booting automatically.

Note: The default timeout is 8 seconds.

To set the timeout

1. Press the number 2 (Time Out, in seconds).
2. An Enter Time Out prompt appears.
3. Add a time, in seconds, and then press .

Note: If you enter 0 you will disable the timeout.
4-21 Setting the Speed and Duplex Mode of the Ethernet Network Link

3. Press B to boot the system.

Setting the Speed and Duplex Mode of the Ethernet Network Link

The Ethernet Network Link option lets you set the speed and duplex mode of the Ethernet Network Link.

To set the speed or duplex mode of your Ethernet Network Link

1. 2. Press number 5 (Ethernet Network Link) repeatedly to toggle between the following speed/duplex options (the default is Auto):

Set to...    for...
4-22 Changing the ppciboot Password

IMPORTANT! If you change the ppciboot password, be sure to write it down. If you do not remember your password, or the password is lost, you must return the unit to MRV to be defaulted. Defaulting the unit yourself will not clear the ppciboot password - you must return the unit to MRV. In FIPS Mode the password must be at least six characters long.

The Change ppciboot Password option lets you change the ppciboot password for the unit.
4-23 EM316LX Configuration Menu

To enable or disable FIPS security

1. Press the number 7 (FIPS 140-2 Security). The following prompt appears:

Enabling FIPS security will reset run-time configuration to defaults. Are you sure? (y/n):

2. If you select y (this defaults the flash immediately), a Resetting Linux Configuration message appears, and the Main Menu reappears after a few seconds.
3. If you select n, the Main Menu reappears immediately.
4-24 Entering a Software Image Name

To enter a ppciboot image name

1. Press the number 9 (ppciboot image name). The Enter ppciboot image name prompt appears.
2. Enter the ppciboot image name (the file must exist on your TFTP/SFTP server):

ppciboot.370

3. The image name can contain a path as well as a file name (/tmp/ppciboot.370).
4. Press S to save your configuration.

The next time a ppciboot image is loaded over the network, the LX requests the assigned filename from the TFTP/SFTP server.
4-25 Resetting System Defaults

The Reset to System Defaults option lets you reset the unit to system defaults.

To reset to the system defaults

1. Press the asterisk (*) (Reset to System Defaults). You are prompted for the password, which is access. The following options appear:

[1] Reset ppciboot Configuration
[2] Reset Linux System Configuration
[3] Reset PPCiBoot and Linux configurations
Warning: Options 1 and 3 will cause system reset in the end!!

2. 3. Select 1, 2, or 3.
4-26 Booting the System

The Boot System option lets you boot the system. Be sure to save the configuration and choose a boot method before you boot the system.

Press B to boot the system.

Note: Do this only after you finish configuring all necessary ppciboot options and save the configuration.

Using the IP Configuration Menu

The IP Configuration Menu option lets you change addresses and settings if you do not want to accept the defaults.

To configure the IP settings

1. 2.
4-27 Using the IP Configuration Menu

Welcome to LX ppciboot Version x.x
IP Configuration Menu
[1] IP Assignment method #1: DHCP
[2] IP Assignment method #2: BOOTP
[3] IP Assignment method #3: RARP
[4] IP Assignment method #4: User Defined
[5] Unit IP Address:
[6] Network mask:
[7] Gateway:
[8] TFTP Server IP Address:
[S] Save Configuration
[R] Return to Main menu
Make a choice:

Figure 4.
4-28 Choosing an IP Assignment Method

The IP Assignment Method option lets you set the method by which to assign IPs.

To configure an IP Assignment method

1. Press 1, 2, 3, or 4 to see the options for IP Assignment method #1-4.
2. Select the IP Assignment method to change, and toggle the options (DHCP, BOOTP, RARP, User Defined, and None) by repeatedly pressing the option number.
3.
4-29 Changing the Network Mask

The Network Mask option lets you change the Network Mask (this applies only to the user-defined IP method).

To change a Network Mask

1. Press the number 6 (Network Mask). A Network Mask prompt displays.
2. Type the new network mask and press .
3. If you are finished configuring the IP settings, press S to save the configuration. The IP Configuration menu redisplays.
4. Press R to return to the Main Menu.
4-30 Changing the TFTP Server IP Address

The TFTP Server IP Address option lets you change the TFTP Server IP address (the address from where you load the boot image). This applies only to the user-defined IP method.

To change the TFTP Server IP address

1. Press the number 8 (TFTP Server IP address). A TFTP Server IP address prompt appears.
2. Type the new TFTP Server IP address and press .
3.
4.
4-31 Using EM316LX Configuration Menu

The EM316LX Configuration Menu option lets you control and configure module settings.

To configure the EM316LX settings

1. At the Main Menu, enter 9 to open the EM316LX Configuration Setup menu:

[0] Module Restart: yes
[1] Management Enable: yes
[2] External I2C Bus Enable yes
[S] Save New Configuration
[R] Return to Main menu
Make a choice:

2. Choose the number of the field to change.
4-32 Disabling the External I2C Bus

To enable the management port

1. Press the number 1 (Management Enable) to enable management. Pressing 1 toggles between Management enabled and Management disabled, shown on the EM316LX Configuration Menu as yes or no.
2. Press S to save the configuration. The EM316LX Configuration menu reappears.
3. Press R to return to the Main Menu.
4-33 Configuring Image Names

These commands allow you to configure and default ppciboot and software image names, or update software and ppciboot using the configured image names. If you have several LX units and want to load different images on different units, you can rename image names so the same image is not loaded on all units by default. Therefore, you must configure ppciboot image names and software image names before you can use them to update an LX unit.
4-34 Updating the Software Image Name

To default the software image name

Use the following command to default the configurable software image name to linuxito.img.

Syntax
Config:0>>default image software name

Updating the Software Image Name

There are several paths by which you can update the software image name. The name can consist of any printable character (other than a space). The name can be 1 to 32 characters long.
4-35 Updating the ppciboot via a specific image name

To update the software using the software image name and host IP address

Use the following command syntax to update the software by using an explicit software image name and host IP address:

Syntax
InReach:0>>update software image name

Example
InReach:0>>update software 111.222.33.44 image name linux370.
4-36 Updating the ppciboot via a specific image name

Note: A Host TFTP/SFTP server must be configured for this update to work.

Example
InReach:0>>update ppciboot image name ppciboot.370

To update ppciboot via the ppciboot image name and host name

Use the following command syntax to update the ppciboot using the ppciboot image name and by supplying a host name.

Syntax
InReach:0>>update ppciboot image name

Example
InReach:0>>update ppciboot timshost image name ppciboot.
4-37 Updating the ppciboot via a specific image name

Example
InReach:0>>update ppciboot ipv6 2001:123:lf00:1266:220:ebff:feba:3cbd image name ppciboot.50

The software image name and the ppciboot image name are displayed in the System Ppciboot screen. Use the show system ppciboot command to display the System Ppciboot Screen.

Figure 4.
4-38 Booting from Defaults

When you boot a unit from defaults, it can take up to four minutes because the system must regenerate the SSH keys. The SSH keys are saved into the flash. You can default the configuration from either the:

• Main Menu
• Command-Line Interface (CLI)

The effect differs depending on where you default the configuration from.

Defaulting from the Main Menu

When you default from the Main Menu the entire configuration, including the SSH keys, is erased.
4-39 Defaulting from CLI

When you default from the CLI, only the configuration (Config.prm) is erased. The SSH keys are preserved.

To default from the CLI

Enter the default configuration command in Configuration command mode.

Acquiring the IP Configuration

The LX software gets its IP configuration from ppciboot or from the configuration. If the configuration is not loaded yet, the LX unit uses the IP configuration from ppciboot.
4-40 ppciboot/linuxito Downgrade

This feature allows you to downgrade to previous versions of ppciboot/linuxito. This feature makes downgrading easier for sites that need to run a particular version. Downgrading to versions earlier than 3.6.0 is not supported.

IMPORTANT Please read the following bulleted list before moving on to the Downgrading ppciboot/linuxito procedure. There are several issues to keep in mind while downgrading ppciboot/linuxito.
Downgrading ppciboot/linuxito 4-41
1. Save your configuration to a network tftp server (see "Saving the Configuration to the Network" earlier in this chapter).
2. Put the appropriate matching ppciboot/linuxito on your tftp server as filenames ppciboot.img and linuxito.img.
3. To default the configuration, enter: InReach:0>>config default config This reboots the LX.
4. Connect a terminal using a console port cable to the DIAG port (port 0) and press one or two times.
4-42 Downgrading ppciboot/linuxito 12. Type "r" to return to the main menu screen and make sure the Boot from network field (1) is set to "Network, Flash". 13. Type "f" to save the software image to flash, then "b" to boot the LX. This causes the LX to load the image from the tftp server and (this time only) write it into flash in the proper location for this version. 14.
System and Status Screens 4-43 System and Status Screens Other system characteristics screens and system status screens display important system information. Use the show system summary command to display the System Summary screen. An example of this screen follows: Time: Fingerd: NTP: SSH: Web Server: Disabled Enabled Enabled Enabled Rlogin Client: Telnet Client: Disabled Enabled LPD: SNMP: Timed: Thu, 01 Mar 2007 10:32:13 UTC Enabled Disabled Disabled Telnet Server: Enabled Figure 4.
4-44 System and Status Screens Use the show system ip status command to display the System IP Status screen. An example of this screen follows:
Time: Tue, 13 Feb 2007 10:25:58 US/EASTERN
Active System Gateway: 120.159.169.1
Primary DNS: 120.159.128.17
Secondary DNS: 120.159.176.254
Figure 4.
PART 2 Configuring the LX Series Unit
Setting Up the Notification Feature 5-1 CHAPTER 5 Setting Up the Notification Feature The Notification Feature is used to send syslog messages of LX system events to pagers, email addresses, cell phones, SNMP trap clients, outbound asynchronous ports, and local or remote syslogd files.
5-2 Overview of the Notification Feature Overview of the Notification Feature The Notification Feature uses the syslog daemon (syslogd) to generate event messages. Event Messages can be generated for events that occur in any of the Linux facilities listed in Table 5.1. Table 5.1 Sources of Event Messages Facility all authpriv daemon kern local0—local7 syslog user Description All system syslog messages Superuser authentication process A system daemon, such as in.
Configuring the Notification Feature 5-3 Configuring the Notification Feature In order to use the Notification Feature, you must create a Service Profile and a User Profile. Create a Service Profile—A Service Profile defines a method for sending event messages to a destination. This method is a protocol (such as SMTP) or an on-board feature (such as outbound asynchronous ports).
5-4 Creating Service Profiles You can create more than one Service Profile for each method of sending event messages. For example, you can create several Service Profiles of the TAP type, each specifying a different Short Message Service Center (SMSC). The LX unit supports a maximum of 20 Service Profiles.
Creating Service Profiles 5-5 X To create a Service Profile See “Command Mode Descriptions” on page 1-5 for information about accessing Notification Command Mode.
1. Access the Notification Command Mode.
2. Use the profile service command to create a Service Profile. For example, the following command creates a Service Profile called Messagedirect: Notification:0 >>profile service messagedirect When you execute the profile service command, the CLI enters the Service Profile command mode.
5-6 Creating Service Profiles X To configure a LOCALSYSLOG service profile
1. Execute the profile service command. The CLI enters the Service Profile command mode.
2. Then execute the following command in Service Profile command mode to configure a Service Profile as LOCALSYSLOG: Example Noti_Serv_Protocol:0 >>localsyslog The CLI enters the LOCALSYSLOG Protocol command mode.
Creating Service Profiles 5-7 3. Example Execute the server command to specify the SNPP server to which notifyd will send the log messages. (The pager messages will be forwarded to the user by the service provider’s server.) The service provider’s server can be specified as an IP Address or as any symbolic name that can be resolved by DNS. Noti_Serv_SNPP:0 >>server 118.28.118.34 L If you specify a symbolic name (for example, snpp.Skytel.
5-8 Creating Service Profiles 3. Example Use the smsc command to specify the provider SMSC that will be used to send the event messages to the pager. Noti_Serv_TAP:0 >>smsc 18668230501 4. Example Use the parity command to specify the bit parity setting for the Service Profile. Noti_Serv_TAP:0 >>parity even 5. Example Use the bits command to specify the bits-per-byte setting for the Service Profile. Noti_Serv_TAP:0 >>bits 7 6.
Creating Service Profiles 5-9 External Modem Settings For an internal modem, the default configuration is usually sufficient to support a TAP Service Profile. However, the following guidelines are recommended for external modems: All External Modems: S0=1 Autoanswer on one ring. V1 Displays result codes as words. The modem code looks for word responses, not numbered responses. X4 Extended result codes. The modem code looks for word responses that the extended result codes provide.
5-10 Creating Service Profiles US Robotics Courier V. Everything modem: • The port needs CTS flow control. • The port speed should be set to a speed that the modem supports. • The initstring should be ^MAT S0=1 V1 X4 &K0 &B1^M where: S0=1 Autoanswer on one ring. V1 Displays result codes as words. X4 Extended result codes. &K0 No data compression. &B1 Makes the modem use the speed of the LX port.
Creating Service Profiles 5-11 3. Example In ASYNC Protocol command mode, execute the port command to specify the asynchronous port(s) to which event messages will be sent: Noti_Serv_Async:0 >>port 2 3 4 5 You can create User Profiles to filter, by facility and priority, the event messages that will be sent to the asynchronous ports. For more information, see “To create a user profile” on page 5-14.
5-12 Creating Service Profiles 7. Example Optionally, the SYSLOG Notification Source Interface allows you to configure which configured interface’s IPv4 source address to report when contacting the target server. In each case, this value defaults to interface 1. To use this feature, return to the Configuration Mode and use the log source interface command to specify the source address the LX sends when contacting the SYSLOG Notification server.
Creating Service Profiles 5-13 L If you specify a symbolic name (such as mrv.com) as the SMTP server, the LX first tries to resolve the name in its local service table. If there is no matching name, then the LX must have a primary DNS server and a domain name suffix configured for the LX unit. See the dns primary command in the LX-Series Commands Reference Guide for more information on configuring a DNS server for the LX unit.
5-14 Overview of User Profiles Overview of User Profiles A User Profile filters event messages by the type (facility) and severity level (priority) of the event message. A User Profile also specifies the destinations (for example, addresses and telephone numbers) for event notification processes that send event messages by email, cell phones, and pagers. The LX unit supports a maximum of 20 User Profiles. X To create a user profile 1. 2.
Overview of User Profiles 5-15 The contact field specifies the destination (such as pager or cell phone) for User Profiles that are created for Service Profiles of the SNPP, SMTP, or TAP type. The allowable values for this field are the following: Value Pager Pin Number For user profiles based on Service Profiles of the SNPP type Email Address Service Profiles of the SMTP type Pager Number or Service Profiles of the TAP Telephone Number type 5. Example Example 8875551212 jsmith@mrv.
5-16 User Profile Name Restrictions User Profile Name Restrictions The following characters cannot be included in a User Profile name that will be associated with a Service Profile of the SMTP, TAP, or SNPP type: ( ) { } , . ; : @ All text strings are case-insensitive.
Configuration Examples 5-17 Figure 5.2 shows an example of the User Profile Screen.
UserProfile: messages ServiceProfile: messages Contact: Facility: all Priority: notice
UserProfile: debug ServiceProfile: debug Contact: Facility: all Priority: debug
UserProfile: grogers ServiceProfile: N/A Contact: Facility: kern Priority: emerg
UserProfile: jacklocal ServiceProfile: jacklocal Contact: Facility: user Priority: warning
Figure 5.
5-18 syslogd Message Configuration Example syslogd Message Configuration Example There are no prerequisites for this task. This example shows how to change the text field, facility, and priority of a configurable syslogd message. X To access the Notification command mode 1. Execute the following commands: Example
Login: InReach
Password: access
InReach:0>enable
Password>> system
InReach:0 >>config
Config:0 >>notification
Notification:0 >>
2.
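One way to model the facility and priority filtering that User Profiles perform, using the four profiles from the Figure 5.2 sample screen. This is an added example, not code from the guide or from MRV: the numeric codes are the standard syslog ones, the log lines are constructed, and treating a profile's priority as a minimum-severity threshold (the syslog.conf convention) is an assumption the guide does not state.

```python
import re

# Facilities named in Table 5.1, with their standard syslog numeric codes.
FACILITY_CODES = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5, "authpriv": 10}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
CODE_TO_FACILITY = {code: name for name, code in FACILITY_CODES.items()}

# Standard syslog priorities, most severe first; the list index is the code.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# (user profile, facility, priority) as shown in the Figure 5.2 sample screen.
PROFILES = [
    ("messages", "all", "notice"),
    ("debug", "all", "debug"),
    ("grogers", "kern", "emerg"),
    ("jacklocal", "user", "warning"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode(line):
    """Split a raw syslog line into (facility, priority, text)."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("line has no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError(f"PRI {pri} is out of range")
    code, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    # Facilities outside Table 5.1 keep a numeric label; only "all" matches them.
    facility = CODE_TO_FACILITY.get(code, f"facility{code}")
    return facility, PRIORITIES[severity], match.group(2).strip()


def matching_profiles(line, profiles=PROFILES):
    """Return the names of the User Profiles that would receive this message."""
    facility, priority, _ = decode(line)
    rank = PRIORITIES.index(priority)
    hits = []
    for name, wanted_facility, threshold in profiles:
        if wanted_facility not in ("all", facility):
            continue
        # Assumption: a profile receives its priority and anything more severe.
        if rank <= PRIORITIES.index(threshold):
            hits.append(name)
    return hits


# Constructed sample messages (not captured from an LX unit).
SAMPLE_LINES = [
    "<0>kernel: watchdog timeout",       # kern.emerg
    "<12>app: disk quota at 90%",        # user.warning
    "<30>ntpd: synchronized",            # daemon.info
    "<85>su: session opened for root",   # authpriv.notice
]


def route(lines):
    """Map each message to the list of profiles that match it."""
    return {line: matching_profiles(line) for line in lines}


if __name__ == "__main__":
    for line, names in route(SAMPLE_LINES).items():
        print(f"{line!r:45} -> {', '.join(names) or 'no profile'}")
```

Only the debug profile sees the daemon.info message, and a kern.warning message would not reach grogers, whose threshold is emerg.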
Localsyslog Example 5-19 Localsyslog Example The following commands are used to configure the logging of events to the local syslog. In the following example, the locallog home directory is /var/log/Build5.
5-20 SNPP Example In order to resolve the provider’s address, DNS must be configured on the LX unit. Create an empty log file as follows:
#touch /tftpboot/log/user.warning.log
#chmod 777 /tftpboot/log/user.warning.log
Restart the syslog daemon, using the following commands, to make the changes to syslog.conf take effect.
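The chmod 777 step on this page leaves the log file world-writable, so any local account on the syslog host can alter or truncate the LX records. The following added example (not from the guide; the function names are hypothetical) audits such a file and its directory and recreates the file with mode 640, assuming syslogd runs as root and so does not need the wider mode.

```python
import os
import stat


def audit_log_file(path):
    """Return permission findings for a syslog output file and its directory."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append("file is world-writable: records can be altered or truncated")
    if mode & stat.S_IWGRP:
        findings.append("file is group-writable")
    if mode & stat.S_IROTH:
        findings.append("file is world-readable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set on a data file")

    # A world-writable directory without the sticky bit lets any account
    # rename or replace the log file even when the file itself is locked down.
    parent = os.path.dirname(os.path.abspath(path))
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append("directory is world-writable without the sticky bit: "
                        "the file can be renamed or replaced")
    return findings


def create_log_file(path, mode=0o640):
    """Create the log file if missing (like touch) and set a restrictive mode."""
    # O_APPEND keeps existing records; fchmod makes the result umask-independent.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    import sys

    # Path from the guide's example is the default; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/tftpboot/log/user.warning.log"
    for finding in audit_log_file(target):
        print(f"{target}: {finding}")
```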
Email Example 5-21 Email Example The following commands configure the logging of events to an email address: Example You may need to configure the LX with a Domain suffix, a DNS server address, and a primary gateway address. Notification:0 >>profile service youremail Noti_Serv_Protocol:0 >>smtp Noti_Serv_SMTP:0 >>server 10.10.10.
5-22 TAP Example TAP Example The following sequence of commands could be used to configure the logging of events via a wireless provider such as Verizon, Sprint, or AT&T: Example
Notification:0 >>profile service verizon
Noti_Serv_Protocol:0 >>tap
Noti_Serv_TAP:0 >>smsc 18668230501(provider’s service phone #)
Noti_Serv_TAP:0 >>bits 7
Noti_Serv_TAP:0 >>stopbit 1
Noti_Serv_TAP:0 >>parity even
Noti_Serv_TAP:0 >>modem port 6
Noti_Serv_TAP:0 >>exit
Notification:0 >>profile user jmscell
Noti_User_Service:0 >>us
SNMP Example 5-23 MRV Communications is not responsible for these SMSC phone numbers and can’t guarantee their service. Contact your provider for a local number. Table 5.3, “Wireless SMSC Phone Numbers” is provided for your convenience. Table 5.3 Wireless SMSC Phone Numbers Carrier SMSC Number AT&T 7, 1, e Not Available Email Address SMSC Phone#@ @mobile.att.net Cingular 7, 1, e 800-909-4602 @Cingular.com Nextel 7, 1, e 801-301-6683 @messaging.nextel.com Sprint 7, 1, e 888-656-1727 @sprintpcs.
5-24 SSHD and DNS SSHD and DNS SSHD uses DNS to resolve the IP address of an incoming connection. In the previous release this feature was enabled by default. It is now disabled by default in the 4.0 release. If you have already saved your LX configuration, the new defaults will not be used, and must be set up manually. To configure SSHD to just use the IP address, rather than the resolved DNS name, enter the shell and edit the /config/sshd_config file using "vi".
Configuring IP Interfaces 6-1 CHAPTER 6 Configuring IP Interfaces An IP interface is a logical interface for accessing the LX unit from a network. The maximum number of IP interfaces on an LX unit is the number of serial ports on the LX unit, plus 2. For example, the maximum number of IP interfaces on an 8-port unit is 11 or 12 (if the unit has a modem port); the maximum number of IP interfaces on a 16-port unit is 20, and so on.
6-2 Configuring IP Interfaces For example, you could have an LX unit with an IP address of 117.19.23.5, a Broadcast address of 117.255.255.255, and the subnet mask of 255.0.0.0 in ppciboot. You could then create the IP interfaces shown in Table 6.1 for the LX unit.
Table 6.1 IP Interface Examples
Interface Number    IP Address        Broadcast Address    Subnet Mask
1                   119.20.112.3      119.255.255.255      255.0.0.0
2                   124.45.65.23      119.255.255.255      255.0.0.0
3                   178.123.87.123    119.255.255.255      255.0.0.
Configuring IP Interfaces 6-3 It is possible for a subscriber with superuser privileges to log into the interface using SSH. The client SSH command line can include an LX CLI command. Once the SSH session is established, the CLI command is performed. The return from that screen is sent to the user and the session is then terminated. This capability is not supported by all SSH applications. The syntax follows: Syntax ssh -l -p 22 Example ssh -l InReach 1.2.3.
6-4 Setting Up IP Interfaces Setting Up IP Interfaces IP interfaces are created and configured in the Interface Command Mode. You can enter the Interface Command Mode by executing the interface command in the Configuration Command Mode. When you are in the Interface Command Mode, the Interface Command prompt (such as Intf 1-1:0 >>) is displayed. X To configure an IP interface 1.
Re-Using IP Addresses 6-5 See the following sections to configure optional parameters for an IP interface: “Specifying SSH Keepalive Parameters” on page 6-5 “Specifying Socket Numbers” on page 6-6 “Specifying Maximum Transmission Units (MTU)” on page 6-7 Re-Using IP Addresses Unless you configure an IP address, with the address command, the IP interface will obtain its IP address from the First Available interface or from the interface that you specify in the unnumbered interface command.
6-6 Specifying Socket Numbers Specifying Socket Numbers IP interfaces have a default SSH Socket Number of 22 and a default Telnet Socket Number of 23. Table 6.2 lists the default SSH and Telnet Socket Numbers for LX serial ports. Table 6.
Specifying Maximum Transmission Units (MTU) 6-7 X To specify an SSH socket number for a serial port Example Execute the serial command with the ssh modifier. In the following example, the SSH Socket Number for serial port 4 is set to 983: Intf 1-1:0 >>serial 4 ssh 983 X To specify a Virtual Port Socket Number for SSH Example Execute the ssh port command.
6-8 Configuring Local Authentication on an IP Interface Configuring Local Authentication on an IP Interface Local authentication can be used when a subscriber logs in to a specific asynchronous port via an IP interface. In order to use local authentication, it must be enabled as the method of inbound authentication for the asynchronous port. Then it must be enabled for the IP interface.
Configuring RADIUS Accounting on an Interface 6-9 X To enable LDAP authentication on the IP interface Example Execute the authentication ldap enable command in Interface Command Mode: Intf 1-1:0 >>authentication ldap enable X To enable RADIUS authentication on the IP interface Example Execute the authentication radius enable command in Interface Command Mode: Intf 1-1:0 >>authentication radius enable X To enable RSA SecurID authentication on the IP interface Example Execute the authentication rsa secu
6-10 Configuring TACACS+ Accounting on an Interface RADIUS accounting can be used when a subscriber logs in to an asynchronous port via an IP interface. In order to enable RADIUS accounting for an IP interface, RADIUS accounting must be configured for the LX unit. For more information, see “Setting Up RADIUS” on page 2-19.
Configuring a Rotary 6-11 LDAP, RADIUS, TACACS+, or RSA SecurID must be enabled on an IP interface in order for Fallback to function on the interface. See “Configuring Server-Based Authentication on an IP Interface” on page 6-8 for information on enabling LDAP, RADIUS, TACACS+, or RSA SecurID. When all four methods (that is, LDAP, RADIUS, TACACS+, and RSA SecurID) are disabled on the interface, Fallback is ignored by the interface.
6-12 Configuring a Rotary Figure 6.1 illustrates a rotary on an LX unit. The user initiates a Telnet connection, or an SSH connection, to the IP address of an IP interface that has been configured as a rotary. The user is connected to an available port in the rotary port list. LX Unit Figure 6.1 Rotary Connections on an IP Interface The rotary is transparent to users.
Configuring a Rotary 6-13 In the preceding example, Rotary 1 is created and the LX asynchronous ports 1, 2, and 3 are assigned to it. (You can execute the rotary port command on an existing rotary to add asynchronous ports to it.) 4. Use the rotary type command to specify the rotary type (round robin or first available). For example: Intf 1-1:0 >>rotary 1 type round robin The rotary type identifies the port search method for the rotary.
6-14 Removing Ports from a Rotary Removing Ports from a Rotary X To remove ports from a rotary 1. Example Execute the rotary port command in Interface command mode. In the following example, ports 2 and 3 are removed from rotary 1: Intf 1-1:0 >>rotary 1 port 1 In the next example, port 3 is removed from rotary 1: Example Intf 1-1:0 >>rotary 1 port 1 2 You can verify that asynchronous ports have been removed from a rotary by executing the monitor/show interface rotary command.
Setting Maximum Telnet Connections 6-15 X To verify that a rotary has been disabled Execute the monitor/show interface rotary command. If the rotary is disabled, the Rotary State column of the screen shows Disabled. For more information about the monitor/show interface rotary command, see “To display rotary information for an IP interface” on page 6-19.
6-16 Displaying Interface Information X To display the interface characteristics of all IP interfaces Example Use the following command: Intf 1-1:0 >>show interface all characteristics Figure 6.2 shows an example of the Interface Characteristics screen. Time: Interface Name: Interface_1 Configured IP Address: Configured IP Mask: Configured IP Broadcast: Configured System Gateway: IP MTU Size: 1500 Interface Status: In Use Banner: banner.default Authentication: Local Auth.
Displaying Interface Information 6-17 X To display interface port mapping Example Use the monitor/show interface port mapping command to display the Telnet Socket Number, and the SSH Socket Number, associated with each serial port on the LX unit.
6-18 Displaying Interface Information X To display interface status for an IP interface Example Use the monitor/show interface status command. In the following example, the status information for IP interface 1 is displayed: Intf 1-1:0 >>show interface 1 status X To display the status information for all IP interfaces Use the show interface all status command: Example Intf 1-1:0 >>show interface all status Figure 6.4 shows an example of the Interface Status screen.
Telnet Client 6-19 X To display rotary information for an IP interface Use the monitor/show interface rotary command. In the following example, the rotary information for IP interface 1 is displayed: Intf 1-1:0 >>show interface 1 rotary L An interface can contain up to four rotaries. X To display the rotary information for all IP interfaces Use the following command: Intf 1-1:0 >>show interface all rotary Figure 6.6 shows a sample Rotary Characteristics screen. Rotary IP Address 147.132.145.
6-20 Setting the Banner Setting the Banner This feature allows the administrator to configure a warning banner that is displayed upon login. X To specify the Login Banner File Name Example Use the banner file [contents] command to specify the inbound or outbound banner file name and message. Intf 1-1:0 >>banner file new_banner.
Message of the Day Commands 6-21 Message of the Day Commands The Message of the Day allows you to display a message to the user upon login. This message could be, for example, You are on a proprietary system, or We are shutting down at 4PM today. The message you specify appears on the screen just after the user logs in.
Configuring the Data Broadcast Feature 7-1 CHAPTER 7 Configuring the Data Broadcast Feature All Slave Ports and Master Ports belong to a Broadcast Group. The Slave Ports in a Broadcast Group can only receive data broadcasts from a Master Port in the same Broadcast Group. When a port is configured as a Slave Port, it can still receive data from sources other than the Master Ports in its Broadcast Group. By default, any data that a Slave Port receives is forwarded to the Master Ports in the Broadcast Group.
7-2 Setting Up Broadcast Groups Setting Up Broadcast Groups X To set up a Broadcast Group See “Command Mode Descriptions” on page 1-5 for more information. 1. 2. Access the Configuration Command Mode in the LX CLI. Execute the interface command to enter the Interface command mode for an IP interface: Config:0 >>interface 1 3. Use the broadcast group command to create a Broadcast Group.
Guidelines for Adding Ports 7-3 BrGroups 4:0 >>mode line 7. Use the exit command to return to the Interface Command Mode: BrGroups 4:0 >>exit 8. Use the broadcast group enable command to enable the Broadcast Group that you just created: Intf 1-1:0 >>broadcast group 4 enable L In order to enable a Broadcast Group, the Broadcast Group must contain at least one Master Port and one Slave Port.
7-4 Specifying Port Options Specifying Port Options You can specify that a timestamp will be appended to each line of data that is broadcast from a Master Port. You can also specify that non-broadcast data will be discarded by Slave Ports and that Slave Ports will echo any data that comes into them. This section describes how to configure these features.
Specifying Port Options 7-5 X To echo incoming data at slave ports Use the localecho option in the slave port command to specify that Slave Ports will echo any data that comes into them: Example
BrGroups 4:0 >>slave port async 5,7 localecho
BrGroups 4:0 >>slave port tcp 2500 localecho
BrGroups 4:0 >>slave port telnet 2500 localecho
BrGroups 4:0 >>slave port ssh 2500 localecho
X To remove Master Ports from a Broadcast Group Execute the no master port command in Broadcast Group Command Mode.
7-6 Specifying Port Options BrGroups 4:0 >>virtual authentication radius enable BrGroups 4:0 >>virtual authentication rsa securid enable BrGroups 4:0 >>virtual authentication tacacs+ enable X To set the maximum number of virtual connections for a Broadcast Group Execute the virtual max connections command in the Broadcast Group Command Mode.
Specifying Port Options 7-7 X To display Broadcast Group characteristics for a single Broadcast Group Use the monitor/show interface broadcast group characteristics command.
7-8 Specifying Port Options X To display a Broadcast Group summary for all Broadcast Groups Use the monitor/show interface broadcast group summary command in Superuser Command Mode: Example BrGroups 4:0 >>show interface 1 broadcast group summary Figure 7.2 shows an example of the Broadcast Group Summary screen. Interface number 1 Broadcast group number: 1 2 3 4 5 State: Enabled Disabled Disabled Disabled Disabled Figure 7.
Configuring Subscriber Accounts 8-1 CHAPTER 8 Configuring Subscriber Accounts In order for a user (subscriber) to use the LX unit, he/she must log in to the unit under a subscriber account. The subscriber account defines a User Profile that includes the subscriber’s username and password. The User Profile also defines the subscriber’s Security Level (User or Superuser) and contains all of the settings that affect the subscriber’s use of the LX unit.
8-2 Configuring Subscriber Accounts Configuring Subscribers with the Default Template Users who connect to the LX and are authenticated with a remote authentication mechanism can have some modifiable, inherited rights as defined by the new subscriber Default template. Default is a new subscriber that comes with the software. You cannot create or login as this subscriber, but you can modify the template characteristics.
Configuring Subscriber Accounts 8-3 When using a connect port async NUMBER from the CLI, if the Outbound authentication is set to none, the default template name is used, instead of the connect port authentication. L If the "Default" template is used and you authenticate via RSA SecurID, LDAP, or AUTH_NONE, you are made a superuser when you log in. L Authentications using the "Default" template increment the same "Max Connections" counter. This is a counter only, and cannot be configured.
8-4 Configuring Subscriber Accounts Subscriber Name: Preferred Service: Security: Login Mode : Command Logging: Idle Timeout: Rlogin Transparent: Forward Switch: Backward Switch: Dialback Feature: Menu Name: Web Menu Name: Port Access list: Port Read Only list: Remote Access list: Outlet Access list: Outlet Group Access list: Web Access List: Default User Cli Disabled 0 Disabled ^F ^B Disabled Rlogin Ded.
Creating Subscriber Accounts and Entering Subscriber Command Mode 8-5 Creating Subscriber Accounts and Entering Subscriber Command Mode The administrator must configure the first password for a new subscriber in order for that subscriber account to be active. The subscriber name must contain at least two characters, and no more than 15 characters. The reserved words super and subscriber, and any variation of super and subscriber, can’t be used as subscriber names.
8-6 Subscriber Account Settings L When you create a new subscriber with the copy subscriber command, all subscriber characteristics are copied over except the user password, user prompt, menu name, and web menu name. X To delete a subscriber account Use the no subscriber command in Configuration Command Mode. In the following example, the subscriber account jack is deleted: Config:0 >>no subscriber jack Example L You can’t delete the subscriber InReach unless you create another superuser account.
Specifying the Subscriber Access Methods 8-7 Specifying the Subscriber Access Methods You can specify up to four methods for the subscriber to access the LX unit. The methods include Telnet, SSH, Web Browser, and Console.
8-8 Specifying the Subscriber Access Methods The preceding example of the ssh log level command specifies that SSH messages of the debug class will be logged to syslogd for the subscriber. You can also specify SSH log levels of error, fatal, info, quiet, or verbose. After you have executed the preceding commands, the subscriber will have SSH access to virtual ports on the LX unit.
Specifying the Subscriber Access Methods 8-9 When a subscriber has a unique SSH key, he/she can log on to the LX unit, via SSH, without entering a password. L The only requirement is that the user must log on from the host on which his or her SSH key was generated.
8-10 Specifying the Subscriber Access Methods A subscriber must have access to specific outlets in order to manage those outlets from the LX unit. X To configure a subscriber account for outlet access
1. Execute the security level outlet command to specify outlet management privileges for the subscriber: Subs_jack:0 >>security level outlet
2. Execute the outlet access command to specify the outlets that the subscriber can manage. In the following example, the subscriber is given outlet management
Dialback Access 8-11 Dialback Access The LX unit supports Dialback as an access method for LX subscribers. Under Dialback, the subscriber dials in to the LX unit and logs in as he/she would if he/she were a dialin subscriber. The LX unit then validates the login and terminates the call. If the subscriber login is valid, the LX unit calls the subscriber back. The subscriber is then logged in to the LX unit.
8-12 Setting Up Session and Terminal Parameters See “Command Mode Descriptions” on page 1-5 for information about accessing Modem Command Mode. X To create a Modem Pool
1. Access the Modem Command Mode for the modem ports to add to the Modem Pool.
2. Execute the pool enable command for the modem ports to add to the Modem Pool.
Setting Up Session and Terminal Parameters 8-13 X To enable the screen pause feature for a subscriber Example Use the pause enable command.
8-14 Setting Up the Session Switch Characters X To set the Inactivity Timeout Example Use the idletime command to set the Inactivity Timeout to any value from 0 through 65535. The Inactivity Timeout is the length of time (in seconds) that the subscriber has to enter keyboard data. If the subscriber does not enter keyboard data before the expiration of the Inactivity Timeout, the subscriber is logged out. Subs_jack:0 >>idletime 1200 L A value of 0 means that the Inactivity Timer is effectively disabled.
Setting Up the Session Switch Characters 8-15 X To configure session switch characters for a subscriber Use the following commands:
Command: To switch to the...
backward_switch: Previous session
forward_switch: Next session
local_switch: Local Command Mode
Example
Subs_jack:0 >>backward_switch ^I
Subs_jack:0 >>forward_switch ^J
Subs_jack:0 >>local_switch ^K
The Session Switch character can be specified as an uppercase alphabetical character with, or without, a caret (^) before it.
8-16 Configuring the Subscriber Password Configuring the Subscriber Password The administrator must configure the first password for a new subscriber. New subscribers can no longer assign their own first password. The new subscriber may subsequently change the password created by the administrator. The default password for the LX InReach subscriber account is access.
Warning Banner 8-17 X To add Superuser privileges to a subscriber account Example Use the security level superuser command: Subs_jack:0 >>security level superuser Warning Banner This feature allows the administrator to configure a warning banner that appears when a subscriber enters superuser mode. A warning file named banner.su_warning is in the LX /config directory. This file is initially empty, but you can enter the shell and edit the file to add whatever message you want to appear.
8-18 Specifying Escape Characters Specifying Escape Characters You can configure an SSH or Telnet escape character in the local subscriber database. When the subscriber types this character in a remote SSH or Telnet session, it causes the SSH or Telnet host to return to the operating system command prompt.
Specifying a Dedicated Service 8-19 Specifying a Dedicated Service You can use a domain name when configuring a subscriber’s Dedicated Service. There is also no longer a restriction on the server name being in the local service table. MRV recommends that the LX be configured with a DNS and a domain name, and that the service name(s) be in the local service table. You can permanently assign the subscriber to a dedicated service.
8-20 Specifying a Security Level Specifying a Security Level The Security Level specifies the privileges that the subscriber has on the LX unit. The highest security level is “superuser”. A subscriber with superuser privileges can execute all of the commands in the LX CLI. By default, subscribers without superuser privileges can execute all of the commands in the User command mode, except for the monitor/show commands.
Enabling the Menu Feature 8-21 X To display the contents of the audit log Execute the show audit log command in Superuser Command Mode. For more information, see “Displaying the Audit Log for a Subscriber” on page 8-26. Enabling the Menu Feature A Subscriber Menu is a preconfigured menu that displays for a subscriber when he/she logs in to the LX unit. A menu is displayed when the subscriber logs into a physical port.
8-22 Displaying Subscriber Information Displaying Subscriber Information This section describes how to display subscriber characteristics, subscriber status and TCP information, subscriber summaries, and the audit log and command log for a subscriber. X To display subscriber characteristics Use the monitor/show subscriber characteristics command.
Displaying Subscriber Information 8-23 Time: Wed, 18 Oct 2006 09:08:19 US/EASTERN Subscriber Name: Preferred Service: Security: Login Mode: Maximum Connections: Command Logging: Idle Timeout: Screen Pause: Local Switch: Rlogin Transparent: Dialback Feature: Dialback Number: Menu Name: Web Menu Name: Port Access list: Port Read Only list: Remote Access list: Outlet Access list: Outlet Group Access list: Web Access List: InReach SuperUser Cli 50 Disabled 0 Enabled ^L Disabled Disabled Rlogin Ded.
8-24 Displaying Subscriber Information
To display the subscriber status
Use the monitor/show subscriber status command. In the following example, the show subscriber status command is used to display the status information for the subscriber tim:
Subs_jack:0 >>show subscriber tim status
To display the subscriber status for all subscribers
Use the following command:
Subs_jack:0 >>show subscriber all status
Figure 8.3 shows an example of the Subscriber Status Screen.
Time: Subs.
Displaying Subscriber Information 8-25
To display subscriber TCP information for all subscribers
Use the following command:
Subs_jack:0 >>show subscriber all tcp
Figure 8.4 shows an example of the Subscriber TCP Screen.
8-26 Displaying the Audit Log for a Subscriber See the monitor/show subscriber summary command in the LX Series Command Reference for detailed descriptions of the fields in the Subscriber Summary Screen. Displaying the Audit Log for a Subscriber An audit log records all of the port activity for a subscriber. This includes the commands that the subscriber enters as well as the data that is output on the port for the subscriber.
Assigning a Public Key to a Subscriber 8-27
To display the command log for a subscriber
Use the monitor/show command log command in Superuser Command Mode to display an audit trail of subscriber input in a subscriber session. In the following example, the show command log command is used to display the command log for the subscriber tim:
Subs_jack:0 >>show command log tim
Figure 8.7 shows an example of the Command Log.
8-28 Assigning a Public Key to a Subscriber
In the preceding example, the attribute -f is for filename and the attribute -t is for type of encryption. The dsa encryption type is for SSH Version 2. The ssh-keygen command creates the files sshgina and sshgina.pub. The file sshgina is the identity file and sshgina.pub is the public key. 4. 5. 6. 7. 8. 9. When you are prompted for a passcode, press . Open the file that contains the Public Key (sshgina.
Generating the Key and Assigning it to a Subscriber 8-29 This should allow the subscriber gina to connect straight into their user prompt, without being prompted for a password. Generating the Key and Assigning it to a Subscriber The LX may function as the client for SSH public key authentication. The LX can generate its own SSH key pair. One use for this is so you do not have to enter a password when you log in.
8-30 Changing the SSH Key Passphrase To create a new passphrase, do the following: 1. Enter ssh keygen passphrase and press . The following messages appear: Key has comment (config/identify/In-Reach) Enter new passphrase (empty for no passphrase): 2. Enter a new passphrase, or press for no passphrase (this will not appear on the screen). The following message appears: Enter the same passphrase again: 3. Enter your passphrase again, or press for no passphrase.
Configuring Async Port Features 9-1 CHAPTER 9 Configuring Async Port Features You can configure ports to act as temperature and humidity monitors when connected to an In-Reach Temperature/Humidity Sensor. The Temperature/Humidity Sensor provides an accurate measurement of the temperature and humidity in the area in which your LX Series unit is placed. See Getting Started with the LX Series to connect a Temperature/Humidity Sensor to an LX port.
9-2 Configuring Sensor Access for LX Ports
Configuring Sensor Access for LX Ports
You need to configure an LX port’s access as sensor before you can perform any temperature/humidity monitoring on the port.
To configure sensor access for an LX port
Execute the access command in Asynchronous Command Mode:
Example
Async 4-4:0 >>access sensor
The DIAG port (port 0) can’t be configured as a Sensor port.
Displaying Sensor Summaries 9-3 Figure 9.1 shows an example of the Device Status Screen for a Sensor port.
Time: Mon, 12 Dec 2005 21:14:29 UTC
Device Number: 5    Port Name: Port_25
Device Type: Sensor
Humidity Level(%): 65.00
Temperature (Celsius): 25.00
Temperature (Fahrenheit): 77.00
Figure 9.
9-4 Configuring the IdleBuffer Configuring the IdleBuffer The IdleBuffer is enabled by default. Therefore, the async port will buffer data before a TCP connection arrives when autohangup is disabled. To flush (discard) all data upon a TCP connection's arrival, disable the IdleBuffer feature. If IdleBuffer is disabled, the port will not buffer erroneous data that enters the port prior to a telnet session.
Configuring the IdleBuffer 9-5 Figure 9.3, “Port Characteristics Screen for IdleBuffer” shows this screen with the IdleBuffer field highlighted: Time: Port Number: 1 Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: DTR Drop Time: Remote 9600 8 1 None Xon Disabled Enabled 2 Authentication: Auth.
9-6 Customizing Asynchronous Port Settings Customizing Asynchronous Port Settings The default settings for an LX asynchronous port meet the de facto standard for Console Access ports. The default settings for an LX asynchronous port are as follows: The default port settings are sufficient to support most remote console applications. However, for some applications you may need to specify a customized (non-default) value for one or more asynchronous port settings.
Customizing Asynchronous Port Settings 9-7 2. Example Access the Asynchronous Command Mode for the asynchronous ports for which to specify non-default settings: Config:0 >>port asynchronous 4 3. Execute any of the following commands to specify nondefault values for port settings: To...
9-8 Configuring Asynchronous Ports for Data Buffering Configuring Asynchronous Ports for Data Buffering This example shows how to configure an asynchronous port on the LX unit for data buffering. For more information about this task, see the following commands in the LX Series Command Reference.
Configuring Asynchronous Ports for Data Buffering 9-9 4. Example Specify that a timestamp will be added to every line of data that is printed from the port to the connected client: Async 3-3:0 >>databuffer timestamp enable 5. Example Specify the size, in bytes, for the data buffer on the port: Async 3-3:0 >>databuffer size 1024 6.
9-10 Configuring Asynchronous Ports for Data Buffering
In Figure 9.4, “Port Databuffer Characteristics Screen”, the highlighted fields indicate that databuffer access has been configured on port 3:
Time: Tue, 01 Aug 2006 16:00:17 US/EASTERN
Port Number: 3    Port Name: Port_1
Size: 1024    Display: Prompt
Syslog: Disabled    Timestamp: Disabled
Figure 9.4 Port Databuffer Characteristics Screen
10.
RS-485 CLI Support 9-11
RS-485 CLI Support
The LX-1004 Series supports an RS-485 option. Commands and show screens have been added to support this feature. These Asynchronous Mode commands allow you to configure the RS-485 for Duplex Mode (half or full duplex), Transmitter Mode, or Echo Mode.
To configure RS-485 duplex mode
Use the following duplex mode commands to set the RS-485 port to a duplex mode of either half or full (default).
9-12 RS-485 CLI Support
Async1:0 >>rs485 transmitter rts enable
To view RS-485 information
Use the show port async rs485 command to display the RS-485 Characteristics Screen. Figure 9.5 shows a sample screen.
Time: Sun, 02 Jan 2005 01:34:16 UTC
Device Name: /dev/ttyCPM2    Port Number: 49
Port Type: Physical    Port Name: Port_49
Duplex Mode: Full    Echo Mode: Disabled
Transmitter: Always Enabled    Module Status: Operational
Figure 9.
Telnet Serial-Over-IP (RFC2217) Support 9-13 Telnet Serial-Over-IP (RFC2217) Support Telnet Serial-Over-IP (RFC2217) allows numerous network entities (clients) to connect via telnet to an LX serial port and use the connected device (e.g., Cisco console port) in many different ways. RFC2217 eliminates the need to statically define the Serial port information (i.e., Speed, databits…etc.).
9-14 Default TCP Transmit Mode
To view RFC2217 information
Use the show port async rfc2217 command to display the RFC2217 Characteristics Screen. Figure 9.6 shows a sample screen.
Time: Port Number: 8 Telnet RFC2217 Server: Client Modemstate Mask: Flow Control State: Client Signature: Mon, 17 Jul 2006 09:58:47 US/EASTERN Port Name: Port_8 Enabled Telnet RFC2217 Signature: 0x0 Client Linestate Mask: Normal Disabled 0x0 Figure 9.
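The serial settings that RFC 2217 moves into the Telnet session travel as COM-PORT-OPTION subnegotiations, so a capture can be decoded to see which side changed a port's speed, data bits or masks. The decoder below is an added example, not MRV code: the command codes are those defined in RFC 2217, while the function names and the sample byte stream are constructed for illustration.

```python
import struct

IAC, SB, SE = 255, 250, 240      # Telnet framing bytes
COM_PORT_OPTION = 44             # Telnet option number defined by RFC 2217

# Client-to-server command codes; the server's replies use the same code + 100.
COMMANDS = {
    0: "SIGNATURE", 1: "SET-BAUDRATE", 2: "SET-DATASIZE", 3: "SET-PARITY",
    4: "SET-STOPSIZE", 5: "SET-CONTROL", 6: "NOTIFY-LINESTATE",
    7: "NOTIFY-MODEMSTATE", 8: "FLOWCONTROL-SUSPEND", 9: "FLOWCONTROL-RESUME",
    10: "SET-LINESTATE-MASK", 11: "SET-MODEMSTATE-MASK", 12: "PURGE-DATA",
}
PARITY = {0: "request", 1: "none", 2: "odd", 3: "even", 4: "mark", 5: "space"}
STOPSIZE = {0: "request", 1: "1", 2: "2", 3: "1.5"}
LINE_SETTINGS = {"SET-BAUDRATE", "SET-DATASIZE", "SET-PARITY", "SET-STOPSIZE"}


def subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT carry one option byte; other commands carry none.
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            j, body = i + 2, bytearray()
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1           # IAC IAC is an escaped 0xFF data byte
                body.append(stream[j])
                j += 1
            if j + 1 >= n:
                return               # truncated capture: no closing IAC SE
            if body:
                yield body[0], bytes(body[1:])
            i = j + 2


def decode(payload):
    """Turn one COM-PORT-OPTION payload into (sender, command, detail)."""
    code, value = payload[0], payload[1:]
    sender, base = ("server", code - 100) if code >= 100 else ("client", code)
    name = COMMANDS.get(base, "UNKNOWN-%d" % code)
    if name == "SIGNATURE":
        detail = value.decode("ascii", "replace")
    elif name == "SET-BAUDRATE" and len(value) == 4:
        baud = struct.unpack("!I", value)[0]     # 4 bytes, network byte order
        detail = "%d baud" % baud if baud else "request"
    elif name == "SET-DATASIZE" and value:
        detail = "%d bits" % value[0] if value[0] else "request"
    elif name == "SET-PARITY" and value:
        detail = PARITY.get(value[0], hex(value[0]))
    elif name == "SET-STOPSIZE" and value:
        detail = STOPSIZE.get(value[0], hex(value[0]))
    else:
        detail = "0x" + value.hex() if value else ""
    return sender, name, detail


def decode_stream(stream):
    """Decode every COM-PORT-OPTION subnegotiation found in a byte stream."""
    return [decode(p) for opt, p in subnegotiations(stream)
            if opt == COM_PORT_OPTION and p]


def line_setting_changes(events):
    """Client commands that change (not merely query) the serial line settings."""
    return [(name, detail) for sender, name, detail in events
            if sender == "client" and name in LINE_SETTINGS and detail != "request"]


def _sb(code, value=b""):
    """Build one subnegotiation, escaping 0xFF in the value as IAC IAC."""
    return (bytes([IAC, SB, COM_PORT_OPTION, code])
            + value.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE]))


# Constructed sample: both directions merged into one buffer for brevity.
SAMPLE = (
    bytes([IAC, 251, COM_PORT_OPTION])        # IAC WILL COM-PORT-OPTION
    + _sb(0, b"demo-client")                  # client signature
    + _sb(1, struct.pack("!I", 115200))       # client sets the baud rate
    + _sb(2, b"\x08") + _sb(3, b"\x01") + _sb(4, b"\x01")   # 8 bits, no parity, 1 stop
    + _sb(11, b"\xff")                        # modemstate mask (needs escaping)
    + _sb(101, struct.pack("!I", 115200))     # server confirms the baud rate
    + b"router> "                             # ordinary serial data
)

if __name__ == "__main__":
    for event in decode_stream(SAMPLE):
        print(event)
```
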
Port Mirroring 9-15 Port Mirroring The Port Mirroring feature allows multiple subscribers to connect to the same port to view the same data and interact with a common device. A maximum of 10 connections is allowed (default is 1). After the maximum number of connections has been reached, any additional users are refused. To use this feature, the port access must be set to either remote or databuffer, and the serial device must echo all user-typed characters.
9-16 Port Mirroring
To enable mirroring on async ports
Use the max mirror connections command to determine the maximum number of simultaneous connections to the target remote access or databuffer port. The number of connections allowed is 1 to 10 (default is 1).
Port Mirroring 9-17
To display the Port Async Characteristics screen
Use the show port async characteristics command. Figure 9.7, “Show Port Async Characteristics Screen” shows this screen with the Max Mirror Connections field highlighted:
Time: Port Number: 1 Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: DTR Drop Time: Remote 9600 8 1 None Xon Disabled Enabled 2 Authentication: Auth.
9-18 Port Mirroring
To display the Subscriber Characteristics screen
Use the show subscriber characteristics command. Figure 9.
Displaying Port Async Summaries 9-19 Displaying Port Async Summaries Use the show port async summary command to display the Port Async Summary Screen.
9-20 Port Async Connect Port Async Connect Previously, the Port Async connect command would connect automatically when it was configured. Since you might want to initiate the command only upon user request, this could cause issues. The Port Async connect command now has an additional feature to prompt the user for a character before it initiates the command. This displayed prompt is configurable.
Setting the Banner 9-21 Setting the Banner This feature allows the administrator to configure a warning banner that appears when a subscriber logs in. Commands that make the banner feature more robust have replaced the old banner commands. The only time you must use inbound and outbound is when the port access is dynamic.
9-22 Setting the Banner Use the show port async characteristics command to display the Show Port Async Characteristics screen. The Banner field appears in the upper right side of the screen if the async port is remote or local. An example of this screen follows: Time: Port Number: 2 Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: Dtr Drop Time: Local 9600 8 1 None Xon Disabled Enabled 2 Authentication: Auth.
Setting the Banner 9-23 The Inbound and Outbound Banner Display fields appear in the lower left side of the screen if the async port is dynamic. An example of this screen follows: Time: Port Number: Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: Dtr Drop Time: Inbound Authentication: Outbound Authentication: Auth.
9-24 Setting the Banner Use the show port async login command to display the Port Async Login screen for a port that is anything other than a Dynamic Access port: Time: Port Number: 1 Wed, 07 Feb 2007 10:47:36 UTC Port Name: Port_1 Banner: Contents: Welcome to MRV Communications, LX-Series Console Server MOTD: Contents: Connected to console: banner.default motd.default Figure 9.
Inbound and Outbound Authentication 9-25 Inbound and Outbound Authentication A command has been added to simplify setting port async authentication to inbound and outbound. With these commands, setting authentication to inbound or outbound is no longer necessary. The appropriate authentication field is now set based on the port access type. Inbound applies to port access Dynamic, Local, Broadcast Master, and APD. Outbound applies to port access Dynamic, Remote, Databuffer, and Edap.
9-26 Message of the Day Commands Message of the Day Commands The Message of the Day allows you to display a message to the user upon login. This message could be, for example, You are on a proprietary system, or We are shutting down at 4PM today. The message you specify appears on the screen just after the user logs in.
Message of the Day Commands 9-27 Use the show port async characteristics command to display the Port Async Characteristics screen. Time: Port Number: Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: Dtr Drop Time: Authentication: Auth.
9-28 Message of the Day Commands The Inbound and Outbound MOTD Display fields appear in the lower left side of the screen if the async port is dynamic. An example of this screen follows, with the Inbound MOTD and Outbound MOTD fields highlighted: Time: Port Number: 1 Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: Dtr Drop Time: Inbound Authentication: Outbound Authentication: Auth.
DSR Wait 9-29 DSR Wait This feature allows you to proceed with port connection without waiting until DSR is up. There are several issues of which you should be aware: Autohangup must be enabled for this feature to work. If Autohangup is disabled, the port will not wait for DSR to come up, regardless of how you set this feature. If modem is enabled, this feature is not applicable. An error message is sent if this feature is disabled.
9-30 DSR Wait Use the monitor/show port async characteristics command to display the Show Port Async Characteristics screen. An example of this screen follows, with the new DSR Wait field highlighted: Time: Port Number: Access: Speed: Bits per Character: Stop Bits: Parity: Flow Control: Autohangup: DSR Wait: DTR Drop Time: 1 Remote 9600 8 1 None Xon Enabled Enabled 2 Authentication: Auth.
Configuring Power Control Units 10-1 CHAPTER 10 Configuring Power Control Units The Power Control Units (5250, 5150, and 4800) can be managed remotely from asynchronous ports on an LX unit. The management tasks that can be performed remotely include rebooting outlets and turning outlets on and off. (For information on performing these tasks, see the outlet command, and the outlet group command in the “Superuser Commands” chapter of the LX-Series Commands Reference Guide.
10-2 Configuring Power Control Units
To configure an LX asynchronous port as a POWER port
Use the access power command in Port Async Command Mode. When the target port is set to power, it will auto-detect which power device (4800, 5150, or 5250) is connected to that port.
Example
Async5:0 >>access power
When you enter this command, the LX autodetects which power device you are connecting to and sets the access to the appropriate type.
Default Name for an Outlet 10-3 Default Name for an Outlet The default name for an outlet is derived from its POWER port and the number of the outlet on the Power Control unit. For example, 5:7 is the default name of the 7th outlet on the Power Control Unit that is managed from POWER port 5. You can specify a descriptive name for an outlet or an outlet group. A descriptive name is a unique text name of up to 15 alphanumeric characters.
10-4 Specifying the Off Time The Power Control unit must be serially attached to the LX asynchronous port when you create outlet groups. This allows for the LX to poll the Power Control unit to determine the maximum number of outlets available. Checks have been put in place to prevent a user from configuring outlet groups with outlet numbers that do not exist. Specifying the Off Time The Off Time is the length of time, in seconds, that outlets must remain off before they can be turned back on.
Naming an Outlet 10-5
Naming an Outlet
You can assign a descriptive name of up to 15 alphanumeric characters to an outlet.
To specify a descriptive name for an outlet
Use the outlet name command in Asynchronous Command Mode.
10-6 Rebooting or Turning Outlets On or Off
Rebooting or Turning Outlets On or Off
This section describes how to reboot a single outlet or outlets within a group, or turn them on or off.
To turn on or off or reboot an outlet by number
Use the outlet : on|off|reboot command in the Superuser Command Mode.
Disabling the Off Option for Power Outlets 10-7
Disabling the Off Option for Power Outlets
Mission-critical outlets are those outlets that must remain on at all times. You can ensure that mission-critical outlets remain on by disabling the Off option for them. Outlets that have their Off option disabled can’t be turned off with the outlet command or the outlet group command.
To disable the Off option for outlets
Example Use the no outlet off command in Asynchronous Command Mode.
10-8 Accessing the 5250/5150/4800 CLI
Accessing the 5250/5150/4800 CLI
In order to access the 5250/5150/4800 CLI from an LX unit, the port to which the 5250/5150/4800 unit is attached must be configured for remote access. See “Configuring a Port for 5250, 5150 and 4800 CLI Access” on page 10-9 to configure a port for 5250/5150/4800 CLI access.
To access the 5250/5150/4800 CLI from an LX unit
1. Configure async port 5 as the default port:
InReach:0 >>config port async 5 default port
2. Example 3.
Configuring Unique 5250, 5150 and 4800 Features 10-9 Configuring Unique 5250, 5150 and 4800 Features This section describes how to configure the unique 5250/5150/4800 Features from the LX CLI. The unique 5250/5150/4800 Features include power boot sequencing, control of the Factory Reset button, the ability to change the 5250/5150/4800 username and password, and the ability to access the 5250/5150/4800 CLI.
10-10 Enabling the Factory Reset Button
Enabling the Factory Reset Button
See “Command Mode Descriptions” on page 1-5 for information about accessing Asynchronous Command Mode. The 5250/5150/4800 unit includes a Factory Reset Button, which is used to reset the 5250/5150/4800 unit to factory-default values. However, you must enable the Factory Reset Button in order to use it for this purpose.
To enable the Factory Reset Button
1. 2.
Specifying the 5250/5150/4800 Admin Name 10-11
To specify the 5250/5150/4800 Admin Name
1. Example 2. Example See “Command Mode Descriptions” on page 1-5 for information about accessing Asynchronous Command Mode.
10-12 Specifying the Password for the 5250/5150/4800 Unit
Specifying the Password for the 5250/5150/4800 Unit
The Password for the 5250/5150/4800 is passed transparently, with the 5250/5150/4800 Admin Name, to the 5250/5150/4800 unit when the LX attempts to communicate to the Power unit.
To specify the administrator login password
1. Example Create a Power port:
Async7:0 >>access power
2. Example Execute the power scp admin password command:
Async7:0 >>power scp admin password
3.
Enabling 5250/5150/4800 Authentication 10-13
Enabling 5250/5150/4800 Authentication
After you have specified the 5250/5150/4800 Admin Name and the 5250/5150/4800 Login Password for a POWER port, you can enable 5250/5150/4800 authentication on the port.
To enable 5250/5150/4800 authentication
1. 2. Example Access the Asynchronous Command Mode for an asynchronous port that is configured as a POWER port for a 5250/5150/4800 unit.
10-14 Enabling SCP
Enabling SCP
If you are unable to communicate to the Power unit, SCP may be disabled on the unit.
To enable SCP
1. Examples Default the LX async port to default parameters:
LX:0 >>config port async 3 default port
LX:0 >>logout port 3
2. Example Connect and log into the (remote access) port to talk directly to the 5250/5150/4800 CLI:
LX:0 >>connect port async 3
Then press at least three times. 3. 4. 5.
Displaying Information on Power Control Units 10-15 Displaying Information on Power Control Units This section describes how to display information on Power Control units and outlets. The information that can be displayed includes statuses and summaries for Power Control units, and statuses for groups of outlets.
10-16 Displaying Information on Power Control Units Figure 10.2 shows an example of the Device Status Screen for a 5250 POWER port. Time: Thu, 25 May 2006 13:14:14 UTC Device Type: Firmware: Outlet Minimum Off Time: 1 Power Cli: Enabled SCP Admin name: Not configured Power Factory Reset Button: Enabled Total Load: 1.50 11 IR5250 MRV LX Series LX-5250 Version 5.
Displaying Information on Power Control Units 10-17 Figure 10.2 shows an example of the Device Status Screen for a 5150 POWER port. Time: Tue, 08 Jul 2006 21:12:06 UTC Device Number: 9 Device Type: IR5150 Firmware: MRV Comm In-Reach IR-5150 Version 1.0k Total Outlet Strip Load: 0.25A Total Outlet % Current Utilization (%): 21.
10-18 Displaying Information on Power Control Units Figure 10.3 shows an example of the Device Status Screen for a 4800 POWER port. Time: Fri, 04 Aug 2006 01:57:09 UTC Device Type: Firmware: Outlet Minimum Off Time: 5 Power Cli: Disabled SCP Admin name: Not configured Power Factory Reset Button: Enabled Total Load: 7.50 Device Number: Enclosure: Status: 1 12 IR4800 MRV LX Series LX-4800 Version 5.
Displaying Information on Power Control Units 10-19
To display status information for outlet groups
Example Use the monitor/show outlet group |name status command to display status information for outlet groups.
10-20 Displaying Information on Power Control Units
The monitor/show device summary command displays summary information for all Power Control units and Temperature/Humidity sensors that are connected to the LX unit. See “Displaying the Temperature and Humidity” on page 9-2 for the Summary Screen for a Temperature/Humidity Sensor port.
Configuring the Trigger-Action Feature 11-1 CHAPTER 11 Configuring the Trigger-Action Feature The Trigger-Action Feature is an LX feature that executes LX commands in response to triggering events. The LX command execution is an automated process, in the background, in response to a triggered event. A triggering event is associated with an Action in a Rule. When the triggering event occurs, the LX unit executes the action command that is associated with it by an enabled rule.
11-2 Configuring the Trigger-Action Feature The following events can be configured as triggering events (for example, triggers) for a Rule: A humidity reading that is equal to, greater than, or less than a specified threshold. A temperature reading that is equal to, greater than, or less than a specified threshold. The system clock of the LX unit reaches a certain instant of time. The system calendar of the LX unit reaches a specified date or day of the week.
Greenwich Time Display 11-3 Greenwich Time Display MRV uses POSIX-style signs in the Zone names and the output abbreviations, although this is the opposite of what many users may expect. POSIX uses a positive (+) sign for times west of Greenwich, but many users expect a positive sign for times east of Greenwich. For example, TZ='Etc/GMT+4' uses the abbreviation "GMT+4" and corresponds to four hours behind UTC (i.e. west of Greenwich) even though many users expect it to mean four hours ahead of UTC (i.e.
11-4 Guidelines for Creating or Modifying Actions Guidelines for Creating or Modifying Actions Keep the following in mind when you create or modify an Action: Example If an Action is associated with an enabled Rule, you must disable the Rule before you can modify the Action. For more information, see “Disabling Rules” on page 11-18. If you specify the send trap message command in an Action, you must have SNMP enabled and trap client(s) configured.
Guidelines for Creating or Modifying Actions 11-5
After you have specified an LX command for the Action, you can bind a Trigger with the Action by a Rule. For more information, see “To create or modify a rule” on page 11-17.
To display information about actions
Example Use the show trigger-action action command:
Action_TurnOnAC7:0 >>show trigger-action action name TurnonAC7
Figure 11.1 shows an example of the Action Information Screen.
11-6 Guidelines for Creating or Modifying Actions To configure a trigger for...
Guidelines for Creating or Modifying Actions 11-7
The Alarm Condition is true if the state of the faulted state is equal to the signal state of CTS or DSR on the configured LDAM async port alarm point.
An Analog Trigger is used to initiate an Action in response to an HDAM analog sensor reading.
To configure an analog trigger
Example Execute the analog command in the Trigger Command Mode.
11-8 Guidelines for Creating or Modifying Actions
To configure a clock-based duration
Example Execute the duration time command to specify a Duration Trigger that is based on a range of hours and minutes in the LX system clock.
Guidelines for Creating or Modifying Actions 11-9
A Humidity Trigger is used to initiate an Action in response to a humidity reading.
To configure a humidity trigger
Execute the humidity command in the Trigger Command Mode. The following example also includes an optional hysteresis value of 7:
Example
Trigger_HumPort4GT60:0>>humidity port 3 > 60 hysteresis 7
The hysteresis is a range that exists preceding and below the actual threshold setting.
11-10 Guidelines for Creating or Modifying Actions
To configure a day-based trigger
Example Execute the instant day command to specify a Trigger that is based on the LX system calendar reaching a specified day of the week. In the following example, the Instant Condition is true when the LX system calendar reaches midnight (12:00 AM) on Tuesday:
Trigger_Tuesday:0 >>instant day tue
To configure a Pattern Trigger
1.
Guidelines for Creating or Modifying Actions 11-11
A Ping Trigger is used to initiate an Action in response to a network device being available (up) or not (down).
To configure a ping trigger
1. 2. Example 3. Example
A Power Trigger is used to initiate an Action in response to a power failure (no power) or power restore (powered) on Power Input A or Power Input B of an LX8000 Series unit.
11-12 Guidelines for Creating or Modifying Actions
A Power Port Async lost contact Trigger is used to detect a timeout on a specific port.
Example
To configure a power port async lost contact trigger
This command applies to all power units. Execute the power port async lost contact command from the Trigger-Action Command Mode to poll the power device with status commands (every 10 seconds).
Guidelines for Creating or Modifying Actions 11-13
A Power Port Async Total Load Trigger is used to perform monitoring on the total load against a given threshold.
Example
To monitor the power threshold based on the sum of the load on multiple power units attached to an LX
This command applies to all power units.
11-14 Guidelines for Creating or Modifying Actions
A Power Input Threshold Trigger is used to initiate an action when power input falls outside a threshold.
Example
To configure a power input voltage threshold trigger
Execute the power input A|B voltage <|> [hysteresis ] command from the Trigger-Action Command Mode to define a threshold based off of the current voltage reading.
Guidelines for Creating or Modifying Actions 11-15
A Signal Trigger is used to initiate an Action in response to a signal transition on the CTS pin, or the DSR/DCD pin, of an LX asynchronous port.
To configure a CTS signal trigger
Execute the signal port cts command in Trigger Command Mode to specify a signal transition on the CTS pin of a specified port as the condition for a signal Trigger.
11-16 Guidelines for Creating or Modifying Actions
A Temperature OnBoard Trigger is used to initiate an Action in response to an LX internal temperature threshold.
To configure a temperature onboard trigger
Execute the onboard temperature command in the Configuration Command Mode. Use this command to change the LX onboard temperature low and high thresholds and, optionally, the hysteresis: 1.
Guidelines for Creating or Modifying Actions 11-17
To display information about triggers
Example See “Command Mode Descriptions” on page 1-5 for information about accessing the Trigger-Action Command Mode. Use the show trigger-action trigger command:
Trigger_TempPort3GT34:0 >>show trigger-action trigger name TempPort3GT34
Figure 11.2 shows an example of the Trigger Information Screen.
11-18 Disabling Rules 4. Example 5. Example Execute the action command to specify an Action for the Rule: Rule_ACTurnOnRule7:0 >>action TurnonAC7 Execute the enable command to enable the Rule: Rule_ACTurnOnRule7:0 >>enable When the Rule is enabled, it is put into use by the Trigger-Action Feature; the Trigger-Action Feature executes the Action associated with the Rule when the condition specified for the Rule Trigger is true.
Disabling Rules 11-19
To display information about rules
Example Use the show trigger-action rule characteristics command:
Rule_ACTurnOnRule7:0 >>show trigger-action rule name ACTurnOnRule7 characteristics
Figure 11.3 shows a sample Trigger Information Screen.
Rule Name: ACTurnOnRule7    State: enabled
Trigger Name: TempPort3GT34    Type: Temperature (F)
Action Name: TurnOnAC7    Command: outlet 5:7 on
You must have port 5 configured for sensor. Figure 11.
11-20 Disabling Rules
6. Example 7. Execute the following command at the Trigger-action:0 >> prompt:
Trigger-action:0 >>rule name high-temp-off
Execute the following command at the Rule_high-temp-off:0 >> prompt:
Examples
Rule_high-temp-off:0 >>trigger check4-temp
Rule_high-temp-off:0 >>action temp-ac-power-off
Rule_high-temp-off:0 >>enable
8. 9. Example At the Rule_high-temp-off:0 >>prompt, type exit three times.
Disabling Rules 11-21
To display information about power input:
Example Use the show system power command:
InReach:0 >show system power
Figure 11.5 shows a sample System Power Screen.
Configuring iptables and ip6tables 12-1 CHAPTER 12 Configuring iptables and ip6tables This chapter describes how to configure iptables and ip6tables using the MRV Graphical User Interface (GUI). ip6tables commands are for use with IPv6 support on the LX-Series.
12-2 IP Firewall IP Firewall The MRV Graphical User Interface (GUI) provides a simple, limited method for configuring iptables. The following IP Firewall GUI feature procedure uses terms which may not be familiar. These terms are defined as follows: Term Definition Example Chain A grouping of rules that specifies when the rules should be applied to traffic (INPUT, OUTPUT) source ip address x.x.x.x destination port 23 Rule The actual filter definition source ip address x.x.x.
IP Firewall 12-3 Figure 12.1 shows the confirmation window that appears in a blank input table. Figure 12.
12-4 IP Firewall Figure 12.2 shows a “loaded” input table. Figure 12.
IP Firewall 12-5 Figure 12.3 shows a “loaded” output table. Figure 12.3 Loaded output table After you are in the Firewall window (whether it contains input/ output or is blank), use the New, Delete, and Modify buttons to make changes, and use the up and down (KandL) arrows on the right side of the window to change the order of the entries within the list. When you finish configuring, press Commit to update the configuration to the LX unit.
12-6 IP Firewall X To create a firewall and rules 1. Set the policy for both Input and Output by selecting one option from the Policy dropdown box under the Input and Output tabs. The options are ACCEPT and DROP. The policy is the default action that occurs to all traffic entering the chain. This action accepts or drops all traffic, and then executes the specific rules that you created. 2. 3. Click New. The NewRule window displays.
IP Firewall 12-7 5. Optionally, click the question mark button in the upperright corner of the screen to display some information about the format of specific fields in the window. A sample informational message window displays: Figure 12.5 Message Window X To delete a rule 1. Select one or more entries in the table. 2. Click Delete. The entries are removed from the table.
To modify a rule
1. Select one entry (rule) from the Firewall table and press the Modify button. The Modify Rule window (with pre-filled values) appears.
2. 3. Modify the values and click OK. The Firewall window reappears, with the changes reflected in the table. Click on Commit to save the changes to this rule.
Figure 12.6 Modify Rule window
To change the rule order
1. Select an entry in the table.
2.
Updating the Firewall
All the preceding operations are first changed locally; nothing has yet been changed on the LX unit. When you click Commit, the GUI updates the local firewall configuration to the LX unit iptables, and also creates a firewall configuration copy in the LX unit.
Click... To...
Configuring Packet Filters Using the iptables and ip6tables Commands
A chain consists of a series of rules that specify the criteria for accepting, denying, or dropping a packet. These criteria can include the source IP Address, the destination IP Address, and other characteristics.
where
-A Specifies that the rule is to be appended to the specified chain (in this case, the INPUT chain). See “Using iptables and ip6tables Command Options” on page 12-13 for alternatives to the -A option.
-s Specifies that the rule applies to the specified source IP Address (in this case, 10.240.10.240).
-j Specifies the action that is to be taken when a packet matching these criteria is received.
To create a rule that prevents Telnet requests from a specific IP address
Use the iptables command. The following example creates a rule that ignores Telnet requests from the IP address 143.114.56.104:
Example
Config:0 >> iptables -A INPUT -s 143.114.56.104 -p tcp --destination-port telnet -j DROP
Use the ip6tables command.
Example
Using iptables and ip6tables Command Options
You can use the -I option or the -R option, instead of the -A option, to specify how a rule is added to the chain.
-I Inserts the rule at a specified location before the end of the chain.
-R Replaces a specific rule in the chain with the new rule.
In the following example, the -I option specifies that the rule is to be inserted as the 11th rule in the INPUT chain:
Examples
iptables -I INPUT 11 -s 10.240.10.
To save changes to a rule
Execute the save configuration command in Superuser Command Mode to save the iptables file either to flash or to the network:
Example
InReach:0 >>save configuration flash
Note: You can use the network option of the save configuration command to save the configuration to a network server. For more information, see the save configuration command in the LX Series Command Reference.
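Why the choice between -A, -I and -R matters can be seen in a small model of a chain. The following Python sketch is an added example, not MRV or iptables code; it assumes the standard iptables behaviour that rules are checked from the top, the first matching rule decides, and the chain policy applies only when no rule matches. The Rule and Chain classes and the 143.114.56.0/24 ACCEPT rule are constructed for illustration; the DROP rule is the Telnet rule from this chapter.

```python
"""Toy model of one iptables chain: ordered rules, first match wins."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TELNET = 23  # "--destination-port telnet" resolves to TCP port 23


@dataclass(frozen=True)
class Rule:
    target: str                   # -j ACCEPT | DROP
    source: str = "0.0.0.0/0"     # -s (address or CIDR); default matches any IPv4
    proto: Optional[str] = None   # -p; None matches any protocol
    dport: Optional[int] = None   # --destination-port; None matches any port

    def matches(self, src: str, proto: str, dport: int) -> bool:
        net = ipaddress.ip_network(self.source)
        return (ipaddress.ip_address(src) in net
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        mine = ipaddress.ip_network(self.source)
        theirs = ipaddress.ip_network(other.source)
        return (theirs.subnet_of(mine)
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:                 # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # iptables -I CHAIN N ...
        if not 1 <= position <= len(self.rules) + 1:
            raise IndexError("insert position out of range")
        self.rules.insert(position - 1, rule)

    def replace(self, position: int, rule: Rule) -> None:  # iptables -R CHAIN N ...
        if not 1 <= position <= len(self.rules):
            raise IndexError("no rule at that position")
        self.rules[position - 1] = rule

    def verdict(self, src: str, proto: str, dport: int) -> Tuple[str, int]:
        """Return (action, rule number); rule number 0 means the policy decided."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src, proto, dport):
                return rule.target, number
        return self.policy, 0

    def shadowed(self) -> List[int]:
        """Rule numbers that can never fire because an earlier rule covers them."""
        return [j + 1 for j, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:j])]


def demo():
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", "143.114.56.0/24"))         # constructed subnet rule
    block = Rule("DROP", "143.114.56.104", "tcp", TELNET)   # the chapter's Telnet rule
    chain.append(block)                                     # -A: lands after the ACCEPT
    appended = chain.verdict("143.114.56.104", "tcp", TELNET)
    dead_after_append = chain.shadowed()
    chain.insert(1, block)                                  # -I INPUT 1: checked first
    inserted = chain.verdict("143.114.56.104", "tcp", TELNET)
    dead_after_insert = chain.shadowed()                    # the stale appended copy
    return appended, dead_after_append, inserted, dead_after_insert


if __name__ == "__main__":
    print(demo())
```

Running shadowed() over a chain before committing it is a quick audit for rules that were appended where they should have been inserted.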
CHAPTER 13 Configuring the Cluster Configuration and Control Feature
The Cluster Configuration and Control (C3) feature saves time and effort by allowing you to propagate changes to any or all units in a cluster, without having to script or manually configure each unit individually. This also allows rapid recovery and replacement if there should be a problem anywhere within the cluster.
Each LX unit can get a software update from the TFTP server and write it to flash. The reboot image is downloaded to all cluster members. Again, Cluster Configuration and Control provides update status.
What is a Cluster?
Note: Up to 1000 nodes are allowed in a single LX cluster. Some performance degradation will occur for large clusters, depending on specific network characteristics.
How the Protocol Works
Cluster Configuration and Control uses Distributed Shared Memory. The memory exchange is done via TCP/IP protocol (fully routable via LAN/WAN routers and switches). The data exchange is encrypted via the TLS protocol using 128-bit AES encryption and SHA hashing.
Cluster Configuration and Control Rules
Table 13.1 Cluster Configuration and Control Terms
Term Definition
Show Cluster Status
This displays the attributes that are currently being shared with the cluster, and the status of each node in the cluster. In Sync is normal status for the nodes, which means they agree with the master’s configuration. If there is a node out of sync, there is a brief description of why it does not agree with the master.
Select a unit with the highest density port count in the cluster to be your master, because if you have varying port density units in your cluster, the number of ports information to be shared will be the lowest common denominator. For example, if you have a 2-port unit, and you share ALL ports configurations and send it to the cluster containing 48 port units, only ports 1 and 2 will be shared to the cluster.
Creating a Cluster Secret
2. If the unit has loaded from defaults, the following message displays:
The unit has loaded to factory defaults, would you like to run Initial Connectivity Setup? y/n
3. 4. Press y (yes) and press . The Superuser Password prompt appears. Enter password system.
9. Press y (yes) and press . The word Configured appears on the Quick Configuration menu to the right of Cluster Secret. The following message displays:
Save this information to flash?
10. Press y (yes) and press . The information is saved to flash.
CONFIGURATION SUMMARY
1 Unit IP address
2 Subnet mask
3 Default Gateway
4 Domain Name Server
5 Domain Name Suffix
6 Cluster Secret
7 Superuser Password
8 Exit and Save
Is this information correct?
10.80.1.5 255.
To create a cluster
1. In Cluster Command Mode, enter the address of all LX units (including your local address) in which you created a secret:
Example
Cluster:0 >> address A.B.C.D
2. Share attributes to propagate to the other members of the cluster, then type cluster save config to send the attributes to the other members. See “Sharing Attributes with Other Nodes Within the Cluster” on page 13-9 for more information about sharing attributes.
Sharing Attributes with Other Nodes Within the Cluster
Whichever node you make changes from becomes the master node. Valid attributes are listed in Figure 13.2. The following sections describe how to:
Share an attribute
Unshare an attribute locally or globally
Display cluster information
To share an attribute
1.
Example
System Attributes Port Async Attributes All, Number Access Banner Transparent Mode Flow Control Stop Bits, Parity, Bits per Character Port Prompt String Autobaud Break Autobaud Retry Special Break String Auto Dial Inbound Authentication, Outbound Authentication Autohangup Radius Accounting, Tacacs+ Accounting Authentication FallBack Break String, Telnet Negotiations, Cr filter Data Buffer Size,
To unshare an attribute locally
Type the following command in Cluster Command Mode:
Example
Cluster:0 >> locally unshare telnet daemon
This unshares the telnet daemon state on the local machine and all other cluster nodes remain shared. You do not need to save the configuration to the cluster, because you are only unsharing the attribute on a local node.
To unshare an attribute globally (across the entire cluster)
1.
Example
Figure 13.3 shows a Cluster Characteristics Screen.
System Name: In-Reach
Time: Mon, 12 Dec 2005 22:22:47 UTC
Cluster Name: ClusterDAone
Cluster Secret: Configured
Cluster Debug: Disabled
Cluster Member Addresses: 111.222.33.44 111.222.33.55 111.222.33.66 112.223.33.
Updating the Software
You can update the software on an individual node, or on all members across an entire cluster. The cluster update commands allow you to choose between loading the image from an SFTP server or a TFTP server. The choice is made automatically, based on the File Transfer Protocol displayed on the System Load Characteristics screen.
To update the software
1.
Syntax
2.
Example
3. To run the new image, you must perform a reboot. Enter the following command:
InReach:0 >> cluster reload
The message Are you sure you want to reload the cluster? y/n displays. Enter y to reload the cluster.
Updating the ppciboot
You can update the ppciboot on an individual node, or on all members across an entire cluster.
To update the software
1.
Syntax
2.
Example
3. To run the new image, you must perform a reboot. Enter the following command:
InReach:0 >> cluster reload
The message Are you sure you want to reload the cluster? y/n displays. Enter y to reload the cluster.
User Graphical User Interface (GUI)
The User GUI simplifies the sometimes complex process of providing menu-defined access and connectivity.
Note: Set the Web Access Mode to “Menu” if the subscriber wants to access the defined menu. Set the Web Access Mode to “Config” if the subscriber wants to access the standard configuration GUI.
3.
5. Access the LX GUI via the web and log in with the username and password. The User Console window displays. When the Subscriber Login Mode is set to Menu, the subscriber is presented with the first menu level of the named Menu Name. This user level offers the subscriber access to up to ten user menu sessions. To open a new menu session, click on the New User Menu button to open the LX GUI User Menu Template:
Figure 13.
Select Cluster from the View menu at the top right side of the window to view a menu tree of the cluster. Based on permissions, you can also look at sensor values, power module outlet status, and have Telnet and SSH access to Remote Access Ports.
Figure 13.
To enable or disable generating debug information
Use the debug cluster enable command in Superuser Command Mode to generate debug messages for troubleshooting. Use the no debug cluster command to disable this feature (default).
Note: When debug cluster is enabled and the LX is rebooted, the debug cluster reverts to the default state of off.
To search a cluster for a port name or access method
Use the cluster search command.
Note: The cluster search command is now accessible at both the user and superuser levels. At the User level, you do not need to enter a superuser name or password, but you can’t execute Superuser commands. The searches you can perform are different, depending on the level. See the LX Series Command Reference for details.
To name a cluster
In Superuser Command Mode, use the config cluster name command to share an attribute:
Example
Config:0 >>config cluster name cluster_name
where cluster_name is a name from 1 to 31 characters long. This name is shared after you execute cluster save config.
Sharing and Unsharing Interfaces
You can share the characteristics of one interface with any or all other interfaces in the cluster.
To view which interfaces are shared or unshared
Type show cluster characteristics to display the Cluster Characteristics screen. See Figure 13.3 on page 13-12 for an example of this screen.
Sharing and Unsharing Subscribers
You can share the characteristics of one subscriber with any or all other subscribers in the cluster.
Sharing and Unsharing the Authenticate Image
You can share the authenticate image with any or all other members in the cluster.
To share the authenticate image
In Cluster Mode, share the authenticate image:
Example
Cluster:0 >>share authenticate image
The image is shared after you execute cluster save config.
Sharing and Unsharing the Message
You can share the message with any or all other members in the cluster.
To share the message
In Cluster Mode, share the message:
Cluster:0 >>share message
The message is shared after you execute the cluster save config command.
To unshare the message
In Cluster Mode, unshare the message:
Cluster:0 >>[globally|locally] unshare message
The message is unshared after you execute the cluster save config command.
Sharing and Unsharing the Telnet Client
You can share the Telnet client with any or all other members in the cluster.
To share the Telnet client
In Cluster Mode, share the Telnet client:
Example
Cluster:0 >>share telnet client
The Telnet client is shared after you execute the cluster save config command.
Configuring a Remote Cluster Member
You can issue a CLI command to any remote cluster member without having to log in to that cluster member. This command is available only at the Superuser level.
Note: The cluster command command is now accessible at both the user and superuser levels. At the User level, you don’t need to enter a superuser name or password, but you can’t execute Superuser commands. See the LX Series Command Reference for more information.
GUI Cluster
The LX GUI displays information on nodes, port types, and ports in an explorer menu tree on the left of the window. This feature is available only if you have cluster permissions.
Launching the GUI Cluster Explorer
To access the GUI Cluster Explorer windows:
1. Open your browser and log in. The LX Console window appears.
2. Select Cluster from the View pulldown menu on the top right side of the window.
3. You can right-click on any host, port, or group of ports in the list and select from a pull-down menu to manage or monitor that selected item.
Cluster Automatic Discovery and Setup
This ease-of-use feature helps you to set up a cluster or to add nodes to an existing cluster. There are two sections to this feature: Cluster Automatic Discovery and Cluster Automatic Setup.
Cluster Automatic Discovery
Cluster Automatic Discovery allows you to gather a list of IP addresses belonging to LX units within a range of IP addresses.
If you attempt to add an address to the cluster, but it was already a cluster member, the following error message appears:
This address has already been defined in the cluster
If none of the IP addresses are reachable, the following error message appears:
Unit(s) with given address(es) not available
To use Cluster Automatic Discovery via the GUI
To use the Cluster Automatic Discovery feature via the GUI, do the following:
1. Open your browser and log in.
5. 6. Click the Add Known Unit button (to open the Add Single Unit window and add an address you know exists) or click on the Discover Available Units button to open the Auto-Discover IP Address Range window. Add a Starting IP Address and an Ending IP Address and click OK.
7. 8. 9. All LX units that Cluster Automatic Discovery finds within the range you specified are displayed in the listbox labeled Units Not in Cluster on the Cluster Setup screen. Select newly found units you want to add to the cluster, and click the [>>] button to move them to the Units in Cluster listbox. Note that, unlike when you run the Cluster Automatic Discovery via the CLI, no newly found units are part of the cluster at this stage.
Cluster Automatic Setup
The Cluster Automatic Setup feature automatically configures and sets up a cluster based on a list of IP addresses known to belong to LX units. The Cluster Automatic Discovery steps should be performed first.
To use Cluster Automatic Setup via the CLI
Setting up a set of LXs into a cluster grouping requires the following steps:
1. Configure all LX members with the same cluster secret.
2. 3. 4.
where is the username used to log into the remote systems, is the password used to log into the remote systems, is the superuser password used on the remote systems, and is the new cluster secret (restricted to 16 to 32 characters).
CHAPTER 14 SNMP Configuration
This chapter provides information about SNMP and MIBs, and includes procedures for configuring the LX unit to provide SNMP management.
Network Management System
Network Management Systems monitor and control network elements. Network Elements (NE) are devices, such as hosts, routers, and terminal servers, that are monitored and controlled through access to their management information. The NMS can potentially monitor several nodes, each with a processing entity termed an agent. An agent is a network management software module that resides in a managed device.
Management Information
A managed object is one of any number of characteristics of a managed device. Managed objects are comprised of one or more object instances. A managed object is identified by an object identifier (OID). The tree consists of a root connected to a number of labeled nodes via edges. Each node may, in turn, have children of its own which are labeled. In this case, we may term the node a subtree.
MIBs are organized into MIB modules. A MIB module is a file defining managed MIB objects. In addition to the standard MIBs, companies usually provide vendor specific enterprise MIBs which define additional MIB objects used to manage the network devices.
OID Structure Example
A sample Object identifier follows:
Example
Internet OBJECT IDENTIFIER ::= (iso (1) org (3) dod (6) internet (1) 1}
In tree format, the same object appears as follows:
Figure 14.
Table 14.1 Standard MIBs
RFC Number    Description
RFC 1213      MIB-2
RFC 1658      Character MIB
RFC 2465      IPv6 MIB
RFC 3411      SNMP V3 Framework MIB
RFC 3414      SNMP V3 User-based Security Model (USM) MIB
RFC 3415      SNMP V3 View-based Access Control Model (VACM) MIB
Table 14.
Table 14.4 LX Enterprise-Specific SNMP Traps
ID  Name  Indicates that
1  irNotifyEvent  A text message is being sent to an SNMP client.
2  irTempHighTholdAlarmRaised  A configured high threshold has been raised.
3  irTempHighTholdAlarmCleared  A configured high threshold has been cleared.
4  irTempLowTholdAlarmRaised  A configured low threshold has been raised.
5  irTempLowTholdAlarmCleared  A configured low threshold has been cleared.
LX Fault/Cleared Alarm SNMP Trap Pairings
Table 14.4 LX Enterprise-Specific SNMP Traps (Continued)
ID  Name  Indicates that
28  irAdminLoginFailed  Administrator login failed.
29  irEnetPortBondLinkStatusChanged  Enet port bonding link status changed.
30  irHdamAnalogHighAlarmRaised  Analog high threshold alarm was raised.
31  irHdamAnalogHighAlarmCleared  Analog high threshold alarm was cleared.
32  irHdamAnalogLowAlarmRaised  Analog low threshold alarm was raised.
Security
Additional security is provided by only allowing SNMP requests from hosts that are configured in the GET/SET client table. The SNMP agent is disabled by default. An SNMP Client must be configured on the device before it can communicate with the SNMP agent. An SNMP Client is configured via the Command Line Interface (CLI). The SNMP agent must be enabled via the CLI to accept SNMP requests.
Adding or Removing an SNMP GET Client
To configure a source interface on SNMP
Optionally, the SNMP Interface allows you to indicate the IPv4 source address to use when contacting the server. In each case, this value defaults to interface 1. Use the following command syntax to specify the source address the LX sends when contacting the SNMP server.
Examples
Snmp:1 >>get client 0
Snmp:1 >>get client 0 community
Snmp:1 >>get client 0 version
Snmp:1 >>get client 0 mask 255.255.255.0
Snmp:1 >>no get client 0
Note: A community string can be up to 32 characters long.
Adding or Removing an SNMP SET Client
Before an SNMP client can send SNMP SET requests to the agent, it must be configured in the SNMP SET client table. Execute this command at the SNMP command mode.
Adding and Removing SNMP Trap Clients
A Trap Client is a specific NOC to which the device sends Trap messages. Execute this command at the SNMP command mode. An LX will not generate an SNMP Trap message until a Trap Client is defined. You can configure up to 16 Trap Clients.
To add an SNMP Trap client
Use the following command syntax:
Syntax
Snmp:0 >>trap client ip_address
where
number ip_address is a value from 0 to 15.
Adding and Removing SNMP V3 Group Entries
where
number user_name is a value from 0 to 9. identifies the name of the user.
Examples
SNMP V3 Group Configuration Examples
Snmp:1 >>v3 group 3 group grpAll
Snmp:1 >>v3 group 3 user 3
Adding and Removing SNMP V3 Access Entries
You can configure up to 10 V3 Access Entries using the v3 access command.
To add an SNMP V3 access entry
Use the following command syntax:
Syntax
Snmp:0 >>v3 access name
where
number group_name is the entry in the access table being configured.
Adding and Removing SNMP V3 View Entries
Use this command to configure an SNMP V3 view entry. Up to 10 V3 View Entries can be configured.
To add an SNMP V3 View Entry
Use the following command syntax:
Syntax
Snmp:1 >>v3 view name
where
number string is the entry in the view table being configured. identifies the name assigned to the entry.
MIB-II System Group Configuration
This section describes how to configure the MIB-II sysContact and sysLocation object values. Type the following commands at the CLI Config prompt.
Config:0 >>contact
Config:0 >>location
SNMP V3 Overview
The LX Series supports SNMP V3. The following structures are used to set up an SNMP V3 entity.
User
This is where the user is defined, as well as the security levels to be applied to this user.
Access
This defines the abilities available to a GROUP that is bound to a specific access entry. Access defines which VIEW from the VIEW table is used to determine READ/WRITE capabilities.
View
This is where you limit what a user can view. You can specify a certain OID; for example, 1.3.6.1. This means that as long as the user's request attempts to read or write a value whose OID begins with 1.3.6.1, the user will be able to do so.
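The "begins with" test on a view subtree is made on whole OID components, not on characters. The sketch below is an added example, not LX code; it follows the view-matching rule of RFC 3415 (the longest matching subtree decides, and an entry can be included or excluded), leaves out the mask, and assumes the LX agent behaves the same way. The HARDENED view and the requested OIDs are constructed.

```python
"""VACM-style view check: component-wise subtree match, longest match wins."""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]
ViewEntry = Tuple[str, str]   # (subtree, "included" | "excluded")


def parse_oid(text: str) -> Oid:
    """'1.3.6.1' or '.1.3.6.1' -> (1, 3, 6, 1); rejects empty or non-numeric arcs."""
    text = text.strip()
    if text.startswith("."):
        text = text[1:]
    parts = text.split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


def in_subtree(oid: Oid, subtree: Oid) -> bool:
    """True if `subtree` is a prefix of `oid`, compared arc by arc."""
    return len(oid) >= len(subtree) and oid[:len(subtree)] == subtree


def string_prefix_match(requested: str, subtree: str) -> bool:
    """The naive character comparison, kept only to show where it goes wrong."""
    return requested.startswith(subtree)


def view_allows(view: List[ViewEntry], requested: str) -> bool:
    """Decide access from the most specific view entry that contains the OID."""
    oid = parse_oid(requested)
    best_key: Optional[Tuple[int, Oid]] = None
    best_kind = "excluded"            # an OID outside every subtree is not in the view
    for subtree_text, kind in view:
        if kind not in ("included", "excluded"):
            raise ValueError(f"unknown view type: {kind!r}")
        subtree = parse_oid(subtree_text)
        if not in_subtree(oid, subtree):
            continue
        key = (len(subtree), subtree)  # longest subtree first, then greatest OID
        if best_key is None or key > best_key:
            best_key, best_kind = key, kind
    return best_kind == "included"


# The single-subtree view used in this chapter's examples.
VIEWALL: List[ViewEntry] = [("1.3.6.1", "included")]

# Constructed view: everything under 1.3.6.1 except the SNMPv3 user (USM)
# and access-control (VACM) configuration tables.
HARDENED: List[ViewEntry] = [
    ("1.3.6.1", "included"),
    ("1.3.6.1.6.3.15", "excluded"),   # snmpUsmMIB
    ("1.3.6.1.6.3.16", "excluded"),   # snmpVacmMIB
]

if __name__ == "__main__":
    for view_name, view in (("VIEWALL", VIEWALL), ("HARDENED", HARDENED)):
        for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2", "1.3.6.10.5"):
            print(view_name, oid, view_allows(view, oid))
```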
SNMP V3 Commands
The LX supports SNMP V3.
To configure SNMP V3 for No Authentication and No Privacy
1. Configure the user:
Example
Snmp:0 >>v3 user 0 name tim
2. Configure group:
Example
Snmp:0 >>v3 group 0 user tim
Snmp:0 >>v3 group 0 group groupall
3. Configure access:
Example
Snmp:0 >>v3 access 0 name groupall
Snmp:0 >>v3 access 0 readview viewall
Snmp:0 >>v3 access 0 writeview viewall
4. Configure view:
Example
Snmp:0 >>v3 view 0 name viewall
Snmp:0 >>v3 view 0 subtree 1.3.6.
6. Configure access:
Example
Snmp:0 >>v3 access 2 name groupall
Snmp:0 >>v3 access 2 readview viewall
Snmp:0 >>v3 access 2 writeview viewall
7. Configure view:
Example
Snmp:0 >>v3 view 2 name viewauthnopriv
Snmp:0 >>v3 view 2 subtree 1.3.6.1
8.
5. Configure protocols and passwords:
Example
Snmp:0 >>v3 user 1 privproto des
Snmp:0 >>v3 user 1 privpass privpass
Snmp:0 >>v3 user 1 authproto md5
Snmp:0 >>v3 user 1 authpass authpass
To configure SNMP V3 for Authentication and Privacy with Read-Only Access
1. Configure user:
Example
Snmp:0 >>v3 user 3 name tim
2. Configure group:
Example
Snmp:0 >>v3 group 3 user tim
Snmp:0 >>v3 group 3 group groupall
3.
Configuring a Trap Client User Index
The trap client user index command has been added.
Note: You only need to set this field if this entry is for a V3 trap client.
Syntax
Snmp:0 >>trap client v3userindex
where
points to the entry in the v3 user table on whose behalf this trap client is configured. The range is from 0 to 9.
Example
Displaying SNMP Information
The following sections explain how to access the SNMP Show screens.
To show whether SNMP is enabled or disabled
Use the show snmp characteristics command:
Example
In-Reach:0 >>show snmp characteristics
Figure 14.3, “Show SNMP Characteristics Display” shows the “SNMP Daemon” field which indicates whether SNMP is enabled or disabled.
Time: SNMP Daemon: Source Interface: Disabled 1 Tue, 13 Feb 2007 09:45:25 US/EASTERN Port: 16
Figure 14.
To show SNMP clients
Use the show snmp client command syntax to display the SNMP client information:
Syntax
In-Reach:0 >>show snmp client [number | all]
where:
number is any valid client number from 0 to 15
Example
In-Reach:0 >>show snmp client all
Time: Wed, 18 Oct 2006 09:08:19 US/EASTERN
Get Client: 1    Address: 140.111.222.111
Version: v1    NetMask: 255.255.255.255
Community: public
Set Client: 1    Address: 140.111.222.
Version: v1    NetMask:
Community:
Show the SNMP V3 Settings
The following sections explain how to access the SNMP V3 Show screens.
To show all SNMP V3 users
Use the show snmp v3 user all command in either of the following command modes:
Example
InReach:0 >>show snmp v3 user [number|all]
Figure 14.5 shows an example of the SNMP V3 User All Screen.
To show all SNMP V3 views
Use the snmp v3 view all command:
Example
InReach:0 >>show snmp v3 view all
Time: Wed, 28 Mar 2007 10:23:30 US/EASTERN
viewEntry: 0    status: notReady
viewName: ddd
subTree: .1.3.6.1
mask:
type: included
Figure 14.
To show the SNMP V3 group settings
Use the following command syntax:
Syntax
In-Reach:0 >>show snmp v3 group entry_number
where
entry_number is any valid SNMP V3 entry number from 0 to 9.
Example
In-Reach:0 >>show snmp v3 group 0
Time: Wed, 28 Mar 2007 10:29:44 US/EASTERN
Entry: 0    status: notReady
userName: ddd
groupName: ddd
secModel: usm
Figure 14.
To show the SNMP V3 user settings
Use the following command:
Syntax
In-Reach:0 >>show snmp v3 user entry_number
where
entry_number is any valid SNMP V3 entry number from 0 to 9.
Example
In-Reach:0 >>show snmp v3 user 0
Time: Wed, 18 Oct 2006 09:08:19 US/EASTERN
userEntry: 0    status: active
userName: bob
authProtocol: md5    privProtocol: des
authPassword: Configured
privPassword (Key): Configured
Figure 14.
Dual Power Supply SNMP Traps
SNMP traps notify you of a Power Supply state change (on/off).
SNMP MIB Support
LX SNMP software supported the ability to read the total current load per power device. Additional SNMP support has been added to read current loads for 5250 devices with 3-phase (A, B and C) power support.
References
Understanding SNMP MIBs by Dave Perkins, Prentice Hall.
The Simple Book, by Marshall Rose, Prentice Hall.
CHAPTER 15 Configuring Alarming with LX-7204T/7304T Sensor Manager and LDAM
This chapter describes how to configure the LX-7204T/7304T Sensor Manager and Option Modules, as well as Low-Density Alarm Management (LDAM).
IMPORTANT
The LX-7204T Sensor Manager High-Density Alarm Management (HDAM) is compatible only with the LX-Series. It is no longer compatible with In-Reach legacy products.
Configuring the HDAM Port
The LX-7204T and Option Modules are managed from a port on the LX Master Unit that is configured as an HDAM port. All ports on an LX-Series unit other than port 0 (diagnostic/management port) can be configured as HDAM ports. Only four total ports can be HDAM ports at one time.
Updating the LX-7204T/7304T Firmware
port_number The number of the LX port connected to the HDAM on which to update firmware. For example, a value of 1 means that the LX-7204T/7304T connected to port 1 of the Master LX Unit will have its firmware updated.
ip_address Specifies the IP address of the TFTP server from which the firmware update will be obtained. If no IP address is given, the LX unit’s default TFTP server address is used.
Using the Alarm Input Commands
This section explains how to configure the alarm input commands, including the following:
Naming Alarm Inputs
Enabling and Disabling Audible Alarms
Configuring an Alarm Input Description String
Defaulting the Description for an Alarm Input
Enabling and Disabling SNMP Traps for Alarm State Changes
Configuring the Debounce Interval for an Alarm
Configuring the Fault State for Alarm Inputs
Configuring a Severity
To configure a descriptive name for any Alarm Input in the LX-7204T/7304T
Use the following Privileged command syntax:
Syntax
hdam alarm name
hdam alarm port slot point name
where
alarm_name_1 Name of the alarm input to rename
alarm_name_2 New alarm name to assign to the alarm input
Note: The name must start with a letter, and the remainder of the name can contain only letters an
Enabling and Disabling Audible Alarms
2. Use the following command syntax to enable and disable the audible alarm for multiple alarms:
Syntax
hdam alarm audible enable
hdam alarm no audible
where
alarm_name Name of the alarm on which to enable/disable the audible alarm. This entry is in the order port_slot_alarm (such as 5_2_31, or BankVaultDoor).
Configuring an Alarm Input Description String
Use the following commands to configure an Alarm Description String for a specific alarm or for multiple alarms.
To configure an alarm input description string
Use the following command syntax to configure an alarm input description string for a specific alarm:
hdam alarm description
2.
Defaulting the Description for an Alarm Input
Use the following commands to default an Alarm Input Description for a specific alarm or for multiple alarms.
To default the description for an alarm input
Use the following command syntax to default the description for an alarm input for a specific alarm:
hdam alarm description
2.
Enabling and Disabling SNMP Traps for Alarm State Changes
Use the following commands to enable or disable the sending of an SNMP trap for a change in Alarm state for a specific alarm or for multiple alarms.
Configuring the Debounce Interval for an Alarm
point_list Specifies a list of Points about which you want to send SNMP traps. The list can contain single items, lists (such as 1,3,4) or ranges (such as 1-32), or a combination.
all Specifies that Slots or Points managed by the LX Master Unit will be as specified in this command.
enable This is the default setting. An SNMP trap will be sent when the Alarm Input specified changes state.
where
alarm_name Specifies an Alarm Input Name. The value of name can be a descriptive name or a default name.
port_number Specifies the LX HDAM port managing the LX-7204T/7304T.
slot_list Specifies a list of Slots on which you want to set the debounce interval. The list can contain single items, lists (such as 1,3,4) or ranges (such as 1-4), or a combination.
point_list Specifies a list of Points on which you want to set the debounce interval.
Configuring the Fault State for Alarm Inputs
To configure the fault state for alarm inputs for multiple alarms
Use the following command syntax:
Syntax
hdam alarm hdam alarm port slot [|all] point [|all] fault state [open|closed]
where
alarm_name The name of the alarm on which you want to open or close the fault state. This entry is in the order port_slot_alarm (e.g., 5_2_31, or BankVaultDoor).
Configuring a Severity Level for Alarm Inputs
Use the following commands to configure a severity level for Alarm Inputs for a specific alarm or for multiple alarms.
Example
Config:0 >>hdam alarm SafedepositDoor trap severity critical
Config:0 >>hdam alarm 5_2_31 trap severity informational
Config:0 >>hdam alarm port 2 slot 1,2 point 1,2,3,4 trap severity minor
Config:0 >>hdam alarm port 2 slot 1-4 point 6-18 trap severity major
Resetting the Alarm Input Name to Its Default
Use the following commands to reset the Alarm Inputs to their default names for a specific alarm or for multiple alarms.
Example
Config:0 >>hdam alarm port 2 slot 1,2 point 1,2,3,4 default name
Config:0 >>hdam alarm port 2 slot 1-4 point 6-18 default name
Config:0 >>hdam alarm port 2 slot all point all default name
Config:0 >>hdam alarm port 2 slot 1-4 point 6-18 default name
Config:0 >>hdam alarm fan_window default name
Resetting Alarm Inputs to the Defaults
Use the following commands to reset Alarm Inputs to the default settings for a specific alarm or for multiple alarms.
Example
Config:0 >>hdam alarm BankVaultDoor default point
Config:0 >>hdam alarm 3_1_22 default point
Config:0 >>hdam alarm port 2 slot 1,2 point 1,2,3,4 default point
Config:0 >>hdam alarm port 2 slot 1-4 point 6-18 default point
Config:0 >>hdam alarm port 2 slot all point all default point
Config:0 >>hdam alarm port 2 slot 1-4 point 6-18 default point
Using the Control Output Commands
This section explains how to configure the control output commands, includin
Naming Control Outputs 15-17
Example
To configure a name for a control output for multiple controls
Use the following command syntax:
Syntax hdam control port slot point name
where
control_name_1 Specifies that the point being named is a control output.
control_name_2 The new control name to assign to the control output. The names must be unique across the Master LX Unit.
Setting Control Output as Open or Closed
Use the following commands to set LX-7204T/7304T Control Output signals as Open or Closed for a specific control or for multiple controls.
Configuring a Control Output Description String
Use the following commands to configure a Control Output Description String for a specific control or for multiple controls.
Example
Config:0 >>hdam control Floor2Lab description lab door 1
Config:0 >>hdam control 3_1_8 description lab door 2
Config:0 >>hdam control port 2 slot 1,2 point 1-4 description lab1
Config:0 >>hdam control port 2 slot all point all description library second floor
Defaulting the Description for a Control Output
Use the following commands to default a Control Output Description for a specific control or for multiple controls.
Setting the Active State of a Named Control 15-21
point_list Specifies a list of Points for which to configure a description. The list can contain single items (such as 1,3,4) or ranges (such as 1-8), or a combination.
all Specifies that all Slot or control outputs managed by the LX Master Unit will be as specified in this command.
15-22 Resetting Control Outputs to the Defaults
point_list Specifies a list of Points whose active state to set open or closed. The list can contain single items, lists (such as 1,3,4) or ranges (such as 1-8), or a combination.
all The Active State specified in this command will apply to all Slots or Points (or both) managed by this LX Master Unit.
Examples
Config:0 >>hdam control AuxAcDown default point
Config:0 >>hdam control 6_1_8 default point
Config:0 >>hdam control port 2 slot 1,2 point 1,2,3,4 default point
Config:0 >>hdam control port 2 slot 1-4 point 6-8 default point
Config:0 >>hdam control port 2 slot all point all default point
Config:0 >>hdam control port 2 slot 1-4 point 6-8 default point
Resetting the Control Output Name to its Default
Use the following commands to reset control
Using the Analog Input Commands
This section explains how to configure the analog input commands, including the following:
Naming Analog Inputs
Configuring an Analog Input Description String
Defaulting the Description for an Analog Input
Resetting Analog Inputs to the Defaults
Resetting the Analog Input Name to Its Default
Enabling and Disabling the Analog State
Configuring Analog Calibration
Naming Analog Inputs
You can use each point name
Configuring an Analog Input Description String 15-25
port_number Specifies the individual LX port number to which the LX-7204T/7304T is attached.
slot_number Specifies a Slot for which to configure a name.
point_number Specifies a Point for which to configure a name.
Note: All names across the Master LX Unit must be unique.
15-26 Defaulting the Description for an Analog Input
all Specifies that all Slots or Points managed by the LX Master Unit will be as specified in this command.
string The description of the analog input (a maximum of 63 characters long).
Resetting Analog Inputs to the Defaults 15-27
all Specifies that all Slots or Points managed by the LX Master Unit will be as specified in this command.
Examples
Config:0 >>hdam analog BankVaultDoor default point
Config:0 >>hdam analog 3_1_8 default point
Config:0 >>hdam analog port 2 slot 1,2 point 1,2,3,4 default point
Config:0 >>hdam analog port 2 slot 1-4 point 6-8 default point
Config:0 >>hdam analog port 2 slot all point all default point
Resetting the Analog Name to its Default
Use the following commands to reset a specified analog input or multiple analog inputs to its default name.
Enabling and Disabling the Analog State 15-29
The default command will apply to all Slots or Points (or both) managed by this LX Master Unit.
To calibrate analog inputs
Use the following command syntax:
Syntax
hdam analog calibrate minimum maximum units [margin ]
hdam analog port slot [|all] point [|all] calibrate minimum maximum units [margin ]
where
analog_name Specifies an Analog Input name.
Examples
Config:0 >>hdam analog 5_2_8 calibrate minimum 5 maximum 140 units DegF
Config:0 >>hdam analog 5_2_7 calibrate minimum 5 maximum 95 units %RH
Config:0 >>hdam analog port 2 slot 1,2 point 1,2,3,4 calibrate minimum 20.8 maximum 32.0 units Hg
Config:0 >>hdam analog port 2 slot 3-4 point 6-8 calibrate minimum 5 maximum 140 units TempF margin 1.
Displaying HDAM Information
This section explains how to display HDAM show screens.
To view HDAM alarm input characteristics using the alarm name
Use the following command syntax:
Syntax show hdam alarm characteristics
Example
Config:0 >>show hdam alarm 5_4_20 characteristics
InReach:0 >>show hdam alarm 5_2_31 characteristics
Figure 15.1 shows an example of the HDAM Alarm Name Characteristics Screen.
To view HDAM port characteristics information
Use the show hdam characteristics command to display alarm and analog input, and control output characteristics at either of the following command modes:
Examples
Config:0 >>show hdam 4 characteristics
InReach:0 >>show hdam 1 characteristics
Figure 15.3 shows an example of the HDAM Port Characteristics Screen.
To view HDAM control name information
Use the show hdam control characteristics command at either of the following command modes:
Examples
Config:0 >>show hdam control 5_4_8 characteristics
InReach:0 >>show hdam control 5_2_8 characteristics
Figure 15.4 shows an example of the HDAM Control Name Characteristics Screen.
Port  Slot  Point  Name   Active State
8     1     5      8_1_5  Open
Description:
Figure 15.
Figure 15.6 shows an example of the HDAM Analog Name Characteristics Screen.
Port  Slot  Point  Name        State    Min     Max       Margin  Units
10    1     1      OfficeTemp  Enabled  5.0000  140.0000  1.0000  TempinF
Description:
Figure 15.6 HDAM Analog Name Characteristics Screen
To display analog status information using a specific analog name
Use the show hdam analog status command at either of the following command modes.
Figure 15.8 shows an example of the HDAM Mapping Screen.
Name   Port  Slot  Point
8_1_1  8     1     1
8_1_2  8     1     2
8_1_3  8     1     3
8_1_4  8     1     4
8_1_5  8     1     5
8_1_6  8     1     6
8_1_7  8     1     7
8_1_8  8     1     8
Figure 15.8 HDAM Mapping Screen
To view HDAM port/slot/point characteristics
Use the show hdam slot point characteristics command to display alarm, analog, and/or control characteristics on HDAM ports at either of the following command modes.
Figure 15.10, “HDAM Port/Slot/Point Characteristics Alarm Card Screen” shows an example of the HDAM Port/Slot/Point Characteristics Screen, if Slot 2 contains an Alarm Card.
Figure 15.11, “HDAM Port/Slot/Point Characteristics Analog Card Screen” shows an example of the HDAM Port/Slot/Point Characteristics Screen, if Slot 1 contains an Analog Card.
Port  Slot  Point  Name              State     Minimum   Maximum   Margin  Units
1     1     1      OfficeTemp        Enabled   5.0000    140.0000  1.0000  TempinF
Description:
1     1     2      NothingConnected  Disabled  -14.0000  100.0000  0.5000  PSI
Description:
1     1     3      NothingConnected  Disabled  20.8000   32.0000   2.5000  BP
Description:
. . .
Figure 15.13 shows an example of the HDAM Port/Slot/Point Status Screen, if Slot 2 contains an Alarm Card.
To view HDAM status information
Use the show hdam status command to display alarm, analog, and control status information on an HDAM port at either of the following command modes.
Examples
Config:0 >>show hdam 4 status
InReach:0 >>show hdam 1 status
Figure 15.15 shows a sample HDAM Port Status Screen.
Time: Port Name: Temperature (Celsius): Power Supply A: Power A Input Status: Power A Output: Power A Input Voltage: Port_1 34.
Configuring the LDAM Port
All ports on an LX-Series unit other than port 0 (diagnostic/management port and internal modem or RS485 port) can be configured as LDAM ports.
To configure ports as LDAM ports
Use the following command syntax:
Syntax Config:0 >>port async access ldam
where
port_list Specifies the port(s) to use to control the LDAM. The list can contain single items (such as 1,3,4) or ranges (such as 1-8), or a combination.
Naming Alarm Inputs
The default name for an alarm input is canonically derived from the port number and point number. You can configure by the default name (if known).
Note: You can use each point name only once on the LX. You can’t use the same name on multiple ports or points.
To configure an alarm input description string for a specific alarm
Use the following command syntax:
Syntax
ldam alarm description
ldam alarm port point description
where
alarm_name Specifies an Alarm Input Name. The default name for an alarm input or control output is canonically derived from the port number and point number.
port_number Specifies the LDAM port number.
point_number Specifies the Point for which you want to default the description. The options are 1 and 2.
where
alarm_name Specifies an Alarm Input Name. The value of alarm_name can be a descriptive name or a default name.
port_number Specifies the LDAM port number.
point_number Specifies the point on which you want to change the fault state. Options are 1 and 2.
open The point will be in Alarm when it is open. This is the default setting.
closed The point will be in Alarm when it is closed.
To reset the alarm input name to default for a specific alarm or multiple alarms
Use the following command syntax:
Syntax
ldam alarm default name
ldam alarm port point default name
where
alarm_name Specifies an Alarm Input Name. The value of alarm_name can be a descriptive name or a default name.
port_number Specifies the LDAM port number.
point_number Specifies the point you want to reset to the default name.
Using the Control Output Commands
This section explains how to configure the control output commands, including the following:
Naming Control Outputs
Configuring a Control Output Energize as Assert or Deassert
Set Control Output Signal to Assert or Deassert
Configuring a Control Output Description String
Defaulting a Control Output Description
Resetting Control Output Name to Default Setting
Naming Control Outputs
The default name for a control
To set the energize state of a named control to assert or deassert for a specific control
Use the following command syntax:
Syntax ldam control energize state [assert|deassert]
To set the energize state of a named control to assert or deassert for multiple controls
Use the following command syntax:
Syntax ldam control port point energize state [assert|deassert]
where
port_number The number of the LDAM port.
To configure control output signal to assert or deassert for a specific control
Use the following command syntax:
Syntax ldam control set [assert|deassert]
To configure control output signal as assert or deassert for multiple controls
Use the following command syntax:
Syntax ldam control port point set [assert|deassert]
where
port_number Number of the LDAM port
control_name Specifies a Control Output Name.
To configure a control output description string for a specific control
Use the following command syntax:
Syntax
ldam control description
ldam control port point description
where
control_name Specifies a Control Output Name. The default name for an alarm input or control output is canonically derived from the port number, slot number and point number.
Examples
To default a control output default description for a specific control
Use the following command syntax:
Syntax
ldam control default description
ldam control port point default description
where
control_name Specifies a Control Output Name. The default name for an alarm input or control output is canonically derived from the port number, slot number and point number.
Examples
To reset a control output point to its default settings for a specific control
Use the following command syntax:
Syntax
ldam control default point
ldam control port point default point
where
port_number Specifies the LDAM port number.
point_number Specifies points you want to reset to the default. The only option is 1.
Examples
Displaying LDAM Information
This section explains how to display LDAM show screens.
To view the LDAM alarm input characteristics using the alarm name
Use the show ldam alarm all characteristics command:
Examples
Config:0 >>show ldam alarm all characteristics
InReach:0 >>show ldam alarm all characteristics
Figure 15.16 shows an example of the LDAM Alarm All Characteristics Screen.
To display alarm characteristics for a specific alarm name or port/point
Use the following command syntax:
Syntax
show ldam alarm characteristics
show ldam alarm port point characteristics
Examples
Config:0 >>show ldam alarm 4_1 characteristics
InReach:0 >>show ldam alarm port 4 point 1 characteristics
Figure 15.17 shows an example of the LDAM Alarm Name Characteristics Screen.
Figure 15.18 shows an example of the LDAM Alarm All Status Screen.
Time: Mon, 12 Dec 2005 01:34:16 UTC
Port Name: Port_4
Alarm Port: 4 Point: 1 (CTS:LOW)
Name: Door_alarm_for_Lab4
Current State: Normal
Faulted Count: 10
Last time faulted: Mon, 12 Dec 2005 01:34:16 UTC
Alarm Port: 4 Point: 2 (DSR:HIGH)
Name: window_alarm_for_lab4
Current State: Faulted
Faulted Count: 10
Last time faulted: Mon, 12 Dec 2005 01:34:16 UTC
Figure 15.
To display all LDAM control output characteristics
Use the following command syntax:
Syntax show ldam control all characteristics
Examples
Config:0 >>show ldam control all characteristics
InReach:0 >>show ldam control all characteristics
Figure 15.20 shows an example of the LDAM Control All Characteristics Screen.
Figure 15.21 shows an example of the LDAM Control Name Characteristics Screen.
Time: Mon, 12 Dec 2005 01:34:16 UTC
Port Name: Port_4
Control Port: 4 Point: 1 (DTR)
Name: Fan_control_Lab_1
Description: The fan controlling Lab1
Current State: Deassert
Energized State: Deassert
Figure 15.
To display control status using a specific control name or port/point
Use the following command syntax:
Syntax
show ldam control status
show ldam control port point status
Examples
Config:0 >>show ldam control 4_1 status
InReach:0 >>show ldam control port 4 point 1 status
Figure 15.23 shows an example of the LDAM Control Name Status Screen.
CHAPTER 16 Configuring PPP
This chapter describes how to configure PPP features.
Configuring an IP Interface for PPP
You can bind an IP interface to PPP and specify a dedicated asynchronous port for the IP interface to use for PPP Links. In addition, you can configure CHAP or PAP authentication, CCP negotiation, IPCP and LCP parameters, the PPP Mode, and the Remote IP address for PPP Links on an IP interface. The LX unit also supports PPP routing via static routing.
Re-binding an IP Interface to Eth0 16-3
Example Ppp 2-2:0 >>authentication chap
5. Execute the outbound secret command to specify the outbound secret for PPP Links on the IP interface:
Example Ppp 2-2:0 >>outbound chap secret wtrrrbbbba
Note: Because CHAP is the authentication method specified in step 4, an outbound CHAP secret is specified in the preceding command.
6. Example Ppp 2-2:0 >>outbound username HenryW
7.
Setting Optional PPP Parameters
The LX supports several optional parameters for PPP sessions, including Compression Control Protocol (CCP) negotiation and several settings for the Link Control Protocol (LCP) and Internet Protocol Control Protocol (IPCP). This section describes how to specify values for these parameters.
Note: If you do not specify values for the optional parameters, the LX unit will use default values.
IPCP Accept Address
You can configure the PPP link to accept negotiation of local or remote addresses.
To enable address negotiation on PPP Links
Execute the ipcp accept address enable command in PPP Command Mode:
Examples
Ppp 2-2:0 >>ipcp accept local address enable
Ppp 2-2:0 >>ipcp accept remote address enable
By default, an LX IP interface does not accept the negotiation of local or remote addresses.
IPCP Failure Limit
The IPCP Failure Limit is the number of attempts at IPCP option negotiation that can be made by the IP interface.
To specify the IPCP Failure Limit
Use the ipcp failure limit command in PPP Command Mode:
Example Ppp 2-2:0 >>ipcp failure limit 6
IPCP Timeout
The IPCP Timeout is the length of time that the IP interface has for IPCP option negotiation.
LCP Compression
By default, an IP interface will not try to negotiate the use of LCP compression over a PPP link.
LCP Echo Interval
The LCP Echo Interval is the interval between the sending of LCP echo requests.
To specify the LCP echo interval
Use the lcp echo interval command in PPP Command Mode:
Example Ppp 2-2:0 >>lcp echo interval 20
LCP Failure Limit
The LCP Failure Limit is the number of attempts at LCP option negotiation that can be made by the IP interface.
PPP Routing on the LX
PPP Routing makes it possible to access remote LX units that do not have Ethernet connections. PPP is established when the router dials your LX and pre-configured routes are activated to allow your NOC to manage the remote LX. In Figure 16.1, the NOC telnets to 197.168.1.1 2100-2300 to manage the serial devices.
[Diagram labels: PPP, 192.168.1.2, 192.168.1.1, 192.168.100.1/24, modem link, router, serial devices]
Figure 16.
To implement PPP Routing
1. Configure an IP interface for PPP as described in “Configuring an IP Interface for PPP” on page 16-2.
Note: You must specify the IP address of your NOC as the remote partner for PPP Links with the remote address command in the PPP Command Mode.
2. Access the Configuration Command Mode. See “Command Mode Descriptions” on page 1-5 for information about accessing Configuration Command Mode.
3. Example
Figure 16.2 shows an example of the PPP Characteristics Screen.
Time: Interface Name: Interface_1 Mode: Passive CCP: Disabled Dialback Mode: ----------------IPCP----------------Remote IP Address: 0.0.0.
16-12 Configuring PPP Dial-On-Demand
Figure 16.3 shows an example of the PPP Status Screen.
Time: Thu, 27 Jul 2006 14:39:51 US/EASTERN
Interface Name: Interface_1    Bound to: eth0
Local Address: N/A
Remote Address: N/A
LCP Link: Closed
LCP Compression: Closed
CCP Link: Closed
IPCP Link: Closed
VJ Compression: Closed
Backup Link: N/A
--------------TRANSMIT--------------
Bytes: N/A Frames: N/A Errors: N/A
---------------RECEIVE--------------
Bytes: N/A Frames: N/A Errors: N/A
Figure 16.
Figure 16.4 illustrates the sample used in the following procedure.
[Figure 16.4 PPP Dial-On-Demand Diagram. Labels: Router X, Port 17, LX, Phone Number 1234, Modem, Serial, No LAN, A.B.C.D, Interface 2, X.Y.Z, NMS]
To configure PPP Dial-On-Demand
1. Example 2. Example Enter the Interface Mode:
Config:0 >> interface 2
3. Example 4.
5. Example 6. Example 7. Example
Put the port into Dial on Demand mode using the existing mode. When you do this, the port only attempts to dial a modem and negotiate PPP when there is a demand to do so, such as when IP network traffic matching the interface’s PPP Remote IP Address appears on the unit.
Intf 2-2:>> ppp mode demand
When a timeout is set, the PPP link is up and no data packets are being sent or received across the link.
PPP Backup
PPP Backup allows an LX to dial a “backup” PPP connection if contact to a given host is lost. The PPP connection is enabled as a dial-on-demand, and thus is only active as needed. The PPP backup system uses the trigger-action-rule subsystem to detect when contact to the ping host is lost, and then activate the dial-on-demand service.
Figure 16.5 PPP Dial Backup Diagram
PPP backup becomes a Demand Circuit when LX B can’t ping its ping host 10.242.131.
The appropriate settings for the diagram shown in Figure 16.5 are as follows:
LX A Settings
InReach:0 >> config int 1 address 10.242.131.32 mask 255.255.255.0
InReach:0 >> config int 2 address 130.1.1.100 mask 255.255.255.0
InReach:0 >> config int 3 bind port async 33 protocol ppp
InReach:0 >> config int 3 ppp remote address 10.242.131.48
LX B Settings
InReach:0 >> config gateway 10.242.131.32
InReach:0 >> config int 1 address 10.242.131.48 mask 255.255.255.
To activate the ping backup link when both ping targets are lost
Use the following command:
InReach:0 >>config int 2 ppp backup activate operand and
To deactivate the ping backup link when one or the other ping targets returns
Use the following commands:
InReach:0 >>config int 2 ppp backup deactivate operand or
InReach:0 >>config int 2 ppp backup enable
InReach:0 >>config po as 49 modem dialout number 2760 (phone# of LX A)
InReach:0 >>config route address 130.1.1.0 mask 255.255.255.
Displaying PPP Backup Information
Use the show interface ppp characteristics command to display the PPP Characteristics Screen. An example of this screen follows:
Time: Interface Name: Interface_1 Mode: Passive CCP: Disabled Dialback Mode: ----------------IPCP----------------Remote IP Address: 0.0.0.
PPP Dialback 16-19
To display the PPP Status Screen
Use the show interface ppp status command.
Figure 16.9 shows an example of this screen:
Time: Interface Name: Interface_1 Mode: Passive CCP: Disabled Dialback Mode: ----------------IPCP----------------Remote IP Address: 0.0.0.
RSA SecurID PPP Fallback
The LX PPP connection required you to type your username/password prior to dialing/negotiating the link. This worked reliably for most forms of authentication. RSA SecurID, however, is a token-based authentication, and is very time sensitive. Occasionally, the dial time/modem train/negotiation time was too variable, and sometimes took too long for the token to be valid once the connection was established.
Sample Configuration
Note: Make sure you have a local user configured with which to authenticate.
To configure this feature
1. Example
2. Define an interface:
Example Config:0 >>int 3
3. Define port async 3 to PPP:
Example Intf 3-3:0 >>bind port async 3 protocol ppp
4. Set interface 3 to PPP:
Example Intf 3-3:0 >>ppp
5. Define the address to be assigned to the dial-in peer:
Example Ppp 3-3:0>> remote addr 1.2.2.2
6. Exit PPP mode:
Example Ppp 3-3:0>> exit
7.
To configure any form of authentication as if it were a Local port
Use the following commands:
Async3:0 >>access local
Async3:0 >>authentication inbound rsa securid enable
Async3:0 >>authentication fallback enable
When the port is set up as a Special PPP-Local, you must authenticate via Local methods in order to move on to PPP. If there is no login at the local level, PPP will not attempt to connect. This is a security measure to enforce proper login.
To display the Port Async Characteristics Screen
Use the show port async characteristics command. Figure 16.10 shows an example of this screen:
Time:
Port Number: 1
Access: Remote
Speed: 9600
Bits per Character: 8
Stop Bits: 1
Parity: None
Flow Control: Xon
Autohangup: Disabled
DSR Wait: Enabled
DTR Drop Time: 2
Authentication: Auth.
CHAPTER 17 Configuring Redundant Ethernet
This chapter describes how to configure Redundant Ethernet.
Note: It is considered normal to see a small number of carrier errors occur on the Ethernet port during system initialization. These errors are benign and can be safely ignored.
Redundant Ethernet
This feature applies only to the LX-8000. MRV supports use of the Ethernet 2 port on an LX-8000 or LX4000T series unit. The second Ethernet port may be used as a normal network interface or to provide fault tolerance for Ethernet 1. If used as a second network interface, the LX can be connected to two IP networks at the same time and accept connections on either interface.
Configuring Ethernet 2 as a Redundant Ethernet Link for Ethernet 1 17-3
To configure Ethernet 2 as a second Ethernet port
1. Create Interface 2 (since Interface 1 is already configured):
InReach:0 >> conf interface 2
2. Change interface 2 to use eth1:
Intf 2-2:>> bind port ethernet 2
3. Configure an IP address and Mask:
Intf 2-2:>>address 192.168.10.1 mask 255.255.255.0
4. Configure a Broadcast Address:
Intf 3-3:>>broadcast 192.168.10.
Note: Because only one link is active at one time, the IP address and the MAC address are mapped to the active link. Therefore, in a fail over condition, the MAC address will change locations on your network. Older switches have difficulty with this dynamic change, and require time to age out the old MAC address. Use some caution when doing this.
To configure Ethernet 2 as a redundant Ethernet link for Ethernet 1
1.
Bonding Link
This command monitors the physical link of the primary Ethernet port. If it goes down, the secondary Ethernet port comes up. When the secondary Ethernet port comes up, the MAC address and the IP address are shifted to the secondary link.
Bonding Link ARP Interval
Use the bonding link arp interval command to configure an ARP interval of one second.
To configure an ARP interval
Use the following command syntax:
Syntax Intf:1-1>> bonding link arp interval
Example Intf:1-1>> bonding link arp interval 1000
To display the Bonding Characteristics Screen
Use the show interface bonding characteristics command.
Figure 17.
Note: The second Ethernet port is inactive during boot, whether it is being used as a second segment or as a redundant connection. Booting the image or parameters over the second segment is not supported.
Defaulting the Binding
To delete a current binding
1. At the Interface level, enter:
Intf 10-10:0 >> default bind
2. Save the configuration.
3. Perform reboot.
Note: Reboot is necessary in this software version, but will not be in a future release.
CHAPTER 18 Internal Modem
This chapter describes how to configure the internal modem.
Configuring the Internal Modem for Dial-Out
Note: When configuring ports for modems, autohangup should be enabled and modem control enabled. This is true for both dial-in and dial-out configurations. If you use this modem for either dial-in/dial-out circuit data, you do not need to configure anything on the LX other than port access.
8. Enter an outbound PAP secret:
Ppp 10-10:0 >>outbound pap secret
9. Use the show interface ppp characteristics command to display the PPP Characteristics Screen. An example of this screen follows:
Time: Interface Name: Interface_1 Mode: Passive CCP: Disabled Dialback Mode: ----------------IPCP----------------Remote IP Address: 0.0.0.
Viewing Internal Modem Characteristics
Note: The following fields appear on the Port Async Modem screen only if a GSM/GPRS Internal Modem is installed.
The “Modem Type”, “GSM/GPRS Received Signal Strength”, and “GSM/GPRS Channel Bit Error Rate” fields reside in the Show Port Async Modem screen. The fields show the modem type, as well as the Received Signal Strength and Channel Bit Error Rate of the modem.
CHAPTER 19 Alarm Input/Control Output Points
This chapter describes how to configure control output. The LX Series can be configured to provide two low voltage/low current Control Output signals per port using the DTR and RTS signals. By using a customer specialized interface design, you can control facility equipment on the LX Series product.
Configuring Control Output
You can configure exclusive control over DTR and/or RTS output signals.
To configure control output
1. Dedicate the port to the use of controlling DTR/RTS:
InReach>>config port async access control
This disables modem control, flow control, autohangup, and autobaud. Telnet and SSH connections to the port will be denied, and you can’t log out of the port.
Syntax 2.
To display the Port Async Characteristics screen
Use the show port async characteristics command. The word Control is displayed in the Access field when this feature is enabled. Figure 19.1, “Port Async Characteristics Screen" shows an example of this screen:
Time:
Port Number: 1
Access: Remote
Speed: 9600
Bits per Character: 8
Stop Bits: 1
Parity: None
Flow Control: Xon
Autohangup: Disabled
DSR Wait: Enabled
DTR Drop Time: 2
Authentication: Auth.
To view DTR/RTS States
Use the show port async status command to display the Port Async Status Screen. The Output Signals: RTS and the Output Signals: DTR fields display the current setting.
Figure 19.
Configuring Alarm Inputs via Trigger Action Rules
See the SignalNotice Example for more information. You can configure the LX-Series unit using the console CLI or by using the Graphical User Interface (GUI). You can configure the Alarm Inputs function using Signal-Notice or by using the CLI commands Trigger-Action-Rule. The following examples set up an Alarm Input using CTS and utilize the port DTR Control Output as the controlling voltage on Port 10.
3. Create rules to bind the trigger and the action:
Example
InReach:0 >> config
Config:0 >> trigger
Trigger-Action:0 >> rule name pa10ctsh
Rule_pa10ctsh:0 >> trigger pa10ctsh
Rule_pa10ctsh:0 >> action pa10ctsh
Rule_pa10ctsh:0 >> exit
Trigger-Action:0 >> rule name pa10ctsl
Rule_pa10ctsl:0 >> trigger pa10ctsl
Rule_pa10ctsl:0 >> action pa10ctsl
Rule_pa10ctsl:0 >> end
InReach:0 >>
Note: The rules must be enabled.
Note: See the LX-Series Configuration Guide for more information.
6. Create the Notification Profile for the user:
Example
InReach:0 >> config
Config:0 >> notification
Notification:0 >> profile user ricksnmp service ricksnmp
Noti_User_Info:0 >> facility user
Noti_User_Info:0 >> priority notice
Noti_User_Info:0 >> exit
Notification:0 >> end
InReach:0 >>
7. Enable the Rules:
Note: Each rule can be enabled when it is created with the single command enable.
Using Signal Notice to Set Up a Trigger-Action-Rule
The Trigger-Action-Rule setup can be simplified through the use of the Signal-Notice capability.
To create the Trigger, Rule and Action
Use the following commands:
Example
This command creates two Triggers, two Rules and two Actions for the target signal on the target port with the form pa10ctsup and pa10ctsdn. A port range can be specified.
LX Signal Notice Ease-of-Use
The substitution is translated into the correct command message for the applicable port, signal, and state. For this action command to function, notification profiles must be configured. The following is an ease-of-use example:
1. Enter the range of ports on which to configure signal notification:
Example
Config:0 >>port async 1 2
2.
Port Async Signal Notice GUI Configuration
Several changes were made to the Port Async Signal Notice Configuration window.
To access the Port Async Signal Notice Configuration window
1. Go to Port: Async and then choose a Port tab.
2. At the Console window, click Signal Notif at the bottom of the window. The Signal Notif window appears.
3. Select the number of the port(s) on which to configure or remove Signal Notification.
4. Select Signal Notify.
CHAPTER 20 Configuring IPv6
This chapter describes how to configure IPv6. It also describes the command syntax for the ping, ssh, and telnet commands, which now support IPv6.
Note: The minimum MTU (Maximum Transmission Unit) size is 1280 (bytes) for an IPv6 interface. Setting the size below 1280 turns off IPv6.
Configuring IPv6 Internet Protocol
The major changes from IPv4 to IPv6 fall primarily into the following categories:
Scope-Global Addressing
Scope-Local Addressing
6to4 Tunneling
To configure IPv6 stateless autoconfiguration
Use the following command syntax to enable or disable stateless auto-configuration of the IPv6 Scope-Global Address:
Example
Intf 1-1:0 >>ipv6 stateless autoconfiguration
Intf 1-1:0 >>no ipv6 stateless autoconfiguration
To con
To configure the number of duplicate address detection probes to send
Use the following command syntax to define the number of duplicate address detection probes to send when attempting to configure an IPv6 address on an interface. The range is 1-5.
To configure or delete a route
Use the following command syntax to configure or delete a route for the ipv6_address/prefixLength via the ipv6_address of the specified ethernet device.
To configure standard on-link tunneling
Use the following command syntax to configure Standard OnLink tunneling on an interface going to any remote IPv4 host supporting tunneling on your local link. The command word “any” generates the tunnel’s local IPv6 address automatically.
Syntax
Config:0 >>ipv6 tunnel remote any local enable
Example
Config:0 >>ipv6 tunnel 6to4local remote any local 140.179.100.
To configure a remote tunnel via a tunnel broker
Use the following command syntax to configure a remote tunnel via a tunnel broker:
Syntax
Config:0 >>ipv6 tunnel remote ipv6 address local enable
Note: MRV Communications is not responsible for acquiring the broker service for the end user.
To delete a tunnel
Use the following command syntax to delete a tunnel, or to delete all tunnels:
Syntax
Config:0 >>no ipv6 tunnel all|
Example
Config:0 >>no ipv6 tunnel all
Config:0 >>no ipv6 tunnel rem-6to4
To configure the tunnel packet TTL
Use the following command syntax to define the value for the packet TTL.
To configure IPv6 on Network Time Protocol (NTP)
Use the following command syntax to configure an NTP Server IPv6 address, or to delete all NTP Server addresses:
Syntax
Config:0 >>ntp server ipv6 address
Config:0 >>no ntp server address
Example
Config:0 >>ntp server ipv6 address 3ffe:303:14:4:2a0:9cff:fe00:8ad
To configure an alternate IPv6 address on Network Time Protocol (NTP)
Use the following command syntax to configure an alternate NTP Ser
Example
Config:0 >>ntp source interface 1
To configure a service name and address
Use the following command syntax to configure an IPv6 Service Name and Address:
Syntax
Config:0 >>service name ipv6 address port
Example
Config:0 >>service name Finance_Server ipv6 address 3ffe:303:14:4:2a0:9cff:fe00:8ad port 23
To view the Service
Enter the show service command.
To configure a RADIUS Secondary Accounting Server IPv6 address
Use the following command syntax to configure a secondary RADIUS accounting server IPv6 address:
Syntax
AAA:0>> radius secondary accounting server ipv6 address
Example
AAA:0>> radius secondary accounting server ipv6 address 3ffe:303:14:4:2a0:9cff:fe00:8ad
To delete a RADIUS Secondary Accounting Server IPv6 address
Use the following command:
AAA:0>>radius secondary accounting server
Syntax
AAA:0>> radius secondary authentication server ipv6 address
Example
AAA:0>> radius secondary authentication server ipv6 address 3ffe:303:14:4:2a0:9cff:fe00:8ad
To delete a RADIUS Secondary Authentication Server IPv6 address
Use the following command:
AAA:0>>radius secondary authentication server ipv6 address ::0
To configure the Primary DNS address
Use the following command syntax to configure a primary DNS IPv6 server address:
Syntax
C
Viewing IPv6 Status
To view IPv6 characteristics
Use the show interface ipv6 characteristics command to display the Interface IPv6 Configured Characteristics Screen. Figure 20.
To view IPv6 tunnel information
Use the show ipv6 tunnel all| command to display the IPv6 Tunnel Information Screen. Use the show ipv6 tunnel all command to display information about all current tunnels. Use the show ipv6 tunnel command to display information on a specific tunnel. Figure 20.
Viewing IPv6 Routes
Use the show ipv6 routes device command to display the IPv6 route information. Figure 20.
To view the Primary and Secondary Radius IPv6 addresses
Use the show radius characteristics command to display the Radius Characteristics screen. Figure 20.7, “Radius Characteristics Screen” shows an example with the IPv6 addresses highlighted:
Time: Tue, 11 Jul 2006 09:09:48 US/EASTERN
Primary RADIUS Authentication Server:
IP Address: 0.0.0.0
RADIUS Auth.
To view the Primary and Secondary DNS IPv6 server addresses
Use the show system ip characteristics command to display the System IP Characteristics screen. Figure 20.8, “System IP Characteristics Screen” shows an example of this screen with the Primary and Secondary DNS IPv6 addresses highlighted:
Time: Wed, 21 Feb 2007 14:02:29 US/EASTERN
Hostname: aspdemo
Domain Name suffix: bos.mrv.com
Gateway: 0.0.0.0
Primary DNS: 120.
Secondary DNS:
Primary IPv6 DNS:
Secondary IPv6 DNS:
IPv6 Additions to Ping, SSH, and Telnet
This section describes the syntax for the User level and Superuser level commands ping, ssh, and telnet, which now support IPv6. Table 20.
Web Browser Support for IPv6
The following web browsers have been validated to support IPv6 mode of operation with the LX-Series GUI:
Mozilla (V1.7.8 for Linux)
Microsoft Internet Explorer for Windows XP and preceding
Mozilla supports the use of literal non-Link-Local IPv6 addresses, as well as DNS names that translate to IPv6 addresses. Internet Explorer does not support literal IPv6 addresses, but does support DNS names that translate into IPv6 addresses.
PART 3 Additional Information
APPENDIX A RADIUS Authentication
RADIUS authentication occurs through a series of communications between the LX unit and the RADIUS server. After RADIUS authenticates a user, the LX unit provides that user with access to the appropriate network services. The RADIUS server maintains a database that contains user authentication and network service access information.
RADIUS Authentication Process
The following example describes the steps in the RADIUS authentication process. In this example, the user attempts to gain access to an LX asynchronous port.
1. The LX unit prompts the user for a username and password.
2. The LX unit takes the username and password and creates an access-request packet identifying the LX unit making the request, the username and password, and the port being used.
If at any point in the authentication process conditions are not met, the RADIUS server sends an authentication rejection to the LX unit and the user is denied access to the network. Figure 2.A.1, “RADIUS Authentication Process” shows an example of the RADIUS authentication process.
[Figure: RADIUS Authentication Process. Labels: User attempts to gain access. Access to desired services is granted. LX unit sends access-request packet for authentication. Access-accept returned to LX unit.]
RADIUS Authentication Attributes
Figure A.1 lists the RADIUS Authentication Attributes that are supported on the LX unit.
Note: Some attributes appear in start records, but the majority of attributes appear in stop records (a few also appear in acct-on and acct-off records). RADIUS allows most authentication and configuration attributes to be logged.
Table A.
Table A.1 Supported RADIUS Authentication Attributes (Continued)
Attribute Name | Description
No-Service-Type | Allows local port access for interactive sessions, user is prohibited from accessing the Superuser Command Mode.
Administrative-User | Allows local port access for interactive sessions. The user is allowed access to Superuser and Configuration Command Modes. This is true for local port access, Interface virtual port access and access using the GUI.
Table A.1 Supported RADIUS Authentication Attributes (Continued)
Attribute Name | Description
24 State (challenge/response) | Sent by the server to the client in an Access-Challenge, and must be sent unmodified from the client to the server in any Access-Request reply.
25 Class | Sent by the server, and then sent unmodified by the client to the accounting server.
28 Idle Timeout | The amount of time (in seconds) before the idle user is disconnected.
RADIUS Access Request Packet Service Type
If you telnet or SSH to a remote port, the service type is: Outbound
For a PPP connection, the service type is: Framed User
For any other access method, the service type is: NAS Prompt
This allows the RADIUS service to distinguish where the client is connecting to.
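The following added example (not from the guide or from MRV) parses an Access-Request on the server side and maps its Service-Type to the access method listed above. It assumes the RFC 2865 packet layout and Service-Type numbers (Framed = 2, Outbound = 5, NAS Prompt = 7); the sample packet, user name, address and NAS identifier are constructed.

```python
import ipaddress
import struct

# Attribute numbers from the guide's attribute tables (01, 04, 05, 32),
# plus Service-Type (6) as assigned by RFC 2865 (an assumption of this example).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 32: "NAS-Identifier"}

# RFC 2865 Service-Type value -> (label used in the guide, access method).
SERVICE_TYPES = {
    5: ("Outbound", "telnet or SSH to a remote port"),
    2: ("Framed User", "PPP connection"),
    7: ("NAS Prompt", "any other access method"),
}


class MalformedPacket(ValueError):
    """Raised when a datagram does not follow the RADIUS packet layout."""


def parse_access_request(data: bytes) -> dict:
    """Decode the header and the attributes of an Access-Request."""
    if len(data) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code != 1:
        raise MalformedPacket(f"code {code} is not Access-Request (1)")
    if length < 20 or length > len(data):
        raise MalformedPacket("length field disagrees with the datagram size")
    attrs = {}
    pos = 20  # attributes start after code, id, length and authenticator
    while pos < length:
        if length - pos < 2:
            raise MalformedPacket("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise MalformedPacket(f"attribute {a_type} has bad length {a_len}")
        value = data[pos + 2:pos + a_len]
        if a_type in (4, 5, 6) and len(value) != 4:
            raise MalformedPacket(f"attribute {a_type} must carry 4 bytes")
        if a_type in (5, 6):
            value = struct.unpack("!I", value)[0]
        elif a_type == 4:
            value = str(ipaddress.IPv4Address(value))
        elif a_type in (1, 32):
            value = value.decode("utf-8", "replace")
        attrs[ATTR_NAMES.get(a_type, f"Attr-{a_type}")] = value
        pos += a_len
    return {"identifier": ident, "attributes": attrs}


def describe_access(parsed: dict) -> tuple:
    """Return (service type label, access method) for a parsed request."""
    service_type = parsed["attributes"].get("Service-Type")
    return SERVICE_TYPES.get(service_type, ("unknown", "not listed in the guide"))


def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value


def build_sample(service_type: int) -> bytes:
    """Constructed Access-Request (zeroed authenticator, no User-Password)."""
    body = (_attr(1, b"alice")
            + _attr(4, ipaddress.IPv4Address("192.0.2.10").packed)
            + _attr(5, struct.pack("!I", 10))
            + _attr(6, struct.pack("!I", service_type))
            + _attr(32, b"lx-lab"))
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    for st in (5, 2, 7):
        parsed = parse_access_request(build_sample(st))
        print(parsed["attributes"]["User-Name"], describe_access(parsed))
```

A RADIUS policy or log pipeline can use the returned label to tell remote-port sessions apart from PPP and local logins.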
APPENDIX B About RADIUS and TACACS+ Accounting
RADIUS Accounting and TACACS+ Accounting are client/server account logging schemes that allow you to log user account information to a remote server in a per-client file. The file or record can contain information such as the user who logged in, the duration of the session, port number, Client IP address, and the number of bytes/packets that were processed by the LX unit.
RADIUS Accounting Client Operation
If a user is validated under RADIUS, an accounting request (a start request) is sent to the RADIUS accounting server.
RADIUS Accounting Attributes
Table 1 lists the RADIUS Accounting Attributes that are supported on the LX unit.
Table 1 Supported RADIUS Accounting
Attribute | Description
01 User-Name | Name of the user to authenticate.
04 NAS-IP-Address | IP address associated with the LX unit.
05 NAS-Port | Port or circuit number associated with the request.
32 NAS-Identifier | The ID that identifies the LX unit to the RADIUS server.
TACACS+ Accounting Client Operation
If a user is validated under TACACS+, an accounting request (a start request) is sent to the TACACS+ accounting server.
TACACS+ Accounting Attributes
Table 2 lists the TACACS+ Accounting Attributes that are supported on the LX unit.
APPENDIX C TACACS+ Authentication and Authorization
TACACS+ authentication occurs through a series of communications between the LX unit and the TACACS+ server. Once TACACS+ has authenticated a user, the LX unit provides that user with access to the appropriate network services. The TACACS+ server maintains a database that contains user authentication and network service access information. TACACS+ uses the Transmission Control Protocol (TCP) on port 49 to ensure reliable transfer.
TACACS+ Authentication Example
The TACACS+ superuser request attribute is independent from the TACACS+ login. The TACACS+ superuser request attribute is used to indicate which database to authenticate the superuser password against after a user is logged in. When a user types the enable command, and the TACACS+ superuser request is enabled, the enable password will be authenticated against the TACACS+ server database; otherwise it is checked against the LX database "system".
TACACS+ Authentication Attributes
Table 1 lists the TACACS+ Authentication Attributes that are supported on the LX unit.
Table 1 Supported TACACS+ Authentication Attributes
Attribute | Description
01 User-Name | Name of the user to authenticate.
02 User-Password | The password for the user to authenticate.
If at any point in the authentication process conditions are not met, the TACACS+ server denies access to the network. Figure C-C.
The LX implementation of TACACS+ supports the use of TACACS+ secondary servers. The TACACS+ secondary server is used when the TACACS+ primary server can’t be accessed.
TACACS+ Authorization Attributes
Table C.1 lists the TACACS+ Authorization Attributes that are supported on the LX unit.
Table C.1 Supported TACACS+ Authorization Attributes
Attribute | Description
01 Auto-cmd | Sends an auto-command.
02 Priv-level | Set this value to 15 to enable rights.
Privilege Level
Note: You must configure an authorization server address to access this privilege level. Refer to “Installing and Configuring a TACACS+ Server on a Network-Based Host” on page 2-26 for further information.
You must set this value to the Superuser level. The level must be set to 15.
APPENDIX D Linux Man Pages for iptables and ip6tables Commands
This appendix contains the Linux man pages for the iptables command and the ip6tables command. See the man pages in this appendix for detailed information about the iptables command, which was introduced in Chapter 12, “Configuring iptables and ip6tables”.
iptables man Pages
IPTABLES(8)
NAME
iptables - IP packet filter administration
SYNOPSIS
iptables -[ADC] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -P chain target [options]
iptables -E old-chain-name new-chain-name
DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the
drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
into several different groups.
COMMANDS
These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append
Append one or more rules to the end of the selected chain.
the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero
Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain
Create a new user-defined chain by the given name.
the command syntax.
PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test.
a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
-c, --set-counters PKTS BYTES
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).
OTHER OPTIONS
The following additional options can be specified:
-v, --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks.
command to load any necessary modules (targets, match extensions, etc).
MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module.
ine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared.
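The --tcp-flags comparison described above can be modelled as a mask-and-compare on the flags byte of the TCP header. This is an added example, not part of the man page or of the iptables source; the function names and the sample headers are constructed for illustration.

```python
import struct

# Bit positions of the six flags named in the man page, as they sit in
# byte 13 of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flag_list(text: str) -> int:
    """Turn a comma-separated list such as 'SYN,ACK,FIN,RST' into a bit mask."""
    bits = 0
    for name in text.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag: {name!r}")
    return bits


def flags_from_header(header: bytes) -> int:
    """Extract the flag bits from a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header is shorter than 20 bytes")
    return header[13] & ALL_FLAGS


def tcp_flags_match(examine: str, must_be_set: str, header: bytes,
                    invert: bool = False) -> bool:
    """Model of '[!] --tcp-flags <examine> <must_be_set>'.

    Only the examined flags take part in the comparison. Of those, exactly
    the flags in the second list must be set and the rest must be clear.
    """
    mask = parse_flag_list(examine)
    comp = parse_flag_list(must_be_set)
    result = (flags_from_header(header) & mask) == comp
    return result != invert


def sample_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header: ports 40000 -> 22, data offset 5."""
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    rule = ("SYN,ACK,FIN,RST", "SYN")  # the rule quoted in the man page
    for label, flags in [("SYN", 0x02), ("SYN+ACK", 0x12),
                         ("SYN+PSH", 0x0A), ("SYN+FIN", 0x03)]:
        print(f"{label:8} matches: {tcp_flags_match(*rule, sample_header(flags))}")
```

PSH and URG are not in the examined list of the quoted rule, so a SYN segment that also carries PSH still matches; examining only SYN would also match SYN+ACK replies.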
--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command
iptables -p icmp -h
mac
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.
--destination-port [port[,port]]
Match if the destination port is one of the given ports.
--port [port[,port]]
Match if both the source and destination ports are equal to each other and to one of the given ports.
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
--state state
where state is a comma separated list of the connection states to match.
are included in the standard distribution.
LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
error packet returned:
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply.
POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
--to-source [-][:port-port]
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp).
querading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.
--ttl-set ttl
Set the TTL to the given value.
--ttl-dec ttl
Decrement the TTL by the given value.
--ttl-inc ttl
Increment the TTL by the given value.
ULOG
This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket.
DIAGNOSTICS
Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.
BUGS
Check is not implemented (yet).
COMPATIBILITY WITH IPCHAINS
This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively.
Rusty Russell wrote iptables, in early consultation with Michael Neuling. Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere. James Morris wrote the TOS target, and tos match. Jozsef Kadlecsik wrote the REJECT target. Harald Welte wrote the ULOG target, TTL libipulog.
restrict output to only one table. If not specified, output includes all available tables.
BUGS
None known as of iptables-1.2.1 release
AUTHOR
Harald Welte
SEE ALSO
iptables-restore(8), iptables(8)
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.
ip6tables man Pages
See the man pages in this appendix for detailed information on the ip6tables command, which is introduced in Chapter 12, “Configuring iptables and ip6tables”.
of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a “target”, which may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet, and a target.
routed through the box), and OUTPUT (for locally-generated packets).
mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.
rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed.
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.
-h
Help.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it.
interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix “K”, “M” or “G” for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format.
tcp
These extensions are loaded if “--protocol tcp” is specified. It provides the following options:
--source-port [!] port[:port]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they will be swapped.
udp
These extensions are loaded if “--protocol udp” is specified. It provides the following options:
--source-port [!] port[:port]
Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
--destination-port [!] port[:port]
Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.
default is 3/hour.
--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
--source-ports port[,port[,port...]]
Match if the source port is one of the given ports.
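The --limit-burst recharge described above (with the 3/hour default rate) behaves like a token bucket, which matters when the match guards a LOG rule: packets beyond the available credit are not logged. The following is an added model, not netfilter's implementation or code from the man page; it assumes credit accrues continuously and accepts only the full unit names second, minute, hour and day.

```python
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(text: str) -> float:
    """Return the seconds needed to earn one credit for a rate like '3/hour'."""
    count, sep, unit = text.partition("/")
    if not sep or unit not in UNIT_SECONDS:
        raise ValueError(f"unsupported rate: {text!r}")
    number = int(count)
    if number <= 0:
        raise ValueError("rate must be positive")
    return UNIT_SECONDS[unit] / number


class LimitMatch:
    """Token-bucket model of '-m limit --limit <rate> --limit-burst <n>'."""

    def __init__(self, limit: str = "3/hour", burst: int = 5):
        self.interval = parse_rate(limit)  # seconds per recharged credit
        self.burst = burst                 # bucket size and initial credit
        self.credits = float(burst)
        self.last = None                   # timestamp of the previous packet

    def matches(self, now: float) -> bool:
        """Return True if a packet seen at time `now` (seconds) matches."""
        if self.last is not None:
            earned = (now - self.last) / self.interval
            self.credits = min(self.burst, self.credits + earned)
        self.last = now
        if self.credits >= 1:
            self.credits -= 1
            return True
        return False  # rule does not match; the next rule decides


def simulate(timestamps, limit: str = "3/hour", burst: int = 5) -> list:
    """Run packets arriving at the given timestamps through one limit match."""
    match = LimitMatch(limit, burst)
    return [match.matches(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed arrival times: ten packets one second apart, one packet
    # after roughly one recharge interval, then its immediate successor.
    arrivals = list(range(10)) + [1300, 1301]
    for t, hit in zip(arrivals, simulate(arrivals)):
        print(f"t={t:>5}s  {'match' if hit else 'no match'}")
```

With the defaults, a burst of ten packets produces five matches, and a sustained flow afterwards matches only three times per hour.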
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IPv6 packet header.
MARK
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.
otherwise).
DIAGNOSTICS
Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.
BUGS
Bugs? What’s this? ;-) Well... the counters are not reliable on sparc64.
COMPATIBILITY WITH IPCHAINS
This ip6tables is very similar to ipchains by Rusty Russell.
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere. James Morris wrote the TOS target, and tos match. Jozsef Kadlecsik wrote the REJECT target. Harald Welte wrote the ULOG target, TTL match+target and libipulog.
APPENDIX E Advanced Features
Multi-Level Command Execution
Multi-Level Command Execution is the ability to execute a command that resides in a command mode other than the current command mode. A command that is executed in this way is called a target command, and it must reside in a command mode that is nested in the current one. Figure 1.1 on page 1-2 shows the nesting of command modes in the LX CLI. In the following examples, the mode-access commands are configuration and menu.
Executing Multi-Level Commands from the User Command Mode
You can execute multi-level commands in the User command mode if you are logged in with an account that gives you access to the Configuration commands. When you execute a multi-level command from the User command mode, the command string must begin with enable system. This is an access-mode command that consists of the enable command and the Superuser password (system).
Configuring the Notification Feature with Multi-Level Commands
The restart notification command regenerates the notification configuration and re-starts syslogd. It is necessary to do this when you configure the Notification Feature from outside of the Notification context. (You are outside of the Notification context when you configure the Notification Feature from outside of the Notification command mode or one of its subordinate command modes.
The following are examples of multi-level commands in which the Service-Profile type (protocol) is specified before the target command:
Config:0 >>notification profile service email smtp server 140.179.169.20
Config:0 >>notification profile service onboard async port 2
Config:0 >>notification profile service pager tap smsc 3776809977
Multi-Level Commands Examples
The following are examples of multi-level commands.
Multi-Level Commands in Configuration Command Mode
Config:0 >>interface 1 broadcast group 4 slave port async 2
Config:0 >>subscriber mark command log enable
Config:0 >>menu open mark1
Config:0 >>subscriber mark access console enable
Config:0 >>snmp get client 4 125.65.45.
APPENDIX F Enabling and Disabling TCP and IR Listener Ports
Open Ports on the LX
Table 1 lists the ports that can be open on the LX. An asterisk (*) indicates the port is open by default.
Table 1 Open LX Ports
Port Description    Listener Port Setting
fingerd---79        Disable fingerd to close port.
snmp---161          Disable SNMP to close port.
*ssh---22           Disable SSH to close port.
*telnet---23        Disable telnet to close port.
*http---80          Disable web to close port.
*GUI---5040         Closes if 80 is disabled.
Changing the Default TCP Listener Ports
To change the default async TCP listener port settings
Type the following command in Interface Command Mode:
Intf 1-1:0 >>serial 1 telnet port_number
where
1 is the async port
port_number is the open TCP port to switch to
To change the SSH port
Type the following command in Interface Command Mode:
Intf 1-1:0 >>serial 1 ssh port_number
where
1 is the async port
port_number is the open TCP port to switch to
APPENDIX G RADIUS Vendor Dictionary Files
IMPORTANT! The following example may not fit your specific RADIUS format. See your RADIUS server manual for more information. The standard MRV.dict file is available on your LX CDROM.
The RADIUS server uses a dictionary file to convert between the numeric attributes and values used in RADIUS packets and human-readable ones. Most RADIUS packages use a modular dictionary, consisting of the file named dictionary and vendor-specific files in sub-dictionaries.
To get started, you must have your vendor's ID, and the list of attributes with possible values.
To edit the RADIUS file to include your vendor file
1. Open the file that contains the list of vendor ID numbers; for example, dict.vendors.
2. Add the following line for MRV:
$add vendor 33 MRV
3. Add 4. the sub-dictionary MRV.dict to the dictionary. Either cut and paste the MRV.dict file into the primary dictionary file, or add the following line to the dictionary file:
$include MRV.dict
5.
#
# dictionary.mrv
#
# Version:$Id: dictionary.mrv,v 1.
RADIUS Vendor-Specific Attribute Settings
The possible settings for RADIUS vendor-specific attributes are:
MRV-Remote-Access-List = [telnet ssh web_server console]
MRV-Port-Access-List = [# or Range] (example 1-48)
MRV-Outlet-Access-List = [port async # :outlet #] (example: 8:1, 8:4)
MRV-Outlet-Group-Access-List = [group#] (example: 3, 7)
MRV-Login-Mode = [cli], [shell], [menu], or [raw menu]
MRV-Menu-Name = [menu file name] (example: /config/M_demo_menu)
MRV-
NOTE: Radius Accounting must be configured on the serial port for the new vendor specific attributes “MRV-Command-Logging” and “MRV-Audit-Logging” to work.
NOTE: A login mode of “menu” is required to run a menu on the CLI. A Web Access list containing “menu” is required to run a menu when logging into the GUI.
Some values are mandatory for you to be granted access, and have definable defaults on the host. The mandatory attributes are Username and Password.
#ATTRIBUTE MRV-Remote-Access-List
"bob" User-Password == "bob"
    Service-Type = NAS-Prompt-User,
    MRV-Remote-Access-List = "ssh"
#ATTRIBUTE MRV-Port-Access-List (simple user on port 8)
"bob" User-Password == "bob"
    Service-Type = NAS-Prompt-User,
    MRV-Port-Access-List = "8"
#ATTRIBUTE MRV-Outlet-Access-List (power unit on port 8)
"bob" User-Password == "bob"
    Service-Type = NAS-Prompt-User,
    MRV-Outlet-Access-List = "8:1-8"
#ATTRIBUTE MRV-Outlet-Group-Access-List
#ATTRIBUTE MRV-Login-Mode
"bob" User-Password == "bob"
    Service-Type = Administrative-User,
    MRV-Login-Mode = "shell"
#ATTRIBUTE MRV-Menu-Name (file demo_menu)
"bob" User-Password == "bob"
    Service-Type = NAS-Prompt-User,
    MRV-Menu-Name = "/config/M_demo_menu",
    MRV-Login-Mode = "menu"
#ATTRIBUTE MRV-Web-Menu-Name
"bob" User-Password == "bob"
    Service-Type = NAS-Prompt-User,
    MRV-Web-Access-List = "menu",
    MRV-Web-Menu-Name = "/config/M_demo_menu"
#ATTRIBUTE MRV-
APPENDIX H Configuring rlogin Support
rlogin establishes a remote login session from your terminal on the LX to a remote machine named hostname. Each remote machine may have a file named /etc/hosts.equiv containing a list of trusted hostnames with which it shares usernames. The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user.
[Figure H.1 Connecting to a Host through rlogin. Labels: UNIX Host, Remote Network, Local Network, In-Reach LX Unit, User Terminal - User specifies domain name or host’s internet address, and an optional username.]
The user enters the domain name or IP address of the host system, and an optional different username, one that the host recognizes. The LX unit passes its IP address to the host, along with the username entered on the CLI rlogin command line or the LX login username.
Considerations
Each user must have an account on the remote host. Additionally, setting up the rlogin feature on the host may require you to modify other files. For example, on some UNIX hosts, you include an entry in /etc/hosts and the /etc/hosts.equiv file and, optionally, each user’s .rhosts file. Then, when a user attempts to log in to an account – using rlogin from an LX unit that matches an entry in the etc/hosts.
Defining rlogin Dedicated Services
NOTE: With dedicated rlogin service, you can’t specify a different username for rlogin. The only valid username is the port’s username.
NOTE: When you define a port for dedicated service the user will not be able to access the In-Reach prompt when disconnected from the preferred host. When you define a port as preferred service the user will see the LX prompt when the rlogin session is disconnected.
rlogin Transparent Mode
Use this feature to enable the LX to complete a ZMODEM binary file transfer using the rlogin feature.
rlogin transparent enable
NOTE: Within an rlogin session, characters are passed raw (without interpretation) and transparently. This allows the ZMODEM transfer to complete.
APPENDIX I FIPS 140-2 Support
This appendix describes how to configure your LX-Series software to run in FIPS 140-2 mode of operation. Specific versions of the LX Series Software and associated ppciboot in conjunction with specific LX-Series Models will be FIPS 140-2 validated. MRV LX-Series FIPS 140-2 approval is software version and hardware platform specific. See product data sheets, MRV FIPS 140-2 literature, Web information and/or consult your sales representative for details.
FIPS 140-2 Standard
FIPS 140-1 and its successor FIPS 140-2 are U.S. Government standards that provide a benchmark for implementing cryptographic software and hardware. They specify best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.
The FIPS 140-2 approval is tied to both the specific Hardware platform and Software version. All LX-Series platforms such as the LX-4000 Series and LX-1000 Series can run the FIPS 140-2 version of LX software (linuxito and ppciboot). However, it is important to note that the FIPS 140-2 certification will apply only to the FIPS 140-2 validated version of software specifically configured to run in FIPS 140-2 mode of operation on MRV LX-Series listed platforms.
If using an SNMP NMS or SNMP MIB browser, the application must support SNMPv3 and must support AES encryption. By default, SNMP is disabled for security reasons. SNMPv3 must be enabled and configured fully on the LX in order to function with the NMS.
SSH clients must support SSHv2, AES or 3DES ciphers, and HMAC-SHA1 or HMAC-SHA1-96 message authentication codes.
Applying Tamper Evident Labels
2. Apply two labels each to the bottom left and right sides of the unit, as shown in Figure I.1. Place two tamper-evident seals on the lower left and right side edges of the LX. Make sure that half of each label covers the side surface of the LX, and that the other half of the label covers the bottom surface.
[Figure I.1 Location of the Tamper Evident Labels]
3.
4. Record the serial numbers of the labels you attached to the LX unit.
Enabling FIPS 140-2 Mode of Operation
The Show Version screen appears, with the relevant fields highlighted.
Time: Wed, 21 Feb 2007 14:02:29 US/EASTERN
Linux Kernel Version:        x.x.x.x
Linux In-Reach Version:      xxx
Software Version (Runtime):  x.x.x.x (FIPS 140-2)
Software Version (Flash):    x.x.x.x (FIPS 140-2)
Ppciboot Version:            x.x.x.x (FIPS 140-2)
Figure I.
Config ppciboot Radius Secret TACACS+ Secret PAP/CHAP Outgoing Secret SSH Public Key must be at least 1024 bits. The FIPS 140-2 Security option lets you enable or disable FIPS 140-2 mode of operation.
4. Press B to Boot the system. Do this only after you have configured the ppciboot options and saved the configuration.
Changing the Default ppciboot Password
IMPORTANT! If you change the ppciboot password, be sure to write it down. If you do not remember your password, or the password is lost, you must return the unit to MRV to be defaulted. Defaulting the unit yourself will not clear the ppciboot password - you must return the unit to MRV.
Changing the Default Subscriber Password
It is widely known that the default password for the InReach user is access. If an unauthorized user knew this username/password combination, he/she could log on to your LX unit. For this reason, you must change the InReach user’s password to something other than access. The password must be at least six characters long.
To change the default password for the InReach user
1. 2. Access the Configuration Command Mode.
To change the Configuration password for the LX unit
1. Access the Configuration Command Mode.
2. Enter the password command at the Config:0 >> prompt:
Config:0 >>password
3. Enter a new Superuser password at the Enter your NEW password: prompt. The password will be displayed as asterisks, as in the following example:
Enter your NEW password:***************
4. Re-enter the new Superuser password at the Re-Enter your NEW password: prompt.
Applications Unsupported in FIPS 140-2 Mode of Operation
Table I.
Table I.1 Unsupported FIPS 140-2 Protocols and Features (Continued)
Feature     Impact      Reason
TCP Pipe    Disabled    In plain text
Upgrading Software
The ppciboot.img.sign and linuxito.img.sign digital signature files are used to authenticate during loading. Place these files on the TFTP server. The LX unit will download them automatically. See “Upgrading the Software” on page 4-13 for more information on upgrading the software.
Configuring a Web Server FIPS 140-2 JCE Module Name
Use the following command to configure a Web Server FIPS 140-2 JCE Module name. The module name is set by the module vendor. For example, if you are using RSA’s JSafe cryptographic module, the module name would be JSafeJCE. Enter no web_server fips jcemodule to reset to the default, which is “null”. The module name can be up to 16 characters long.
APPENDIX J NTP Client Overview
For NTP to function, an LX Series NTP client must be able to access an NTP timeserver on the network. NTP runs over User Datagram Protocol (UDP), which in turn runs over IP. NTP is a tiered time distribution system with redundancy capability, and measures delays within the network and within the algorithms on the machine on which it is running.
How NTP Works
After a Primary Time Server address and the (optional) Alternate Time Server target address(es) are configured and NTP is enabled, the LX begins exchanging messages with the server(s) in order to calibrate propagation delay and coordinate Universal Time (UTC), which is the same as Greenwich Mean Time. Using engineered algorithms, the client (LX) adjusts its time and then continues a regular client/server campaign to maintain synchronization with the timeserver(s).
The LX Series syslog can be displayed when it polls the configured servers and notes time adjustments. This is seen in the log listing in the CLI show log command. Additionally, the show ntp status command lists specific data on the query between the LX and the configured and reachable NTP timeservers.
APPENDIX K Using Nested Menus
This section explains how to use the Nested Menu feature. It covers the following topics:
About the Nested Menu Feature
Creating the Nested Menu File
Configuring the LX to Support Nested Menus
Sample Nested Menu Files
You can enable or require nested menus for specific users.
About the Nested Menu Feature
The Nested Menu Feature enables you to create menus, in up to 64 levels. Each menu level can have up to 40 entries. To enable the Nested Menu feature on the LX, you configure the subscriber profile with the menu file name for either or both a CLI session and for a GUI session to the LX. You can assign the same menu for each session or configure a different menu for each subscriber access type. You specify a menu file by name.
Figure K.1 shows an eight-level menu structure. The top level menu is Menu 1. Each menu level can include individual commands to be performed, and menu items linking to the other menu levels, to execute more menu options.
[Figure K.1: menu structure diagram. Labels: Menu 1 (Main Menu), Menu 2, Menu 3, Menu 4, Menu 6, Menu 8, Menu Options, Show Commands, Port Characteristics, Connect Commands; each menu lists entries 1 . . . 20 and 21 . . . 40.]
Figure K.2 shows what Menu 1 might look like:
Menu1                          Main Menu
1. Show Commands               21. Set Session Mode
2. Connect Commands            26. Resume a Session
3. Port Characteristics        27. Disconnect a Session
4. Enable Features             40. Help
Up one level:^U  Top of Menu:^T  Repaint:^R  Logout:^L
Enter number of selection or use arrow keys:
Figure K.
Creating the Menu File
NOTE: Depending on which version of Windows Hyperterminal you are running, extra characters may appear in the automated terminal commands, and screen pauses may not work correctly.
You can create menus in two ways:
Import an existing menu to a new menu name - This quick and easy method makes a copy of an existing menu file. Refer to the LX-Series Configuration Guide and the LX-Series Commands Reference Guide for further details.
Table K.1 lists the commands used within the menu file itself for creating nested menus:
Table K.1 Nested Menu Commands
Command          Description
%menu_file       Defines the beginning of a menu file.
%menu_start      Defines the beginning of a menu.
%menu_entry n    Defines a menu entry.
%menu n          Opens a menu from within a menu.
%menu_wait       Waits for one command to complete, then prompts the user for input before executing the next command.
%menu_file
The menu file must begin with %menu_file or the LX will not recognize it as a menu file.
%menu_start n header
This command indicates the beginning of a menu and specifies the menu number and menu header. The value of n is the menu number. Valid values are from 1 through 64. The specified header appears at the top of a menu. The default menu header is a maximum seven character string “Menu #” (where # indicates the menu number).
The command-string can include up to 135 characters. If you include more than one command, separate the commands with a semi-colon (;). If the command to be run is a shell level command, the command must begin with the @ character. For example, the following command shows the port characteristics and then the server time:
show port characteristics;show clock
You can include a wildcard character in a command to prompt for user input.
%menu_eof
Indicates the end of a file. You can begin another file after this command appears, or use other menu commands.
%menu_prompt prompt-text
This command specifies a text string that explains how to select a menu option. This prompt appears at the bottom of the menu where the user enters an option number. The prompt text can include up to 64 characters.
%menu_logout x text-string
This command specifies the menu key character that the user types to log out of the menu. The text-string, which can include up to 19 characters, describes the purpose of the character. A typical entry might be %menu_logout Q Logout (this is the default). The key and the text appear at the bottom of the menu.
%menu_repaint x text-string
This command specifies the menu key character that the user types to refresh the menu screen.
Using Comment Lines in the Menu File
Begin a comment line with an exclamation point (!) and follow it with the comment text. An example follows:
%menu_end
!start Menu 3. Menu 3 displays CONNECT commands.
%menu_start 3 Connect Commands
The first line specifies the end of a menu. The second line is a comment explaining that the next section of the file defines a new menu, Menu 3. The third line is a menu command that begins Menu 3.
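The limits and directives described above can be checked before a menu file is copied to the LX. The Python linter below is an added example, not MRV code: it assumes one directive per line with each entry's command-string on the line after %menu_entry, its function names and finding codes are hypothetical, and SAMPLE is constructed. Besides the stated limits, it reports entries that run shell-level (@) commands or keep a privileged password in the file, the forms that Sample File 2 uses with ena system and set priv system.

```python
import re

# Limits stated in this appendix.
MENU_NUMBERS = range(1, 65)   # %menu_start n: valid values are 1 through 64
MAX_ENTRIES = 40              # entries per menu level
MAX_COMMAND = 135             # characters in a command-string
MAX_PROMPT = 64               # characters of %menu_prompt text
MAX_KEY_TEXT = 19             # characters of %menu_logout text-string

# Only the directives described in this appendix (extend as needed).
STRUCTURAL = {"%menu_file", "%menu_start", "%menu_entry", "%menu_end",
              "%menu_eof", "%menu_prompt", "%menu_logout", "%menu_repaint"}
IN_COMMAND = {"%menu", "%menu_wait"}

# "ena system" / "set priv system": the next word is a clear-text password.
ELEVATE = re.compile(r"(?:ena(?:ble)?|set\s+priv)\s+\S+", re.IGNORECASE)


def lint_command(lineno, command):
    """Return findings for the command-string of one menu entry."""
    found = []
    if len(command) > MAX_COMMAND:
        found.append((lineno, "command-too-long", f"{len(command)} characters"))
    parts = [part.strip() for part in command.split(";")]
    shell = any(part.startswith("@") for part in parts)
    elevated = any(ELEVATE.match(part) for part in parts)
    if shell:
        found.append((lineno, "shell-command", "runs at shell level"))
    if elevated:
        found.append((lineno, "embedded-password", "password kept in menu file"))
    if "#" in command and (shell or elevated):
        found.append((lineno, "prompted-input", "# feeds typed text to it"))
    return found


def lint_menu(text):
    """Return (line number, code, detail) findings for a nested-menu file."""
    findings = []
    lines = [(n, raw.strip()) for n, raw in enumerate(text.splitlines(), 1)]
    lines = [(n, s) for n, s in lines if s and not s.startswith("!")]
    if not lines or lines[0][1] != "%menu_file":
        findings.append((lines[0][0] if lines else 0, "no-header", "no %menu_file"))
    menu, entries, in_entry = None, 0, False
    for n, line in lines:
        match = re.match(r"%\w+", line)
        word = match.group(0) if match else ""
        rest = line[len(word):].strip()
        if word and word not in STRUCTURAL | IN_COMMAND:
            findings.append((n, "unknown-directive", word))
        elif word == "%menu_start":
            number = rest.split(" ", 1)[0]
            if not number.isdigit() or int(number) not in MENU_NUMBERS:
                findings.append((n, "menu-number", f"{number!r} not in 1-64"))
            menu, entries, in_entry = number, 0, False
        elif word == "%menu_entry":
            entries, in_entry = entries + 1, True
            if entries == MAX_ENTRIES + 1:
                findings.append((n, "too-many-entries", f"menu {menu}"))
        elif word == "%menu_end":
            menu, in_entry = None, False
        elif word == "%menu_prompt":
            if len(rest) > MAX_PROMPT:
                findings.append((n, "prompt-too-long", f"{len(rest)} characters"))
        elif word == "%menu_logout":
            if len(rest.partition(" ")[2].strip()) > MAX_KEY_TEXT:
                findings.append((n, "key-text-too-long", rest))
        elif word in STRUCTURAL:
            pass                      # %menu_file, %menu_eof, %menu_repaint
        elif in_entry:
            findings.extend(lint_command(n, line))
        else:
            findings.append((n, "stray-line", line))
    return findings


# Constructed sample, not a file from the guide.
SAMPLE = """\
%menu_file
!Start Menu 1 - Main Menu
%menu_start 1 Main Menu
%menu_entry 1 Show Users
show users
%menu_entry 2 Ping
set priv system;ping #;set nopriv
%menu_entry 3 Host Shell
@ls /config
%menu_entry 4 Tools
%menu 2
%menu_logut Q Logout
%menu_end
%menu_start 65 Too Deep
%menu_end
%menu_eof
"""

if __name__ == "__main__":
    for lineno, code, detail in lint_menu(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```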
Enabling the Menu Feature
A Subscriber Menu is a preconfigured menu that displays for a subscriber when he/she logs in to the LX unit. A menu is displayed when the subscriber logs into a physical port or establishes a GUI session, if configured for them. In order for a menu to be displayed automatically, the subscriber's profile must have a menu name configured, and login mode set to menu.
NOTE: A subscriber can be presented with a menu when they log into the LX CLI or log in via the GUI.
You can also have menu access if you log in to the LX via the GUI.
1. Configure the menu name you will need to gain access when you log in via the GUI:
Subs_jack:0 >>web menu name
2. Configure web access to be in the menu mode:
Subs_jack:0 >>web access menu enable
Table K.2 Sample File 1
Sample file                  Command description
%menu_file                   Indicates a valid menu file.
!Start Menu 1 - Main Menu    Comment line.
Table K.2 Sample File 1 (Continued)
Sample file:
%menu_entry 2 Connect to Hosts
connect #
Command description: Defines Menu Entry number 2, and assigns the name “Connect to Hosts” to it. The wildcard character # means “prompt for a destination when the user selects this entry.”
Sample file:
%menu_entry 3 Port Information
show port characteristics; %menu_wait;show port status
Command description: Defines Menu Entry number 3, and assigns the name “Port Information” to it.
Table K.2 Sample File 1 (Continued)
Sample file                Command description
%menu_logout Q Logout      Specifies Q as the character that a user types to log out of the server port/menu.
%menu_repaint R Repaint    Specifies R as the character that a user types to repaint the screen.
Sample File 2
%menu_entry 14 Access Remote Devices
%menu 7
!
%menu_entry 15 Power Outlet Control
%menu 8
!
%menu_entry 17 Server Tools
%menu 2
!
%menu_entry 18 Server Information
%menu 3
!
%menu_end
!
!---------------------------------------------------------
!Level 2 Menu 2 Server/Network Tools
!---------------------------------------------------------
!
%menu_start 2 System Tools
%menu_entry 1 Ping
set priv system;ping #;set nopriv ena system ping #
%menu_entry 2 List service table
show service
%menu_
!---------------------------------------------------------
! Level 2 Menu 3 Server Information
!---------------------------------------------------------
!
%menu_start 3 Server Information
%menu_entry 1 Main Parameters
show system characteristics
%menu_entry 2 Current Status
show server status
%menu_entry 3 Network Statistics
show port eth 1 status
%menu_entry 4 Domain Information
ena system;show system characteristics
%menu_entry 5 IP Information
show interface 1 status; show interface 1 c
show port async 5 users
%menu_entry 30 logout port 10
ena system logout port async 10
%menu_entry 34 show port 34 status
show port async 34 status
%menu_entry 11 Show Users
show users
%menu_entry 20 Help
?
%menu_end
!
!---------------------------------------------------------
!Level 2 Menu 5 Set/Show Port Parameters
!---------------------------------------------------------
!
%menu_start 5 Port Parameters
%menu_entry 1 Show port Parameters
show port characteristics
%menu_entry 3 Show port
Connect port async 3
%menu_entry 3 Telnet port 3 on LX 3
telnet 1.2.3.4 2300
%menu_entry 4 ssh to remote LX-4
ssh 1.2.3.
!
!---------------------------------------------------------
!Level 2 menu 9 Set/Show PPP Parameters
!---------------------------------------------------------
!
%menu_start 9 System Parameters
%menu_entry 1 Show Logged in users
show users
%menu_entry 2 Show Port Status
show port status
%menu_entry 3 Show Ethernet Status
show interface 1 status
%menu_entry 4 Show IP Parameters
show interface 1 status;%menu_wait;show system ppciboot
%menu_entry 6 Show System Software
show version
%menu_entr
APPENDIX L Using LXPORTD
This section explains how to use the LXPORTD feature. It covers the following topics:
About LXPORTD
LXPORTD man Pages
Applications Examples
You can enable LXPORTD for specific users.
About LXPORTD
LXPORTD is a host utility that provides you with TCP connectivity between the IP/IPv6 host and the LX. Depending on how it is invoked, LXPORTD can read data from standard in (stdin), a pseudo terminal device, or a FIFO (named pipe) and send that data to the LX serial port or broadcast master port. Since the LX can turn off telnet negotiations, LXPORTD may be used to pass unaltered data.
3. Password: - this is the standard Linux password prompt the connection partner should present to Lxportd.
4. password - this entry is the valid password of the connection partner.
-c config-file
Read pseudo terminal names from config-file instead of using the Lxportd's allocation algorithm. This may be useful in restricting which PTYs are used or if your system has a unique PTY naming strategy. This option may only appear after the -T option.
-k
Use the keepalive function to detect the loss of the connection to the Remote Access Server. When no data transfer has taken place for 60 seconds, the keepalive function will do the following:
1. Attempt to connect - if the connection is refused, then it is still active and another keepalive will be sent after another 60 seconds of inactivity.
2.
does not alter data in any way (transparent(raw) mode). Note that with pipes, a FIFO opened for reading will be in a pending state until the other end is opened for writing, and a FIFO opened for writing will be in a pending state until the other end is opened for reading. The -P and -T options are mutually exclusive.
NOTE: The -a option and the -r option are mutually exclusive.
-r
Reset connection to Remote Access Server before sending data.
-s
create a symbolic link for ptyname.
Applications Examples
LXPORTD configuration uses the existing LX CLI configuration commands. The communication parameters between the LX async port(s) and the attached device must agree. You must configure IP parameters to communicate with the host in question via the network. Any LXPORTD option used that requires a change in a parameter on the LX must be adhered to.
Basic LXPORTD Application
[Figure L.1 Basic LXPORTD Application. Labels: Lxportd - Linux Host, IP Address: 1.2.3.5; Ethernet; Port 7; LX Communication Server, IP Address: 1.2.3.4; Workstation.]
To configure the basic LXPORTD application:
NOTE: It is assumed that there is IP connectivity between the Host and the LX in question. Therefore, the configuration for this is not explained here.
1.
Config:0>>port async 7 no autohangup - This is needed if the device on the port is not providing the DSR signal to the port.
Config:0>>port async 7 no telnet negotiations
2. At the host prompt, the user can now invoke Lxportd using the following syntax:
cat (file) | ./lxportd (ip-address) (port number)
cat file.foo | ./lxportd 1.2.3.4 7
The contents of the file are piped to LXPORTD, which performs a TCP connection to port 7 of the remote LX whose IP address is 1.2.3.4.
Advanced LXPORTD Application
[Figure: Linux Host, IP Address: 1.2.3.5; Ethernet; LX 32 Port Master Unit; LX 32 Port Slave Units #1, #2 and #3, linked Port 32 to Port 1; TV Monitors.]
Figure L.
Config:0>>port async 1-32 no authentication outbound
Config:0>>port async 1-32 no autohangup
Config:0>>port async 1-32 no telnet negotiations
Config:0>>port async 1-32 speed 57600
Config:0>>port async 1-32 flowcontrol cts
Config:0>>port async 1-32 parity none
Config:0>>port async 1-32 character 8
Config:0>>interface 1 broadcast group 1 master port tcp 1024 - this is the TCP port Lxportd will connect to at start-up time.
Config:0>>port async 1 no authentication inbound
Config:0>>port async 1 no authentication outbound
Config:0>>port async 1 no autohangup
Config:0>>port async 1 no telnet negotiations
Config:0>>port async 1 speed 57600
Config:0>>port async 1 flowcontrol cts
Config:0>>port async 1 parity none
Config:0>>port async 1 character 8
Config:0>>port async 2-32 access remote
Config:0>>port async 2-32 no authentication inbound
Config:0>>port async 2-32 no authentication outbound
Config:
Config:0>>interface 1 broadcast group 1 slave port async 2-32 - ports 2-32 will be slaves. Ports 2-31 will have TV monitors attached. Port 32 will have a crossover cable attached that will go to port 1 of the next LX32 slave unit in line. An exception to this is if it is the last LX slave unit in the chain.
Config:0>>interface 1 broadcast group 1 enabled - this enables the broadcast group.
At the host prompt, you can now invoke LXPORTD using the following syntax.
APPENDIX M Using LPD
MRV supports the Line Printer Daemon (LPD) for network to serial port printing.
Line Printer Daemon (LPD) Protocol Support
The LX supports LPD based on RFC 1179 for network to serial port printing. LPD, or Line Printer Daemon, is the standard serial port printing protocol on Unix. It is available for every style of Unix, and is useful as a basic print spooler.
To configure standard LPD print queues
Example
Use this command to create a standard, non-load balancing print queue named for port and enable it for printing. The can be up to 15 characters in length. Different queue names can be configured per port. A maximum of 50 queues can be configured on the LX.
Example
When disabled, this command does not perform any linefeed conversions when jobs are sent to the print queue named on .
Async1:0 >> lpd no queue lf->lfcr
Example
The following command example converts every linefeed contained in the print file to a carriage return/linefeed when sent to queue lxserial on port 1.
Example
The following command deletes a slave print queue named for and disassociates it with respect to the master.
Async1:0 >> lpd no queue slave
Example
The following command example configures a slave print queue named printer1 for port 1 and associates it with the master print queue lbanner.
Example
Async1:0 >> lpd no queue slave lf->lfcr
Example
The following sample command results in the conversion of every linefeed contained in the print file to a carriage return/linefeed sent to queue printer1 on port 1.
Async1:0 >> lpd queue slave printer1 lf->lfcr enable
Example
The following sample command results in no conversion being done on any linefeed contained in the print file sent to queue printer1 on port 1.
Example
Config:0 >> lpd queue |all spooling disable
Example
The following sample command enables spooling on a print queue named lxserial.
Config:0 >> lpd queue lxserial spooling enable
Example
The following sample command disables spooling on a queue named lxserial.
Example
Use the following example to enable printing and queueing on all print queues:
Config:0 >> lpd queue all up
Example
Use the following example to disable printing and queueing on a print queue named lxserial:
Config:0 >> lpd queue lxserial down
To remove print jobs from queues
Syntax
Example
Use this command from Superuser Mode on the LX to remove spooled jobs from a queue.
Example
Use the following example to redirect the print jobs from a print queue named lxprinter to a print queue named backup-printer:
Config:0 >> lpd queue lxprinter redirect backup-printer
To cancel a redirection of print jobs on a print queue to another print queue
Syntax
Example
Use this command from Configuration Mode on the LX to cancel the redirection of all print jobs on a print queue to another print queue.
To display LPD information for a specific print queue or all print queues.
Use the show lpd queue characteristics command to display the LPD Queue Characteristics screen for a specific queue. An example of this screen follows:
Printer lxserial@LX Printing enabled Spooling enabled Jobs 0 Server none Subserver Redirect Status/(Debug) none
Figure M.
Use the show lpd queue all alternate characteristics command to display the LPD Queue Alternate Characteristics screen for all queues. An example of this screen follows:
Time: Mon, 29 Jan 2007 07:55:29 UTC
Print Queue    Queue Type    Master Queue    Redirect Queue    Port
lxprinter      Standard      N/A             backup-printer    2
testfor2       Standard      N/A             N/A               3
lxserial3      Slave         lbalance        N/A               3
lxserial       Slave         lbalance        N/A               4
Figure M.
Use the show lpd queue all status command to display the LPD Queue Status screen for all queues. An example of this screen follows:

Time: Mon, 29 Jan 2007 07:55:29 UTC
Printer: lxtcp@LX
 Queue: no printable jobs in queue
Printer: lbalance@LX (subservers printer1, printer2)
 Queue: no printable jobs in queue
 Status: no more jobs to process in load balance queue at 02:33:32.
APPENDIX N
Semicolons Embedded within Data Strings

The LX is ideal for making serial devices available for network access and service. Devices such as modems may be required to receive data strings to initiate dialout services. Some modems, as well as other serial devices, may be required to receive periodic serial data strings for synchronization purposes. In many cases, a semicolon is required within this data string.
Note: You must have a script file prepared prior to using the script command. The script files must be in /config.

Example
LX:/config# cat datatoport.script

An example of the shell echo command within a script follows:
"shell command echo -n "AT&F +CBST=7,0,1; SO=1">/dev/ttyGN10"

Note that the quotation marks at the beginning and end of the line in the script are required. The previous commands execute the shell echo command once.
APPENDIX O
LDAP Version 3 Environment Setup and Troubleshooting

Setting Up Your Environment to Work with LDAP Version 3

Use the following sample procedure to configure your LDAP Linux server for version 3 support.

IMPORTANT! It is assumed that you are well versed in system administration, especially regarding installing packages, as well as LDAP itself. This procedure is intended only as a basic guide specific to the Linux environment.
In the /usr/local/etc/openldap directory, there is a slapd.conf file. The SLAPD daemon reads the contents of the slapd.conf file at startup. MAN pages for slapd and slapd.conf are available and contain vital information. There is also a schema sub-directory. MRV requires that certain schemas be added to the slapd.conf file (see the provided example of the slapd.conf file below).

3.
IMPORTANT! Whatever method you choose, you must do the following: During certificate(s) creation, when you are prompted for the Common Name, you must enter either the hostname or the Host's IP Address. This Common Name must be the same in all certificates, and must match the hostname or Host IP Address configured as the LDAP server on the LX.

Sample Slapd.conf File

This section shows part of a slapd.conf file, and explains at a minimum what the LX requires.
In the following screen, HIGH means "all ciphers using key lengths greater than 128 bits"; MEDIUM is short for "all ciphers using key lengths equal to 128 bits", and +SSLv2:+SSL3 means "all ciphers specified in the SSL protocol, version 2 and 3, regardless of key strength". For a complete explanation of OpenSSL ciphers, including all supported wild cards, see the ciphers(1) man page.
The following screen is an example of a database (which was used for testing with the LX). Yours may be different.

#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=mrv,dc=com"
rootdn "cn=Manager,dc=my-dom,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
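A small audit of a slapd.conf for the points this section raises, as an added example (not MRV's or OpenLDAP's code): it flags a cleartext rootpw and missing server certificate directives. It also goes beyond the text by checking that each rootdn lies within its database suffix, since slapd.conf(5) only accepts rootpw in that case. The sample file, its paths and the hash placeholder are constructed, and requiring the two TLS directives assumes TLS is in use, as the certificate step implies.

```python
import re
# Constructed sample for illustration; not the guide's slapd.conf.
SAMPLE = """\
# TLS settings (paths are placeholders)
TLSCertificateFile /usr/local/etc/openldap/server.pem
database bdb
suffix "dc=example,dc=test"
rootdn "cn=Manager,dc=other,dc=test"
rootpw secret
database bdb
suffix "dc=lab,dc=test"
rootdn "cn=Manager, dc=lab, dc=test"
rootpw {SSHA}ConstructedPlaceholderNotARealHash
"""
# Assumption: TLS is wanted, so the server certificate and key must be named.
TLS_REQUIRED = ("tlscertificatefile", "tlscertificatekeyfile")
# slappasswd(8) prints "{SCHEME}hash"; {CLEARTEXT} is still a plain password.
HASHED = re.compile(r"^\{(?!CLEARTEXT\})[A-Z0-9-]+\}.+", re.IGNORECASE)

def directives(text):
    """Return [lineno, keyword, value]; whitespace-led lines continue the previous one."""
    items, in_comment = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and raw.strip():
            if items and not in_comment:
                items[-1][2] += " " + raw.strip()
            continue
        line = raw.strip()
        in_comment = line.startswith("#")
        if line and not in_comment:
            parts = line.split(None, 1)
            items.append([n, parts[0].lower(), parts[1] if len(parts) > 1 else ""])
    return items

def dn_norm(dn):
    """Lower-case a DN and trim its RDNs (simple compare; escaped commas unsupported)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit(text):
    """Return (lineno, finding) pairs; lineno 0 marks a file-wide finding."""
    findings, seen, suffix = [], set(), None
    for n, key, value in directives(text):
        seen.add(key)
        value = value.strip().strip('"')
        if key == "database":
            suffix = None  # each database section has its own suffix
        elif key == "suffix":
            suffix = dn_norm(value)
        elif key == "rootdn" and suffix is not None:
            dn = dn_norm(value)
            if dn != suffix and not dn.endswith("," + suffix):
                findings.append((n, "rootdn-outside-suffix"))
        elif key == "rootpw" and not HASHED.match(value):
            findings.append((n, "rootpw-cleartext"))
    findings += [(0, "missing-" + k) for k in TLS_REQUIRED if k not in seen]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```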
Troubleshooting LDAP Connections

If the issue is not resolved by information provided in these logs, then you must capture the log(s) output and provide it to MRV support. You can save the above logs on your host via the LX CLI if you have the SFTP server running on your host with the following:

1. Enter sftp and follow the login instruction.
2. At the sftp prompt, enter get /var/log/syslog to place the syslog file on your host.
List of Procedures
Alphabetical List of Procedures

To display the PPP status of all IP interfaces, 16-11
To display the port mapping for all IP interfaces, 6-17
To enable and disable audible alarms, 15-5
To access Cluster Configuration and Control, 13-5
To access SNMP commands
To cancel a redirection of print jobs on a print queue to another print queue, M-9
To change a Gateway address, 4-29
To change a Network Mask, 4-29
To change an IP Address
To configure a date-based trigger, 11-9
To configure a day-based duration, 11-8
To configure a day-based trigger, 11-10
To configure a descriptive name for a specific control output, 15-16
To configure a descriptive name for any Alarm Input in the LX-7204T/7304T
To configure a service name and address, 20-9
To configure a severity level for alarm inputs for a specific alarm, 15-13
To configure a severity level for alarm inputs for a specific alarm
To configure an SFTP Server IPv4 Address, 4-9
To configure an SFTP Username, 4-9
To configure an SMTP service profile, 5-12
To configure an SNPP service profile, 5-6
To configure any form of authentication as if it were a Local port
To configure RS-485 duplex mode, 9-11
To configure RS-485 echo mode, 9-11
To configure RSA SecurID authentication, 2-34
To configure sensor access for an LX port, 9-2
To configure session switch characters for a subscriber
To configure the LXPORTD application with RADIUS security and Broadcast Groups:, L-9
To configure the number of duplicate address detection probes to send, 20-3
To configure the number of IPv6 addresses on an interface, 20-2
To configure the ppciboot image name
To default a control output default description for a specific control, 15-51
To default a named control output, 15-22
To default a named control output, 15-22
To default from the CLI
To disable an SNMP agent, 14-8
To disable CCP negotiation, 16-4
To disable SNMP traps for alarm state changes for a specific alarm, 15-9
To disable SNMP traps for alarm state changes for multiple alarms
To display control status information using a specific control name, 15-57
To display control status using a specific control name or port/point, 15-58
To display debug information
To display summary information for all power control units, 10-19
To display summary information for all Temperature/Humidity Sensors, 9-3
To display the audit log for a subscriber, 8-26
To display the Bonding Characteristics Screen, 17-6
To display the Bonding Status screen
To display the subscriber status, 8-24
To display the subscriber summary information, 8-25
To display the subscriber TCP information, 8-24
To display User Profile characteristics for a specific user, 5-16
To display User Profile characteristics for all users
To enable or disable accepting and sending of Forwardable Tickets, 2-43
To enable or disable display of the Command Prompt on an async port during a connect, 9-20
To enable or disable FIPS 140-2 security
To enter a ppciboot image name, 4-24
To enter a software image name, 4-24
To execute the shell echo command, N-1
To explicitly set the characteristics of an LX asynchronous port, 3-4
To generate an SFTP Public/Private Key, 4-10
To implement PPP Routing
To remove Master Ports from a Broadcast Group, 7-5
To remove ports from a rotary, 6-14
To remove print jobs from queues, M-8
To remove Slave Ports from a Broadcast Group, 7-5
To renew the current lease
To save the configuration, 4-30
To save the configuration, 4-32
To save the software image to flash, 4-19
To seal the cover of the LX, I-4
To search a cluster for a port name or access method
To set the terminal type for a subscriber, 8-12
To set the timeout, 4-20
To set the tunnel packet TTL to default, 20-7
To set up a Broadcast Group, 7-2
To set up a connection between a serial console port and a port on the LX unit
To specify a Telnet socket nu
To specify the TACACS+ period, 2-33
To specify the TACACS+ server authentication settings on the LX unit, 2-26
To specify the TACACS+ server authorization settings on the LX unit
To update the software using the software image name and host name, 4-34
To update the software using the software image name, 4-34
To update the software, 13-13
To update the software
To view whether the authenticate image is shared or unshared, 13-23
To view whether the message is shared or unshared, 13-24
To view whether the Telnet client is shared or unshared, 13-25
To view which interfaces are shared or unshared, 13-22
To view which subscribers are shared or unshared
Index

. See IP interfaces

Symbols
5250 units. See Power control units.
15-24, 15-47
creating a default configuration file, 2-8, 4-8

D
Data Broadcast feature
  broadcast groups, 7-2
  broadcast groups, setting up, 7-2
  discard parameter, 7-4
  master ports, 7-1
  master ports. See master ports
  slave ports.
  configuring a name for a control output, 15-17
  configuring analog input description string, 15-25, 15-26
  configuring calibration, 15-30
  configuring the debounce interval for an alarm, 15-10
  configuring the default point for a named control output, 15-22
  configuring the fault state for alarm inputs, 15-11, 15-12, 15-13, 15-14
  configuring the HDAM port, 15-2
  displaying HDAM information, 15-32
  enabling and disabling audible alarms, 15-5, 15-6, 15-7, 15-8
  enabling and disabling SNMP traps for alarm state c
  configuring, 18-2
IP configuration
  acquiring, 4-39
IP Configuration menu
  changing the gateway address, 4-29
  changing the network mask, 4-29
  changing the TFTP server IP address, 4-30
  changing the unit IP address, 4-28
  choosing an IP assignment method, 4-28
IP configuration menu
  saving the configuration, 4-30
  using, 4-26
IP firewall, 12-2
IP interfaces, 6-1
  characteristics, displaying, 6-15
  Local authentication, configuring, 6-8
  port mapping, displaying, 6-17
  RADIUS authentication, configuring, 6-8
  Rota
  viewing alarm input characteristics, 15-53, 15-54
  viewing alarm input status, 15-55
  viewing control all status, 15-57
  viewing control output all characteristics, 15-56
  viewing control output characteristics, 15-56
  viewing control output status, 15-58
LDAP authentication
  setting up, 2-12
LDAP Version 3
  setting up the environment, O-1
  troubleshooting connections, O-5
Line Printer Daemon (LPD), M-1
loading a default configuration file, 2-8, 4-8
loading configuration from network, 4-7
loading the configura
O
Online help, displaying, xxi
open LX ports, F-2
outlets, 10-3
  grouping, 10-3
  naming, 10-3, 10-5
  off time, specifying, 10-4
  rebooting, 10-6
  status information, displaying, 10-19
  turning on or off, 10-6

R
RADIUS accounting
  attributes, B-3
  overview, B-1
  setting up, 2-19
RADIUS Accounting Client Operation, B-2
RADIUS authentication
  attributes, A-4
  overview, A-1
  setting up, 2-19
REBOOT AMST PORT command, 15-3
rebooting the LX-7104, 15-3
Redundant Ethernet
  configuring, 17-1
remote console management
  strings, N-1
Sensors. See Temperature/Humidity sensors
serial port connections
  verifying, 3-13
Service Profile types
  ASYNC, 5-4
  LOCALSYSLOG, 5-4, 5-6, 5-7, 5-10, 5-11, 5-12
  REMOTESYSLOG, 5-4
  SMTP, 5-4
  SNMP, 5-4
  TAP, 5-4
Service Profiles, 5-3
  characteristics, displaying, 5-13
  configuring, 5-5
  creating, 5-5
Service Profiles. See Service Profiles.
  viewing SNMP V3 view settings, 14-27
SNMP MIB support, 14-28
SNMP V3 configuration, 14-15
software
  upgrading, 4-13
SSH Public Key authentication, 8-29
Subscriber accounts, 8-1
  audit log, displaying, 8-26
  characteristics, displaying, 8-22
  command log, displaying, 8-27
  creating, 8-5
  deleting, 8-6
  summary information, displaying, 8-25
  TCP information, displaying, 8-25
Subscriber accounts.
  superuser privileges, 8-16
User Profiles. See User Profiles.