2. Logging Into the Switch. Alcatel-Lucent OmniSwitch 6800 Series, OmniSwitch 9000 Series, OmniSwitch 6850 Series
2 Logging Into the Switch
Logging into the switch may be done locally or remotely. Management tools include: the Command Line Interface (CLI), which may be accessed locally via the console port, or remotely via Telnet; WebView, which requires an HTTP client (browser) on a remote workstation; and SNMP, which requires an SNMP manager (such as Alcatel-Lucent’s OmniVista or HP OpenView) on the remote workstation. Secure sessions are available using the Secure Shell interface. File transfers can be done via FTP or Secure Shell FTP.
Note. The current release supports IPv6 client sessions for Telnet, FTP, SSH, SFTP, and SNMP on OmniSwitch 6850 or 9000.
In This Chapter
This chapter describes the basics of logging into the switch to manage the switch through the CLI. It also includes information about using Telnet, FTP, and Secure Shell in both IPv4 and IPv6 environments for logging into the switch, as well as information about using the switch to start a Telnet or Secure Shell session on another device. It also includes information about managing sessions and specifying a DNS resolver. For more details about the syntax of referenced commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• “Quick Steps for Logging Into the Switch” on page 2-5
• “Overview of Switch Login Components” on page 2-6
• “Using Telnet” on page 2-8
• “Using FTP” on page 2-10
• “Using Secure Shell” on page 2-12
• “Modifying the Login Banner” on page 2-20
• “Configuring Login Parameters” on page 2-22
• “Enabling the DNS Resolver” on page 2-23
Management access is disabled (except through the console port) unless specifically enabled by a network administrator. For more information about management access and methods, use the table here as a guide:
For more information about... | See...
Enabling or “unlocking” management interfaces on the switch | Getting Started Guide or Chapter 8, “Managing Switch Security”
Authenticating users to manage the switch | Chapter 8, “Managing Switch Security”
OmniSwitch 6800/6850/9000 Switch Management Guide December 2007 page 2-1
For more information about... | See...
Creating user accounts directly on the switch | Chapter 7, “Managing Switch User Accounts”
Using the CLI |
Using WebView to manage the switch |
Using SNMP to manage the switch |
Login Specifications
Note. The functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any section of this chapter.
Telnet clients supported | Any standard Telnet client
FTP clients supported | Any standard FTP client
HTTP (WebView) clients supported | Internet Explorer 6.0 for Windows NT, Windows XP, and Windows 2000; Netscape 7.1 for Windows NT, Windows XP, and Windows 2000; Netscape 4.79 for Sun OS 2.8; Netscape 4.79 for HP-UX 11.0
Secure Shell clients supported | Any standard Secure Shell client (Secure Shell Version 2)
Secure Shell DSA public key authentication | Password, DSA Public Key
SNMP clients supported | Any standard SNMP manager (such as HP OpenView)
Login Defaults
Access to managing the switch is always available for the admin user through the console port, even if management access to the console port is disabled.
Parameter Description | Command | Default
Session login attempts allowed before the TCP connection is closed. | session login-attempt | 3 attempts
Time-out period allowed for session login before the TCP connection is closed. | session login-timeout | 55 seconds
Inactivity time-out period. The length of time the switch can remain idle during a login session before the switch will close the session. | session timeout | 4 minutes
The following table describes the maximum number of sessions allowed on an OmniSwitch:
Session | OS-9000 | OS-6850 | OS-6800 (supports only v4)
Telnet (v4 or v6) | 4 | 4 | 4
FTP (v4 or v6) | 4 | 4 | 4
SSH + SFTP (v4 or v6 secure sessions) | 8 | 8 | 8
HTTP | 4 | 4 | 4
Total Sessions | 20 | 20 | 20
SNMP | 50 | 50 | 50
Quick Steps for Logging Into the Switch
The following procedure assumes that you have set up the switch as described in your OmniSwitch Getting Started Guide and Hardware Users Guide. Setup includes:
• Connecting to the switch via the console port.
• Setting up the Ethernet Management Port (EMP) through the switch’s boot prompt.
• Enabling (or “unlocking”) management interface types (Telnet, FTP, HTTP, SNMP, and Secure Shell) through the aaa authentication command for the interface you are using. Note that Telnet, FTP, and Secure Shell are used to log into the switch’s Command Line Interface (CLI). For detailed information about enabling session types, see Chapter 8, “Managing Switch Security.”
1 If you are connected to the switch via the console port, your terminal will automatically display the switch login prompt. If you are connected remotely, you must enter the switch IP address in your Telnet, FTP, or Secure Shell client (typically the IP or IPv6 address of the EMP). The login prompt then displays.
2 At the login prompt, enter the admin username. At the password prompt, enter the switch password. (Alternately, you may enter any valid username and password.) The switch’s default welcome banner will display, followed by the CLI prompt.
Welcome to the Alcatel-Lucent OmniSwitch 6000
Software Version 6.3.1.733.R01 Development, October 05, 2007.
Copyright(c), 1994-2007 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered in the United States Patent and Trademark Office.
You are now logged into the CLI. For information about changing the welcome banner, see “Modifying the Login Banner” on page 2-20.
For information about changing the login prompt, see
For information about setting up additional user accounts locally on the switch, see Chapter 7, “Managing Switch User Accounts.”
Overview of Switch Login Components
Switch access components include access methods (or interfaces) and user accounts stored on the local user database in the switch and/or on external authentication servers. Each access method, except the console port, must be enabled or “unlocked” on the switch before users can access the switch through that interface.
[Figure: Switch Login Components. A local user logs in via the console port; a remote user logs in via Secure Shell, Telnet, FTP, HTTP, or SNMP; the OmniSwitch checks credentials against its local user database and/or an external authentication server.]
Management Interfaces
Logging into the switch may be done locally or remotely. Remote connections may be secure or insecure, depending on the method. Management interfaces are enabled using the aaa authentication command. This command also requires specifying the external servers and/or local user database that will be used to authenticate users. The process of authenticating users to manage the switch is called Authenticated Switch Access (ASA).
An overview of management methods is listed here:
Logging Into the CLI
• Console port—A direct connection to the switch through the console port. The console port is always enabled for the default user account. For more information about connecting to the console port, see your OmniSwitch Hardware Users Guide.
• Telnet—Any standard Telnet client may be used for remote login to the switch. This method is not secure. For more information about using Telnet to access the switch, see “Using Telnet” on page 2-8.
• FTP—Any standard FTP client may be used for remote login to the switch. This method is not secure. See “Using FTP” on page 2-10.
• Secure Shell—Any standard Secure Shell client may be used for remote login to the switch. See “Using Secure Shell” on page 2-12.
Using the WebView Management Tool
• HTTP—The switch has a Web browser management interface for users logging in via HTTP. This management tool is called WebView. For more information about using WebView, see
Using SNMP to Manage the Switch
• SNMP—Any standard SNMP browser may be used for logging into the switch. See Chapter 10.
User Accounts
User accounts may be configured and stored directly on the switch, and user accounts may also be configured and stored on an external authentication server or servers.
The accounts include a username and password. In addition, they also specify the user’s privileges or enduser profile, depending on the type of user account. In either case, the user is given read-only or read-write access to particular commands.
• Local User Database
The user command creates accounts directly on the switch. See Chapter 7, “Managing Switch User Accounts,” for information about creating accounts on the switch.
• External Authentication Servers
The switch may be set up to communicate with external authentication servers that contain user information. The user information includes usernames and passwords; it may also include privilege information or reference an end-user profile name.
For information about setting up the switch to communicate with external authentication servers, see the OmniSwitch 6800/6850/9000 Network Configuration Guide.
Using Telnet
Telnet may be used to log into the switch from a remote station. All of the standard Telnet commands are supported by software in the switch. When Telnet is used to log in, the switch acts as a Telnet server. If a Telnet session is initiated from the switch itself during a login session, then the switch acts as a Telnet client.
Logging Into the Switch Via Telnet
Before you can log into the OmniSwitch using a Telnet interface, the telnet option of the aaa authentication command must be enabled. Once enabled, any standard Telnet client may be used to log into the switch. To log into the switch, open your Telnet application and enter the switch’s IP address (the IP address will typically be the same as the one configured for the EMP). The switch’s welcome banner and login prompt are displayed.
Note. A Telnet connection is not secure. Secure Shell is recommended instead of Telnet or FTP as a secure method of accessing the switch.
Starting a Telnet Session from the Switch
At any time during a login session on the switch, you can initiate a Telnet session to another switch (or some other device) by using the telnet CLI command and the relevant IP address or hostname. You can also establish a Telnetv6 session by using the telnet6 command and the relevant IPv6 address or hostname. Telnetv6 sessions are supported only on OmniSwitch 6850 or 9000.
The following shows an example of telnetting to another OmniSwitch with an IP address of 10.255.10.123:
-> telnet 10.255.10.123
Trying 10.255.10.123...
Connected to 10.255.10.123.
Escape character is '^]'.
login :
The following is an example of telnetting to another OmniSwitch with an IPv6 address of fe80::a00:20ff:fea8:8961 :
-> telnet6 fe80::a00:20ff:fea8:8961 intf1
Trying fe80::a00:20ff:fea8:8961...
Connected to fe80::a00:20ff:fea8:8961.
Escape character is '^]'.
login :
Note. It is mandatory to specify the name of the particular IPv6 interface, if the target has been specified using the link-local address.
Note. You can establish up to 5 concurrent IPv4 or IPv6 telnet client sessions. You can establish up to 4 concurrent IPv4 or IPv6 telnet sessions towards an OmniSwitch 6850 or 9000 i.e., when the switch acts as a telnet server.
Here, you must enter a valid username and password. Once login is complete, the OmniSwitch welcome banner will display as follows:
login : admin
password :
Welcome to the Alcatel-Lucent OmniSwitch 6000
Software Version 6.3.1.733.R01 Development, October 05, 2007.
Copyright(c), 1994-2007 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered in the United States Patent and Trademark Office.
Using FTP
The OmniSwitch can function as an FTP server. Any standard FTP client may be used.
Note. An FTP connection is not secure. Secure Shell is recommended instead of FTP or Telnet as a secure method of accessing the switch.
Using FTP to Log Into the Switch
You can access the OmniSwitch with a standard FTP application. To log in to the switch, start your FTP client. Where the FTP client asks for “Name”, enter the IP address of your switch. Where the FTP client asks for “User ID”, enter the username of your login account on the switch. Where the FTP client asks for “Password”, enter your switch password.
You can use the switch as an FTP client in a case where you do not have access to a workstation with an FTP client. You can establish an FTP session locally by connecting a terminal to the switch console port. You can also establish an FTP session to a remote switch by using a Telnet session. Once you are logged into the switch as an FTP client, you can use standard FTP commands.
You can use the switch ftp command to start an FTP session followed by the relevant IP address or hostname, and the ftp6 command to start an FTPv6 session followed by the relevant IPv6 address or hostname over an IPv6 environment. You have to specify the name of the particular IPv6 interface if the target has been specified using the link-local address. FTPv6 sessions can be established only from an OmniSwitch 6850 and 9000.
Note. If you are using Authenticated Switch Access (ASA), the port interface must be authenticated for FTP use and the username profile must have permission to use FTP. Otherwise the switch will not accept an FTP login. For information about ASA, refer to Chapter 8, “Managing Switch Security.”
The following is an example of how to start an FTP session to an OmniSwitch with an IP address of 198.23.9.101.
->ftp 198.23.9.101
Connecting to [198.23.9.101]...connected
220 cosmo FTP server (UNIX(r) System V Release 4.1) ready
Name:
You need to enter a valid user name and password for the host you specified with the ftp command, after which you will get a screen similar to the following display:
Name:Jsmith
331 Password required for Jsmith
Password: *****
230 User Jsmith logged in.
The following is an example of how to start an FTPv6 session to an OmniSwitch with an IPv6 address of fe80::a00:20ff:fea8:8961 .
-> ftp6 fe80::a00:20ff:fea8:8961 intf1
Connecting to [fe80::a00:20ff:fea8:8961]...connected
220 cosmo FTP server (UNIX(r) System V Release 4.1) ready
Name:
You have to enter a valid user name and password for the host you specified with the ftp6 command, after which you will get a screen similar to the following display:
Name:Jsmith
331 Password required for Jsmith
Password: *****
230 User Jsmith logged in.
Note. It is mandatory to specify the name of the particular IPv6 interface, if the target has been specified using the link-local address.
After logging in, you will receive the ftp-> prompt, where you can execute the FTP commands that are supported on the switch. For further information refer to the OmniSwitch 6850/9000 CLI guide.
Note. You must use the binary mode (bin) to transfer image files via FTP.
Using Secure Shell
The OmniSwitch Secure Shell feature provides a secure mechanism that allows you to log in to a remote switch, to execute commands on a remote device, and to move files from one device to another. Secure Shell provides secure, encrypted communications even when your transmission is between two untrusted hosts or over an unsecure network. Secure Shell protects against a variety of security risks including the following:
• IP spoofing
• IP source routing
• DNS spoofing
• Interception of clear-text passwords and other data by intermediate hosts
• Manipulation of data by users on intermediate hosts
Note. The OmniSwitch supports Secure Shell Version 2 only.
Secure Shell Components
The OmniSwitch includes both client and server components of the Secure Shell interface and the Secure Shell FTP file transfer protocol. SFTP is a subsystem of the Secure Shell protocol. All Secure Shell FTP data are encrypted through a Secure Shell channel.
Since Secure Shell provides a secure session, the Secure Shell interface and SFTP are recommended instead of the Telnet program or the FTP protocol for communications over TCP/IP and for file transfers. Both Telnet and FTP are available on the OmniSwitch but they do not support encrypted passwords.
Note. Secure Shell may only be used to log into the switch to manage the switch. It cannot be used for Layer 2 authentication through the switch.
Secure Shell Interface
The Secure Shell interface is invoked when you enter the ssh command, and the Secure Shellv6 interface is invoked by using the ssh6 command in an IPv6 environment. After the authentication process between the client and the server is complete, the remote Secure Shell interface runs in the same way as Telnet. Refer to “Starting a Secure Shell Session” on page 2-15 for detailed information.
Secure Shell File Transfer Protocol
Secure Shell FTP is the standard file transfer protocol used with Secure Shell version 2. Secure Shell FTP is an interactive file transfer program (similar to the industry standard FTP) which performs all file transfer operations over a Secure Shell connection.
You can invoke the Secure Shell FTP session by using the sftp command, and the SFTPv6 session by using the sftp6 command in an IPv6 environment. Once the authentication phase is complete, the Secure Shell FTP subsystem runs. Secure Shell FTP connects and logs into the specified host, then enters an interactive command mode. Refer to “Starting a Secure Shell Session” on page 2-15 for detailed information.
Secure Shell Application Overview
Secure Shell is an access protocol used to establish secured access to your OmniSwitch. The Secure Shell protocol can be used to manage an OmniSwitch directly or it can provide a secure mechanism for managing network servers through the OmniSwitch.
The drawing below illustrates the Secure Shell being used as an access protocol replacing Telnet to manage the OmniSwitch. Here, the user terminal is connected through the network to the switch.
[Figure: Secure Shell Used as an Access Protocol. A terminal reaches the OmniSwitch over the network using Secure Shell.]
The drawing below shows a slightly different application. Here, a terminal connected to a single OmniSwitch, which acts as a Secure Shell client, is an entry point to the network. In this scenario, the client portion of the Secure Shell software is used on the connecting OmniSwitch and the server portion of Secure Shell is used on the switches or servers being managed.
[Figure: OmniSwitch as a Secure Shell Client. A terminal is attached to an OmniSwitch running the Secure Shell client; that switch opens Secure Shell sessions across the network to the managed switches or servers running the Secure Shell server.]
Secure Shell Authentication
Secure Shell authentication is accomplished in several phases using industry standard algorithms and exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell FTP. The following sections describe the process in detail.
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the connection and responds by sending back an identification string. The client will parse the server’s identification string and send an identification string of its own. The purpose of the identification strings is to validate that the attempted connection was made to the correct port number. The strings also declare the protocol and software version numbers. This information is needed on both the client and server sides for debugging purposes.
At this point, the protocol identification strings are in human-readable form. Later in the authentication process, the client and the server switch to a packet-based binary protocol, which is machine readable only.
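The identification exchange described above, as an added example (not code from the OmniSwitch manual or from Alcatel-Lucent): a small RFC 4253 identification-line parser with the checks a Secure Shell client should make on the server's line before the two sides switch to the binary packet protocol. The sample strings at the bottom are constructed for this example; none were captured from an OmniSwitch.

```python
"""Parse and validate an SSH protocol identification string (RFC 4253, section 4.2).

Added example, not part of the OmniSwitch manual. A peer that never sends an
"SSH-" line is not an SSH server (wrong port, or some other service answered),
and a server that only speaks protocol version 1 cannot talk to a
version-2-only peer such as the OmniSwitch.
"""
import re

# RFC 4253: SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are printable US-ASCII with no whitespace
# and no "-"; comments (optional, after one space) may contain anything printable.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?$"
)


def parse_identification(line: bytes) -> dict:
    """Parse one identification line (including its line terminator).

    Returns {"proto", "software", "comments"} as str, or raises ValueError.
    """
    if len(line) > 255:
        # RFC 4253 caps the line, terminator included, at 255 bytes.
        raise ValueError("identification line longer than 255 bytes")
    if not line.endswith(b"\n"):
        raise ValueError("identification line is not newline-terminated")
    # CR LF is what the RFC requires; a bare LF from older software is tolerated.
    body = line.rstrip(b"\r\n")
    match = _IDENT_RE.match(body)
    if match is None:
        raise ValueError("not an SSH identification string: %r" % body)
    return {
        "proto": match.group("proto").decode("ascii"),
        "software": match.group("software").decode("ascii"),
        "comments": (match.group("comments") or b"").decode("ascii"),
    }


def first_identification(received: bytes) -> dict:
    """Find the server's identification line in the bytes received after connect.

    The server may send other human-readable lines first (a pre-login notice);
    a client skips them until it sees a line starting with "SSH-".
    """
    for raw in received.splitlines(keepends=True):
        if raw.startswith(b"SSH-"):
            return parse_identification(raw)
        if len(raw) > 255:
            raise ValueError("pre-identification line longer than 255 bytes")
    raise ValueError("no SSH identification string received; wrong port or not an SSH server")


def server_speaks_v2(proto: str) -> bool:
    """True if the peer can run protocol 2.0.

    "1.99" is the RFC 4253 marker for a server that supports both 1.x and 2.0;
    a version-2-only client must accept it.
    """
    return proto in ("2.0", "1.99")


# Constructed samples for this example (not captured from a real switch).
SAMPLE_OPENSSH = b"SSH-2.0-OpenSSH_7.4 FreeBSD-20170903\r\n"
SAMPLE_WITH_NOTICE = b"Authorized users only.\r\nSSH-1.99-Example_1.25\r\n"
SAMPLE_V1_ONLY = b"SSH-1.5-Legacy_1.2.27\r\n"
# Connecting to the FTP port by mistake: the greeting is plain text, not an SSH line.
SAMPLE_WRONG_PORT = b"220 cosmo FTP server (UNIX(r) System V Release 4.1) ready\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OPENSSH, SAMPLE_WITH_NOTICE, SAMPLE_V1_ONLY, SAMPLE_WRONG_PORT):
        try:
            ident = first_identification(sample)
            print(ident, "v2 ok" if server_speaks_v2(ident["proto"]) else "v2 NOT supported")
        except ValueError as exc:
            print("rejected:", exc)
```

The regex encodes the RFC's character rules rather than just splitting on "-", so a software version containing a dash is rejected instead of being silently truncated; the length and terminator checks are what keep a client from reading an arbitrary banner from a non-SSH service as protocol data.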
Algorithm and Key Exchange
The OmniSwitch Secure Shell server is identified by one or several host-specific DSA keys. Both the client and server process the key exchange to choose a common algorithm for encryption, signature, and compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key agreement to produce a shared secret that cannot be determined by either the client or the server alone. The key exchange is combined with a signature and the host key to provide host authentication. Once the exchange is completed, the client and the server turn encryption on using the selected algorithm and key.
The following elements are supported:
Host Key Type | DSA
Cipher Algorithms | AES, Blowfish, Cast, 3DES, Arcfour, Rijndael
Signature Algorithms | MD5, SHA1
Compression Algorithms | None Supported
Key Exchange Algorithms | diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
Note. The OmniSwitch generates a 512 bit DSA host key at initial startup. The DSA key on the switch is made up of two files contained in the /flash/network directory; the public key is called ssh_host_dsa_key.pub, and the private key is called ssh_host_dsa_key. To generate a different DSA key, use the Secure Shell tools available on your Unix or Windows system and copy the files to the /flash/network directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted. A 512-bit DSA host key is weak by current standards, and current Secure Shell clients commonly refuse ssh-dss host keys altogether, so generate a larger key and install it as described here before exposing the switch on a network.
Authentication Phase
When the client tries to authenticate, the server determines the process used by telling the client which authentication methods can be used. The client has the freedom to attempt several methods listed by the server. The server will disconnect itself from the client if a certain number of failed authentications are attempted or if a time-out period expires. Authentication is performed independent of whether the Secure Shell interface or the SFTP file transfer protocol will be implemented.
Connection Phase
After successful authentication, both the client and the server process the Secure Shell connection protocol. The OmniSwitch supports one channel for each Secure Shell connection. This channel can be used for a Secure Shell session or a Secure Shell FTP session.
Using Secure Shell DSA Public Key Authentication
The following procedure is used to set up Secure Shell (SSH) DSA public key authentication between an OmniSwitch and a client device:
1 Use the PuTTYgen SSH software on the client device to generate a type SSH2 DSA private and public key pair.
2 Do not save the public key on the client device using PuTTYgen. Instead, copy the key from the PuTTYgen public key window and paste the key into a text file with the filename userid_dsa.pub. Specify a valid OmniSwitch user login name for the userid portion of the filename. For example, the following public key filename is for OmniSwitch user Thomas: thomas_dsa.pub
3 Use PuTTYgen to save the private key on the client device.
4 Verify that the userid specified as part of the filename in Step 2 is a valid user name on the OmniSwitch. If the username does not already exist in the switch configuration, create the user name with the appropriate privileges.
5 FTP in ASCII mode the userid_dsa.pub file from the client device to the flash/network/pub directory on the OmniSwitch. Create the flash/network/pub directory first if it does not already exist.
6 Using PuTTY software on the client device, access SSH, then Auth, and then select the private key generated in Step 1 to start the authentication process.
Note that if public key authentication fails, the user is prompted for a password. This is the password that was specified when the user name was created on the OmniSwitch.
Note. To enforce Secure Shell Public Key Authentication on a switch use the ssh enforce pubkey-auth command.
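A pre-flight check for the userid_dsa.pub file produced in Steps 2 and 4 above, as an added example (not code from the OmniSwitch manual, from Alcatel-Lucent, or from PuTTY). It verifies the filename carries a switch user name, that the file is the one-line OpenSSH-style key copied from the PuTTYgen window rather than the RFC 4716 file that PuTTYgen's Save button writes, that the base64 blob really is an ssh-dss key, and that the key size is not obviously weak. The sample key parameters and the switch user list are constructed placeholders, not a usable DSA key or a real configuration.

```python
"""Check a userid_dsa.pub file before copying it to flash/network/pub on an OmniSwitch.

Added example; not part of the OmniSwitch manual. The sample key below is
synthetic: its integers are placeholders chosen only for their bit sizes.
"""
import base64
import re
import struct

FILENAME_RE = re.compile(r"^(?P<userid>[A-Za-z0-9_.-]+)_dsa\.pub$")


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset off; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def parse_dss_blob(blob: bytes) -> dict:
    """Decode the wire-format ssh-dss public key: string "ssh-dss", mpint p, q, g, y."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-dss":
        raise ValueError("blob is %r, not ssh-dss" % ktype)
    key = {}
    for name in ("p", "q", "g", "y"):
        raw, off = _read_string(blob, off)
        key[name] = int.from_bytes(raw, "big")
    if off != len(blob):
        raise ValueError("trailing bytes after y")
    return key


def check_pubkey_file(filename: str, content: str, switch_users) -> dict:
    """Validate filename and content; return {'userid', 'p_bits', 'warnings'} or raise ValueError."""
    match = FILENAME_RE.match(filename)
    if match is None:
        raise ValueError("filename must be <userid>_dsa.pub, got %r" % filename)
    userid = match.group("userid")
    if userid not in switch_users:
        raise ValueError("%r is not a user configured on the switch" % userid)
    if not content.isascii():
        raise ValueError("key file must be plain ASCII; it is transferred in FTP ASCII mode")
    if content.lstrip().startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("RFC 4716 file from PuTTYgen 'Save public key'; paste the one-line key from the PuTTYgen window instead")
    lines = [ln for ln in content.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, found %d" % len(lines))
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("key line must start with 'ssh-dss <base64>'")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    key = parse_dss_blob(blob)
    warnings = []
    p_bits = key["p"].bit_length()
    if p_bits < 1024:
        warnings.append("DSA modulus is only %d bits" % p_bits)
    if key["q"].bit_length() != 160:
        # ssh-dss signatures are SHA-1 based with 160-bit r and s, so q must be 160 bits.
        warnings.append("q is %d bits, not the 160 bits ssh-dss requires" % key["q"].bit_length())
    return {"userid": userid, "p_bits": p_bits, "warnings": warnings}


# Synthetic placeholder parameters (NOT a valid DSA key): chosen only so that
# p has the expected 1024-bit size and q the 160-bit size checked above.
_P = (1 << 1023) | 0x1234567
_Q = (1 << 159) | 0x9ABCDEF
_G = 2
_Y = (1 << 1022) | 0xBEEF
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + _ssh_mpint(_P) + _ssh_mpint(_Q) + _ssh_mpint(_G) + _ssh_mpint(_Y)
SAMPLE_FILE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " dsa-key-20071005\n"
SWITCH_USERS = {"admin", "thomas"}  # constructed: user names assumed to exist on the switch

if __name__ == "__main__":
    print(check_pubkey_file("thomas_dsa.pub", SAMPLE_FILE, SWITCH_USERS))
```

Run the check against the file you intend to upload before Step 5; the blob decode is what catches a key copied with a line wrapped or a character dropped, which would otherwise show up only as a silent fall-back to password authentication at Step 6.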
Starting a Secure Shell Session
To start a Secure Shell session, issue the ssh command and identify the IP address or hostname for the device you are connecting to.
You can use the ssh6 command to start an SSHv6 session followed by the relevant IPv6 address or the hostname, over an IPv6 environment.
Note. You can only use a host name instead of an IP address if the DNS resolver has been configured and enabled. If not, you must specify an IP address. See Chapter 1, “Managing System Files,” for details.
Note. Use of the cmdtool OpenWindows support facility is not recommended over Secure Shell connections with an external server.
The following command establishes a Secure Shell interface from the local OmniSwitch to IP address 11.133.30.135:
-> ssh 11.133.30.135
login as:
Note. If Secure Shell is not enabled on a switch, use the ssh enable command to enable it.
You must have a login and password that is recognized by the IP address you specify. When you enter your login, the device you are logging in to, will request your password as shown here:
-> ssh 11.133.30.135
login as: rrlogin1
rrlogin1's password for keyboard-interactive method:
Once the Secure Shell session is established, you can use the remote device specified by the IP address on a secure connection from your OmniSwitch.
Note. Secure Shell session login parameters can be affected by the session login-attempt and session login-timeout CLI commands.
The following drawing shows an OmniSwitch, using IP address 11.233.10.145, establishing a Secure Shell session across a network to another OmniSwitch, using IP address 11.133.30.135. To establish this session from the console in the figure below, you would use the CLI commands shown in the examples above.
Once you issue the correct password, you are logged into the OmniSwitch at IP address 11.133.30.135.
[Figure: Secure Shell Session between Two OmniSwitches. A console is attached to OmniSwitch 11.233.10.145, which opens a Secure Shell session to OmniSwitch 11.133.30.135.]
To view the parameters of the Secure Shell session, issue the who command. The following will display:
-> who
Session number = 0
User name = (at login),
Access type = console,
Access port = Local,
IP address = 0.0.0.0,
Read-only domains = None,
Read-only families = ,
Read-Write domains = None,
Read-Write families = ,
End-User profile =
Session number = 1
User name = rrlogin1,
Access type = ssh,
Access port = NI,
IP address = 11.233.10.145,
Read-only domains = None,
Read-only families = ,
Read-Write domains = All ,
Read-Write families = ,
End-User profile =
This display shows two sessions currently running on the remote OmniSwitch at IP address 11.133.30.135. Session number 0 is identified as the console session. Session number 1 indicates the User name is rrlogin1, the IP address is 11.233.10.145, and the Access type is “ssh” which indicates a Secure Shell session.
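Turning the who listing above into an access review, as an added example (not code from the OmniSwitch manual or from Alcatel-Lucent): a parser for the who output and an audit that flags sessions on the unencrypted interfaces (telnet, ftp, http), read-write sessions from outside the management network, and per-type session counts that have reached the maximums from the session table earlier in this chapter. The sample text is constructed from the listing above plus one extra telnet session added for the example; the management network 11.233.10.0/24, the extra session's values, and the "sftp" access-type label are assumptions.

```python
"""Audit the output of the OmniSwitch "who" command.

Added example; not part of the OmniSwitch manual. Sample data is constructed.
"""
import ipaddress

# Maximum concurrent sessions per type on OS-6800/6850/9000, from the chapter's session table.
SESSION_LIMITS = {"telnet": 4, "ftp": 4, "ssh": 8, "http": 4}
# Interfaces that carry the login password in cleartext.
INSECURE_TYPES = {"telnet", "ftp", "http"}


def parse_who(text: str) -> list:
    """Split who output into one dict per session, keyed by the lower-cased field names."""
    sessions = []
    current = None
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.rstrip(",").strip()  # fields end with a trailing comma
        if key == "Session number":
            current = {"session": int(value)}
            sessions.append(current)
        elif current is not None:
            current[key.lower()] = value
    return sessions


def audit(sessions, mgmt_net: str) -> list:
    """Return a list of finding strings for the given session records."""
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    counts = {}
    for s in sessions:
        kind = s.get("access type", "").lower()
        user = s.get("user name", "?")
        # The session table counts SSH and SFTP together; an "sftp" who label is assumed.
        bucket = "ssh" if kind in ("ssh", "sftp") else kind
        counts[bucket] = counts.get(bucket, 0) + 1
        if kind in INSECURE_TYPES:
            findings.append("session %d: %s logged in over %s (cleartext credentials)" % (s["session"], user, kind))
        if kind == "console":
            continue  # local console session; no IP address to check
        try:
            addr = ipaddress.ip_address(s.get("ip address", ""))
        except ValueError:
            findings.append("session %d: unparseable IP address %r" % (s["session"], s.get("ip address")))
            continue
        if s.get("read-write domains", "None") != "None" and addr not in net:
            findings.append("session %d: read-write session for %s from %s outside %s" % (s["session"], user, addr, net))
    for bucket, limit in SESSION_LIMITS.items():
        n = counts.get(bucket, 0)
        if n >= limit:
            findings.append("%s sessions at the limit (%d of %d): further %s logins will be refused" % (bucket, n, limit, bucket))
    return findings


# Constructed sample: the two sessions shown in the manual plus a telnet session (session 2).
SAMPLE_WHO = """\
Session number = 0
User name = (at login),
Access type = console,
Access port = Local,
IP address = 0.0.0.0,
Read-only domains = None,
Read-only families = ,
Read-Write domains = None,
Read-Write families = ,
End-User profile =
Session number = 1
User name = rrlogin1,
Access type = ssh,
Access port = NI,
IP address = 11.233.10.145,
Read-only domains = None,
Read-only families = ,
Read-Write domains = All ,
Read-Write families = ,
End-User profile =
Session number = 2
User name = jsmith,
Access type = telnet,
Access port = NI,
IP address = 198.23.9.101,
Read-only domains = None,
Read-only families = ,
Read-Write domains = All ,
Read-Write families = ,
End-User profile =
"""

if __name__ == "__main__":
    for finding in audit(parse_who(SAMPLE_WHO), "11.233.10.0/24"):
        print(finding)
```

The limit check is worth keeping: with only four Telnet or four FTP sessions allowed, a handful of idle or hostile connections locks administrators out of that interface until the 4-minute inactivity timeout clears them, which is one more reason to keep the console and Secure Shell paths as the primary access methods.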
Note. You can use the ssh6 command followed by the IPv6 address or the hostname of the SSHv6 server to start an SSHv6 session. It is mandatory to specify the name of the particular IPv6 interface, if the SSHv6 server has been specified using its link-local address. SSHv6 sessions are supported only on OmniSwitch 6850 or 9000.
Closing a Secure Shell Session
To terminate the Secure Shell session, issue the exit command. The following will display:
-> exit
Connection to 11.133.30.135 closed.
Using the example shown above, this display indicates the Secure Shell session between the two switches is closed. At this point, the user is logged into the local OmniSwitch at IP address 11.233.10.145.
Note. Establishing and closing the Secure Shellv6 connection is similar to that of the Secure Shell connection.
Log Into the Switch with Secure Shell FTP
To open a Secure Shell FTP session from a local OmniSwitch to a remote device, issue the sftp command and identify the IP address or hostname for the device you are connecting to.
You can use the sftp6 command to start an Secure Shell FTPv6 session followed by the relevant IPv6 address or hostname, over an IPv6 environment.
The following example describes how a Secure Shell FTP interface is established from the local OmniSwitch to IP address 10.222.30.125:
1 Log on to the OmniSwitch and issue the sftp CLI command. The command syntax requires you to identify the IP address or hostname for the device to which you are connecting. The following command establishes a Secure Shell FTP interface from the local OmniSwitch to IP address 10.222.30.125.
-> sftp 10.222.30.125
login as:
Note. If SFTP is not enabled, use the scp-sftp command to enable it.
2 You must have a login and password that is recognized by the IP address you specify. When you enter your login, the device you are logging in to, will request your password as shown here.
-> sftp 10.222.30.125
login as: rrlogin2
rrlogin2's password for keyboard-interactive method:
Note. You can use the sftp6 command followed by the IPv6 address or hostname of the SFTPv6 server to start an SFTPv6 session. It is mandatory to specify the name of the particular IPv6 interface, if the SFTPv6 server has been specified using its link-local address. SFTPv6 sessions are supported only on OmniSwitch 6850 or 9000.
3 After logging in, you will receive the sftp> prompt. You may enter a question mark (?) to view available Secure Shell FTP commands and their definitions as shown here.
sftp> ?
Available commands:
cd path                        Change remote directory to 'path'
lcd path                       Change local directory to 'path'
chmod mode path                Change permissions of file 'path' to 'mode'
help                           Display this help text
get remote-path [local-path]   Download file
lls [path]                     Display local directory listing
ln oldpath newpath             Symlink remote file
lmkdir path                    Create local directory
lpwd                           Print local working directory
ls [path]                      Display remote directory listing
mkdir path                     Create remote directory
put local-path [remote-path]   Upload file
pwd                            Display remote working directory
exit                           Quit sftp
quit                           Quit sftp
rename oldpath newpath         Rename remote file
rmdir path                     Remove remote directory
rm path                        Delete remote file
symlink oldpath newpath        Symlink remote file
version                        Show SFTP version
?                              Synonym for help
Note. Although Secure Shell FTP has commands similar to the industry standard FTP, the underlying
Closing a Secure Shell FTP Session
To terminate the Secure Shell FTP session, issue the exit command. The following will display:
-> exit
Connection to 11.133.30.135 closed.
This display indicates the Secure Shell FTP session with IP address 11.133.30.135 is closed. The user is now logged into the OmniSwitch as a local device with no active remote connection.
Note. Establishing and closing the Secure Shell FTPv6 connection is similar to that of the Secure Shell FTP connection.
Modifying the Login Banner
The Login Banner feature allows you to change the banner that displays whenever someone logs into the switch. This feature can be used to display messages about user authorization and security. You can display the same banner for all login sessions or you can implement different banners for different login sessions. You can display a different banner for logins initiated by FTP sessions than for logins initiated by a direct console or a Telnet connection. The default login message looks similar to the following:
login : user123
password :
Welcome to the Alcatel-Lucent OmniSwitch 6000
Software Version 6.3.1.733.R01 Development, October 05, 2007.
Copyright(c), 1994-2007 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered in the United States Patent and Trademark Office.
Here is an example of a banner that has been changed:
login : user123
password :
Welcome to the Alcatel-Lucent OmniSwitch 6000
Software Version 6.3.1.733.R01 Development, October 05, 2007.
Copyright(c), 1994-2007 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered in the United States Patent and Trademark Office.
********** LOGIN ALERT ************************
This switch is a secure device. Unauthorized use of this switch will go on your permanent record.
Two steps are required to change the login banner. These steps are listed here:
• Create a text file that contains the banner you want to display in the switch’s /flash/switch directory.
• Enable the text file by entering the session banner CLI command followed by the filename.
To create the text file containing the banner text, you may use the vi text editor in the switch. (See Chapter 1, “Managing System Files,” for information about creating files directly on the switch.) This method allows you to create the file in the /flash directory without leaving the CLI console session. You can also create the text file using a text editing software package (such as MS Wordpad) and transfer the
If you want the login banner in the text file to apply to FTP switch sessions, execute the following CLI command where the text filename is firstbanner.txt.
-> session banner ftp /flash/firstbanner.txt
If you want the login banner in the text file to apply to CLI switch sessions, execute the following CLI command where the text filename is secondbanner.txt.
-> session banner cli /flash/secondbanner.txt
If you want the login banner in the text file to apply to HTTP switch sessions, execute the following CLI command where the text filename is thirdbanner.txt.
-> session banner http /flash/thirdbanner.txt
The banner files must contain only ASCII characters and should bear the .txt extension. The switch will not reproduce graphics or formatting contained in the file.
Modifying the Text Display Before Login
By default, the switch does not display any text before the login prompt for any CLI session.
At initial bootup, the switch creates a pre_banner.txt file in the /flash directory. The file is empty and may be edited to include text that you want to display before the login prompt.
For example:
Please supply your user name and password at the prompts.
login : user123
password :
In this example, the pre_banner.txt file has been modified with a text editor to include the Please supply your user name and password at the prompts message.
The pre-banner text cannot be configured for FTP sessions.
To remove a text display before the login prompt, delete the pre_banner.txt file (it will be recreated at the next bootup and will be empty), or modify the pre_banner.txt file.
Configuring Login Parameters
You can set the number of times a user may attempt unsuccessfully to log in to the switch’s CLI by using the session login-attempt command as follows:
-> session login-attempt 5
In this example, the user may attempt to log in to the CLI five (5) times unsuccessfully. If the user attempts to log in a sixth time, the switch will break the TCP connection.
You may also set the length of time allowed for a successful login by using the session login-timeout command as follows:
-> session login-timeout 20
In this example, the user must complete the login process within 20 seconds. This means that the time between a user entering a login name and the switch processing a valid password must not exceed 20 seconds. If the time-out period is exceeded, the switch will break the TCP connection.
Configuring the Inactivity Timer
You can set the amount of time that a user must be inactive before the session times out. By default, the time-out for each session type is 4 minutes. To change the setting, enter the session timeout command with the type of session (cli, http, or ftp) and the desired number of minutes. In the following example, the CLI time-out is changed from the default to 8 minutes.
-> session timeout cli 8
This command changes the inactivity timer for new CLI sessions to 8 minutes. Current CLI sessions are not affected. In this example, current CLI sessions will be timed out after 4 minutes. (CLI sessions are initiated through Telnet, Secure Shell, or through the switch console port.)
and “Using Secure Shell” on page 2-12. For information about connecting to the CLI through the console port, see your Getting Started Guide. For information about using the CLI in general, see
The ftp option sets the time-out for FTP sessions. For example, to change the FTP time-out to 5 minutes, enter the following command:
-> session timeout ftp 5
This command changes the time-out for new FTP sessions to 5 minutes. Current FTP sessions are not affected. For more information about FTP sessions, see
The http option sets the time-out for WebView sessions. For example, to change the WebView inactivity timer to 10 minutes, enter the following command:
-> session timeout http 10
In this example, any new WebView session will have a time-out of 10 minutes. Current WebView sessions are not affected. For more information about WebView sessions, see Chapter 9, “Using
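The login-attempt, login-timeout and per-session-type inactivity settings above can be checked against a hardening baseline in one pass. The following is an added example and not code from the Alcatel-Lucent guide; it assumes the saved configuration contains the same CLI command lines shown in this chapter (a pasted "-> " prompt is tolerated), and the baseline thresholds are hypothetical.

```python
import re
from typing import Dict, List

SESSION_TYPES = ("cli", "ftp", "http")
DEFAULT_TIMEOUT_MIN = 4  # guide: default inactivity time-out for each session type

# Hypothetical hardening baseline (illustrative values, not from the guide).
BASELINE = {
    "login_attempt_max": 5,   # failed attempts allowed before the TCP connection is dropped
    "login_timeout_max": 30,  # seconds allowed to complete the login
    "timeout_max": {"cli": 10, "ftp": 10, "http": 10},  # inactivity timer, minutes
}

# Constructed sample configuration lines; note that no banner is set for http sessions.
SAMPLE_CONFIG = """\
-> session login-attempt 5
session login-timeout 20
session timeout cli 8
session timeout ftp 5
session banner cli /flash/secondbanner.txt
session banner ftp /flash/firstbanner.txt
"""


def parse_session_config(text: str) -> Dict:
    """Collect the session settings this chapter describes; unset inactivity timers keep the default."""
    cfg = {"login_attempt": None, "login_timeout": None,
           "timeout": {t: DEFAULT_TIMEOUT_MIN for t in SESSION_TYPES}, "banner": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-> "):  # tolerate a pasted CLI prompt
            line = line[3:]
        m = re.fullmatch(r"session (login-attempt|login-timeout|timeout|banner)\s+(.+)", line)
        if not m:
            continue  # not one of the session commands covered here
        keyword, args = m.group(1), m.group(2).split()
        if keyword == "login-attempt" and len(args) == 1 and args[0].isdigit():
            cfg["login_attempt"] = int(args[0])
        elif keyword == "login-timeout" and len(args) == 1 and args[0].isdigit():
            cfg["login_timeout"] = int(args[0])
        elif keyword == "timeout" and len(args) == 2 and args[0] in SESSION_TYPES and args[1].isdigit():
            cfg["timeout"][args[0]] = int(args[1])
        elif keyword == "banner" and len(args) == 2 and args[0] in SESSION_TYPES:
            cfg["banner"][args[0]] = args[1]
    return cfg


def audit(cfg: Dict, baseline: Dict = BASELINE) -> List[str]:
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    for key in ("login_attempt", "login_timeout"):
        value, limit, name = cfg[key], baseline[key + "_max"], key.replace("_", "-")
        if value is None:
            findings.append(f"session {name} is not set")
        elif value > limit:
            findings.append(f"session {name} {value} exceeds baseline {limit}")
    for stype, limit in baseline["timeout_max"].items():
        if cfg["timeout"][stype] > limit:
            findings.append(f"session timeout {stype} {cfg['timeout'][stype]} exceeds baseline {limit}")
    for stype in SESSION_TYPES:  # the guide supports banners for cli, ftp and http sessions
        path = cfg["banner"].get(stype)
        if path is None:
            findings.append(f"no login banner configured for {stype} sessions")
        elif not (path.startswith("/flash/") and path.endswith(".txt")):
            findings.append(f"banner for {stype} sessions should be a .txt file under /flash: {path}")
    return findings
```

Running `audit(parse_session_config(SAMPLE_CONFIG))` on the constructed sample reports only the missing HTTP banner; an http inactivity timer that was never set is audited at the 4-minute default.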
Enabling the DNS Resolver
A Domain Name System (DNS) resolver is an optional internet service that translates host names into IP addresses. Every time you enter a host name when logging into the switch, a DNS service must look up the name on a server and resolve the name to an IP address. You can configure up to three IPv4 domain name servers and three IPv6 domain name servers that will be queried in turn to resolve the host name. If all servers are queried and none can resolve the host name to an IP address, the DNS fails. If the DNS fails, you must either enter an IP or IPv6 address in place of the host name or specify the necessary lookup tables on one of the specified servers.
Note. You do not need to enable the DNS resolver service unless you want to communicate with the switch by using a host name. If you use an IP or IPv6 address rather than a host name, the DNS resolver service is not needed.
You must perform three steps on the switch to enable the DNS resolver service.
1 Set the default domain name for DNS lookups with the ip domain-name CLI command.
-> ip domain-name mycompany1.com
2 Use the ip domain-lookup CLI command to enable the DNS resolver service.
-> ip domain-lookup
You can disable the DNS resolver by using the no ip domain-lookup command. For more information, refer to the OmniSwitch CLI Reference Guide.
3 Specify the IP addresses of up to three servers with the ip name-server CLI command. These servers will be queried when a host lookup is requested.
-> ip name-server 189.202.191.14 189.202.191.15 189.255.19.1
You can also specify IPv6 DNS servers to query on a host lookup. The following example describes the steps to enable the IPv6 DNS resolver service on the switch.
1 Set the default domain name for IPv6 DNS lookups with the ip domain-name CLI command.
-> ip domain-name mycompany1.com
2 Use the ip domain-lookup CLI command to enable the IPv6 DNS resolver service.
-> ip domain-lookup
You can disable the IPv6 DNS resolver by using the no form of the ip domain-lookup command. For more information, refer to the OmniSwitch CLI Reference Guide.
3 Specify the IPv6 addresses of up to three servers with the ipv6 name-server CLI command. These IPv6 servers will be queried when a host lookup is requested.
-> ipv6 name-server fe2d::2c f302::3de1:1 f1bc::202:fd40:f3
Note. You cannot use multicast, loopback, link-local and unspecified IPv6 addresses for specifying IPv6 DNS servers. You can specify IPv6 DNS servers only on an OmniSwitch 6850 or 9000.
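The three-step IPv4 and IPv6 resolver procedures above, together with the three-server limit and the IPv6 address classes the note rejects, can be enforced before a command ever reaches the switch. This is an added example, not code from the Alcatel-Lucent guide; the function names are hypothetical and the IPv4 side checks syntax only, since the guide states no class restrictions for IPv4 name servers.

```python
import ipaddress
from typing import List, Optional, Sequence

MAX_NAME_SERVERS = 3  # guide: up to three IPv4 and three IPv6 name servers

# Address classes the guide rejects for ipv6 name-server, tested in this order.
_IPV6_REJECT = (
    ("is_multicast", "multicast"),
    ("is_loopback", "loopback"),
    ("is_link_local", "link-local"),
    ("is_unspecified", "unspecified"),
)


def check_ipv6_name_server(text: str) -> Optional[str]:
    """Return None if the address is acceptable for ipv6 name-server, else the reason it is not."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return "not a valid IPv6 address"
    for attr, reason in _IPV6_REJECT:
        if getattr(addr, attr):
            return f"{reason} address not allowed"
    return None


def build_name_server_command(servers: Sequence[str], family: str = "ipv6") -> str:
    """Assemble the ip/ipv6 name-server line after validating server count and address class."""
    if family not in ("ipv4", "ipv6"):
        raise ValueError("family must be 'ipv4' or 'ipv6'")
    if not 1 <= len(servers) <= MAX_NAME_SERVERS:
        raise ValueError(f"between 1 and {MAX_NAME_SERVERS} name servers may be configured")
    normalized: List[str] = []
    for text in servers:
        if family == "ipv6":
            problem = check_ipv6_name_server(text)
            if problem:
                raise ValueError(f"{text}: {problem}")
            normalized.append(str(ipaddress.IPv6Address(text)))  # canonical compressed form
        else:
            # Only syntax is checked for IPv4; invalid input raises ValueError from ipaddress.
            normalized.append(str(ipaddress.IPv4Address(text)))
    keyword = "ipv6" if family == "ipv6" else "ip"
    return f"{keyword} name-server " + " ".join(normalized)


def resolver_commands(domain: str, ipv4_servers: Sequence[str] = (),
                      ipv6_servers: Sequence[str] = ()) -> List[str]:
    """Emit the enablement sequence from the guide: domain name, lookup, then name servers."""
    lines = [f"ip domain-name {domain}", "ip domain-lookup"]
    if ipv4_servers:
        lines.append(build_name_server_command(ipv4_servers, "ipv4"))
    if ipv6_servers:
        lines.append(build_name_server_command(ipv6_servers, "ipv6"))
    if len(lines) == 2:
        raise ValueError("at least one name server is required for lookups to succeed")
    return lines
```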
Verifying Login Settings
To display information about login sessions, use the following CLI commands:
who                   Displays all active login sessions (e.g., console, Telnet, FTP, HTTP, Secure Shell, Secure Shell FTP).
whoami                Displays the current user session.
show session config   Displays session configuration information (e.g., default prompt, banner file name, inactivity timer, login timer, login attempts).
show dns              Displays the current DNS resolver configuration and status.
For more information about these commands, refer to the OmniSwitch CLI Reference Guide.