
FSP 150CC-GE20x Product Training

Course 2 - Administration

FSP 150CC-GE206 R4.4.x


FSP 150CC-GE201 R4.3.x

October 2010 V1.3


Module Contents

• Connectivity
• Syslog
• Security/Alarm/Audit Logs
• SNMP
• SNTP
• Security

2 © 2010 ADVA Optical Networking. All rights reserved. Confidential.


Connectivity

• Various Options
  - HTTP/HTTPS – eVision
  - Telnet, SSHv2
  - SNMP
  - CLI
  - NMS

User ID     Password    Privilege
root        ChgMeNOW    Superuser
netadmin    ChgMeNOW    Provisioning
user        ChgMeNOW    Maintenance



Connectivity
Serial Interface

• Connection Attributes:
  - Bits per second: 9600
  - Data bits: 8
  - Parity: None
  - Stop Bits: 1
  - Hardware Flow Control: None
• Straight through cable with included DB9/RJ45 adapter
• CLI
• Software download and database backup are not available via the serial interface. IP connectivity is required for https file transfer and FTP.



Connectivity
Serial Interface

• CLI login screen



Connectivity
CLI Basics

• Serial Port, Telnet or SSH
• Only need to enter the unique portion of the command term, not the entire term
• “tab” can be used to auto-complete the command term once the unique portion is entered, but completion is not required
• “back” takes you back one level
• “home” takes you to the main level
• “quit” logs you out from any menu/sub-menu
• Arrows can be used to scroll back/forward through previous commands or edit (terminal emulation specific)
• “?” at any time shows available commands or validity/next parameter of the currently entered command.



Connectivity
CLI Prompt Configuration

• CLI prompt can be configured via GUI and CLI

ADVA--> configure system
ADVA:system--> prompt ADVA-GE206
ADVA-GE206:system-->



Connectivity
Network Element Identification

• Network Element Identification can be configured via GUI and CLI

ADVA--> network-element ne-1
ADVA-NE-1--> name GE206-1
ADVA-NE-1--> location Dallas-TX
ADVA-NE-1--> contact John-Smith



Connectivity
IP Access

• The MGMT LAN port – DCN (eth0)
  - Auto-MDIX supported
  - Straight through or cross over will work
• A default IP address of 192.168.0.2/24 is assigned.



Connectivity
HTTP GUI

[Figure: HTTP GUI screen layout with labelled areas: Applications, Navigation Tree, Info/Input, Alarms and Conditions]



Connectivity
GE206 Naming Conventions and Navigation

• FLOW Entity ID Naming convention:
  - NE → 1
  - Shelf → 1
  - Slot → 1
  - Access/Network port → 2 (range is from 1 to 6)
  - Flow → 1 (range is 1 to 32)



Connectivity
GE201 Naming Conventions and Navigation

• FLOW Entity ID Naming convention:
  - NE → 1
  - Shelf → 1
  - Slot → 1
  - Access → 1
  - Flow → 1 (range is 1 to 128)



Connectivity
HTTP GUI - Usage

• Applications:
  - Functionality is divided into different applications, which are aligned with user privileges
• Navigation Tree:
  - Many nodes in the navigation tree have options that are selectable by right-clicking on the node
• “OK” vs. “Apply”
  - Both result in the validation of the data and the writing of changes to the Flash copy of the database and the hardware
  - “Apply” leaves you in the edit screen, whereas “OK” takes you back to the display screen



General
Security Banner

• Banner is displayed on GUI and serial/telnet sessions at login.
• In the GUI, right click System node and select “Edit Banner”
• Maximum of 2000 characters

ADVA:--> configure system
ADVA:system--> security-banner "This is a private system. Unauthorized access or use may lead to prosecution"



General
Security Prompt

• When logging in via the CLI, the following prompt is typically displayed:

Do you wish to continue [Y|N]-->

• This prompt can cause issues with CLI based configuration systems.
• The prompt can be disabled via the CLI only.

ADVA:--> configure system
ADVA:system--> security-prompt disabled



General
Syslog Servers

ADVA--> configure system
ADVA:system--> syslog-server 1
ADVA:system:syslog-1--> configure 10.10.10.10 514
ADVA:system:syslog-1--> show syslog-server
IP Address : 10.10.10.10
port : 514



General
Syslog Servers

• Individual controls for each log type



General
Security Log

• Security Log contains events of the following type:
  - Login/Logout/Failed Login attempts (local / remote)
  - Local User creation/deletion
  - Password change attempts
• Security logs can be directed to SYSLOG (configurable)
• Security log can be cleared only by a factory reset
• Security log only visible to superuser accounts
• Security log contains 1000 records



General
Security Log

ADVA--> show security-log

ADVA--> configure system
ADVA:system--> security-log
ADVA:system:security-log--> syslog-control disabled



General
Alarm Log

• Alarm log (automatic output buffer) for alarms/events
• Alarm logs can be directed to a SYSLOG (configurable)
• Alarm logs can be disabled by superuser
• Alarm log contains 1000 records
• Alarm log entries limited to 256 characters



General
Alarm Log

ADVA--> show alarm-log

ADVA--> configure system
ADVA:system--> alarm-log
ADVA:system:alarm-log--> syslog-control disabled
ADVA:system:alarm-log--> log2file-control enabled



General
Audit Log

• Audit Log contains events of the following type:
  - all configuration related changes,
  - all entity (e.g. equipment, facility, etc) state changes
  - all system restarts
  - all maintenance operations (e.g. loopbacks)
• Audit logs can be directed to SYSLOG (configurable)
• Audit Log can be disabled by superuser
• Audit log contains 1000 records
• Audit log entries limited to 256 characters



General
Audit Log

ADVA--> show audit-log

ADVA--> configure system
ADVA:system--> audit-log
ADVA:system:audit-log--> syslog-control disabled
ADVA:system:audit-log--> log2file-control enabled



SNMP
Simple Network Management Protocol

• The device is configurable via SNMP
• SNMP V1, V2c and V3 are supported
• V1 and V2c Defaults:
• V3 Defaults:



SNMP
Community String

ADVA--> configure snmp
ADVA:snmp--> add community noc-readonly readonly



Trap community string
(GE206/GE206F)

• Community string access type can be set to Trap Only
• Cannot be used for read-only or read-write access
  - The following errors will be returned by the system if the trap-only community string is used for read/write access to the GE206:
    - noSuchName for SNMPv1
    - noAccess for SNMPv2c
    - noAccess for SNMPv3 USM

ADVA--> configure snmp
ADVA:snmp--> add community "traps" trap-only



SNMP
Target Parameter

• The target parameters allow us to define what SNMP protocol will be used to populate trap information;
• And thus what SNMP protocol will be used to send traps to the target address specified
• Target parameter must be added prior to adding the target address.

ADVA--> configure snmp
ADVA:snmp--> add target-params target-param-v1 snmpv1 snmpv1 private no-auth



SNMP
Target Address

• Up to 10 trap recipients may be defined
• Up to 10 community strings may be defined

ADVA--> configure snmp
ADVA:snmp--> add target-address NMS-US 10.10.10.10:162 2 3 trap target-param-v1 enabled



SNMP
USM (User Security Model)

ADVA--> configure snmp
ADVA:snmp--> add usm-user noc-user local r0ck3t readonly auth-priv md5 des ******** ********

• Engine ID
  - 'local' or beginning with 1 or 0
• Security name
  - 1 to 256 characters long
  - only '0-9 a-z A-Z _ . -' are accepted
  - If left blank User Name will be copied into this field.
• Auth. Key and Priv. Key
  - 8 – 32 characters long
  - Contains a mix of upper and lower case alpha characters (a-z A-Z), at least one special character (# * %) and at least one digit (0-9). Cannot begin with '#'.
  - No more than 2 chars. can be repeated in consecutive positions.
  - Does not contain a sequence of 3 consecutive letters/digits in ascending/descending order.
  - Can not be the same as the user ID.
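
The Auth. Key and Priv. Key rules above, written as a pre-check that can be run on candidate keys before they are typed into the CLI. This is an added example, not ADVA code: the function names are hypothetical, the special-character set is assumed to be exactly the three characters listed, and sequences are assumed to be compared case-insensitively.

```python
import re

SPECIALS = "#*%"  # assumption: exactly the three characters the slide lists

def _has_sequence(key):
    """True if 3 adjacent ASCII letters (case-folded, an assumption) or
    digits step by +1 or -1 each time, e.g. 'abc', 'CBA', '321'."""
    folded = key.lower()
    for i in range(len(folded) - 2):
        tri = folded[i:i + 3]
        if not (tri.isascii() and (tri.isdigit() or tri.isalpha())):
            continue
        step = ord(tri[1]) - ord(tri[0])
        if step in (1, -1) and ord(tri[2]) - ord(tri[1]) == step:
            return True
    return False

def check_usm_key(key, user_id):
    """Return the slide's rules that `key` breaks; an empty list means it passes."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8-32 characters")
    if not (re.search(r"[a-z]", key) and re.search(r"[A-Z]", key)):
        problems.append("needs upper and lower case letters")
    if not any(ch in SPECIALS for ch in key):
        problems.append("needs a special character (# * %)")
    if not re.search(r"[0-9]", key):
        problems.append("needs a digit")
    if key.startswith("#"):
        problems.append("cannot begin with '#'")
    if re.search(r"(.)\1\1", key):
        problems.append("more than 2 identical characters in a row")
    if _has_sequence(key):
        problems.append("3 letters/digits in ascending/descending order")
    if key == user_id:
        problems.append("same as the user ID")
    return problems

if __name__ == "__main__":
    # Constructed sample keys, not values from the training material.
    for candidate in ("Tr%7mpKw9z", "Pa55word", "#Kq8mZr2x", "Kq%8cbaZ1", "Kq%888mZ"):
        print(candidate, check_usm_key(candidate, "noc-user") or "OK")
```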



SNMP
Dying Gasp Trap

• The 150CC supports the ability to generate an SNMP Dying Gasp trap on power loss for scenarios where EFM-OAM Dying Gasp is not sufficient.
• Only one of SNMP Dying Gasp trap or EFM-OAM Dying Gasp message can be generated on an interface.
• SNMP Dying Gasp will only be sent over a Mgmt tunnel, not the MGMT LAN (only replaces EFM OAM Dying Gasp)
• Configure SNMP Dying Gasp on the system level and then you can enable the trap by target address (up to 2 SNMP Dying Gasp PDUs can be configured per system).

ADVA--> network-element ne-1
ADVA-NE-1--> configure nte nte206-1-1-1
ADVA-NE-1:ge206-1-1-1--> snmp-dying-gasp enabled



NTP
Network Time Protocol

• Unicast:
  - Device only attempts to connect to the configured addresses
  - Support for up to 2 NTP servers

ADVA--> configure system
ADVA:system--> ntp-client
ADVA:system:ntp_client--> primary-server 10.10.10.10
ADVA:system:ntp_client--> backup-server 10.10.10.11
ADVA:system:ntp_client--> show ntp-client



Security

• Secure access (defaults shown):
  - Serial Port: Enabled
  - Telnet (port 23): Disabled
  - SSH (port 22): Enabled
  - FTP (port 21): Disabled
  - HTTP (port 80): Enabled
  - HTTPS (port 443): Disabled
  - SFTP (port 22): Disabled
  - SCP (port 21): Enabled
• Access Control Lists
• GUI:
  - Automatic logoff is provisionable
  - Cookie shared per PC user login per NID IP address
• Serial
  - Automatic logoff on cable disconnect (Serial Port Auto Log off: Enable)
  - Serial port can be disabled
• Authentication Traps can be enabled (disabled by default)



Security
Operations

• Access by various applications can be generically enabled or disabled;
  - In the configuration application right click on “System” and select “Edit System”

ADVA--> configure system
ADVA:system--> ftp enabled
ADVA:system--> telnet enabled
ADVA:system--> serial enabled



Security
Key Management

• The device can generate unique SSL Certificates and SSH keys.
  - This will replace the existing keys.

ADVA--> configure user-security
ADVA:user-sec--> regenerate-ssh-keys
ADVA:user-sec--> regenerate-ssl-certificate



Security
Access Control Lists

• Up to 10 ACL entries can be activated at the system level
• Each entry allows for the specification of a subnet that can access the unit

ADVA--> configure system
ADVA:system--> acl-entry 1
ADVA:acl-1--> configure permit 10.10.1.0 255.255.255.0
ADVA:acl-1--> control enabled
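
A pre-change check for the ACL described above, added here as an example (not ADVA code): it validates planned permit entries and lists the management stations that fall outside every enabled subnet, so a lockout is caught before `control enabled` is applied. The function names, the tuple layout, the station names and the deny-on-no-match behaviour are assumptions.

```python
import ipaddress

MAX_ACL_ENTRIES = 10  # system-level limit stated on the slide

def enabled_permits(entries):
    """entries: (subnet, netmask, enabled) tuples mirroring the CLI lines
    'configure permit <subnet> <netmask>' and 'control enabled'."""
    if len(entries) > MAX_ACL_ENTRIES:
        raise ValueError(f"{len(entries)} entries; the limit is {MAX_ACL_ENTRIES}")
    nets = []
    for subnet, netmask, enabled in entries:
        # strict=True raises ValueError when host bits are set in the subnet;
        # a non-contiguous netmask raises ValueError as well.
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=True)
        if enabled:
            nets.append(net)
    return nets

def uncovered_stations(entries, stations):
    """Names of management stations that no enabled permit entry covers.
    Assumption: once any entry is enabled, unmatched sources are denied."""
    nets = enabled_permits(entries)
    if not nets:
        return []  # assumption: with no enabled entry, nothing is filtered
    return [name for name, ip in stations.items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

# The permit entry from the slide, plus constructed station names. 10.10.10.10
# is the NMS/syslog address used in the page's other examples; 10.10.1.25 is
# a constructed workstation address.
PLANNED_ACL = [("10.10.1.0", "255.255.255.0", True)]
STATIONS = {"nms": "10.10.10.10", "noc-workstation": "10.10.1.25"}

if __name__ == "__main__":
    print("not covered by the planned ACL:", uncovered_stations(PLANNED_ACL, STATIONS))
```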



Last Reset Cause (GE201)

• System provides a last reset cause such as warm restart or cold restart. This is available on CLI/GUI/SNMP.
• System captures the last 3 instances of an abnormal event. The 3 debug files (binary) are stored on a single debug image which can be downloaded for further investigation.



End of Administration

IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content,
material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations
of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or
damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by
or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.
