Initial System Configuration

Operating Instructions

3/1543-AXI 101 09/1-V1 Uen T3


Copyright

© Ericsson AB 2018-2019. All rights reserved. No part of this document may be
reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use of this
document.

3/1543-AXI 101 09/1-V1 Uen T3 | 2020-05-19


Contents

1 Overview
1.1 Command-Line Interface
1.2 Accessing the CLI
1.3 Field-Support Account
1.4 Local Administrator Accounts

2 Configuring Administrator Access
2.1 Connect to the Console Port
2.2 Configure a Field-Support Account
2.3 Access Global Configuration Mode
2.4 Configure a Local Administrator Account
2.5 Assign a User Role
2.6 Configure the Ethernet Management Port
2.7 Log On Remotely

3 Configuring System-Wide Settings
3.1 Identify the System
3.2 Set Management Context
3.3 Enable Multiple Contexts
3.4 Configure the System Clock
3.5 Create System Banners
3.6 Modify the TCP Keepalive Parameters
3.7 Modify the Maximum Number of Concurrent SSH Sessions
3.8 Modify the Duration of the Login Timeout
3.9 Modify Session Inactivity Timers

4 Installing License Key Files

5 Initial System Configuration Glossary

1 Overview

This document provides an overview of the initial configuration recommended for
a new system.

Before initial configuration, you should be familiar with the router's basic
concepts of Contexts and Interfaces and Bindings.

1.1 Command-Line Interface


Most administration is done through the Command-Line Interface (CLI) to the
operating system. This document provides the minimum information about using
the CLI for users familiar with similar interfaces. For more detailed information,
see Use the CLI.

1.1.1 Commands and Case Sensitivity


Keywords in CLI commands are not case-sensitive. For example, you can enter
the show version command as show version, SHOW VERSION, or Show
Version.

Arguments are case-sensitive. For example, if you use Customers for the
<ctx-name> argument in the context <ctx-name> command, the system does not
recognize customers as the same context.

1.1.2 Partially Typed Commands


In all modes, the system recognizes partially typed commands and keywords, if
you have entered sufficient text to be unique. For example, rather than typing
configure, you can type conf and press Enter to enter configuration mode.
However, if you enter only con, an Ambiguous command error is returned because
you have entered insufficient characters to distinguish between the configure
and context commands.

1.1.3 No and Default Forms of Commands


Many configuration commands support the no keyword. Typing the no keyword
in front of a command disables the function, removes the command from the
configuration, or sets the command to its default state. For example, to enable
Bidirectional Forwarding Detection (BFD), enter the bfd command. To
subsequently disable the BFD function and remove the command from the
configuration, enter the no bfd command.

Many configuration commands support the default keyword. Typing the
default keyword in front of a command returns a parameter or feature to the
default state.

1.1.4 Committing Transactions


The commit command is required to write configuration changes to the database.
For information about this command and other database transactions, see Use
the CLI.

1.2 Accessing the CLI


You can access the CLI through any of the following means:

— Console port: Connect either directly or through a terminal server.

— Ethernet management port: Connect a terminal to the system over LAN
using this port. By default, all access services are disabled, and must be
enabled using the service <access protocol> command. For information
on supported access services, refer to the section describing service
commands in Commands: S (sa-filter to sham link). Secure Shell (SSH)
sessions are encrypted with the single Data Encryption Standard (DES)
algorithm.

Remote access enables remote file operations, such as downloading and
uploading files from and to a remote server, with utilities such as File Transfer
Protocol (FTP), or Secure Copy Protocol (SCP) client service. Remote access
through the Ethernet management port is disabled by default. Before using it,
configure the management port and at least one administrator.

If you have configured the management port, you can establish a Telnet or SSH
session to the system. Many tools provide Telnet and SSH access to remote
systems. These tools are beyond the scope of this document. In general, provide
the system name (the hostname configured for the system) or IP address
configured for the system management port, and an administrator name and
password.

Note: You may encounter login problems if you perform successive logins on a
remote system. For details, see Modify the Maximum Number of
Concurrent SSH Sessions.

If you forget the password, delete the administrator account and create a new
one. You cannot modify the password for an administrator account. See
Password Recovery.

The operating system provides default settings for local console sessions. You
can customize these settings for the duration of the current session using the
terminal length, terminal monitor, and terminal width commands.

After you are logged on to the system, you have access to the CLI based on the
context to which you are logged on and the privilege level of your account.

Note: To enter the Telnet shell (with the Telnet prompt), enter the ^]
characters. The telnet prompt is displayed.

1.3 Field-Support Account


When you connect to the console port for the first time, the system prompts you
to create a field-support account. The field-support account has the highest CLI
privilege, and by default it is restricted to logging on from the console port
only. To log on remotely from a Telnet or SSH session, use the field-support
remote-access command to enable remote access. The field-support account is
unique. It is only for the following two use cases:

— The field-support account is a Linux user and is only for field support
engineers to get root access.

— The field-support account is used to create or recover a CLI account when a
CLI account is not available for access during initial configuration, missing
configuration, or configuration failure.

Note: Linux user root is disabled.

Users who hold both the SudoUser role and the TechSupport role can
change the FSA password.

1.4 Local Administrator Accounts


To secure the local console and enable remote access, configure at least one local
administrator account on the system. For a newly installed system with only the
local context available, configure—at a minimum—one administrator account in
the local context. You can manage administrator authentication locally or
through external servers. For more information about administrator access and
authentication, see Authentication, Authorization, and Accounting for
Administrators.

You can also create additional administrator accounts in the local context or in
nonlocal contexts to further restrict access to the CLI; see Restrict Access to the
CLI. To further secure the router, see Key Chains and TACACS+.

2 Configuring Administrator Access

This section describes how to access the system through the CLI and configure
the minimum necessary for administrator access.

2.1 Connect to the Console Port

Steps

1. When you log on for the first time, connect a terminal to the console port
either directly or through a terminal server. See the appropriate hardware
guide for your system for information about connecting and configuring a
terminal for use with the console port.

2.2 Configure a Field-Support Account


The following example configures a field-support account.

Note: Enter the user name and password. Each operation must be completed
within 2 minutes. If the time runs out, the system continues to boot.

Steps

1. On the console, enter the field-support account name and password.

Example
Field-Support Account does not exist on this Node. Please create it first.
Please Input Field-Support Name: xxx
Field Support Name must start with "_"
Please Input Field-Support Name:xxxx
Please Input Field-Support Password:************
Please Retype your Password:************

2. Display the field-support account name.

Example
[local]Ericsson#show field-support name
The field-support account is: xxxx
[local]Ericsson#

3. Log out of the console. You can then log in with the field-support account
from the console again.
For more information about Field-Support Account configuration, refer to
Modify a Field-Support Account in Password Recovery.

Note: If local authentication is used and no user with the SudoUser role is
configured, administrators at privilege level 15 can execute field-support
modify and field-support remote-access with the FSA password.

2.3 Access Global Configuration Mode


Use the configure command to enter global configuration mode. This mode
provides access to commands that allow you to make changes that are universal
to the system, such as configuring the system clock and creating logon banners.
It also provides access to the commands that allow you to enter other
configuration modes.

To access global configuration mode, do the following starting from exec mode.

Steps

1. Enter global configuration mode.

Example
[local]Ericsson#configure
Enter configuration commands, one per line, 'end' to exit
[local]Ericsson(config)#

2. List the commands available from this mode.

Example
[local]Ericsson(config)#?
aaa Authentication, Authorization and Accounting
abort Abort this configuration - backout from running config
alarm-port Configure external alarm IO port attributes
alias Command level aliases
asp Enter the asp configuration mode
backup-housekeeping Configure backup restore management housekeeping model
backup-scheduler Configure backup restore management scheduler model
banner banner configuration command
boot Set boot parameters
bridge Configure a bridge
bs-cb-periodic-event Configure backup restore management calender base periodic event model
bs-periodic-event Configure backup restore management periodic event model
bs-single-event Configure backup restore management single event model
card Select card to configure
circuit-group Configure a circuit group
comment Comment current transaction
commit Commit configuration transactions to running config
context Configure an operational context
default Return a parameter to its default value
default-linecard Configure default linecard for routing local traffic
dhcp Configure DHCP
dhcpv6 Configure DHCPv6
diag Set Diagnostics mode
dot1q dot1q configuration commands
dscp Configure dscp profile
end Commit configuration changes and return to exec mode
ethernet-ring Configure ethernet-ring protection
ethernet-segment Configure an ethernet segment group
exit Exit global configuration mode
export Backup and Restore Management Configuration Mode
flow Configure Flows
forward Configure forward policy parameters
global Global synchronization parameters
help Description of the interactive help system
icr Configure ICR, Inter Chassis Redundancy. Default is bgp-based ICR
ipv6 Set IPv6 parameters
isp-log Configure the in-service performance log parameters
l2 Layer-2 global configuration
licensing Manage licensing
link-group Define a link group
logging Logging configuration command
macro Command level macros
malicious-traffic Configure malicious traffic parameters
mirror Configure mirror policy parameters
monitor Monitoring option
nameserver Configure nameserver
netconf Security management about Netconf
netdebug Configure netDebug parameters
no Disable or remove a parameter
oam OAM Config
pki Pki configuration mode
pm Performance management
port Select port to configure
privilege Command privilege parameters
pseudowire Configure Pseudowire
qos Configure Global QoS parameters
radius Radius global configs
rate-limit Set rate-limit parameters
release Configure Software Management Model
resequence Resequence a policy
rmon Configure RMON Alarm/Event
router Configure a routing protocol
security Global security
service Service commands
service-instance Service Instance configuration commands
service-policy Configure service-policies
show Show configuration or system information
sla Service Level Agreement Configuration
snmp Configure the Simple Network Management Protocol
ssh Set ssh attributes
stats-collection Configure Statistics Collection
synchronization Synchronization configuration mode
system Set system parameters
tcp Set TCP parameters
timeout Set timeouts
tls Security management about tls
tracked-object Configure tracked object
tunnel Create and configure tunnels
validate Validate the configuration changes in this transaction
xc-group Configure crossconnect group

2.4 Configure a Local Administrator Account


This example configures an administrator account in the local context with the
administrator name super, the password icandoanything, an initial privilege
level set to 10, the maximum privilege level set to 15, and permission to change
their password. In addition, the password to enable higher privilege levels is set
to pwd_for_priv_level_15 and telnet service is enabled in the local context.

Every time the administrator super logs on to the system, the administrator is at
privilege level 10, which allows the administrator to enter configuration
commands. The maximum privilege level of 15, which can be enabled after initial
login, allows the administrator access to the complete system. This administrator
can view and modify the entire system configuration, and view all running
information on the system after enabling access to the maximum privilege level
because this account is created in the local context.

To configure a local administrator account, do the following starting in global
configuration mode.

Steps

1. Enter the local context.

Example
[local]Ericsson(config)#context local

2. Configure the administrator account.

Example
[local]Ericsson(config-ctx)#administrator super password icandoanything
[local]Ericsson(config-administrator)#full-name "Fred P. Lynch x.1234"
[local]Ericsson(config-administrator)#privilege start 10
[local]Ericsson(config-administrator)#privilege max 15
[local]Ericsson(config-administrator)#allow-password-change
[local]Ericsson(config-administrator)#commit

3. Confirm the configuration.

Example
[local]Ericsson(config-administrator)#show configuration
administrator super encrypted 1 $1$........$dVif8R0QofOH8Waz/xuB40
full-name Fred Q. Lynch x1234
privilege start 10
privilege max 15
allow-password-change

4. Configure the password pwd_for_priv_level_15 to allow the administrator
to access the maximum privilege level.

Example
[local]Ericsson(config-administrator)#exit
[local]Ericsson(config-ctx)#enable password level 15 pwd_for_priv_level_15
[local]Ericsson(config-ctx)#commit

5. Confirm the configuration of the previous command.

Example
[local]Ericsson(config-ctx)#show configuration
-
-
-
enable encrypted 1 $1$........$AGSXlr2Tk5AsG92NBXzqi0

6. Enable Telnet service in the context.

Example

[local]Ericsson(config-ctx)#service telnet
[local]Ericsson(config-ctx)#commit
[local]Ericsson(config-ctx)#exit
[local]Ericsson(config)#

2.4.1 Save the Configuration File


To retain the user account information between reloads of the node, the currently
active configuration file must be saved after you complete creating administrator
accounts. The configuration file is saved in exec mode. Only an administrator
with a privilege level of 10 or higher can save the configuration file.

Steps

1. To save the configuration file, execute the following command starting in
exec mode.

Example
[local]Ericsson#save configuration
Save to file: ericsson.cfg
Target file exists, overwrite?y

2.4.2 Change the Administrator Password or Privilege Level


After logging on (see Log On Remotely) as the administrator super,
you can change the account password in exec mode or modify the privilege level
up to 15.

Steps

1. Use the change-password command to change the account password (in
this example icandoanything). This command is available only if the
allow-password-change command was used when the account was
created. This is an interactive command that prompts you to enter the old
and new password. Your passwords are not displayed as you type them.

Example
[local]Ericsson#change-password
Changing password for user: super
Current password:
New password:
Verifying New password:
Password changed successfully

Example
[local]Ericsson#change-password platadmin _cde
New password: **************
Retype new password: **************
Field-Support Account has been modified successfully.

As an administrator, you can also change the password for the field-support
account if you have the required privileges. Use the platadmin <username>
keyword with the change-password command.

2. Issue the enable command to allow access to privilege level 15. You are
prompted to provide the enable password configured for privilege level 15 (in
this example pwd_for_priv_level_15). The password is not displayed as
you type it in.

Example
[local]Ericsson#enable 15
password:

2.5 Assign a User Role


You can assign user roles to local system administrators. By default, all Ericsson
IP Operating System administrators in a local context with privilege level 15
without any role configured are automatically assigned the SystemAdministrator
role.

The Field-Support Account (FSA) created at installation time always has the
SudoUser and TechSupport roles.

An administrator other than the Field-Support Account (FSA) should be assigned
the SudoUser role and the TechSupport role only if it needs to be used in one of
the following scenarios.

— The administrator needs to run the system-critical commands factory-reset
and bootloader password.

— The administrator needs to change the password of the FSA.

— The administrator needs to access the Linux shell.

Roles other than SudoUser and TechSupport are recommended if none of the
above three situations applies.

Note: — If any role is already assigned by configuration, the
SystemAdministrator role is not assigned automatically.

— To facilitate node management, it is suggested to configure one
administrator besides the FSA with the SudoUser role and the TechSupport
role. See the role command to configure the role.

The following example configures a system administrator with the
SystemAdministrator role, SudoUser role, and TechSupport role for the Ericsson
CLI. To assign a user role, perform the following steps, starting in global
configuration mode:

Steps

1. Enter the local context.

Example
[local]Ericsson(config)#context local

2. Access the administrator account.

Example
[local]Ericsson(config-ctx)#administrator admin1 password supersecret1

3. Assign the user role.

Example
[local]Ericsson(config-administrator)#role SystemAdministrator
[local]Ericsson(config-administrator)#role SudoUser
[local]Ericsson(config-administrator)#role TechSupport
[local]Ericsson(config-administrator)#commit
[local]Ericsson(config-administrator)#exit
[local]Ericsson(config)#exit
[local]Ericsson#

2.6 Configure the Ethernet Management Port


The Ethernet port is designated for system management. Configuring the
management port involves binding it to an interface in the local context and
enabling it. Administrators can use this port to connect to the system remotely
through SSH or Telnet.

This example creates the management interface in the local context and binds it
to the management port.

Note: Use the port ethernet management command only once. Your access to
the system automatically switches to the management port if it
becomes active during normal operation.

To configure the management port, do the following starting in global
configuration mode.

Steps

1. Enter the local context.

Example
[local]Ericsson(config)#context local

2. Create an interface and assign an IP address.

Example
[local]Ericsson(config-ctx)#interface management
[local]Ericsson(config-if)#ip address 192.168.1.1/16
[local]Ericsson(config-if)#exit
[local]Ericsson(config-ctx)#exit

3. Access the management port and bind it to the interface. Enable the port.

Example
[local]Ericsson(config)#port ethernet management
[local]Ericsson(config-port)#bind interface management local
[local]Ericsson(config-port)#no shutdown
[local]Ericsson(config-port)#commit

4. Confirm the configuration.

Note: You can also bind the management interface to a non-local context.
This facilitates the usage of a separate management context with
out-of-band router management.

Example
[local]Ericsson(config-port)#show configuration
context local
...
interface management
ip address 192.168.1.1/16
...

2.7 Log On Remotely


After you configure the management port, you can log on remotely using either
SSH or Telnet.

Steps

1. You must have an administrator account to log on to the management port.
See Configure a Local Administrator Account. To enable an
administrator in a nonlocal context to log on to the router, also configure a
Telnet or SSH service for the context; see the service command. Telnet and
SSH services are disabled by default in the local context. For a description of
the difference between administrators configured in local and nonlocal
contexts see the "Assigning Administrators Different Privilege Levels" section
in Restrict Access to the CLI.

Note: The separator character between the <admin-name> and the <ctx-name>
argument is configurable. It can be %, -, @, _, \, #, $, or /. The
default character is @. To configure the character, see aaa
username-format.

2.7.1 Log on through SSH


To log on to the system using SSH:

Steps

1. If you are logging on to a router on which the IP address and SSH service are
configured in a context different from that of the administrator, enter the
administrator name in the following format, using the context name in which
the user is configured for authentication.
<admin-name>@<ctx-name>

2. If you are logging on to a router on which the IP address and SSH service are
configured in the same context as the administrator, enter the administrator
name in the following format:

<admin-name>

3. When you connect to the system, the password you enter is not echoed.
Passwords are stored in the configuration file in encrypted format.

2.7.2 Log on through Telnet


To log on to the system using Telnet:

Steps

1. If you are logging on to a router that has the administrator configured in a
nonlocal context, enter the administrator name in the following format:
<admin-name>@<ctx-name>

2. If you are logging on to a router that has the administrator configured in a
local context, enter the administrator name in the following format:
<admin-name>[@<ctx-name>]

Note: The <ctx-name> argument is optional.

3 Configuring System-Wide Settings

This section describes how to configure system-wide settings.

3.1 Identify the System


This example defines the system contact information, hostname, description, and
location.

To identify the system, do the following starting in global configuration mode.

Steps

1. Identify the system.

Example
[local]Ericsson(config)#system contact IS hotline 1-800-555-1234
[local]Ericsson(config)#system hostname freebird
[local]Ericsson(config)#system description router-gold
[local]Ericsson(config)#system location Building 2, 2nd fl. lab 3
[local]Ericsson(config)#commit

2. Confirm the configuration. Note that the system prompt reflects the new
hostname.

Example
[local]freebird(config)#show configuration | grep system
...
system contact IS hotline 1-800-555-1234
system hostname freebird
system description router-gold
system location Building 2, 2nd fl. lab 3

3.2 Set Management Context


Operations that import and export backup packages, download software packages,
and download and distribute certificates through FTP, SCP, or SFTP from the
network management system run in the management context. By default, these
operations run in the local context.

To set management context, perform the following steps:

Steps

1. Set context to-mgr as the management context.

Example
[local]Ericsson(config)#management context to-mgr
[local]Ericsson(config)#commit
Transaction complete.
[local]Ericsson(config)#exit

3.3 Enable Multiple Contexts


You cannot create a context until you have enabled the multiple-context service.
Optionally, you can configure the system to prompt the administrator for
confirmation on each attempt to create a new context. This example enables
both services.

To enable multiple contexts, do the following starting in global configuration
mode.

Steps

1. Enable multiple contexts.

Example
[local]Ericsson(config)#service multiple-contexts

2. Enable the system prompt when a new context is created.

Example
[local]Ericsson(config)#system confirmations context
[local]Ericsson(config)#commit

3. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration | grep system
...
service multiple-contexts
...
system confirmations context

4. Confirm the system behavior by attempting to create a new context.

Example
[local]Ericsson(config)#context newcontext
Are you sure you want to create context newcontext? y
[local]Ericsson(config-ctx)#

3.4 Configure the System Clock


This example configures the system clock as follows:

— Sets the clock to 12:01 p.m. on 30 June, 2013.

— Defines Atlantic Standard Time (AST), Eastern Standard Time (EST), Central
Standard Time (CST), Mountain Standard Time (MST), Pacific Standard Time
(PST), and Hawaii Standard Time (HST) time zones. Identifies PST as the
local time zone.

— Enables the system to switch to daylight saving time (summertime) on the
first Sunday in April at 7:00 a.m. and end on the last Sunday in October at
3:00 a.m. for the PST and MST time zones.

To configure the system time zone, do the following starting in exec mode.

Steps

1. Set the clock.

Example
[local]Ericsson#clock set 2013:06:30:12:01

2. Enter global configuration mode and configure the time zones.

Example
[local]Ericsson#configure
[local]Ericsson(config)#system clock timezone AST -4
[local]Ericsson(config)#system clock timezone EST -5
[local]Ericsson(config)#system clock timezone CST -6
[local]Ericsson(config)#system clock timezone MST -7
[local]Ericsson(config)#system clock timezone PST -8 local
[local]Ericsson(config)#system clock timezone HST -10

3. Enable the system to automatically switch to daylight saving time or
standard time.

Example
[local]Ericsson(config)#system clock summer-time PST PDT recurring first Sunday April 6 last \
Sunday October 2
[local]Ericsson(config)#system clock summer-time MST MDT recurring first Sunday April 6 last \
Sunday October 2
[local]Ericsson(config)#commit

4. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration
...
system clock timezone AST -4 0
system clock timezone CST -6 0
system clock timezone FST -5 0
system clock timezone HST -10 0
system clock timezone MST -7 0
system clock summer-time MST MDT recurring first Sunday April 6 last Sunday October 2
system clock timezone PST -8 0 local
system clock summer-time PST PDT recurring first Sunday April 6 last Sunday October 2

3.5 Create System Banners


You can communicate with system users using banners. This example creates the
following banners:

— The login banner Freebird system, which is displayed before the user logs
on.

— The exec banner Welcome to the freebird system., which displays after
a user logs on.

In addition, you can use the banner motd command to create ad hoc messages.

To create system banners, do the following starting in global configuration mode.

Steps

1. Create the banners.

Example
[local]Ericsson(config)#banner login /Freebird system/
[local]Ericsson(config)#banner exec /Welcome to the freebird system./
[local]Ericsson(config)#commit

2. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration
...
banner login /Freebird system/
banner exec /Welcome to the freebird system./

3.6 Modify the TCP Keepalive Parameters


Optionally, you can change the default TCP keepalive parameters. See the tcp
keepalive command for the default values. This example changes the maximum
number of times that the system tries to reestablish a dropped TCP connection to
4.

To modify the TCP keepalive parameters, do the following starting in global
configuration mode.

Steps

1. Change the number of times that the system tries to reestablish a dropped
TCP connection.

Example
[local]Ericsson(config)#tcp keepalive count 4
[local]Ericsson(config)#commit

2. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration
...
tcp keepalive count 4

3.7 Modify the Maximum Number of Concurrent SSH Sessions

The operating system supports up to 32 concurrent administrative sessions
(Telnet and SSH), plus one connection to the console port. In addition,
administrators at privilege level 15 are allowed beyond this value up to a
maximum of 36 total sessions. By default, the maximum number of system-wide,
concurrent SSH sessions is 16. The system drops all SSH connection requests
after the maximum number is established. For more information, see the
ssh server full-drop command. You can also specify context-specific maximums
for administrative sessions in one or more contexts using the aaa authentication
administrator command in context configuration mode.

If you use automated scripts to establish multiple Telnet or SSH sessions, note
that the router supports a maximum of one login every 30 seconds. If you
encounter a login error, wait 5-10 minutes before establishing another Telnet or
SSH session.

This example limits the number of concurrent SSH sessions to 17.

To modify the maximum number of concurrent SSH sessions, do the following
starting in global configuration mode.

Steps

1. Modify the maximum number of concurrent SSH sessions.

Example
[local]Ericsson(config)#ssh server full-drop 17
[local]Ericsson(config)#commit
[local]Ericsson(config)#ssh server start-drop 17
[local]Ericsson(config)#commit

2. Confirm the configuration.

Note: Restricting the maximum number of sessions using the ssh server
full-drop command does not restrict the maximum number of SFTP
sessions. The maximum number of SFTP sessions remains 32.

Example
[local]Ericsson(config)#show configuration | in ssh
...
ssh server full-drop 17

3.8 Modify the Duration of the Login Timeout


You can change how long the system waits for a response during a logon attempt
after a Telnet session starts before it times out. The time is set in minutes,
and the valid range is from 0 to 99,999. The default value is 10. The following
example changes the duration to 5 minutes.

To change the duration of time that the system waits for a response before
timing out:

Steps

1. Configure the timeout.

Example
[local]Ericsson(config)#timeout login response 5
[local]Ericsson(config)#commit

2. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration
...
timeout login response 5

3.9 Modify Session Inactivity Timers


Optionally, you can change the number of minutes before a session times out
because of inactivity. The default is 10 minutes. You can set this value globally or
for a particular administrator record. This example configures the system to
disconnect any administrator session after 30 minutes of idle time.

To configure session inactivity timers, do the following starting in global
configuration mode.

Steps

1. Configure the timer.

Example
[local]Ericsson(config)#timeout session idle 30
[local]Ericsson(config)#commit

2. Confirm the configuration.

Example
[local]Ericsson(config)#show configuration
...
timeout session idle 30
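
An added example, not part of the Ericsson manual: a check run over captured `show configuration` output for the session-control commands of sections 3.7 to 3.9. The policy maximums, and the treatment of a command missing from the output as running at its documented default, are assumptions.

```python
import re

# Constructed capture of `show configuration`, using the values from the
# examples in sections 3.6 to 3.9.
SAMPLE_CONFIG = """\
[local]Ericsson(config)#show configuration
...
tcp keepalive count 4
ssh server full-drop 17
ssh server start-drop 17
timeout login response 5
timeout session idle 30
"""

# command prefix: (default stated in this manual, policy maximum).
# The policy maximums are assumed site values, not vendor recommendations.
RULES = {
    "ssh server full-drop": (16, 20),      # concurrent SSH sessions
    "timeout login response": (10, 10),    # minutes
    "timeout session idle": (10, 15),      # minutes
}

def parse_settings(config_text):
    """Return {command prefix: value} for audited commands; a later line overrides."""
    found = {}
    for line in config_text.splitlines():
        for prefix in RULES:
            m = re.fullmatch(re.escape(prefix) + r"\s+(\d+)", line.strip())
            if m:
                found[prefix] = int(m.group(1))
    return found

def audit(config_text):
    """Return (command, effective value, reason) for each setting above policy."""
    found = parse_settings(config_text)
    findings = []
    for prefix, (default, policy_max) in RULES.items():
        # Assumption: a command missing from the output runs at its default.
        value = found.get(prefix, default)
        origin = "configured" if prefix in found else "default"
        if value > policy_max:
            findings.append((prefix, value,
                             f"{origin} value exceeds policy maximum {policy_max}"))
    return findings
```

With the sample above, only the 30-minute idle timer is reported; the prompt line, the `...` filler and unaudited commands are ignored.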

4 Installing License Key Files

To install a license key file, follow these steps:

Steps

1. Check the license fingerprint.

a. Check the serial number of the backplane.

Example

[local]Ericsson>show hardware
Slot  Type                 Product No       Serial No      Rev     Mfg Date    Payload
----- -------------------- ---------------- -------------- ------- ----------- -------
N/A   backplane            C920757845       D825663644     R1A     08-JAN-2018 N/A
PFT1  pft-ac               BML 901 374/1    BR84839677     R1A     08-FEB-2018 N/A
PFT2  pft-dc               BMR 911 86/1     BR84555748     R1A     25-FEB-2018 N/A
RP1   rp                   ROA 128 6130/1   ENCD826387     R1A     22-SEP-2017 OK
RP2   rp                   ROA 128 6130/1   ENCD826388     R1A     22-SEP-2017 OK
1     1-10ge-48-port       ROA 128 6028/1   ENCD823439     R1A     01-FEB-2018 OK
2     1-10ge-48-port       ROA 128 6028/1   ENCD823440     R1A     01-FEB-2018 OK
3     10-100ge-32-4-port   ROA 128 6188/1   ENCD823526     R1A     13-FEB-2018 OK

b. Check the license fingerprint.

Example

[local]Ericsson#show licensing
Capacity alarm hysteresis(%) : 5
Capacity alarm threshold(%) : 80
Fingerprint : D825663644
Fingerprint updatable : true
Last inventory change : NULL
Last license inventory refresh : 2018-05-12T04:50:30+00:00
License expiration warning(day) : 7
State : INTEGRATION_UNLOCK
Locking code :
Reconnect attempt interval(sec) : 30
Synchronization interval(sec) : 30

Note: — If the serial number of the backplane is identical to the fingerprint, it means that
the fingerprint is the initial configuration. By default, the fingerprint is the serial
number of the backplane if you don't set the fingerprint manually. If you need to
replace a failed router, use the fingerprint command to reset the fingerprint. For
details, refer to fingerprint in Commands: F.

— License expiration warning(day) is the number of days before the license key
expires at which License Manager raises the License Key Not Available alarm.
For details, refer to notification expiration in Commands: N.

2. Set the fingerprint for the router.

Example
[local]Ericsson(config)#licensing
[local]router6000(config-licensing)#fingerprint C920757834

Note: The fingerprint can be no longer than 256 characters and can contain only letters, numbers,
hyphens (-), and underscores (_).

Step 3 and Step 4 are mutually exclusive. Follow either Step 3 or Step 4, depending on whether the
license key file is installed from a local or remote URI.

3. Install the license key file from a local URI. Skip this step if you install the license key file from a
remote URI.

a. Copy the license key file from the license server to the local URI with the password
1234.

Example
[local]Ericsson#copy scp://admin@132.196.28.228//home/LKF/C920757834_171212_093034.xml /flash
Enter Windows password:****
C920757834_171212_093034.xml 100% 1184 9.2KB/s 00:00

Note: Enable the Secure Copy Protocol (SCP) client if you use SCP to copy the license
key file.

b. Install the license key file from the URI file:///flash/C920757834_171212_093034.xml
with the password admin.

Example
[local]Ericsson#licensing install keyfile uri file:///flash/C920757834_171212_093034.xml password admin

4. Install the license key file from the remote URI of
sftp://admin@132.196.28.228/home/LKF/C920757834_171212_093034.xml. Use the password 1234.
Skip this step if you install the license key file from a local URI.

Example
[local]Ericsson#licensing install keyfile uri sftp://admin@132.196.28.228/home/LKF/C920757834_171212_093034.xml password 1234

5. Check the license installation process.

Example
[local]Ericsson#show licensing keyfile progress

Report progress :
Action name : loadLicKeyFile
Additional info :
Progress info :
Progress percentage : 100
Result : SUCCESS
Result info : Successfully loaded the new LKF
State : FINISHED
Action id : 0
Time action started : 2018-05-14T15:44:07+00:00
Time action completed : 2018-05-14T15:44:07+00:00
Time of last status update : 2018-05-14T15:44:07+00:00

Note: When installing the license key file from a remote URI, ensure the progress percentage
is 100 before starting the second installation.

6. Refresh and update the license key file.

Example
[local]Ericsson#licensing inventory refresh
[local]Ericsson#licensing inventory publish

7. Check the license status.

Example
This example displays general license management information.

[local]Ericsson#show licensing
Capacity alarm hysteresis(%) : 5
Capacity alarm threshold(%) : 80
Fingerprint : C920757834
Fingerprint updatable : false
Last inventory change : 2018-05-14T11:59:57+0000
Last license inventory refresh : 2018-08-29T03:08:43+00:00
License expiration warning(day) : 7
State : NORMAL
Locking code :
Reconnect attempt interval(sec) : 30
Synchronization interval(sec) : 30

Example
This example displays detailed license key information.

[local]Ericsson#show licensing capacity-key
Capacity key : 1
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023230/1
Name : Capacity Key, L3-VPN-1
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 2
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023467/1
Name : Capacity Key, L2-VPN-1
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 3
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023250/1
Name : Capacity Key, IPsec Activation
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 4
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 9
Licensed capacity limit reached : false
Key id : FAT1023458/1
Name : Capacity Key, 10GE port
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 5
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1024053/25
Name : Capacity Key, R6000 - 1x25G port cap license
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 6
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 1
Licensed capacity limit reached : false
Key id : FAT1023483/100
Name : Capacity Key, R6000-1x100G port lic
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 7
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023953/1
Name : Capacity Key, 1 x Abis/IP Attach Unit license
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 8
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023955/1
Name : Capacity Key, 1 x CES Attach Unit license
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 9
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 1
Licensed capacity limit reached : true
Key id : FAT1023253/1
Name : Feature Key, IPOS
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 10
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023871/1
Name : Feature Key, Shortest Path Based Segment Routing
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 11
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 1
Licensed capacity limit reached : true
Key id : FAT1023595/1
Name : Feature Key, 1588/PTP
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 12
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1023872/1
Name : Feature Key, Segment Routing for Traffic Engineering
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 13
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1024069/1
Name : Feature Key, SLA_LICENSE_KEY
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 14
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 0
Licensed capacity limit reached : false
Key id : FAT1024107/1
Name : Feature Key, EVPN Advanced Functions
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
Capacity key : 15
Licensed capacity limit :
Value : 0
No limit : false
Capacity unit : token
Granted capacity level : 1
Licensed capacity limit reached : true
Key id : FAT1024122/1
Name : Feature Key, Enable license usage monitoring
Product type : Router 6000
Valid from : 1970-01-01
Expiration : 1970-01-01
Shared : false
Version :
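
An added example, not part of the Ericsson manual: the checks implied by the notes in steps 1, 2 and 5, applied to captured `show hardware`, `show licensing` and `show licensing keyfile progress` output. The captures are constructed from the examples above, and treating any state other than NORMAL (the state shown in step 7) as a finding is an assumption.

```python
import re

# Constructed captures modelled on the step 1 and step 5 examples (trimmed).
SHOW_HARDWARE = """\
Slot  Type       Product No      Serial No   Rev  Mfg Date     Payload
N/A   backplane  C920757845      D825663644  R1A  08-JAN-2018  N/A
RP1   rp         ROA 128 6130/1  ENCD826387  R1A  22-SEP-2017  OK
"""
SHOW_LICENSING = "Fingerprint : D825663644\nFingerprint updatable : true\nState : INTEGRATION_UNLOCK\n"
SHOW_PROGRESS = "Progress percentage : 100\nResult : SUCCESS\nState : FINISHED\n"

def parse_fields(text):
    """Parse 'Name : value' lines of show output into a dict (value may be empty)."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" :")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def backplane_serial(hardware_text):
    """Serial No is the 4th column from the right (Product No may contain spaces)."""
    for line in hardware_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[1] == "backplane":
            return cols[-4]
    return None

def fingerprint_findings(hardware_text, licensing_text):
    """Apply the notes in steps 1 and 2 to the captures; return a list of findings."""
    lic = parse_fields(licensing_text)
    fp = lic.get("Fingerprint", "")
    findings = []
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,256}", fp):
        findings.append("fingerprint violates the documented character/length rule")
    if fp and fp == backplane_serial(hardware_text):
        findings.append("fingerprint equals backplane serial: still the default")
    if lic.get("State") != "NORMAL":  # NORMAL is the state shown in step 7
        findings.append(f"license state is {lic.get('State')}, not NORMAL")
    return findings

def install_finished(progress_text):
    """True only when the step 5 output shows a completed, successful load."""
    p = parse_fields(progress_text)
    return (p.get("Progress percentage"), p.get("Result"),
            p.get("State")) == ("100", "SUCCESS", "FINISHED")
```

Run against the step 1 captures, it reports the default fingerprint and the INTEGRATION_UNLOCK state; against the step 7 output it reports nothing.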

5 Initial System Configuration Glossary

AST
Atlantic Standard Time

BFD
Bidirectional Forwarding Detection

CLI
Command-Line Interface

CST
Central Standard Time

DES
Data Encryption Standard

EST
Eastern Standard Time

FTP
File Transfer Protocol

HST
Hawaii Standard Time

MOMs
Managed Object Models

MST
Mountain Standard Time

NETCONF
Network Configuration

PST
Pacific Standard Time

SCP
Secure Copy Protocol

SSH
Secure Shell
