Avaya ERS 2500 Technical Configuration Manual

Ethernet Routing Switch
2500, 4500, 5000
Engineering
> Management Access Security for ERS
2500, ERS 4500, and ERS 5000
Technical Configuration Guide
Avaya Data Solutions
Document Date: May 31, 2010
Document Number: NN48500-594
Document Version: 1.0


Summary of Contents for Avaya ERS 2500

  • Page 2 2500, 4500, and 5000 securely for management purposes. This document covers accessing the switch using telnet, HTTP, SSL, SSH, and SNMP. Revision Control: 05/19/2010, revised by PRMGT, remarks: Modifications to Software Baseline section. Avaya Inc. – External Distribution...
  • Page 3: Table Of Contents

    10.3 SNMP MIB View ... 48
    10.4 SNMP Trap Receivers ... 49
    10.5 SNMP System Name, Contact, and Location ... 50
    10.6 Disable SNMPv1 and SNMPv2 ... 50
    10.7 SNMPv3 ... 51
    10.8 Enabling Secure SNMP ... 52
  • Page 4
    10.9 SNMP Configuration Examples ... 53
    10.9.1 SNMP Community String Configuration Example ... 53
    10.9.2 Verify Operations ... 54
    10.9.3 SNMPv3 Configuration Example ... 56
    10.9.4 Verify Operations ... 57
    10.10 SNMP Trap Notification Control ... 59
    Software Baseline ... 61
    Reference Documentation ... 61
  • Page 5: Conventions

    Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command: ERS5520-48T# show running-config
    Output examples from Avaya devices are displayed in a Lucida Console font:
    ERS5520-48T# show running-config
    ! Embedded ASCII Configuration Generator Script
    ! Model = Ethernet Routing Switch 5520-24T-PWR
    ! Software version = v5.0.0.011...
  • Page 6: Overview

    1. Overview On an ERS 2500, ERS 4500, or ERS 5000 series switch, there is no access security enabled by default. This allows a user to access the switch either via the local serial port, HTTP (WEB), or via Telnet without any user name or password protection.
  • Page 7: Management Ip Address

    By default all stackable switches will attempt to obtain an IP management address if one has not been configured. The ERS 4500 and ERS 5000 support both BootP and DHCP, while the ERS 2500 supports BootP. Until a management address and the access controls in the following sections are configured, whatever address the switch obtains is reachable with no authentication (see the Overview). Layer 3 method assuming the Management VLAN is 200...
  • Page 8: Local Password Protection

    3. Local password protection. CLI/WEB Password Protection: by default, on the ERS 2500, ERS 4500, or ERS 5000 series switch, serial port and telnet/web access are allowed without any password protection. The following command displays the various password options available.
  • Page 9: Password Security

    The switch can be configured to store up to 10 previously used passwords. Passwords remain in the password history until they age out of the history table. Password update verification: any password change must be verified by typing the new...
  • Page 10 Any time a password is displayed or entered in NNCLI, each character of the password is displayed as an asterisk (*). Password security factory default: by default, password security is enabled on the SSH software image and disabled on the non-SSH software image...
  • Page 11: Telnet Password Protection Using Local Authentication

    ERS-Stackable# show cli password
    Switch Access Login
    Username   Password
    --------   ---------------
    RW         ***************
    RO         ***************
    Stack Access Login
    Username   Password
    --------   ---------------
    RW         ***************
    RO         ***************
    ...
  • Page 12: Telnet Access Configuration Examples Using Local Users With Password Security Disabled

    ERS-Stackable(config)# username user1 rwaccess switch rw
    ERS-Stackable(config)# username user2 roaccess stack ro
    ERS-Stackable(config)# username user2 roaccess switch ro
    ERS-STACKABLE: Step 3 – Enable telnet local authentication
    ERS-Stackable(config)# cli password stack telnet local
    ERS-Stackable(config)# cli password switch telnet local
    ...
  • Page 13: Verify Operations

    % Password should contain a minimum of 2 upper, 2 lowercase letters,
    % 2 numbers and 2 special characters like !@#$%^&*().
    % Please change the password
    Enter RO Switch password: **********
    Confirm RO Switch password: **********
    Enter RO Switch password: **********
    Confirm RO Switch password: **********
    ...
  • Page 14: Local Password Configuration - Password Security Enabled

    Confirm password: *********
    ERS-Stackable(config)# username tech stack ro
    Enter password: ********* (TechUser@#1234)
    Confirm password: *********
    ERS-STACKABLE: Step 2 – Enable telnet local authentication
    ERS-Stackable(config)# cli password stack telnet local
    ERS-Stackable(config)# cli password switch telnet local
    ...
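The password-security rules in the preceding pages (the complexity rule quoted in the switch's error message, and a history table that holds up to 10 previous passwords) can be modelled so that credentials are vetted before anyone types them into a switch. The following is an added example and not Avaya's code; the SHA-256 digests used for the history table are this example's own choice, and the sample passwords come from the guide's own screens.

```python
"""Added example (not Avaya's code): model the password-security checks the
guide describes so credentials can be vetted before they are typed into the
switch.  The complexity rule is the one in the switch's own error message
(2 upper, 2 lower, 2 numbers, 2 special characters from !@#$%^&*()); the
history depth is the documented maximum of 10.  Storing SHA-256 digests
rather than the passwords is this example's choice, not the switch's."""
import hashlib
from collections import deque

SPECIALS = set("!@#$%^&*()")   # characters the switch lists as "special"
HISTORY_DEPTH = 10             # "up to 10 previously used passwords"


def complexity_errors(password):
    """Return a list of rule violations; an empty list means the password passes."""
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    return [f"needs at least 2 {kind} characters, has {n}"
            for kind, n in counts.items() if n < 2]


class PasswordHistory:
    """Fixed-depth history: the oldest entry drops out when the eleventh is added,
    which is what lets an old password become usable again."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._digests = deque(maxlen=depth)

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def seen(self, password):
        return self._digest(password) in self._digests

    def commit(self, password):
        self._digests.append(self._digest(password))


def change_password(history, new_password, confirmation):
    """Mimic the switch's update flow: the confirmation must match, the complexity
    rule must pass, and the value must not still be in the history table.
    Returns (accepted, list_of_reasons)."""
    if new_password != confirmation:
        return False, ["confirmation does not match"]
    reasons = complexity_errors(new_password)
    if history.seen(new_password):
        reasons.append("password is still in the history table")
    if reasons:
        return False, reasons
    history.commit(new_password)
    return True, []
```

`TechUser@#1234` from the Page 14 example passes (T and U, six lowercase letters, four digits, `@#`), while `rwonlypasswd` from the SSH example fails three of the four counts; that second value only works on a switch whose image has password security disabled.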
  • Page 15: Ip Manager

    ssh      Enable IP Manager control over SSH sessions.
    telnet   Enable IP Manager control over TELNET sessions.
    web      Enable IP Manager control over WEB connections.
    IP Manager filters only on the source address of the connection; it limits where management sessions may come from and does not replace password, RADIUS or TACACS+ authentication.
    ERS-Stackable(config)# ipmgr source-ip ?
    <1-50>     Select which address/mask pair
    <51-100>   Select which ipv6 address/prefix
    ...
  • Page 16: Ip Manager Configuration Example

    <30>42:16:44:41 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:44:41: configure terminal
    <30>42:16:44:50 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:44:50: vlan create 89 type port
    <30>42:16:45:33 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:45:33: exit
    <30>42:16:45:38 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:45:38: exit
    ...
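The syslog lines above record every command issued over a management session together with its source address, which is exactly what is needed to check that the IP Manager address/mask list is doing its job. The following added example (not from the guide or the switch) parses lines in that format and evaluates each source address against a constructed `ipmgr source-ip` allowlist; the third sample line, from 10.0.0.5, is constructed here to show a session that the allowlist would not have admitted.

```python
"""Added example: parse ERS command-audit syslog lines and evaluate their source
addresses against an IP Manager style address/mask allowlist.  The log format is
the one shown in the guide; the allowlist entries, the 10.0.0.5 line and the
facility/severity decoding are this example's assumptions."""
import ipaddress
import re

# <PRI>uptime host :S service(source): uptime: command
LOG_RE = re.compile(
    r"^<(?P<pri>\d+)>\S+ (?P<host>\S+) :\S (?P<service>\w+)\((?P<src>[0-9a-fA-F.:]+)\): "
    r"(?P<uptime>.*?): (?P<command>.*)$"
)

SAMPLE_LOG = [  # constructed lines in the format the guide shows for audit logging
    "<30>42:16:44:41 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:44:41: configure terminal",
    "<30>42:16:44:50 ERS-Stackable :S telnet(192.168.20.100): 42 days, 16:44:50: vlan create 89 type port",
    "<30>42:16:50:02 ERS-Stackable :S telnet(10.0.0.5): 42 days, 16:50:02: show running-config",
]


def parse_audit_line(line):
    """Return a dict of fields, or None when the line is not an audit record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)  # RFC 3164 PRI = facility*8 + severity
    return rec


def build_allowlist(entries):
    """Entries are written the way ipmgr source-ip takes them: IPv4 address/mask or IPv6 prefix."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def audit(lines, entries):
    """Annotate every parsable audit line with whether its source was inside the allowlist."""
    networks = build_allowlist(entries)
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        rec["allowed"] = is_allowed(rec["src"], networks)
        out.append(rec)
    return out
```

A session that shows up as not allowed means either the allowlist on the switch differs from the one you believe is deployed, or the command was issued before `ipmgr telnet`/`ipmgr ssh`/`ipmgr web` was enabled; both are worth a look.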
  • Page 17: Telnet Password Protection Using Radius Authentication

    RADIUS server. The ERS 5000, ERS 4500, and ERS 2500 each support two different user access levels which are read-only and read-write with support for up to two RADIUS servers. RADIUS attribute type 6, Service-Type, is used to determine the access level.
  • Page 18: Password Fallback

    Hence, it is recommended that you set up an account with the user name avaya and a blank password on your RADIUS server to avoid invalid RADIUS user login messages. Give that account no Service-Type attribute, so that a reply to it cannot translate into switch access. The following command is used to configure the reachability setting: ...
  • Page 19: Use Management Ip

    IP address for all RADIUS requests independent of the outgoing interface. To enable RADIUS Management IP, please enter the following command:
    ERS-Stackable(config)# radius use-management-ip
    ...
  • Page 20: Radius Password Configuration Example

    5.3 RADIUS Password Configuration Example
    5.3.1 Ethernet Routing Switch Configuration
    Up to two RADIUS servers are supported on the ERS 5000, ERS 4500, or ERS 2500 series switches. For this configuration example we will simply configure one RADIUS server. The key avaya below is an example value; use a long random shared secret in production.
    ERS-STACKABLE: Step 1 – Add RADIUS server, enable RADIUS, and enable RADIUS accounting
    ERS-Stackable(config)# radius-server host 172.168.100.50 key avaya...
  • Page 21: Ide Radius Configuration

    Assuming we are using Identity Engines Ignition Server as the RADIUS server, please follow the configuration steps below. The following chart displays the outbound attribute values required by the ERS 5000, ERS 4500, or ERS 2500 for each access level using RADIUS attribute type 6 (Service-Type).
  • Page 22 Choose Global Outbound Attribute: pull-down menu. In the Value Unsigned – 32 bit window, enter 6 (a value of 6 signifies Administrative, i.e. read-write access). Click on OK twice when done...
  • Page 23 User Name: and enter the password for this user via Password and Confirm Password. Click on OK when done. If you wish, you can also change the expiry date via Password Expires if you do not wish to use the default setting of one year...
  • Page 24 All Outbound Values window, select the output attribute we created above named ERSrwa and click on the less-than arrow key to move the attribute to the Provision With window. When completed, you can view the complete policy by clicking on the Access Policy Summary button...
  • Page 26 Go to Site Configuration -> Authenticators -> default -> Nortel Switch and click on New. Enter the settings as shown below, making sure you select the policy we created above named ERS-access via Access Policy. Leave Enable Authenticator and Enable RADIUS Access checked. Click on OK when done...
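The RADIUS pages above describe the exchange from the server side: the switch's access level is decided by the Service-Type attribute (type 6) in the Access-Accept, with Administrative (6) meaning read-write. The added example below, which is not Avaya's firmware or the guide's own code, shows what the switch must do with such a reply: verify the Response Authenticator against the shared secret (RFC 2865 §3) before trusting any attribute, then map Service-Type to an access level. The mapping of NAS-Prompt (7) to read-only is assumed here from the usual ERS convention, since the guide's chart is not reproduced on this page; the secret `avaya` is the guide's example value.

```python
"""Added example, not part of the guide or the switch firmware: decode the
RADIUS reply an ERS receives and map RFC 2865 Service-Type to the two ERS
access levels, verifying the Response Authenticator against the shared
secret first.  Administrative (6) = read-write is stated in the guide;
NAS-Prompt (7) = read-only is assumed.  Any other value grants nothing."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SERVICE_TYPE = 6                                   # RADIUS attribute type number
ACCESS_LEVEL = {6: "read-write", 7: "read-only"}   # Service-Type value -> ERS level


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(packet):
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with the authenticator we sent."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    return code, parse_attributes(packet)


def ers_access_level(packet, request_auth, secret):
    """Return 'read-write', 'read-only', or None (no access) for a RADIUS reply."""
    code, attrs = verify_response(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return None
    for t, v in attrs:
        if t == SERVICE_TYPE and len(v) == 4:
            return ACCESS_LEVEL.get(struct.unpack("!I", v)[0])
    return None  # an Access-Accept without a recognised Service-Type grants nothing


def demo(service_type=6, secret=b"avaya", code=ACCESS_ACCEPT):
    """Simulate one exchange: the switch's random request authenticator, the server's reply."""
    request_auth = os.urandom(16)   # carried in the switch's Access-Request
    reply = build_response(code, 7, request_auth,
                           [(SERVICE_TYPE, struct.pack("!I", service_type))], secret)
    return ers_access_level(reply, request_auth, secret)
```

Two points the example makes concrete: an Access-Accept that carries no Service-Type, or an unexpected one, yields no access rather than a default level, and the authenticator check is what stops an on-path party from turning a Reject into an Accept. Both depend on the shared secret, which is why the `avaya` example key should not survive into production.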
  • Page 27: Tacacs

    6. TACACS+ The ERS 5000, ERS 4500, and ERS 2500 all support a TACACS+ client. TACACS+ provides management of users who access the switch through Telnet, serial, and SSHv2 (password authentication) connections using Transmission Control Protocol (TCP). TACACS+ supports users only on the CLI interface.
  • Page 28: Tacacs+ Configuration Example

    Ethernet Routing Switch Verify Operations
    Step 1 – Verify user names
    ERS-Stackable(config)# show tacacs
    Result:
    Primary Host: 172.168.100.50
    Secondary Host: 0.0.0.0
    Port:
    Key: ***************
    TACACS+ authorization is enabled
    Authorization is enabled on levels : 0-15
    TACACS+ accounting is enabled
    ...
  • Page 29: Ide Tacacs+ Configuration

    Non-Specified Argument of Allow as shown below for the access level 10 "user10" user. Click on OK when done. For the access level 15 user, we will simply use the default all-commands Device Command Set...
  • Page 31 Allow Commands in Set window. Next, click on the Session Values tab, check off Privilege Level and enter 15. Click on OK when done. When completed, you can view the complete policy by clicking on the Access Policy Summary button...
  • Page 33 For example, we will create a new container named Avaya Switch by right-clicking default and selecting Add Container. Go to Site Configuration -> Authenticators -> default -> Avaya Switch and click on New. Enter a name for the switch via Name, add the switch IP address via IP Address, select Wired under Authenticator Type, select Nortel via Vendor, select ers-switches-nortel via Device Template and remove the default check via Enable RADIUS Access.
  • Page 34: Sshv2

    7. SSHv2 The ERS 2500, ERS 4500, and ERS 5000 support Secure Shell (SSH). SSH is a client/server protocol for secure remote login and other secure network services over an insecure network. It is essentially a replacement for telnet which is insecure because of its weak authentication method and unencrypted data exchange.
  • Page 35: Ssh Configuration Examples

    ERS-Stackable(config)# cli password stack read-write rwonlypasswd
    ERS-STACKABLE: Step 2 – Enable secure mode
    ERS-Stackable(config)# ssh secure
    Enable secure mode will cut off all remote access. Telnet, snmp and web will be disabled. Are you sure (y/n) ? y
    ...
  • Page 36 Putty: Step 3 – Open up Putty and go to Session -> Host Name (or IP address), enter the IP address of the switch, select SSH, and click on Open when done...
  • Page 37 No to accept this fingerprint without saving it. Verify the fingerprint out of band before accepting it; a host key accepted blindly gives no protection against an impersonated switch. Putty: Step 3 – Enter login credentials, i.e. user name = RW or RO and the appropriate password, assuming the default user names are used...
  • Page 38: Verify Operations

    Result:
    Active SSH Sessions:
    Version: Version 2 only
    Port:
    Authentication Timeout:
    DSA Authentication: True
    Password Authentication: True
    DSA Auth Key TFTP Server: 47.132.2.13
    DSA Auth Key File Name:
    DSA Host Keys: Exist
    Enabled: Secure
    ...
  • Page 39: Ssh Using Public Key Authentication

    Puttygen: Step 1 – Run Puttygen and select SSH-2 DSA key with 1024 bits and click on Generate to create both a public and private key. The public key will be uploaded to the switch. You will be prompted to move your mouse to create the key. A 1024-bit DSA key is well below current key-size recommendations, and recent OpenSSH releases disable DSA keys by default; use this key only for the switch and protect the private key with a passphrase...
  • Page 40 ERS-STACKABLE: Step 3 – Copy the public key to the ERS switch using the public key name you entered in the step above, i.e. erskey.pub. SSH must first be disabled, if enabled, in order to download the key.
    ERS-Stackable(config)# no ssh
    ERS-Stackable(config)# ssh download-auth-key address 47.132.2.13 key-name erskey.pub
    The key is fetched over TFTP, which is unauthenticated; anyone who can alter the TFTP server or the path to it can substitute their own public key, so perform this step only on a trusted management network and verify the result with show ssh download-auth-key...
  • Page 41 ERS-STACKABLE: Step 4 – Disable SSH password authentication and then re-enable SSH again
    ERS-Stackable(config)# no ssh pass-auth
    ERS-Stackable(config)# ssh
    Putty: Step 4 – Open up Putty, scroll down to SSH -> Auth and select the private key generated above by clicking on the Browse icon...
  • Page 42 Putty: Step 5 – Go to Session -> Host Name (or IP address), enter the IP address of the switch, select SSH, and click on Open when done...
  • Page 43 Putty: Step 6 – Enter any user name you like when prompted with the login as prompt and enter the DSA key passphrase from the DSA key you generated above...
  • Page 44: Verify Operations

    DSA Host Keys: Exist
    Enabled: True
    Step 3 – Verify DSA download public key
    ERS-Stackable# show ssh download-auth-key
    Result:
    DSA Auth Key TFTP Server: 47.132.2.13
    DSA Auth Key File Name: erskey.pub
    Last Transfer Result: Success
    ...
  • Page 45: Web Access - Enterprise Device Manager

    Also, TACACS+ cannot be enabled if you wish to enable HTTP access. Please see the Telnet password protection sections above, using either local authentication or RADIUS authentication, if you wish to provide WEB access user name and password protection...
  • Page 46: Secure Socket Layer Protocol - Ssl

    SSL certificates are issued and signed by a Certificate Authority (CA) such as VeriSign. Because the management and cost of purchasing a certificate from a CA is a client concern, Avaya issues and signs the SSL certificate with the understanding that it is not a recognized CA. Browsers will therefore warn about the switch's certificate; record its fingerprint when the switch is first provisioned and compare it against the warning rather than clicking through.
  • Page 47 To enable IP Manager control for WEB SSL access, enter the following commands, depending on whether IPv4 or IPv6 addressing is used:
    ERS-Stackable(config)# ipmgr source-ip <1-50> <IPv4 address/mask>
    ERS-Stackable(config)# ipmgr source-ip <51-100> <IPv6 address/prefix>
    ERS-Stackable(config)# ipmgr web
    ...
  • Page 48: Simple Network Management Protocol - Snmp

    To change the SNMP read-only community string, enter the following command:
    ERS-Stackable(config)# snmp-server community <ro string> ro
    or, to have the string prompted for rather than typed on the command line:
    ERS-Stackable(config)# snmp-server community ro
    Enter community string: <enter ro string>
    Confirm community string: <enter ro string>
    ...
  • Page 49: Snmp Mib View

    Trap #4
    IP Address: 0.0.0.0
    Community String: ***************
    Authentication Trap: Enabled
    AutoTopology: Enabled
    10.3 SNMP MIB View
    To add a new SNMP MIB view, enter the following command:
    ERS-Stackable(config)# snmp-server view <view name> <oid .. oid>
    ...
  • Page 50: Snmp Trap Receivers

    SNMP server community string(s) should be defined first, supporting a notify view, using the NNCLI syntax: snmp-server community read-view <view name> write-view <view name> notify-view <view name>...
  • Page 51: Snmp System Name, Contact, And Location

    2526T-10(config)# default snmp-server name
    2526T-PWR(config)#
    10.6 Disable SNMPv1 and SNMPv2
    SNMPv1 and SNMPv2 access can be disabled by entering the following commands:
    ERS-Stackable(config)# no snmp-server community rw
    ERS-Stackable(config)# no snmp-server community ro
    ...
  • Page 52: Snmpv3

    By default, there is a default authNoPriv account with a user name of initial and an MD5 password of initial. This account is public knowledge, so delete it before the switch is exposed to the management network by issuing the command no snmp-server user initial...
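Why the factory `initial`/`initial` account matters is clearer once the SNMPv3 key derivation is in view: USM localizes the user's password to the engine's ID (RFC 3414 A.2.1), and the engine ID is handed to any unauthenticated discovery request, so the authentication key of a known default password is computable by anyone on the network. The following added example, not from the guide or the switch, implements that derivation for MD5 and the HMAC-MD5-96 authentication it feeds; the engine ID in the test is the RFC's own test vector, whereas a real ERS engine ID is whatever the switch reports.

```python
"""Added example, not part of the guide: RFC 3414 A.2.1 password-to-key for
MD5 and the engine-ID localization step, plus the HMAC-MD5-96 message
authentication it is used for (RFC 3414 section 6.3).  It shows that the
factory 'initial' user's key is derivable from public information."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 expands the password to exactly this many bytes


def password_to_key_md5(password: bytes, engine_id: bytes) -> bytes:
    """Return Kul, the key localized to the authoritative engine."""
    if not password:
        raise ValueError("empty password")
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SNMP engine IDs are 5 to 32 octets")
    # Step 1: Ku = MD5 over the password repeated to 1,048,576 bytes
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    ku = hashlib.md5(stream).digest()
    # Step 2: Kul = MD5(Ku || engineID || Ku)
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_params_md5_96(localized_key: bytes, whole_message: bytes) -> bytes:
    """msgAuthenticationParameters for an outgoing message: the message is hashed
    with its 12-byte authentication field already zeroed (the caller's job)."""
    return hmac.new(localized_key, whole_message, "md5").digest()[:12]


def default_initial_user_key(engine_id: bytes) -> bytes:
    """The localized key anyone can compute for the factory 'initial' account once
    they have learned the engine ID from a discovery exchange."""
    return password_to_key_md5(b"initial", engine_id)
```

The same derivation with SHA-1 in place of MD5 gives the usmHMACSHAAuthProtocol key; either way, deleting the `initial` user is the fix, not changing its password to another guessable value.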
  • Page 53: Enabling Secure Snmp

    Note: In this configuration, restricted contains a smaller subset of views than the internet view. The subsets are defined according to RFC 3415 Appendix A. <very-secure> Specifies a maximum security configuration that allows no access to the users...
  • Page 54: Snmp Configuration Examples

    ERS-Stackable(config)# snmp-server view no_ip +1.3 -1.3.6.1.4.1.2272.1.8
    ERS-STACKABLE: Step 4 – Create a new community named noipreadwrite with the write-view created above named no_ip
    ERS-Stackable(config)# snmp-server community write-view noipreadwrite
    Enter community string: ***** (no_ip)
    Confirm community string: ***** (no_ip)
    ...
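The `no_ip` view above is a list of included (`+`) and excluded (`-`) subtrees, and the question "can this community SET this OID?" is answered by the VACM rule (RFC 3415, vacmViewTreeFamilyTable): among the entries whose subtree is a prefix of the target, the longest one wins, and its include/exclude type decides. The following added example, not the switch's code, implements that evaluation for view strings written in the switch's syntax; the community table is a constructed illustration of the Step 4 community, and view masks (wildcard subtrees) are not modelled.

```python
"""Added example (not the switch's code): evaluate an ERS-style SNMP view
specification such as '+1.3 -1.3.6.1.4.1.2272.1.8' the way VACM does.
Masks are not modelled; the community table below is constructed."""


def parse_oid(oid):
    return tuple(int(x) for x in oid.strip().strip(".").split("."))


def parse_view_spec(spec):
    """'+1.3 -1.3.6.1.4.1.2272.1.8' -> [((1, 3), True), ((1, 3, 6, 1, 4, 1, 2272, 1, 8), False)]"""
    entries = []
    for tok in spec.split():
        if tok[0] not in "+-":
            raise ValueError(f"view entry must start with + or -: {tok}")
        entries.append((parse_oid(tok[1:]), tok[0] == "+"))
    return entries


def in_view(entries, oid):
    """RFC 3415 rule: the longest subtree that is a prefix of the target decides;
    ties go to the lexicographically greater subtree.  No match means not in view."""
    target = parse_oid(oid)
    best = None
    for subtree, included in entries:
        if target[:len(subtree)] != subtree:
            continue
        if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
            best = (subtree, included)
    return best is not None and best[1]


# Constructed community table modelled on the guide's Step 4: the community may read
# the whole tree but may only write through no_ip, which carves out 1.3.6.1.4.1.2272.1.8.
VIEWS = {
    "internet": parse_view_spec("+1.3"),
    "no_ip": parse_view_spec("+1.3 -1.3.6.1.4.1.2272.1.8"),
}
COMMUNITIES = {
    "noipreadwrite": {"get": "internet", "set": "no_ip"},
}


def authorize(community, op, oid):
    """op is 'get' or 'set'; unknown communities and operations are denied."""
    views = COMMUNITIES.get(community)
    if views is None or op not in views:
        return False
    return in_view(VIEWS[views[op]], oid)
```

Because the decision is longest-match rather than first-match, the order in which `+` and `-` entries are typed does not matter, but a later `+1.3.6.1.4.1.2272.1.8.1` entry would re-open part of the excluded subtree; `show snmp-server view` is the place to confirm what actually took effect.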
  • Page 55: Verify Operations

    RO AC +1.3.6.1.6.3.10
    RO AC +1.3.6.1.6.3.12
    RO AC +1.3.6.1.6.3.13
    RO AC +1.3.6.1.6.3.1.1.4
    RO AC +1.3.6.1.6.3.1.1.5
    -------------------------------- -- -- -------------------------------------
    webSnmpObjs RO AC +1.3
    RO AC +1.0.8802.1.1.1
    RO AC +1.0.8802.1.1.2
    RO AC +1.2.840.10006.300.43
    -------------------------------- -- -- -------------------------------------
    ...
  • Page 56 If using EDM, you can use it to perform a MIB walk as shown below. Open up a browser connection and enter the management IP address of your switch. The result shown below shows the MIB object ID for IP. Result:...
  • Page 57: Snmpv3 Configuration Example

    Confirm 3DES pass-phrase: *********** (despasswdrw)
    The SNMP view name used in this example is one of the default MIB views on the Ethernet Routing Switch, which can be listed by entering the CLI command show snmp-server view...
  • Page 58: Verify Operations

    Storage Type: Non Volatile (NVRAM)
    Status: Active
    Views for Unauthenticated Access:
      Read View: restricted
      Write View:
      Notify View: restricted
    Views for Authenticated Access:
      Read View: internet
      Write View: internet
      Notify View: internet
    ---------------------------------------------------------------------------
    User Name: templateMD5
    ...
  • Page 59
    SNMP Engine ID: Local
    Authentication Protocol:
    Privacy Protocol: None
    Storage Type: Non Volatile (NVRAM)
    Status: Active
    Views for Unauthenticated Access:
      Read View:
      Write View:
      Notify View:
    Views for Authenticated Access:
      Read View:
      Write View:
      Notify View:
    ---------------------------------------------------------------------------
    ...
  • Page 60: Snmp Trap Notification Control

    10.10 SNMP Trap Notification Control
    SNMP Trap functionality on the ERS 4500 5.4, ERS 2500 4.3, and ERS 5000 6.2 is changed to align all SNMP trap control to the new "notification control" method. Previously on the Ethernet Routing Switch, the following functions already used this method: DHCP Snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
  • Page 61 To add a notification filter and apply it to an SNMP trap host, enter the following commands, assuming an SNMPv1 trap receiver is used:
    ERS-Stackable(config)# snmp-server notify-filter <filter name> <notification name or OID>
    ERS-Stackable(config)# snmp-server host <IPv4 or IPv6 address> v1 <SNMPv1 community string> filter <filter name>
    ...
  • Page 62: Software Baseline

    © 2010 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc.
