Configuration Guide - Basic Configuration


Configuration Guide - Basic Configuration
Release: 5.3
Document Revision: 01.01
www.nortel.com
NN46240-501 324555-A Rev01

Release: 5.3
Publication: NN46240-501
Document Revision: 01.01
Document status: Standard
Document release date: 30 March 2009
Copyright 2009 Nortel Networks. All Rights Reserved.
Printed in Canada, India, and the United States of America

LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

ATTENTION
For information about the safety precautions, read "Safety messages" in this guide. For information about the software license, read "Software license" in this guide.

Contents

About this document ... 1

1 Product overview ... 1-1
  1.1 Introduction ... 1-2
    1.1.1 Secure Router 8000 Series ... 1-2
    1.1.2 Architecture ... 1-2
    1.1.3 Versatile Routing Platform ... 1-3
  1.2 Functional features ... 1-3
  1.3 Functions ... 1-9
    1.3.1 File system ... 1-10
    1.3.2 SNMP configuration ... 1-10
    1.3.3 Terminal services ... 1-10
    1.3.4 High Availability ... 1-11
    1.3.5 Interfaces ... 1-12
    1.3.6 Link layer protocols ... 1-12
    1.3.7 IP services ... 1-12
    1.3.8 Unicast routing protocols ... 1-13
    1.3.9 Multicast routing protocols ... 1-14
    1.3.10 MPLS features ... 1-14
    1.3.11 VPN services ... 1-15
    1.3.12 QoS ... 1-15
    1.3.13 Security features ... 1-17

2 Configuration environment setup ... 2-1
  2.1 Introduction ... 2-2
    2.1.1 Console port configuration ... 2-2
    2.1.2 Telnet configuration ... 2-2
    2.1.3 AUX port configuration ... 2-3
  2.2 Establishing the local configuration environment through the console port ... 2-3
    2.2.1 Establishing the configuration task ... 2-3
    2.2.2 Establishing the physical connection ... 2-4
    2.2.3 Configuring terminals ... 2-4
    2.2.4 Logging on to the router ... 2-4
  2.3 Establishing the configuration environment through Telnet ... 2-4
    2.3.1 Establishing the configuration task ... 2-4
    2.3.2 Establishing the physical connection ... 2-5
    2.3.3 Configuring logon user parameters ... 2-5
    2.3.4 Logging on from the Telnet client ... 2-5
  2.4 Establishing the configuration environment through the AUX port ... 2-6
    2.4.1 Establishing the configuration task ... 2-6
    2.4.2 Establishing the physical connection ... 2-6
    2.4.3 Initializing and configuring the modem on the interface ... 2-7
    2.4.4 Configuring the connection between the remote terminal and the router ... 2-7
    2.4.5 Logging on to the router ... 2-7
  2.5 Configuration examples ... 2-7
    2.5.1 Example of logging on through the console port ... 2-7
    2.5.2 Example of logging on through Telnet ... 2-10
    2.5.3 Example of logging on through the AUX port ... 2-11

3 CLI overview ... 3-1
  3.1 Introduction ... 3-2
    3.1.1 CLI characteristics ... 3-2
    3.1.2 Command levels ... 3-3
    3.1.3 Command line views ... 3-3
    3.1.4 Regular expressions ... 3-3
  3.2 Configuring the command line view ... 3-4
  3.3 CLI online Help ... 3-7
  3.4 CLI error messages ... 3-8
  3.5 Command history ... 3-8
  3.6 Editing characteristics ... 3-9
  3.7 Display characteristics ... 3-9
  3.8 Outputting the display ... 3-10
    3.8.1 Viewing the display ... 3-10
    3.8.2 Filtering the display ... 3-10
  3.9 Filtering information through regular expressions ... 3-10
  3.10 Shortcut keys ... 3-11
    3.10.1 Classifying shortcut keys ... 3-11
    3.10.2 Defining shortcut keys ... 3-13
    3.10.3 Using shortcut keys ... 3-13
  3.11 Configuration examples ... 3-14
    3.11.1 Example for using shortcut keys ... 3-14

4 Basic configuration ... 4-1
  4.1 Introduction ... 4-2
    4.1.1 Extension of command levels ... 4-2
    4.1.2 Extension of user levels ... 4-2
  4.2 Configuring the basic system environment ... 4-2
    4.2.1 Establishing the configuration task ... 4-2
    4.2.2 Configuring the device name ... 4-3
    4.2.3 Configuring the system clock ... 4-4
    4.2.4 Configuring the header text ... 4-4
    4.2.5 Configuring the password for switching user levels ... 4-5
    4.2.6 Switching user levels ... 4-5
    4.2.7 Locking the user interface ... 4-6
    4.2.8 Configuring command privilege levels ... 4-6
    4.2.9 Displaying system status messages ... 4-6

5 User management ... 5-1
  5.1 Introduction ... 5-2
    5.1.1 User interface view ... 5-2
    5.1.2 User management ... 5-3
  5.2 Configuring a user interface ... 5-4
    5.2.1 Establishing the configuration task ... 5-4
    5.2.2 Transmitting messages between user interfaces ... 5-6
    5.2.3 Configuring asynchronous interface attributes ... 5-6
    5.2.4 Setting terminal attributes ... 5-7
    5.2.5 Configuring the user interface priority ... 5-7
    5.2.6 Configuring modem attributes ... 5-8
    5.2.7 Configuring an auto-execute command ... 5-8
    5.2.8 Configuring the redirection function ... 5-9
    5.2.9 Configuring the call-in or call-out restrictions of the VTY user interface ... 5-9
    5.2.10 Configuring the maximum number of VTY user interfaces ... 5-10
    5.2.11 Configuring the authentication timeout for VTY users ... 5-10
    5.2.12 Disconnecting a user interface ... 5-11
    5.2.13 Checking the configuration ... 5-11
  5.3 Configuring user management ... 5-11
    5.3.1 Establishing the configuration task ... 5-11
    5.3.2 Configuring the authentication mode ... 5-12
    5.3.3 Configuring the authentication password ... 5-13
    5.3.4 Configuring the user name and password for AAA local authentication ... 5-13
    5.3.5 Configuring the user priority ... 5-14
    5.3.6 Checking the configuration ... 5-14
  5.4 Configuring local user management ... 5-14
    5.4.1 Establishing the configuration task ... 5-14
    5.4.2 Creating the local user account ... 5-15
    5.4.3 Configuring the service type of the local user ... 5-15
    5.4.4 Configuring FTP directory authority for the local user ... 5-16
    5.4.5 Configuring the local user status ... 5-16
    5.4.6 Configuring the local user priority ... 5-17
    5.4.7 Configuring the access restriction of the local user ... 5-17
    5.4.8 Checking the configuration ... 5-17
  5.5 Configuration examples ... 5-18
    5.5.1 Example of logging on to the router through password authentication ... 5-18
    5.5.2 Example of logging on to the router through AAA ... 5-19

6 File system management ... 6-1
  6.1 Introduction ... 6-2
    6.1.1 File system ... 6-2
    6.1.2 Storage devices ... 6-2
    6.1.3 Files ... 6-2
    6.1.4 Directories ... 6-2
  6.2 Managing directories ... 6-2
    6.2.1 Establishing the configuration task ... 6-2
    6.2.2 Viewing the current directory ... 6-3
    6.2.3 Switching the directory ... 6-3
    6.2.4 Displaying the files in a directory ... 6-4
    6.2.5 Creating a directory ... 6-4
    6.2.6 Deleting a directory ... 6-4
  6.3 Managing files ... 6-5
    6.3.1 Displaying the contents of a file ... 6-5
    6.3.2 Copying a file ... 6-6
    6.3.3 Moving a file ... 6-6
    6.3.4 Renaming a file ... 6-6
    6.3.5 Deleting a file ... 6-7
    6.3.6 Deleting files in the recycle bin ... 6-7
    6.3.7 Restoring files ... 6-7
  6.4 Configuring batch configuration ... 6-8
  6.5 Managing storage devices ... 6-8
  6.6 Configuring prompt modes ... 6-9
  6.7 Example of configuring directory management ... 6-10

7 Configuration file management ... 7-1
  7.1 Introduction ... 7-2
    7.1.1 Configuration file ... 7-2
    7.1.2 Configuration files and current configurations ... 7-2
  7.2 Displaying the configuration of the router ... 7-2
    7.2.1 Viewing the initial configuration ... 7-2
    7.2.2 Viewing the current configuration ... 7-3
    7.2.3 Viewing the running configuration in the current view ... 7-3
  7.3 Saving the current configuration ... 7-3
  7.4 Clearing the running information ... 7-3
  7.5 Comparing configuration files ... 7-4

8 FTP, TFTP, and Xmodem ... 8-1
  8.1 Introduction ... 8-2
    8.1.1 FTP ... 8-2
    8.1.2 TFTP ... 8-2
    8.1.3 Xmodem ... 8-2
  8.2 Configuring the router to be the FTP server ... 8-3
    8.2.1 Establishing the configuration task ... 8-3
    8.2.2 Enabling the FTP server ... 8-4
    8.2.3 Configuring the timeout period ... 8-4
    8.2.4 Configuring the local user name and password ... 8-4
    8.2.5 Configuring service types and authorization information ... 8-5
    8.2.6 Checking the configuration ... 8-5
  8.3 Configuring FTP ACL ... 8-6
    8.3.1 Establishing the configuration task ... 8-6
    8.3.2 Enabling the FTP server ... 8-6
    8.3.3 Configuring the basic ACL ... 8-7
    8.3.4 Configuring the basic FTP ACL ... 8-7
  8.4 Configuring the router to be the FTP client ... 8-8
    8.4.1 Establishing the configuration task ... 8-8
    8.4.2 Logging on to the FTP server ... 8-8
    8.4.3 Configuring the file transmission mode ... 8-9
    8.4.4 Viewing online Help for the FTP command ... 8-9
    8.4.5 Uploading or downloading files ... 8-9
    8.4.6 Managing directories ... 8-10
    8.4.7 Managing files ... 8-11
    8.4.8 Changing logon users ... 8-11
    8.4.9 Disconnecting FTP ... 8-11
  8.5 Configuring TFTP ... 8-12
    8.5.1 Establishing the configuration task ... 8-12
    8.5.2 Downloading files through TFTP ... 8-12
    8.5.3 Uploading files through TFTP ... 8-13
  8.6 Limiting access to the TFTP server ... 8-13
    8.6.1 Establishing the configuration task ... 8-13
    8.6.2 Configuring the basic ACL ... 8-14
    8.6.3 Configuring the basic TFTP ACL ... 8-14
  8.7 Configuring Xmodem ... 8-14
    8.7.1 Establishing the configuration task ... 8-14
    8.7.2 Retrieving a file through Xmodem ... 8-15
  8.8 Configuration examples ... 8-15
    8.8.1 Example of configuring the FTP server ... 8-15
    8.8.2 Example of configuring FTP ACL ... 8-17
    8.8.3 Example of configuring the FTP client ... 8-19
    8.8.4 Example of configuring TFTP ... 8-20
    8.8.5 Example of configuring Xmodem ... 8-22

9 Telnet and SSH ... 9-1
  9.1 Introduction ... 9-2
    9.1.1 Overview of user logon ... 9-2
    9.1.2 Telnet terminal services ... 9-2
    9.1.3 SSH terminal services ... 9-4
  9.2 Configuring Telnet terminal services ... 9-6
    9.2.1 Establishing the configuration task ... 9-6
    9.2.2 Establishing a Telnet connection ... 9-7
    9.2.3 Scheduling Telnet disconnection ... 9-7
    9.2.4 Checking the configuration ... 9-8
  9.3 Configuring SSH terminal services ... 9-8
    9.3.1 Establishing the configuration task ... 9-8
    9.3.2 Configuring SSH for the VTY user interface ... 9-9
    9.3.3 Generating the local RSA key pair ... 9-10
    9.3.4 Authenticating the SSH client through the password ... 9-10
    9.3.5 Authenticating the SSH client through RSA ... 9-11
    9.3.6 Configuring basic authentication information for the SSH user ... 9-12
    9.3.7 Authorizing the SSH user through the command line interface ... 9-12
    9.3.8 Checking the configuration ... 9-12
  9.4 Maintaining Telnet and SSH ... 9-13
    9.4.1 Debugging Telnet terminal services ... 9-13
    9.4.2 Debugging SSH terminal services ... 9-13
  9.5 Configuration examples ... 9-14
    9.5.1 Example of configuring Telnet terminal services ... 9-14
    9.5.2 Example of configuring password authentication ... 9-16
    9.5.3 Example of configuring RSA authentication ... 9-17

10 Router maintenance ... 10-1
  10.1 Introduction ... 10-2
    10.1.1 Device operation management ... 10-2
    10.1.2 Electronic label ... 10-2
  10.2 Powering off the FIC/HIC ... 10-2
    10.2.1 Establishing the configuration task ... 10-2
    10.2.2 Powering off the FIC/HIC ... 10-3
    10.2.3 Checking the configuration ... 10-3
  10.3 Managing the device operation ... 10-4
    10.3.1 Establishing the configuration task ... 10-4
    10.3.2 Specifying the slave RPU ... 10-5
    10.3.3 Restarting the router ... 10-5
    10.3.4 Performing the master/slave switchover ... 10-6
  10.4 Monitoring the router status ... 10-7
    10.4.1 Displaying the basic device information ... 10-7
    10.4.2 Displaying the system version information ... 10-7
    10.4.3 Displaying RPU restart information ... 10-8
  10.5 Configuring the electronic label ... 10-9
    10.5.1 Establishing the configuration task ... 10-9
    10.5.2 Querying the electronic label ... 10-9
    10.5.3 Backing up the electronic label ... 10-9

11 System software upgrade ... 11-1
  11.1 Introduction ... 11-2
    11.1.1 System software upgrade ... 11-2
    11.1.2 License ... 11-2
  11.2 Uploading the system software and license files ... 11-3
    11.2.1 Establishing the configuration task ... 11-3
    11.2.2 Uploading the system software and license to the master RPU ... 11-3
    11.2.3 Copying the system software and license to the slave RPU ... 11-4
    11.2.4 Checking the configuration ... 11-4
  11.3 Specifying the system software for the next router startup ... 11-5
    11.3.1 Establishing the configuration task ... 11-5
    11.3.2 Specifying the system software for the next startup of the master RPU ... 11-5
    11.3.3 Specifying the system software for the next startup of the slave RPU ... 11-6
    11.3.4 Checking the configuration ... 11-6

12 Patch management ... 12-1
  12.1 Introduction ... 12-2
  12.2 Checking the system for running patches ... 12-3
    12.2.1 Establishing the configuration task ... 12-3
    12.2.2 Checking for a running patch on the RPU ... 12-3
  12.3 Uploading a patch ... 12-4
    12.3.1 Establishing the configuration task ... 12-4
    12.3.2 Uploading a patch to the root directory of the flash of the master RPU ... 12-4
    12.3.3 Copying a patch to the root directory of the flash of the slave RPU ... 12-5
  12.4 Installing a patch on the RPU ... 12-5
    12.4.1 Establishing the configuration task ... 12-5
    12.4.2 Uploading the RPU patch ... 12-6
    12.4.3 Activating the RPU patch ... 12-6
    12.4.4 Running the RPU patch ... 12-6
  12.5 Canceling the RPU patch ... 12-6
    12.5.1 Establishing the configuration task ... 12-6
    12.5.2 Deactivating the RPU patch ... 12-7
  12.6 Removing the RPU patch ... 12-7
    12.6.1 Establishing the configuration task ... 12-7
    12.6.2 Deleting the RPU patch ... 12-8

A Glossary ... A-1
B Acronyms and abbreviations ... B-1
Index ... i-1

Issue 5.3 (30 March 2009) Nortel Networks Inc.

Figures

Figure 1-1 Architecture ... 1-3
Figure 2-1 Networking diagram of logging on through the console port ... 2-8
Figure 2-2 New connection ... 2-8
Figure 2-3 Setting the port ... 2-9
Figure 2-4 Setting the port communication parameters ... 2-9
Figure 2-5 Establishing the configuration environment through the wide area network (WAN) ... 2-10
Figure 2-6 Running the Telnet program on the PC ... 2-11
Figure 2-7 Establishing the remote configuration environment ... 2-11
Figure 8-1 Using FTP to download files ... 8-16
Figure 8-2 FTP ACL ... 8-18
Figure 8-3 Configuring the FTP client ... 8-19
Figure 8-4 Using TFTP to download files ... 8-21
Figure 8-5 Setting the base directory of the TFTP server ... 8-21
Figure 8-6 Specifying the file to send ... 8-23
Figure 9-1 Telnet client services ... 9-3
Figure 9-2 Telnet redirection services ... 9-3
Figure 9-3 Usage of Telnet shortcut keys ... 9-3
Figure 9-4 Establishing an SSH channel in a LAN ... 9-5
Figure 9-5 Establishing an SSH channel in a WAN ... 9-5
Figure 9-6 Networking diagram for Telnet mode ... 9-14
Figure 9-7 Networking diagram of SSH password authentication ... 9-16
Figure 9-8 Accessing the router from the client software ... 9-17
Figure 9-9 Networking diagram of RSA ... 9-18
Figure 12-1 Conversion of patch status ... 12-2

Tables

Table 1-1 System service features ... 1-3
Table 3-1 Command line views ... 3-5
Table 3-2 Common CLI error messages ... 3-8
Table 3-3 Access the command history ... 3-8
Table 3-4 Editing functions ... 3-9
Table 3-5 Display functions ... 3-10
Table 3-6 Metacharacters ... 3-10
Table 3-7 System-defined shortcut keys ... 3-12
Table 5-1 Examples of absolute numbering ... 5-2


About this document

Overview
This section describes the organization of this document, the product version, the intended audience, the conventions used, and the update history.

Related versions
The following table lists the product versions related to this document.

  Product name: Nortel Secure Router 8000 Series
  Version: Nortel Secure Router 8000 Series

Intended audience
This document is intended for the following audience:
  - network operators
  - network administrators
  - network maintenance engineers

Organization
This document consists of twelve chapters and is organized as follows.

  Chapter 1, Product overview: describes the architecture, features, and main functions of the Nortel Secure Router 8000 Series.
  Chapter 2, Establishment of the Configuration Environment: describes the procedures to set up the configuration environment through the console port, Telnet, and the AUX port.
  Chapter 3, CLI overview: describes the command line interface (CLI), command levels, command views, and hot keys.
  Chapter 4, Basic configuration: describes how to configure the basic system environment on the router.
  Chapter 5, User management: describes the basic concepts of the user interface and user management.
  Chapter 6, File System: describes the file system and its configuration.
  Chapter 7, Management of Configuration Files: describes how to manage the configuration file.
  Chapter 8, FTP, TFTP, and Xmodem: describes how to configure the basic functions of the File Transfer Protocol (FTP) server, and how to upload and download files through FTP, Trivial File Transfer Protocol (TFTP), and Xmodem.
  Chapter 9, Telnet and SSH: provides an overview of Telnet and Secure Shell (SSH) and describes how to log on to the router through Telnet and configure the router.
  Chapter 10, Router maintenance: describes the principles and concepts of router maintenance.
  Chapter 11, System software upgrade: describes the principles and concepts of system software upgrades.
  Chapter 12, Patch management: describes the principles and concepts of patch management.
  Appendix A, Glossary, and Appendix B, Acronyms and Abbreviations: contain a glossary and a list of frequently used acronyms and abbreviations.
  Index: lists important key words used in this manual to help you access information quickly.

Conventions

Symbol conventions
The following table describes the symbols that are used in this document. The symbol icons themselves are not reproduced in this text; only their meanings are listed.

  - Indicates a hazard with a high level of risk that, if not avoided, can result in death or serious injury.
  - Indicates a hazard with a medium or low level of risk that, if not avoided, can result in minor or moderate injury.
  - Indicates a potentially hazardous situation that, if not avoided, can cause equipment damage, data loss, performance degradation, or unexpected results.
  - Indicates a tip that may help you solve a problem or save time.
  - Provides additional information to emphasize or supplement important points of the main text.

General conventions
  Times New Roman: Normal paragraphs are in Times New Roman font.
  Boldface: Names of files, directories, folders, and users are in boldface. For example, log on as the user root.
  Italic: Book titles are in italics.
  Courier New: Terminal display is in Courier New font.

Command conventions
  Boldface: The keywords of a command line are in boldface.
  Italic: Command arguments are in italics.
  [ ]: Items (keywords or arguments) in square brackets are optional.
  { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. You select one item.
  [ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. You select one item or no item.
  { x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. You can select a minimum of one item or a maximum of all items.
  [ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. You can select no item or multiple items.
  &<1-n>: The parameter before the ampersand sign (&) can be repeated 1 to n times.
  #: A line starting with the number sign (#) contains comments.

GUI conventions
  Boldface: Buttons, menus, parameters, tabs, windows, and dialog box titles are in boldface. For example, click OK.
  >: Multilevel menus are in boldface and separated by the right-angled bracket sign (>). For example, choose File > Create > Folder.

Keyboard operation
  Key: Press the key. For example, press Enter and press Tab.
  Key 1+Key 2: Press the keys concurrently. For example, Ctrl+Alt+A means press the three keys concurrently.
  Key 1, Key 2: Press the keys in turn. For example, Alt, A means press the two keys in turn.

Mouse operation
  Click: Select and release the primary mouse button without moving the pointer.
  Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
  Drag: Press and hold the primary mouse button and move the pointer to a new position.

Update history
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Updates in Issue 01 (2008-06-06): This is the first release of this document.


1 Product overview

About this chapter
The following table shows the contents of this chapter.

  1.1 Introduction: describes the characteristics of the Secure Router 8000 Series.
  1.2 Functional features: describes the functional features of the Secure Router 8000 Series.
  1.3 Functions: describes the main functions of the Secure Router 8000 Series.

1.1 Introduction
This section describes the characteristics of the Secure Router 8000 Series:
  - Secure Router 8000 Series
  - Architecture
  - Versatile Routing Platform

1.1.1 Secure Router 8000 Series
The Secure Router 8000 Series routers are grouped into the SR8002, SR8004, SR8008, and SR8012 based on the number of slots. The equipment structure and the system of the SR8012 are similar to those of the SR8008. All of the routers have a modular architecture and provide optional multifunctional interface modules such as the High-speed Interface Card (HIC) and the Flexible Interface Card (FIC).

The Secure Router 8000 Series routers provide a consistent network interface, user interface, and management interface, as well as flexibility and configurability. The routers integrate technologies such as Multiprotocol Label Switching (MPLS), Virtual Private Network (VPN), Quality of Service (QoS), traffic engineering, multicast, and user management. The routers also support link layer protocols.

In networking applications, as high-performance convergence devices, the routers provide overall service processing capacity and flexible network solutions, improving network value and reducing costs.

1.1.2 Architecture
Based on the TCP/IP structure model, the Secure Router 8000 Series supports multiple data link layer protocols, network layer protocols, and application layer protocols, as shown in Figure 1-1.

1 Product overview Figure 1-1 Architecture Service Control Plane(SCP) General Control Plane(GCP) System Manage Plane(SMP) Routing VPN Config Management Protocol Client AAA/Local-MCM Data Forwarding Plane(DFP) FE API FEC FE DRV FE URP4/6 MRP4/6 VPN_ExTE_Ex RM4/6 IP Stack Application Layer Socket Layer TCP4/6 UDP4/6 IP4/6 ICMP4/6 Net Interface IFNET/PPP/ETH/ ATM/Tunnel L2VPN/L3VPN MPLS CSPF/CR-LDP/ RSVP-TE Security FireWall/ACL/ NAT QoS BW-M/QoSM/ RSVP CLI/SNMP/WebUI CMO Information Management Trace/State Multi Languages Device Management Hot Plug Switch Over System Service Plane(SSP) RPC IPC OSAL Operating System 1.1.3 Versatile Routing Platform Versatile Routing Platform (VRP) is a proprietary network operating system platform, developed for Nortel data communication products. VRP has a modular architecture and can provide rich functional features and scalability based on applications. With TCP/IP as its core protocol suite, VRP performs the following functions: integrates routing, QoS, VPN, security, and IP voice in the operating system provides enhanced data forwarding capabilities for routing equipment by using IP TurboEngine technology provides various hardware platforms with a consistent network interface, user interface, and management interface provides users with flexible application solutions 1.2 Functional features This section describes the functional features of the Secure Router 8000 Series. Table 1-1 System service features Service features Network interconnection Description LAN protocol Ethernet VLAN Issue 5.3 (30 March 2009) Nortel Networks Inc. 1-3

1 Product overview Nortel Secure Router 8000 Series Service features Description Network protocol Link layer protocol IP service Protocol stacks IPv4 routing IPv6 routing IP multicast protocols PPP and MP HDLC (High-level Data Link Control) Frame Relay ATM PPPoE, IPoA, PPPoA, and PPPoEoA ARP Domain name resolution NAT IP unnumbered address DHCP relay and DHCP server IP policy-based routing IP packet filtering IPv4 and IPv6 dual protocol stacks IPv6 forwarding through the hardware Static route management Dynamic unicast routing protocols: RIP-1/RIP-2 OSPF IS-IS BGP-4/MBGP/BGP VPN V4 Routing policies IPv4-to-IPv6 transition technologies: manual tunnel configuration, automatic tunnel configuration, 6to4 tunnel, NAT-PT on the hardware IPv6 static route, BGP4/BGP4+, RIPng, OSPFv3, and ISISv6 dynamic routing protocol IPv6 MIB: ICMPv6 MIB, UDP6 MIB, TCP6 MIB, and IPv6 MIB IGMP PIM-DM, PIM-SM PIM-SSM MBGP MSDP MPLS MPLS Basic MPLS forwarding MPLS LDP MPLS TE MPLS QoS Hierarchy of PE (HoPE) 1-4 Nortel Networks Inc. Issue 5.3 (15 January 2009)

1 Product overview Service features VPN Network security Description L2VPN PWE3 L3VPN AAA service IPSec encryption MPLS L2VPN (Martini, Kompella, CCC and SVC) VPLS L2TP Single- and multi-hop PWs in LDP mode Static PW, dynamic PW, and RSVP-PW LSP, GRE, and TE tunnels Pseudo wire templates Interconnection with different media PW QoS Encapsulation modes: Ethernet, VLAN, FR, PPP, HDLC, ATM-n-to-1, ATM-1-to-1, and ATM-SDU Multi-hop LDP-PW loop detection PWE3 inter-as Interworking between PWE3 and VPLS ATM QoS class, CLP, DSCP, 801.1p, and MPLS EXP mapping ATM OAM transparent transmission MPLS/BGP VPN, serving as PE/ P Inter-AS VPN Hierarchy of VPN (HoVPN) GRE CHAP authentication PAP authentication RADIUS HWTACACS Local user management IKE and IPSec through hardware, including IKE negotiation, IPSec packet process, and SA management Issue 5.3 (30 March 2009) Nortel Networks Inc. 1-5

NetStream: NetStream flows keyed on a septet (source IP address, destination IP address, source port number, destination port number, IP protocol type, IP TOS, and ingress information); recording and measuring traffic information; routing and peer entity information (next-hop address, source AS number, destination AS number, source address mask, and destination address mask); exporting statistics packets in V5, V8, and V9 formats; aggregation by AS, protocol-port, source-prefix, destination-prefix, prefix, and ToS; normal aging and compelled aging configured by users; monitoring TCP link state; building a flow from fragments (the first fragment); NAT NetStream; inbound/outbound NetStream of MPLS; collecting packet information in either a fixed or a random sampling proportion; multicast data flows; statistics on ATM, POS, ETH (including high-speed and low-speed card FE/GE), VLAN subinterface, E1, HSSI, and CE1 interfaces

NAT: pure IP address translation, and simultaneous translation of IP address and port number; load balancing between multiple public network egresses; internal servers; hybrid addressing of internal networks; various NAT ALGs; one public network to multiple private networks, and one private network to multiple public networks; traffic limit and rate limit for specific users; traffic limit for BT; NAT statistics; NAT log

Other security features: IP packet filtering (interface-based ACL and time-range based ACL); firewall (packet filtering firewall and stateful firewall); port mirroring; Unicast Reverse Path Forwarding (URPF)
  Terminal access security: hierarchical protection of commands to ensure that unauthorized users have no access to the router

Device reliability
  Redundancy hot backup: 1:1 backup of RPU and NPU; power 1+1 redundancy backup; hot plugging of power, fan, and service interface modules, and automatic adjustment of fan rotation speed
  GR: protocol-level GR for IS-IS, OSPF, BGP, and LDP
  FRR: IP FRR; MPLS TE FRR; VPN FRR; LDP FRR
  BFD: creating, deleting, and modifying a BFD session; bidirectional fault detection for links; fault detection in asynchronous and query modes; BFD detection of single- and multi-hop links; providing link state information to the application layer through BFD
  Other features: automatic switchover for protection; backup center; VRRP; next-hop backup

Maintainability: automatic fault diagnosis function; remote configuration and maintenance through AUX

QoS
  Traffic classification: simple traffic classification; complex traffic classification based on the port number and Layer 2, Layer 3, and Layer 4 packet information
  Traffic policing and shaping: traffic policing and shaping based on srTCM and trTCM; services such as EF and AF based on Diff-Serv; GTS
  Congestion management: LLS, LLQ, NLS, PQ, CQ, WFQ, and CBWFQ
  Congestion avoidance: RED, WRED, and SARED
  Policy-based routing: route redirection, and distribution of the LSP explicit route of MPLS
  MPLS QoS: mapping between DSCP and EXP at the domain boundary
  L2 QoS: 802.1p marking and DSCP/IP precedence marking
  HQoS: hierarchical QoS

Configuration management
  Command line interface: local configuration through the console port; local or remote configuration through the AUX port; local or remote configuration through Telnet; local or remote configuration through SSH logon; hierarchical command protection to prevent unauthorized users from accessing the router; detailed debugging information for diagnosing network faults; network test tools such as the tracert and ping commands to quickly diagnose the network; the Telnet command to log on to and manage other routers; FTP server/client to download and upload configuration files and application programs through FTP; TFTP client to download and upload configuration files and application programs through TFTP; Xmodem to download configuration files and application programs locally using the Xmodem protocol; log function; virtual file system; user interface configuration with multiple modes of authentication and authorization for users
  Time service: time zone; NTP server and NTP client
  Online service: online loading; online upgrade
  Information processing center: outputting alarm and log information to the log host and the logon user terminal through the SNMP Agent and cache buffer
  Network management: SNMP v1/v2c/v3; RMON and RMON2

1.3 Functions

This section describes the following main functions of the Secure Router 8000 Series:

- File system
- SNMP configuration
- Terminal services
- High Availability
- Link layer protocols
- IP services
- Multicast routing protocols
- VPN services
- QoS
- Security features

1.3.1 File system

The Secure Router 8000 Series provides the following rich file system functions:
- management of the files and directories in a storage device
- operations such as deleting a file, recovering deleted files, clearing files in the recycle bin, displaying file contents, renaming files, copying files, moving files, running batch processing files, and displaying information about a specified or private file

The Secure Router 8000 Series supports the following file transmission services:
- File transmission between remote hosts through FTP:
  - FTP server service: log on to the router for file access by running an FTP client program.
  - FTP client service: log on to the router with a terminal emulation program or Telnet, and run an FTP command to connect to the remote FTP server and access the files on the remote host.
- TFTP-based file transmission for environments with simple client-server interworking
- Xmodem-based file transmission, which can be applied to the AUX port and supports 128-byte packets and Cyclical Redundancy Check (CRC). HyperTerminal can send files with this function.

1.3.2 SNMP configuration

The Secure Router 8000 Series supports the Simple Network Management Protocol (SNMP) to perform the following functions:
- transmit management information between any two points
- enable administrators to retrieve information, modify information, locate faults, perform fault diagnosis, perform capacity planning, and generate reports from any node on the network

The Secure Router 8000 Series SNMP Agent supports the public Management Information Bases (MIBs) prescribed by a series of RFCs, and those defined by Nortel, to implement real-time monitoring of a large number of network devices.

1.3.3 Terminal services

This section describes the terminal services supported by the Secure Router 8000 Series.

Telnet service

The Secure Router 8000 Series supports the Telnet server and Telnet client services. You can log on to a specified router port from your PC by running the Telnet client, and then initiate communication with the device connected to the asynchronous serial port of the router. You can use this method to remotely configure and maintain the device.

Secure Shell (SSH) terminal service

Network attacks are usually launched through the Telnet service that the server provides. As the Telnet protocol does not provide a secure authentication mode, and the data transmitted over TCP is in plain text, this challenges network security. The Secure Router 8000 Series provides the Secure Shell (SSH) service and supports password and RSA authentication and DES and 3DES encryption. SSH features make it possible to implement secure remote access over nonsecure networks:
- The user name and password for communication between the SSH client and server are encrypted, which prevents the password from being intercepted.
- The SSH service encrypts the data in transmission to ensure the security and reliability of the data.
- RSA authentication ensures secure key exchange and a secure session by generating a public key and a private key according to the principles of asymmetric encryption systems.

1.3.4 High Availability

The Secure Router 8000 Series ensures network availability through redundancy of key modules, High Availability (HA) of Line Processing Units (LPUs), Fast Reroute (FRR), and Graceful Restart (GR).

Redundancy of key modules

The Secure Router 8000 Series can work with a single Routing Process Unit (RPU) or with two RPUs in redundancy. The RPU of the Secure Router 8000 Series supports hot backup. The Secure Router 8000 Series supports the following two switchover methods:
- automatic switchover
- forcible switchover

The Secure Router 8000 Series supports backup of the management bus and 1+1 backup for the power module. The LPU, the power module, and the fan modules are hot swappable.

IP/MPLS Fast Reroute

Fast Reroute (FRR) can minimize data loss due to network faults. The switch time can be less than 50 milliseconds (ms). The Secure Router 8000 Series provides the following FRR functions:
- IP FRR
- LDP FRR
- TE FRR
- VPN FRR

Graceful Restart

Graceful Restart (GR) is a key technology for providing HA. GR can be triggered by network administrators or by faults. GR due to network faults does not delete the routing information in the routing or forwarding table or reset the LPU, so services are not interrupted. The Secure Router 8000 Series supports system-based GR and protocol-based GR. Protocol-based GR includes the following:
- BGP GR
- OSPF GR
- IS-IS GR
- MPLS LDP GR
- L3 VPN GR

1.3.5 Interfaces

The Secure Router 8000 Series supports the following rich interface types:
- Physical interface (the LAN interface and the WAN interface). The Secure Router 8000 Series supports the following physical interfaces:
  - Ethernet interface
  - POS interface
  - CPOS interface
  - ATM interface
  - E1/CE1/CT1/CE3
- Logical interface (not physical, but configured to perform data exchange). The Secure Router 8000 Series supports the following logical interfaces:
  - subinterface
  - virtual Ethernet interface
  - loopback interface
  - null interface
  - tunnel interface

1.3.6 Link layer protocols

The Secure Router 8000 Series supports link layer protocols including PPP, HDLC, ATM, IP over ATM, 1483B, RPR, RRPP, and FR. The Secure Router 8000 Series supports the following:
- the VLAN function under the IEEE 802.1Q specification
- IP packet forwarding between different VLANs
- intercommunication with the devices of third-party vendors
- data forwarding between several VLANs on a single physical Ethernet interface by creating subinterfaces (each of which acts as an independent Ethernet interface) for each Ethernet interface, which saves interface resources

1.3.7 IP services

This section describes the IP services supported by the Secure Router 8000 Series.

Flexible IP address configuration

The Secure Router 8000 Series provides rich applications based on IP addresses:
- Support for multiple secondary IP addresses: each interface can be configured with a primary IP address and several secondary IP addresses to connect to different subnets. This improves networking efficiency.
- IP address negotiation: users who access the Internet through an Internet service provider (ISP) are usually allocated addresses by a remote server. This requires the interface to be encapsulated with PPP and configured as IP address-negotiable so that it can accept the IP address allocated by the peer end through PPP negotiation.
- IP unnumbered: to enable an interface that is not configured with an address to operate normally, you can borrow the IP address of another interface.

Address Resolution Protocol functions

The Secure Router 8000 Series supports dynamic and static Address Resolution Protocol (ARP) functions. Under special circumstances (for example, if some fixed IP addresses are available on the LAN gateway), you can use the static ARP function to bind these IP addresses to a specified network interface card. This ensures that the packets heading for these addresses are forwarded by the gateway. If you need to filter illegal IP addresses, you can configure the static ARP table manually.

DHCP relay

Standard Dynamic Host Configuration Protocol (DHCP) is applicable in cases where the DHCP client and server lie on the same subnet. To provide dynamic host configuration for clients on different subnets, you must configure a DHCP server for every subnet. This approach is not economical.
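The relay function that this section goes on to describe, modelled as an added example (not the router's own code): the relay stamps its interface address into giaddr so that a server on another subnet can pick the right address pool, and it discards over-hopped requests and replies that are not addressed to it. The topology, addresses and the BOOTP-header-only packet format are constructed for the example.

```python
"""DHCP relay agent model: an added example, not the router's own code.

Constructed topology (assumption): the DHCP server 10.1.1.10 lives on
10.1.1.0/24, a client on 10.1.2.0/24 has no server of its own, and the
router interface 10.1.2.1 on the client subnet acts as the relay agent.
Only the fixed BOOTP header (RFC 951 / RFC 2131) is modelled; DHCP
options are omitted.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16   # RFC 1542: a relay silently discards a request whose hops field exceeds 16
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr
HDR = "!BBBBIHH4s4s4s4s16s"
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr")


def pack(op, hops, xid, ciaddr, yiaddr, siaddr, giaddr, chaddr, flags=0):
    """Build a BOOTP header; addresses are dotted strings, chaddr is raw bytes."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip(ciaddr), ip(yiaddr),
                       ip(siaddr), ip(giaddr), chaddr.ljust(16, b"\0"))


def unpack(pkt):
    d = dict(zip(FIELDS, struct.unpack(HDR, pkt[:struct.calcsize(HDR)])))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        d[k] = str(ipaddress.IPv4Address(d[k]))
    return d


class Relay:
    def __init__(self, if_addr, server):
        self.if_addr, self.server = if_addr, server

    def to_server(self, pkt):
        """Client -> server. Returns (destination, packet) or None when dropped."""
        d = unpack(pkt)
        if d["op"] != BOOTREQUEST or d["hops"] > MAX_HOPS:
            return None
        # The first relay stamps its own address into giaddr; later relays leave it.
        giaddr = self.if_addr if d["giaddr"] == "0.0.0.0" else d["giaddr"]
        out = pack(BOOTREQUEST, d["hops"] + 1, d["xid"], d["ciaddr"], d["yiaddr"],
                   d["siaddr"], giaddr, d["chaddr"], d["flags"])
        return self.server, out

    def to_client(self, pkt):
        """Server -> client. Only replies addressed to this relay's giaddr are forwarded."""
        d = unpack(pkt)
        if d["op"] != BOOTREPLY or d["giaddr"] != self.if_addr:
            return None
        # A client without an address yet cannot receive unicast: broadcast on its subnet.
        dst = d["ciaddr"] if d["ciaddr"] != "0.0.0.0" else "255.255.255.255"
        return dst, pkt


class Server:
    def __init__(self, addr, pools):
        self.addr = addr
        self.pools = {ipaddress.ip_network(n): list(free) for n, free in pools.items()}

    def handle(self, pkt):
        d = unpack(pkt)
        if d["op"] != BOOTREQUEST:
            return None
        # giaddr tells the server which subnet the client is on; that is what lets
        # one server serve many subnets.  giaddr == 0.0.0.0 means the client is local.
        anchor = ipaddress.ip_address(d["giaddr"] if d["giaddr"] != "0.0.0.0" else self.addr)
        for net, free in self.pools.items():
            if anchor in net and free:
                yiaddr = free.pop(0)
                break
        else:
            return None
        return pack(BOOTREPLY, d["hops"], d["xid"], d["ciaddr"], yiaddr, self.addr,
                    d["giaddr"], d["chaddr"], d["flags"])


def relayed_discover(hops=0):
    """Walk one DISCOVER/OFFER pair through relay and server; returns a summary."""
    server = Server("10.1.1.10", {"10.1.1.0/24": ["10.1.1.50"], "10.1.2.0/24": ["10.1.2.100"]})
    relay = Relay(if_addr="10.1.2.1", server="10.1.1.10")
    discover = pack(BOOTREQUEST, hops, 0x3903F326, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                    "0.0.0.0", bytes.fromhex("0a0b0c0d0e0f"))
    fwd = relay.to_server(discover)
    if fwd is None:
        return {"dropped": True}
    dst, request = fwd
    offer = server.handle(request)
    client_dst, _ = relay.to_client(offer)
    return {"dropped": False, "relayed_to": dst, "giaddr": unpack(request)["giaddr"],
            "offered": unpack(offer)["yiaddr"], "client_dst": client_dst}


if __name__ == "__main__":
    print(relayed_discover())
```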
The Secure Router 8000 Series uses the DHCP relay function to complete the following tasks:
- provide relay service for DHCP clients and servers across different subnets
- transmit DHCP packets to the destination DHCP server (or client) across the subnet boundary, so that the DHCP clients of different subnets can share one DHCP server and client information can be managed centrally

Policy-based routing

Policy-based routing is a route selection mechanism that is based on a customized policy. The Secure Router 8000 Series supports routing based on input packet information such as the source address and address length. Multicast packets are usually forwarded according to the routing table; however, with policy-based routing, you can forward multicast packets according to a customized policy for multicast traffic.

1.3.8 Unicast routing protocols

In terms of routing protocols, the Secure Router 8000 Series supports the following:
- static routing and dynamic routing protocols such as RIP, OSPF, IS-IS, and BGP
- centralized management of the routes discovered by these protocols

- varying routing policies and sharing of routes discovered by both static and dynamic routing protocols

In networking practice, the routing table is always large, while the memory of the router is limited. To resolve this issue, the Secure Router 8000 Series provides a size control mechanism for routing tables. It monitors the current free memory of the system and, based on that, decides whether to add routes to the routing table and whether to keep the connection of the routing protocol. In addition, the Secure Router 8000 Series supports load sharing and route backup functions.

1.3.9 Multicast routing protocols

This section describes the multicast routing protocols supported by the Secure Router 8000 Series.

Internet Group Management Protocol

The Secure Router 8000 Series supports the Internet Group Management Protocol (IGMP), which is used to establish and maintain multicast group membership between IP hosts and the directly connected multicast routers.

Multicast routing protocol support

The Secure Router 8000 Series supports the following multicast routing protocols:
- Protocol Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM) (used within an area)
- Multicast Source Discovery Protocol (MSDP) and Multiprotocol Border Gateway Protocol (MBGP) (used between areas)

1.3.10 MPLS features

Multiprotocol Label Switching (MPLS) uses short labels with a fixed length to encapsulate network layer packets. MPLS performs the following functions:
- acts as an intermediate layer between the network and link layers
- provides connection-oriented network services through the services obtained from link layer protocols such as PPP and FR

The Secure Router 8000 Series forms forwarding equivalence classes (FECs) based on information such as the IP address prefix, and performs the following roles:
- generates the label forwarding table
- forwards the traffic of different FECs (with different label fields in the headers) through different label switched paths (LSPs)

MPLS supports the following:
- policy- and constraint-based routing (such as limitations based on the VPN and Diff-Serv) on LSPs, which enables you to select a router from the MPLS network to establish an LSP
- LSP tunneling technology with a label stack at both the ingress and egress of a tunnel to perform tunnel nesting and to meet different application requirements

The Secure Router 8000 Series provides the following MPLS functions:

- accelerated packet forwarding
- MPLS VPN applications, interworking between various types of VPNs, and networking applications such as traffic engineering, QoS, and Diff-Serv

The Secure Router 8000 Series MPLS function supports Layer 3 and Layer 2 protocols such as IP, FR, ATM, and Ethernet. MPLS provides an Operation, Administration and Maintenance (OAM) mechanism that does not depend on the upper or lower layers in the TCP/IP protocol suite. The IP Telecommunication Network (IPTN) supported by the Secure Router 8000 Series is based on IP network technologies. IPTN meets end-to-end QoS requirements, reduces carrier investment, and creates value-added telecommunication network solutions.

1.3.11 VPN services

This section describes the Virtual Private Network (VPN) services supported by the Secure Router 8000 Series.

IP VPN

The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packets of certain network layer protocols (such as IP and IPX packets) so that these packets can be transmitted over a network running another network layer protocol (such as IP). As a tunnel protocol, GRE uses tunneling technology at the protocol layer. GRE can be used to perform the following functions:
- transmit local multiprotocol network data through a single-protocol backbone network
- extend a network that is limited by hop count, such as an IPX network
- connect separated subnets for a VPN
- access MPLS VPN through GRE tunnels

Layer 2 VPN

The Secure Router 8000 Series provides Layer 2 VPN services based on MPLS. It supports VPLS, Martini MPLS L2VPN, Kompella MPLS L2VPN, CCC MPLS L2VPN, and SVC MPLS L2VPN to carry VLL services, and it supports PWE3.

MPLS/BGP Layer 3 VPN

The Secure Router 8000 Series implements MPLS/BGP Layer 3 VPN and provides carriers with end-to-end VPN solutions as follows:
- Carrier's carrier
- Inter-AS VPN
- HoVPN
- RRVPN

1.3.12 QoS

This section describes the Secure Router 8000 Series support for Quality of Service (QoS).

Traffic policing

The Secure Router 8000 Series supports parameters such as the committed rate, the peak rate, the committed burst size, and the maximum burst size for every type of flow according to the Service Level Agreement (SLA). For traffic beyond the SLA, the router can pass or drop the flow. Traffic policing does not affect the forwarding performance of the device because a hardware coprocessor is used internally to implement Committed Access Rate (CAR).

Congestion management

The Secure Router 8000 Series uses the Weighted Random Early Detection (WRED) congestion control mechanism. Individual congestion control algorithms can be configured for each priority queue on a port.

Traffic shaping

The Secure Router 8000 Series uses the Generic Traffic Shaping (GTS) algorithm to buffer packets, to avoid congestion of downstream devices, and to reduce packet drops. The Secure Router 8000 Series supports shaping for services like Expedited Forwarding (EF) and Assured Forwarding (AF) to smooth the transmission rate of Diff-Serv services toward downstream traffic.

Traffic classification

The Secure Router 8000 Series supports simple and complex traffic classification. If no QoS guarantee or traffic classification is required, or if no rules match the packets after traffic classification, the device processes the packets with the Best-Effort (BE) service.

VPN QoS

As a QoS Policy Propagation through the Border Gateway Protocol (QPPB) policy, VPN QoS can transmit private network routes through BGP, which extends the QPPB application to the Layer 3 VPN environment. VPN QoS can be applied to VPN instances and to VPNv4. When VPN QoS is applied to the private network routes of a specific VPN instance, the inbound and outbound route policy should be applied to the VPN instance. If VPN QoS is applied to the private network routes of all VPN instances, the inbound and outbound route policy should be applied to the VPNv4 neighbors of BGP.

FR QoS

Frame Relay (FR) has its own QoS, which can be configured on Permanent Virtual Circuits (PVCs) to provide flexible services for customers. The Secure Router 8000 Series supports multiple FR QoS technologies such as FRTS, FRTP, FR congestion management, FR queue management, and FR fragmentation.
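The committed rate, peak rate, committed burst size and maximum burst size named under Traffic policing are the four parameters of a two-rate three-colour marker (trTCM, RFC 2698), which Table 1-1 lists as the basis of policing on this platform. The colour-blind trTCM below is an added illustration, not the router's implementation: it meters a constructed packet burst and then applies a pass/drop policy per colour, the "pass or drop" decision the text mentions for traffic beyond the SLA.

```python
"""Two-rate three-colour marker (RFC 2698), colour-blind mode, as an added
illustration of CAR-style traffic policing.  Rates, bucket sizes and the
packet stream are constructed; this is not the router's implementation.
"""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class TrTCM:
    cir: float   # committed information rate, bytes per second
    pir: float   # peak information rate, bytes per second
    cbs: int     # committed burst size, bytes (capacity of bucket C)
    pbs: int     # peak / maximum burst size, bytes (capacity of bucket P)

    def __post_init__(self):
        if not (self.pir >= self.cir and self.pbs >= self.cbs):
            raise ValueError("PIR must be >= CIR and PBS >= CBS")
        self.tc = float(self.cbs)   # both buckets start full
        self.tp = float(self.pbs)
        self.last = 0.0

    def colour(self, now, size):
        """Meter one packet of `size` bytes arriving at `now` seconds."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        # Refill each bucket at its own rate, capped at its burst size.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size:          # exceeds even the peak-rate envelope
            return RED
        if self.tc < size:          # within PIR but above CIR
            self.tp -= size
            return YELLOW
        self.tc -= size             # conforming traffic draws from both buckets
        self.tp -= size
        return GREEN


# Policy: pass everything up to the peak rate, drop what exceeds it.
ACTIONS = {GREEN: "pass", YELLOW: "pass", RED: "drop"}


def police(packets, meter, actions=ACTIONS):
    """packets: iterable of (timestamp_seconds, size_bytes). Returns [(colour, action)]."""
    return [(c, actions[c]) for c in (meter.colour(t, s) for t, s in packets)]


# Constructed stream: four back-to-back packets at t=0, three more one second later.
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 500),
          (1.0, 1000), (1.0, 800), (1.0, 300)]


def demo():
    meter = TrTCM(cir=1000, pir=2000, cbs=1500, pbs=3000)
    return police(SAMPLE, meter)


if __name__ == "__main__":
    for (t, size), (colour, action) in zip(SAMPLE, demo()):
        print(f"t={t:.1f}s {size:5d} B -> {colour:6s} {action}")
```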

Hierarchical QoS

Hierarchical QoS (HQoS) is a QoS technology that can control traffic and perform queue scheduling simultaneously on the basis of the user's priority. HQoS uses a two-level scheduling mode:
- Priority Queue (PQ)
- Confirmed Bandwidth Priority Queue (CBPQ)

HQoS supports complete traffic statistics. You can view the bandwidth usage of all services and distribute bandwidth properly according to traffic analysis.

1.3.13 Security features

To ensure security, the Secure Router 8000 Series performs the following functions:
- performs Authentication, Authorization and Accounting (AAA) functions
- builds distributed client/server secure access applications based on the ITU-T RADIUS protocol specifications
- provides AAA services for local, logon, and dial-up users to prevent unauthorized access, based on the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) specifications

The Secure Router 8000 Series supports protocol security authentication as follows:
- PPP supports the PAP and CHAP authentication modes.
- Routing protocols including RIPv2, OSPF, IS-IS, and BGP support plain text authentication and MD5 encrypted text authentication.
- SNMP supports SNMPv3 encryption and authentication.

The Secure Router 8000 Series supports the mirroring function. With mirroring, the system sends a copy of the packets on the current node from an observing port to a specific packet analysis device without interrupting services. You can define the mirroring port number and connect the port to the packet analysis device to monitor traffic.

In compliance with the command levels, users are divided into four levels. A user can use only the commands with levels no higher than the user's level.

The Secure Router 8000 Series supports the Network Address Translation (NAT) function and relays access between private and public networks. It converts a private IP address to a public IP address, or changes the combination of internal IP address and port to a combination of external IP address and port. This enables the hosts of an internal network to access Internet resources without risking the privacy of the internal network.
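The address-and-port translation just described, as an added model rather than the router's code: outbound packets get the public address and an allocated port, and inbound packets are admitted only when they answer a session an inside host opened, which is what keeps the internal addressing private. Addresses and ports are constructed; the filtering rule (reply must come from the same remote address and port) is one common NAT behaviour, chosen here as an assumption.

```python
"""Network address and port translation (NAPT) table: an added model of the
private-to-public translation described in the text, not the router's code.
All addresses and ports are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Napt:
    public_ip: str
    next_port: int = 1024                        # first public port handed out
    out_map: dict = field(default_factory=dict)  # (proto, priv_ip, priv_port) -> pub_port
    in_map: dict = field(default_factory=dict)   # (proto, pub_port) -> (priv_ip, priv_port, remote_ip, remote_port)

    def outbound(self, p):
        """Private -> public: rewrite the source to the public IP and an allocated port."""
        key = (p.proto, p.src, p.sport)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = pub_port
            self.in_map[(p.proto, pub_port)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(p.proto, self.public_ip, pub_port, p.dst, p.dport)

    def inbound(self, p):
        """Public -> private: admit only replies to a session an inside host opened."""
        if p.dst != self.public_ip:
            return None
        entry = self.in_map.get((p.proto, p.dport))
        if entry is None:
            return None                          # no session: unsolicited traffic is dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None                          # address-and-port-dependent filtering (assumed policy)
        return Packet(p.proto, p.src, p.sport, priv_ip, priv_port)


def demo():
    """Two inside hosts using the same source port reach one web server; returns the trace."""
    nat = Napt(public_ip="198.51.100.1")
    a_out = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    b_out = nat.outbound(Packet("tcp", "192.168.1.11", 40000, "203.0.113.5", 443))
    reply_b = nat.inbound(Packet("tcp", "203.0.113.5", 443, "198.51.100.1", b_out.sport))
    unsolicited = nat.inbound(Packet("tcp", "203.0.113.9", 443, "198.51.100.1", 1026))
    spoofed = nat.inbound(Packet("tcp", "203.0.113.9", 443, "198.51.100.1", a_out.sport))
    return {"a_out": a_out, "b_out": b_out, "reply_b": reply_b,
            "unsolicited": unsolicited, "spoofed": spoofed}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```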

Contents

2 Configuration environment setup ... 2-1
2.1 Introduction ... 2-2
2.1.1 Console port configuration ... 2-2
2.1.2 Telnet configuration ... 2-2
2.1.3 AUX port configuration ... 2-3
2.2 Establishing the local configuration environment through the console port ... 2-3
2.2.1 Establishing the configuration task ... 2-3
2.2.2 Establishing the physical connection ... 2-4
2.2.3 Configuring terminals ... 2-4
2.2.4 Logging on to the router ... 2-4
2.3 Establishing the configuration environment through Telnet ... 2-4
2.3.1 Establishing the configuration task ... 2-4
2.3.2 Establishing the physical connection ... 2-5
2.3.3 Configuring logon user parameters ... 2-5
2.3.4 Logging on from the Telnet client ... 2-5
2.4 Establishing the configuration environment through the AUX port ... 2-6
2.4.1 Establishing the configuration task ... 2-6
2.4.2 Establishing the physical connection ... 2-6
2.4.3 Initializing and configuring the modem on the interface ... 2-7
2.4.4 Configuring the connection between the remote terminal and the router ... 2-7
2.4.5 Logging on to the router ... 2-7
2.5 Configuration examples ... 2-7
2.5.1 Example of logging on through the console port ... 2-7
2.5.2 Example of logging on through Telnet ... 2-10
2.5.3 Example of logging on through the AUX port ... 2-11

Figures

Figure 2-1 Networking diagram of logging on through the console port ... 2-8
Figure 2-2 New connection ... 2-8
Figure 2-3 Setting the port ... 2-9
Figure 2-4 Setting the port communication parameters ... 2-9
Figure 2-5 Establishing the configuration environment through the wide area network (WAN) ... 2-10
Figure 2-6 Running the Telnet program on the PC ... 2-11
Figure 2-7 Establishing the remote configuration environment ... 2-11

2 Configuration environment setup

About this chapter

The following table shows the contents of this chapter.

Section: Description
2.1 Introduction: This section describes the three methods for establishing the configuration environment.
2.2 Establishing the local configuration environment through the console port: This section describes how to establish the configuration environment through the console port. See Example of logging on through the console port.
2.3 Establishing the configuration environment through Telnet: This section describes how to establish the configuration environment through Telnet. See Example of logging on through Telnet.
2.4 Establishing the configuration environment through the AUX port: This section describes how to establish the configuration environment through the AUX port. See Example of logging on through the AUX port.
2.5 Configuration examples: This section provides examples of establishing configuration environments.

2.1 Introduction

This section describes the following three methods for establishing the configuration environment:
- Console port configuration
- Telnet configuration
- AUX port configuration

2.1.1 Console port configuration

Applicable environment

You can configure the router by local logon.

Applications

Use the console port to configure the router in the following situations:
- The router is powered on for the first time.
- The configuration environment cannot be established through Telnet or the AUX port.

2.1.2 Telnet configuration

Applicable environment

You can configure the router by local or remote logon.

Applications

Preconfigure the IP addresses of the interfaces on the router, the user account, the logon authentication, and the incoming and outgoing call restriction. Also, ensure that directly connected or reachable routes exist between the terminals and the router. The destination router authenticates the user based on the configured parameters in one of three modes:
- Password authentication: the logon user must enter the correct password.
- AAA local authentication: the logon user must enter the correct user name and password.
- Non-authentication: the logon user is not required to enter a user name or password.

If the logon succeeds, a command line prompt such as Nortel appears on the Telnet client interface. Enter commands to check the running status of the router or to configure the router. Enter ? for help.

NOTE: If you modify the IP address of the router while you configure the router through Telnet, the modification can disconnect Telnet. If necessary, set up the connection again after you enter the new IP address.

2.1.3 AUX port configuration

Applicable environment

You can configure the router by remote logon. If you cannot configure the router by local logon and no reachable route to other routers exists, connect the PC and the router through the Public Switched Telephone Network (PSTN).

Applications

Pre-enable modem dial-up on the AUX port through the console port, and configure the user name and password.

2.2 Establishing the local configuration environment through the console port

2.2.1 Establishing the configuration task

Applicable environment

If you log in to the router for the first time or perform local configuration, you need to log in to the router through the console port.

Preconfiguration tasks

Before you configure the router through the console port, complete the following tasks:
- Prepare the PC/terminal (including the serial port and RS-232 cable).
- Install a terminal emulation program on the PC (such as Windows XP HyperTerminal).

Data preparation

To configure the router, you need the following data.

No. Data
1 Terminal communication parameters (including baud rate, data bits, parity, stop bits, and flow control)

Configuration procedures

No. Procedure
1 Establishing the physical connection
2 Configuring terminals
3 Logging on to the router

2.2.2 Establishing the physical connection

Do as follows on the router:

Step 1 Connect the COM port on the PC and the console port on the router by cable.
Step 2 Power on all devices to perform a self-check.
----End

2.2.3 Configuring terminals

Do as follows on the PC:

Run the terminal emulation program on the PC, setting the communication parameters of the terminal to 9600 bps, data bits to 8, and stop bits to 1. Specify no parity and no flow control.

2.2.4 Logging on to the router

Do as follows on the PC:

Press Enter until a command line prompt such as Nortel appears, and then enter the configuration environment in the user view.

2.3 Establishing the configuration environment through Telnet

2.3.1 Establishing the configuration task

Applicable environment

You can configure the router by local logon or remote logon through Telnet.

Preconfiguration tasks

Before you configure the router through Telnet, complete the following tasks:
- Power on the devices and perform a self-check.
- Prepare the PC (including the serial port and an Ethernet crossover or straight-through network cable).

Data preparation

To configure the router through Telnet, you need the following data.

No. Data
1 IP address of the PC
2 IP address of the Ethernet interface on the router
3 User information for Telnet access (including the user name, password, and authentication mode)

Configuration procedures

No. Procedure
1 Establishing the physical connection
2 Configuring logon user parameters
3 Logging on from the Telnet client

2.3.2 Establishing the physical connection

Connect the router and the PC directly, or connect the router and the PC to the network through network cables.

2.3.3 Configuring logon user parameters

Do as follows on the router:

Step 1 Configure the authentication mode of logon users.
Step 2 Configure the authority limitation of logon users.
For more information, see Chapter 5, User management.
----End

2.3.4 Logging on from the Telnet client

Do as follows on the PC:

Step 1 Run the Telnet client program on the PC, and enter the IP address of the interface on the destination router that provides the Telnet service.
Step 2 In the logon window, enter the user name and password. After authentication, a command line prompt such as Nortel appears. Enter the configuration environment in the user view.
----End

2.4 Establishing the configuration environment through the AUX port

2.4.1 Establishing the configuration task

Applicable environment

If you cannot configure the router by local logon and no reachable route to other routers exists, connect the serial port of the PC and the AUX port of the router through modems.

Preconfiguration tasks

Before you configure the router through AUX port dial-up, complete the following tasks:
- Prepare the PC/terminal (including the serial port and RS-232 cable).
- Prepare the PC terminal emulation program (such as Windows XP HyperTerminal).
- Prepare two modems.

Data preparation

To configure the router, you need the following data.

No. Data
1 Type of terminals
2 Terminal communication parameters
3 Modem communication parameters

Configuration procedures

No. Procedure
1 Establishing the physical connection
2 Initializing and configuring the modem on the interface
3 Configuring the connection between the remote terminal and the router
4 Logging on to the router

2.4.2 Establishing the physical connection

Step 1 Connect the modem with the PC and the network.
Step 2 Connect the modem with the router through the AUX port and the network.
----End

2.4.3 Initializing and configuring the modem on the interface

Do as follows on the router:

Step 1 Configure the authentication mode of logon users.
Step 2 Configure the authority (command level) of logon users.

For more information, see Nortel Secure Router 8000 Series Configuration - Security (NN46240-600).

----End

2.4.4 Configuring the connection between the remote terminal and the router

Do as follows on the terminal PC:

Step 1 Run a terminal emulation program on the PC (such as Windows XP HyperTerminal) to open the Connection Description window.
Step 2 Enter a name for the connection between the PC and the router, such as Dial.
Step 3 Click OK to open the Connect To window.
Step 4 Enter the parameters and select options as required.
Step 5 Click OK to open the Connect window.
Step 6 Click Dial.

----End

2.4.5 Logging on to the router

In the logon window, enter the user name and password. After authentication succeeds, a command line prompt such as <Nortel> appears, and you are in the user view of the configuration environment.

2.5 Configuration examples

2.5.1 Example of logging on through the console port

Networking requirements

Initialize the configuration of the router when the router is powered on for the first time.

Figure 2-1 Networking diagram of logging on through the console port (PC connected to the router's console port)

Configuration roadmap

- Connect the PC and the router through the console port.
- Configure the parameters on the PC end.
- Log on to the router.

Data preparation

- Terminal communication parameters (baud rate, data bits, parity, stop bits, and flow control)

Configuration procedure

Step 1 Connect the serial port of the PC (or terminal) to the console port of the router through a standard RS-232 configuration cable. The local configuration environment is established.
Step 2 Run the terminal emulation program on the PC. Set the baud rate to 9600 bps, data bits to 8, stop bits to 1, parity to none, and flow control to none, as shown in Figure 2-2 to Figure 2-4.

Figure 2-2 New connection

Figure 2-3 Setting the port

Figure 2-4 Setting the port communication parameters

Power on the router. The router performs a self-check and automatic configuration. When the self-check finishes, you are prompted to press Enter until a command line prompt such as <Nortel> appears.

Enter commands to check the running status of the router or to configure it, or enter ? for help. For more information, see the following chapters in this document.

----End

2.5.2 Example of logging on through Telnet

Networking requirements

You can log on to the router from a PC or another terminal on a different network segment to perform remote maintenance.

Figure 2-5 Establishing the configuration environment through the wide area network (WAN): PC - WAN - target router, interface GE1/0/0 202.38.160.92/16

Configuration roadmap

- Establish the physical connection.
- Configure user logon parameters.
- Log on to the router from the client side.

Data preparation

- IP address of the PC
- IP address of the Ethernet interface on the router
- User information for Telnet access (user name, password, and authentication mode)

Configuration procedure

Step 1 Connect the PC and the router to the network.
Step 2 Configure logon user parameters.

# Configure the logon address:

<Nortel> system-view
[Nortel] interface GigabitEthernet 1/0/0
[Nortel-GigabitEthernet1/0/0] ip address 202.38.160.92 255.255.0.0
[Nortel-GigabitEthernet1/0/0] quit

# Configure the logon authentication mode:

[Nortel] aaa

[Nortel-aaa] local-user nortel password cipher test2
[Nortel-aaa] local-user nortel service-type telnet
[Nortel-aaa] local-user nortel level 3
[Nortel-aaa] quit
[Nortel] user-interface vty 0 4
[Nortel-ui-vty0-4] authentication-mode aaa

NOTE
The user created here is at level 3, the management level (see 3.1.2), and is allowed to log on only through Telnet, which carries the user name and password in cleartext. Replace the example password before use, and prefer SSH (see 3.1.1) where the management network is not trusted.

Step 3 Configure the client to log on to the router. Run Telnet on the PC, as shown in Figure 2-6.

Figure 2-6 Running the Telnet program on the PC

Step 4 Click OK. In the logon window, enter the user name and password. After authentication succeeds, a command line prompt such as <Nortel> appears, and you are in the user view of the configuration environment.

----End

2.5.3 Example of logging on through the AUX port

Networking requirements

If you cannot configure the router by local logon and no reachable route to other routers exists, connect the serial port of the PC to the AUX port of the router through modems. The configuration environment is shown in Figure 2-7.

Figure 2-7 Establishing the remote configuration environment: PC (COM) - modem - PSTN - modem - router (AUX)

Configuration roadmap

- Establish the physical connection.
- Configure modem parameters.
- Configure the AUX port to support modem dial-up.

Data preparation

- Type of terminal
- Terminal communication parameters
- Modem communication parameters

Configuration procedure

Step 1 Establish the physical connection as shown in Figure 2-7.
Step 2 Configure the AUX port to support modem dial-up.

<Nortel> system-view
[Nortel] aaa
[Nortel-aaa] local-user nortel password cipher test1
[Nortel-aaa] local-user nortel service-type terminal
[Nortel-aaa] local-user nortel level 3
[Nortel-aaa] quit
[Nortel] user-interface aux 0
[Nortel-ui-aux0] authentication-mode aaa
[Nortel-ui-aux0] modem both

With modem both, the AUX port answers incoming calls as well as placing them, so anyone who can dial the modem's number reaches the logon prompt. Keep authentication-mode aaa on aux 0; never leave the port without authentication.

Step 3 Configure modem parameters.

# Run the terminal emulation program on the PC (see 2.5.1, Example of logging on through the console port). Press Enter on the emulation terminal until a modem command line prompt such as > appears. Configure the modem to meet the AUX port communication requirements. For details, see the modem documentation.

Step 4 Log on to the router. In the remote terminal emulation program, enter the user name and password. After authentication succeeds, a command line prompt such as <Nortel> appears. Enter commands to check the running status of the router or to configure it, or enter ? for help. For detailed operations, see the following chapters in this document.

----End
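Both the Telnet example (2.5.2) and the AUX example (2.5.3) follow the same pattern: create a local user, bind it to a service type, assign it a level, and set authentication-mode aaa on the user interface it logs on through. The following script is an added example, not code from the Nortel documentation. It parses configuration text in that form and reports the settings a reviewer checks first: users whose only access is cleartext Telnet, users at the management level, user interfaces that require no authentication, and a dial-in AUX port that is not protected by AAA. The embedded configuration text is constructed from the two examples above plus one deliberately weak user-interface block; the severity names and check logic are this example's own.

```python
"""Audit local-user and user-interface settings in configuration text of the form
used in the Telnet and AUX examples.

Added example, not part of the Nortel documentation. SAMPLE_CONFIG is
constructed: the aaa, "vty 0 4" and "aux 0" blocks copy the two examples on
this page; the "vty 5 9" block is added to show a failing check.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
aaa
 local-user nortel password cipher test2
 local-user nortel service-type telnet
 local-user nortel service-type terminal
 local-user nortel level 3
quit
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 5 9
 authentication-mode none
user-interface aux 0
 authentication-mode aaa
 modem both
"""


@dataclass
class LocalUser:
    name: str
    service_types: Set[str] = field(default_factory=set)
    level: Optional[int] = None
    has_password: bool = False


@dataclass
class UserInterface:
    name: str
    authentication_mode: Optional[str] = None
    modem: Optional[str] = None


USER_RE = re.compile(r"^\s*local-user\s+(\S+)\s+(password|service-type|level)\s+(.+?)\s*$")
UI_RE = re.compile(r"^\s*user-interface\s+(\S+(?:\s+\d+)*)\s*$")


def parse_config(text: str) -> Tuple[Dict[str, LocalUser], Dict[str, UserInterface]]:
    """Collect local-user lines and the settings under each user-interface block."""
    users: Dict[str, LocalUser] = {}
    interfaces: Dict[str, UserInterface] = {}
    current_ui: Optional[UserInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        ui_match = UI_RE.match(raw)
        if ui_match:
            current_ui = UserInterface(name=ui_match.group(1))
            interfaces[current_ui.name] = current_ui
            continue
        if line in ("aaa", "quit", "return"):
            current_ui = None  # back in the system view; no user-interface block is open
            continue
        user_match = USER_RE.match(raw)
        if user_match:
            name, key, value = user_match.groups()
            user = users.setdefault(name, LocalUser(name))
            if key == "password":
                user.has_password = True  # the cipher text itself is not needed for the audit
            elif key == "service-type":
                user.service_types.update(value.split())
            else:
                user.level = int(value)
            continue
        if current_ui is not None and " " in line:
            key, value = line.split(None, 1)
            if key == "authentication-mode":
                current_ui.authentication_mode = value
            elif key == "modem":
                current_ui.modem = value
    return users, interfaces


def audit(users: Dict[str, LocalUser], interfaces: Dict[str, UserInterface]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; the severity scale is this example's own."""
    findings: List[Tuple[str, str]] = []
    for u in users.values():
        if not u.has_password:
            findings.append(("high", f"local-user {u.name}: no password configured"))
        if "telnet" in u.service_types:
            findings.append(("medium", f"local-user {u.name}: Telnet access sends the user name "
                                       "and password in cleartext; prefer SSH"))
        # Level 3 is the management level in the default 0-3 scheme (15 after level extension).
        if u.level is not None and u.level >= 3:
            findings.append(("info", f"local-user {u.name}: level {u.level} is the management level"))
    for ui in interfaces.values():
        if ui.authentication_mode in (None, "none"):
            findings.append(("high", f"user-interface {ui.name}: logon without authentication"))
        if ui.modem is not None and ui.authentication_mode != "aaa":
            findings.append(("high", f"user-interface {ui.name}: modem dial-in enabled without AAA"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(*parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample, the script accepts the "vty 0 4" and "aux 0" blocks as configured on this page and reports only the constructed "vty 5 9" block, the Telnet service type, and the management-level user. Feed it the output of display current-configuration (see 3.8.1) to check a live router the same way.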

Contents

3 CLI overview ... 3-1
3.1 Introduction ... 3-2
3.1.1 CLI characteristics ... 3-2
3.1.2 Command levels ... 3-3
3.1.3 Command line views ... 3-3
3.1.4 Regular expressions ... 3-3
3.2 Configuring the command line view ... 3-4
3.3 CLI online Help ... 3-7
3.4 CLI error messages ... 3-8
3.5 Command history ... 3-8
3.6 Editing characteristics ... 3-9
3.7 Display characteristics ... 3-9
3.8 Outputting the display ... 3-10
3.8.1 Viewing the display ... 3-10
3.8.2 Filtering the display ... 3-10
3.9 Filtering information through regular expressions ... 3-10
3.10 Shortcut keys ... 3-11
3.10.1 Classifying shortcut keys ... 3-11
3.10.2 Defining shortcut keys ... 3-13
3.10.3 Using shortcut keys ... 3-13
3.11 Configuration examples ... 3-14
3.11.1 Example for using shortcut keys ... 3-14

Tables

Table 3-1 Command line views ... 3-5
Table 3-2 Common CLI error messages ... 3-8
Table 3-3 Accessing the command history ... 3-8
Table 3-4 Editing functions ... 3-9
Table 3-5 Display functions ... 3-10
Table 3-6 Metacharacters ... 3-10
Table 3-7 System-defined shortcut keys ... 3-12

3 CLI overview

About this chapter

The following table shows the contents of this chapter.

Section                                                  Description
3.1 Introduction                                         Basic concepts of the command line interface (CLI)
3.2 Configuring the command line view                    The command views
3.3 CLI online Help                                      How to use the CLI online Help
3.4 CLI error messages                                   The CLI error messages
3.5 Command history                                      The command history
3.6 Editing characteristics                              How to use the editing functions
3.7 Display characteristics                              How to use the display functions
3.8 Outputting the display                               How to output the display
3.9 Filtering information through regular expressions    How to use regular expressions
3.10 Shortcut keys                                       How to use shortcut keys
3.11 Configuration examples                              Examples of using shortcut keys

3.1 Introduction

This section describes the concepts you should know before you use the command line interface (CLI):
- CLI characteristics
- Command levels
- Command line views
- Regular expressions

3.1.1 CLI characteristics

The appearance of a command line prompt indicates that you have entered the CLI. Users configure and manage routers by entering a series of configuration commands in the CLI. The CLI has the following characteristics:
- Enables local or remote configuration through the AUX port.
- Enables local configuration through the console port.
- Enables local or remote configuration through Telnet or Secure Shell (SSH).
- Allows logon to the asynchronous serial interface of a router through modem dial-up for remote configuration.
- Provides a user interface view through which terminal users perform specific configuration.
- Provides hierarchical command protection for users of different levels (that is, commands run according to the corresponding level).
- Provides local authentication, password authentication, and Authentication, Authorization and Accounting (AAA) to prevent unauthorized users from accessing the router.
- Allows the user to enter ? for online Help at any time.
- Provides network testing commands such as tracert and ping for diagnosing network faults.
- Provides detailed debugging information for diagnosing network faults.
- Provides the telnet command for logging on to and managing other routers directly.
- Provides an FTP service for uploading and downloading files.
- Provides a function similar to DOS-Key for running a history command.
- Provides a command line interpreter with intelligent command resolution such as keyword fuzzy matching and context conjunction.

NOTE
The system supports commands with a maximum of 256 characters. A command can be entered in an incomplete (abbreviated) form. The system saves an incomplete command to the configuration file in its complete form, so the saved command may exceed 256 characters; such a command cannot be restored when the system restarts. Keep the length of abbreviated commands in mind.

3.1.2 Command levels

The system uses a hierarchical protection mode with 16 command levels in increasing order. By default, commands are registered at one of the following four levels:

- Visit level: network diagnosis commands (such as ping and tracert) and commands that start from the local device and visit an external device (Telnet client, SSH client, and Rlogin).
- Monitoring level: commands used for system maintenance and service fault diagnosis, including the display and debugging commands.
- Configuration level: service configuration commands that provide network service directly to the user, including routing and network layer commands.
- Management level: commands that affect the basic operation of the system and support the services: file system commands, File Transfer Protocol (FTP) commands, Trivial File Transfer Protocol (TFTP) commands, Xmodem download commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, and system internal parameter setting commands.

NOTE
The default level of a command may be higher than the level that the command rules in the application would assign to it.

Logon users have the same four levels as the commands. A logon user can run only commands whose level is equal to or lower than the user's own level. For more information about logon user levels, see Chapter 5, User management.

3.1.3 Command line views

The system provides command line views, which correspond to command interfaces. Each command is registered in, and runs only in, a specific command view.

3.1.4 Regular expressions

When you output information, you can use regular expressions in commands to filter out unnecessary content and display only what you need. In the commands that support regular expressions, three filtering modes are available: { begin | exclude | include } regular-expression.

- begin: Displays the information starting from the first line that matches regular-expression.
- exclude: Displays only the lines that do not match regular-expression.
- include: Displays only the lines that match regular-expression.
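As an added example (not from the Nortel documentation), the following Python function reproduces the three filter modes just described, and the /, - and + forms accepted at the ---- More ---- prompt (described next), over a constructed fragment in the shape of display current-configuration output. It also shows a pitfall of the include mode that a reviewer grepping a configuration should know: the regular expression is searched anywhere in the line, so include ip also returns the local-user ... password cipher line because cipher contains ip; anchoring the expression (^ ip) removes the false match. The sample output, the display helper and its names are this example's own.

```python
"""Reproduce the CLI output filters begin / exclude / include over display output.

Added example, not Nortel code. SAMPLE_OUTPUT is a constructed fragment in the
shape of display current-configuration output; it was not captured from a router.
"""
import re
from typing import List

SAMPLE_OUTPUT = """\
#
 sysname Nortel
#
aaa
 local-user nortel password cipher test2
 local-user nortel service-type telnet
 local-user nortel level 3
#
interface GigabitEthernet1/0/0
 ip address 202.38.160.92 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
#
return
""".splitlines()

# The ---- More ---- prompt accepts the same three filters under one-character names.
MORE_PROMPT_MODES = {"/": "begin", "-": "exclude", "+": "include"}


def filter_output(lines: List[str], mode: str, regular_expression: str) -> List[str]:
    """Apply one filter mode to the output lines.

    begin   -> everything from the first line matching the expression onwards
    exclude -> every line that does not match
    include -> every line that matches
    The expression is searched anywhere in the line, as the CLI does, so anchor it
    with ^ or $ when a substring match is not wanted.
    """
    mode = MORE_PROMPT_MODES.get(mode, mode)
    pattern = re.compile(regular_expression)
    if mode == "include":
        return [line for line in lines if pattern.search(line)]
    if mode == "exclude":
        return [line for line in lines if not pattern.search(line)]
    if mode == "begin":
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter mode: {mode!r}")


def display(command_output: List[str], filter_spec: str) -> List[str]:
    """Parse a trailing '| include ip' style filter as typed after a display command."""
    parts = filter_spec.strip().lstrip("|").split(None, 1)
    if len(parts) != 2:
        raise ValueError("filter must be: | { begin | exclude | include } regular-expression")
    return filter_output(command_output, parts[0], parts[1])


if __name__ == "__main__":
    print("\n".join(display(SAMPLE_OUTPUT, "| include ip")))
    print("----")
    print("\n".join(display(SAMPLE_OUTPUT, "| include ^ ip")))
```

The first print shows two lines (the cipher line and the ip address line); the anchored expression in the second returns only the ip address line. The same anchoring applies on the router: the metacharacters ^ and $ in Table 3-6 are what make include and exclude precise enough to use in a scripted configuration check.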

You can also specify a filter while information is being displayed on the screen. If a large amount of information is output, enter the filter at the ---- More ---- prompt:

- /regular-expression: Displays the information starting from the first line that matches the regular expression.
- -regular-expression: Displays only the lines that do not match the regular expression.
- +regular-expression: Displays only the lines that match the regular expression.

When you use the metacharacter {}, if the number of repetitions in the target exceeds the range given in {}, the match times out and the information is not displayed normally.

The display commands show the system status. You can append { begin | exclude | include } regular-expression to a display command to filter its output in the same three ways.

3.2 Configuring the command line view

# Establish a connection with the router. If the router uses the default configuration, you enter the user view with the prompt <Nortel>.

# Enter system-view to enter the system view.

<Nortel> system-view
[Nortel]

# Enter aaa in the system view to enter the AAA view.

[Nortel] aaa
[Nortel-aaa]

NOTE
The prompt Nortel is the default router name. The prompt <> indicates the user view, and the prompt [] indicates all other views. Some commands that are run in the system view can also be run in other views; the function performed depends on the view. For example, the mpls command (for starting MPLS) can be run in the system view to enable MPLS globally, and in the interface view to enable MPLS on that interface.

Table 3-1 shows the command line views.

Table 3-1 Command line views

View                    Description
aaa                     AAA view
aaa-accounting          AAA accounting view
aaa-authen              AAA authentication view
aaa-author              AAA authorization view
aaa-domain              AAA domain view
aaa-recording           AAA recording view
acl-adv                 Advanced ACL view
acl-basic               Basic ACL view
acl-if                  ACL view based on interface
aspf-policy             ASPF policy view
Atm                     ATM interface view
Atm-class               ATM view
Atm-pvc                 ATM PVC view
aux                     AUX interface view
bgp                     BGP view
bgp-af-l2vpn            BGP AF Layer 2 VPN view
bgp-af-vpnv4            BGP AF VPNv4 view
bgp-af-vpn-instance     BGP AF VPN instance view
vpls-family             VPLS address family view
cpos                    CPOS interface view
dhcp                    DHCP address pool view
e1                      E1 interface view
e3                      E3 interface view
ethernet                Ethernet interface view
explicit-path           Explicit path view
fr-class                Frame relay view
ftp-client              FTP client view
GigabitEthernet         GE interface view
hwtacacs                HWTACACS view
ike-proposal            IKE view

View                    Description
ipsec-policy-isakmp     IPSec policy ISAKMP view
ipsec-policy-manual     IPSec policy manual view
ipsec-policy-template   IPSec policy template view
ipsec-proposal          IPSec view
isis                    IS-IS view
l2tp                    Layer 2 TP view
loopback                Loopback interface view
mp-group                Mp-group interface view
mpls                    MPLS view
mpls-l2vpn              MPLS Layer 2 VPN view
mpls-ldp                MPLS LDP view
null                    Null interface view
ospf                    OSPF view
ospf-area               OSPF area view
policy-based-route      Policy-based route view
pos                     POS interface view
radius                  RADIUS view
rip                     RIP view
rip-af-vpn-instance     RIP AF VPN instance view
ripng                   RIPng view
route-policy            Route policy view
rsa-key-code            RSA key code view
rsa-public-key          RSA public key view
serial                  Serial interface view
shell                   Shell view
system                  System view
t1                      T1 interface view
t3                      T3 interface view
tunnel                  Tunnel interface view
tunnel-policy           Tunnel policy view
user-interface          User interface view

View                    Description
virtual-ethernet        Virtual Ethernet interface view
virtual-template        Virtual template interface view
vpn-instance            VPN instance view

3.3 CLI online Help

The CLI provides two kinds of online Help: full help and partial help. You obtain them as follows.

Full help

# Enter ? in any command line view to display all the commands available in that view with brief descriptions.

<Nortel> ?

# Enter a command, a space, and ?. If a keyword is expected at that position, all keywords and their descriptions are displayed. For example:

<Nortel> language-mode ?
  chinese   Chinese environment
  english   English environment

In this example, chinese and english are keywords; Chinese environment and English environment describe them.

# Enter a command, a space, and ?. If a parameter is expected at that position, the parameter names and descriptions are displayed. For example:

[Nortel] display aaa ?
  configuration   AAA configuration
[Nortel] display aaa configuration ?
  <cr>

In this example, configuration is the parameter name and AAA configuration is its description; <cr> indicates that no further parameter is expected at this position. The command is repeated on the next command line, and you can press Enter to run it.

Partial help

# Enter a character string followed by ? to display all commands that begin with that string.

<Nortel> d?
  debugging  delete  dir  display

# Enter a command, then a character string followed by ?, to display all keywords that begin with that string.

<Nortel> display v?
  version  virtual-access  vlan  vpls  vrrp  vsi

3.4 CLI error messages

If a user enters an incorrect command, the syntax check fails and the CLI reports an error message. If the command is correct, the syntax check passes. Table 3-2 describes the common error messages.

Table 3-2 Common CLI error messages

Error message         Cause of the error
Unrecognized command  The command cannot be found, or the keyword cannot be found.
Wrong parameter       A parameter has the wrong type, or the parameter value is out of range.
Incomplete command    The command entered is incomplete.
Too many parameters   Too many parameters were entered.
Ambiguous command     The parameters entered are ambiguous.

3.5 Command history

The CLI automatically saves a command history for each user; the function is similar to DOS-Key. By default, the CLI saves a maximum of 10 commands for each user. You can run a saved history command at any time. Table 3-3 describes the command history operations.

Table 3-3 Accessing the command history

Action                                 Key or command               Result
Display the command history.           display history-command      Displays the user's command history.
Access the previous history command.   Up cursor key or Ctrl+P      Displays the previous history command if an earlier one exists; otherwise the alarm bell rings.
Access the next history command.       Down cursor key or Ctrl+N    Displays the next history command if a later one exists; otherwise the command line is cleared and the alarm bell rings.

NOTE
On the Windows 9X HyperTerminal, the cursor keys are not recognized because Windows 9X HyperTerminal defines the keys differently. In this case, use Ctrl+P and Ctrl+N instead of the cursor keys.

When you use the command history, note the following:

- The saved history commands are exactly as the user entered them. For example, if the user enters an incomplete (abbreviated) command, the saved command is also abbreviated.
- If the user runs the same command several times, only one history entry is saved for it. Commands entered in different forms are treated as different commands. For example, if the display ip routing-table command is run several times, only one history entry is saved; if the display ip routing command and the display ip routing-table command are both run, two history entries are saved.

3.6 Editing characteristics

The CLI provides basic command editing functions and supports multiline editing, as shown in Table 3-4. The maximum length of a command is 256 characters.

Table 3-4 Editing functions

Key                          Function
Common key                   Inserts the character at the cursor position if the editing buffer is not full, and the cursor moves right. Otherwise, the alarm bell rings.
Backspace                    Deletes the character to the left of the cursor, and the cursor moves left. When the cursor reaches the head of the command, the alarm bell rings.
Left cursor key or Ctrl+B    Moves the cursor one character to the left. When the cursor reaches the head of the command, the alarm bell rings.
Right cursor key or Ctrl+F   Moves the cursor one character to the right. When the cursor reaches the end of the command, the alarm bell rings.
Tab                          Press Tab after an incomplete keyword to run partial help. If the keyword matches uniquely, the system replaces what you typed with the complete keyword and displays it on a new line with the cursor one space after it. If there are several matches or no match, the system first displays the prefix; press Tab repeatedly to cycle through the matching keywords. The cursor stays at the end of the word, and you can type a space to enter the next word. If the keyword you entered is incorrect, pressing Tab displays your input unchanged on a new line.

3.7 Display characteristics

The CLI provides the following display characteristics:

- The prompt and Help information can be displayed in both Chinese and English.

- When the information to be displayed exceeds one screen, the CLI pauses the output. Table 3-5 describes the three display functions.

Table 3-5 Display functions

Key      Function
Ctrl+C   Stops the display and the running command.
Space    Displays the next screen of information.
Enter    Displays the next line of information.

3.8 Outputting the display

3.8.1 Viewing the display

Do as follows on the router:

Run:
display current-configuration

The current configuration is displayed.

3.8.2 Filtering the display

Do as follows on the router:

Run:
display current-configuration | include ip

Only the configuration lines that contain ip are displayed. Because the expression is matched anywhere in the line, this also returns lines in which ip is part of a longer word (such as cipher); use an anchored expression (see 3.9) when you need an exact match.

3.9 Filtering information through regular expressions

When you output information, you can use regular expressions to filter what is displayed. A regular expression is a tool for matching patterns: you construct a pattern according to the rules, and the pattern is then matched against the target object. To help you construct patterns, regular expressions use special characters called metacharacters, which define how the other characters in the expression are matched. Table 3-6 describes the metacharacters.

Table 3-6 Metacharacters

Metacharacter   Connotation
\               Escape character.
.               Matches any single character, including a space, except for \n.

Metacharacter   Connotation
*               The characters to the left of this metacharacter appear 0 or more times consecutively in the target object.
+               The characters to the left of this metacharacter appear 1 or more times consecutively in the target object.
|               OR relationship between the characters on the left and on the right of this metacharacter.
^               The characters to the right of this metacharacter must appear at the beginning of the target object.
$               The characters to the left of this metacharacter must appear at the end of the target object.
[xyz]           Matches one of the characters listed in the square brackets.
[^xyz]          Matches any character that is not listed in the square brackets (^ precedes the characters).
[a-z]           Matches any character within the specified range.
[^a-z]          Matches any character that is not within the specified range.
{n}             The preceding match appears exactly n times (n is a non-negative integer).
{n,}            The preceding match appears at least n times (n is a non-negative integer).
{n,m}           The preceding match appears n to m times (m and n are non-negative integers and n is smaller than or equal to m). There is no space between n and m.

For example:
- ^ip matches a target object that begins with the character string ip.
- ip$ matches a target object that ends with the character string ip.

The simplest regular expressions contain no metacharacters. For example, the regular expression hello matches only the character string hello.

3.10 Shortcut keys

3.10.1 Classifying shortcut keys

The shortcut keys in the system are of the following types:

- User-defined shortcut keys: CTRL_G, CTRL_L and CTRL_O. The user can associate each of these shortcut keys with any command. When the shortcut key is pressed, the system runs the associated command. For information about defining shortcut keys, see 3.10.2, Defining shortcut keys.
- System-defined shortcut keys: shortcut keys with fixed functions defined by the system. Table 3-7 lists the system-defined shortcut keys.

NOTE
Different terminal software programs define these keys differently. Therefore, the shortcut keys available on your terminal may differ from those listed in this section.

Table 3-7 System-defined shortcut keys

Key            Function
CTRL_A         Moves the cursor to the beginning of the current line.
CTRL_B         Moves the cursor one character to the left.
CTRL_C         Terminates the running function.
CTRL_D         Deletes the character at the cursor position.
CTRL_E         Moves the cursor to the end of the current line.
CTRL_F         Moves the cursor one character to the right.
CTRL_H         Deletes one character to the left of the cursor.
CTRL_K         Terminates the outbound connection.
CTRL_N         Displays the next command in the history command buffer.
CTRL_P         Displays the previous command in the history command buffer.
CTRL_R         Redisplays the current line.
CTRL_SHIFT_V   Pastes the contents of the clipboard.
CTRL_T         Kills the outgoing connection while it is being established.
CTRL_U         Deletes all characters up to the cursor.
CTRL_W         Deletes the word or character string to the left of the cursor.
CTRL_X         Deletes all characters to the left of the cursor.
CTRL_Y         Deletes all characters to the right of the cursor.
CTRL_Z         Returns to the user view.
CTRL_]         Terminates the inbound or redirection connection.
ESC_B          Moves the cursor one word to the left.
ESC_D          Deletes the word to the right of the cursor.
ESC_F          Moves the cursor right to the end of the next word.
ESC_N          Moves the cursor down to the next line.
ESC_P          Moves the cursor up to the previous line.

Key            Function
ESC_SHIFT_<    Marks the cursor position as the beginning of the clipboard selection.
ESC_SHIFT_>    Marks the cursor position as the end of the clipboard selection.

3.10.2 Defining shortcut keys

NOTE
When you define a shortcut key, enclose the command in double quotation marks if it contains several words (that is, if the command contains spaces).

Configure shortcut keys as follows in the system view.

Action                 Command
Define shortcut keys.  hotkey { CTRL_G | CTRL_L | CTRL_O } command-text

3.10.3 Using shortcut keys

You can press a shortcut key wherever you can type a command. The system then displays the full associated command. If you have typed part of a command and not yet pressed Enter, pressing the shortcut key clears your input and displays the full associated command, which has the same effect as deleting everything typed and entering the complete command.

Shortcut keys are run as commands: the command text is recorded in the command buffer and in the log, which helps with fault location and later review.

NOTE
The terminal in use can affect the shortcut keys. For example, if a shortcut key customized in the terminal program conflicts with one defined on the router, the key press is captured by the terminal program and the router-side shortcut does not work.

Run the following command in any view to display the shortcut keys.

Action                     Command
View the shortcut keys.    display hotkey

3.11 Configuration examples

3.11.1 Example for using shortcut keys

Defining shortcut keys

Step 1 Associate Ctrl_G with the display ip routing-table command. The command contains spaces, so enclose it in double quotation marks (see the note in 3.10.2).

<Nortel> system-view
[Nortel] hotkey ctrl_g "display ip routing-table"

Step 2 Press Ctrl+G when the prompt appears. The associated command runs.

[Nortel] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
51.51.51.9/32       Direct  0    0     D      127.0.0.1       InLoopBack0
100.2.0.0/16        Direct  0    0     D      100.2.150.51    GigabitEthernet0/0/0
100.2.150.51/32     Direct  0    0     D      127.0.0.1       InLoopBack0
100.2.255.255/32    Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D      127.0.0.1       InLoopBack0

----End

Copying commands using shortcut keys

Step 1 Enter the command in any view.

# Move the cursor to the beginning of the command and press ESC_SHIFT_<. Move the cursor to the end and press ESC_SHIFT_>. Then press CTRL_Cf to copy the command.

<Nortel> display ip routing-table

Step 2 Run the display clipboard command to view the contents of the clipboard.

<Nortel> display clipboard
---------------- CLIPBOARD -----------------
display ip routing-table

Step 3 Press Ctrl+Shift+V to paste the contents of the clipboard.

<Nortel> display ip routing-table

----End

Contents

4 Basic configuration ... 4-1
4.1 Introduction ... 4-2
4.1.1 Extension of command levels ... 4-2
4.1.2 Extension of user levels ... 4-2
4.2 Configuring the basic system environment ... 4-2
4.2.1 Establishing the configuration task ... 4-2
4.2.2 Configuring the device name ... 4-3
4.2.3 Configuring the system clock ... 4-4
4.2.4 Configuring the header text ... 4-4
4.2.5 Configuring the password for switching user levels ... 4-5
4.2.6 Switching user levels ... 4-5
4.2.7 Locking the user interface ... 4-6
4.2.8 Configuring command privilege levels ... 4-6
4.2.9 Displaying system status messages ... 4-6

4 Basic configuration

About this chapter

The following list shows the contents of this chapter.

4.1 Introduction: provides an introduction to basic configuration.
4.2 Configuring the basic system environment: describes how to configure the basic system environment on the router.

4.1 Introduction

Before you configure the services, you need to configure the basic system environment, including the system name and system time.

4.1.1 Extension of command levels

By default, the product supports command levels 0 to 3, which correspond to the visit, monitoring, configuration, and management levels respectively. Four levels are too coarse for fine-grained authorization of users on the device, and the product cannot interwork with devices that use command levels 0 to 15.

By extending command levels, you advance command levels 0 to 3 to levels 0 to 15 in one batch. If the levels of individual commands have not been modified, all command levels are adjusted as follows:
Commands at levels 0 and 1 remain unchanged.
Commands at level 2 are advanced to level 10.
Commands at level 3 are advanced to level 15.

After the batch advancement, no commands exist at levels 2 to 9 and 11 to 14. These levels do not correspond to the visit, monitoring, configuration, or management levels. You can move individual commands to levels 2 to 9 and 11 to 14 to build finer-grained user authorization, for example to give an operator a few configuration commands without granting the whole level-10 set. The batch advancement of levels 2 and 3 to levels 10 and 15 is performed once, in a single operation.

4.1.2 Extension of user levels

If you extend the command levels from 0 to 3 to 0 to 15, you must also extend the user levels from 0 to 3 to 0 to 15. A user can run only commands at or below the user's own level, so a user left at level 2 after the rearrangement can no longer run the configuration commands that moved to level 10.

4.2 Configuring the basic system environment

4.2.1 Establishing the configuration task

Applicable environment

Before you configure the services, you need to configure the basic system environment to meet your requirements.

Preconfiguration tasks

Before you configure the basic system environment, power on the router.

Data preparation

To configure the basic system environment, you need the following data.

No. Data
1 Language mode
2 System time
3 Host name
4 Password for switching user levels
5 Command level
6 Logon information

Configuration procedures

No. Procedure
1 Configuring the device name
2 Configuring the system clock
3 Configuring the header text
4 Configuring the password for switching user levels
5 Switching user levels
6 Locking the user interface
7 Configuring command privilege levels
8 Displaying system status messages

4.2.2 Configuring the device name

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
sysname host-name
This command configures the device name.

----End

You can change the name of the router that appears in the command prompt.

4.2.3 Configuring the system clock

Do as follows on the router:

Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
This command configures the Coordinated Universal Time (UTC) standard time.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset
This command configures the time zone.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
Or:
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | fifth | last } weekday month | start-date } end-time { { first | second | third | fourth | fifth | last } weekday month | end-date } offset [ start-year [ end-year ] ]
This command configures daylight saving time.

----End

To guarantee compatibility with other devices, you must set the system time accurately. You can also configure the time zone and daylight saving time. Accurate time also matters for security: log and trap timestamps can only be correlated across devices if their clocks agree.

4.2.4 Configuring the header text

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
header login { information text | file file-name }
This command configures the header text displayed before logon.

Step 3 Run:
header shell { information text | file file-name }
This command configures the header text displayed after logon.

----End

Header text is the prompt displayed by the system when users connect to the router, log on, or begin configuration. Configure the header text to provide detailed information.

4.2.5 Configuring the password for switching user levels

When simple is used, the password is saved in the configuration file in plain text. Logon users with a lower access level can retrieve the password by viewing the configuration, which defeats the purpose of the level switch. Therefore, use cipher to save the password in encrypted form. When cipher is used, the password cannot be retrieved from the system, so do not lose or forget it.

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
super password [ level user-level ] { simple | cipher } password
This command configures the password for switching user levels.

----End

When users log on to the router with a lower user level, they can switch to a higher user level to perform advanced operations by entering the corresponding password. The password must be configured in advance.

4.2.6 Switching user levels

Do as follows on the router:

Run:
super [ level ]
This command switches the user level.

To switch from a lower level to a higher level, the user must enter the correct password. You can also use HWTACACS authentication for the user level switch. For configuration details, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).

NOTE
When a logon user of a lower level switches to a higher level through super, the system automatically sends trap messages and records the switchover in the log. When the user switches to a lower level, the system only records the switchover in the log.

4.2.7 Locking the user interface

Do as follows on the router:

Run:
lock
This command locks the user interface.

When you leave the terminal, lock the user interface to prevent unauthorized users from operating it. You must enter the correct password to unlock the user interface.

4.2.8 Configuring command privilege levels

Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
command-privilege level rearrange
This command advances the command levels in a batch.

Step 3 Run:
command-privilege level level view view-name command-key
This command configures the level of an individual command.

----End

NOTE
All commands have default views and privilege levels and need not be reconfigured. When you run the command-privilege level rearrange command, the system prompts you to configure a super password for level-15 users if one is not already configured. If you answer N, you must set that password first. If you answer Y, the command levels are advanced in a batch. In the latter case, the user levels can be advanced only when you log on to the router through the console port.

4.2.9 Displaying system status messages

You can use the display commands to view the following status messages:
system configuration messages
system working status messages
system statistics messages
restart messages on the Active Main Board (AMB)

The following sections show only the system display commands. For information about display commands for protocols and interfaces, see the related sections in this document. You can run the following commands in all views.

Commands displaying system configuration

Run the following commands as required:
display version: displays the system version.
display clock: displays the system time.
display users [ all ]: displays the terminal users.
display saved-configuration: displays the saved (startup) configuration.
display current-configuration: displays the running configuration.

Commands displaying system status

Run the following commands as required:
display debugging [ interface interface-type interface-number ] [ module-name ]: displays the debugging status.
display this: displays the configuration of the current view.

Commands displaying system statistics

Run the following command as required:
display diagnostic-information [ file-name ]: displays system diagnosis information.

When the system fails or during routine maintenance, you need to collect detailed information to locate the fault. Rather than running many display commands one by one, use display diagnostic-information to collect the running information of the current modules in the system. It collects the output of display clock, display version, display cpu, display interface, display current-configuration, display saved-configuration, and display history-command. Because that output includes the configuration and the command history, treat the collected file as sensitive.

Displaying RPU restart information

Run one or both of the following commands as required:
display system restart: displays information about the last 10 AMB restarts.
display system slave-restart: displays information about the last 10 Slave Main Board (SMB) restarts.

The restart time and possible causes are displayed.
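The level rearrangement described in 4.1.1, 4.1.2 and 4.2.8, modelled as an added example (this is not code from the Nortel guide). The mapping is the batch advancement the guide states; the command names and their default levels are constructed for illustration, and the access rule is the one given in 5.1.2 (a user may run commands at or below the user's own level). The point it makes is the one a practitioner trips over: after the rearrangement, user levels must be extended too, and the empty levels can carry a narrow set of commands.

```python
"""Model of the Secure Router 8000 command-level rearrangement (sections 4.1.1,
4.1.2 and 4.2.8). Added example, not code from the Nortel guide. The command
names and their default levels below are constructed for illustration."""

# Batch mapping performed by `command-privilege level rearrange` (4.1.1):
# levels 0 and 1 unchanged, 2 -> 10, 3 -> 15.
REARRANGE_MAP = {0: 0, 1: 1, 2: 10, 3: 15}

# Constructed sample: a few commands with levels in the default 0-3 scheme.
DEFAULT_LEVELS = {
    "ping": 0,                 # visit level
    "display version": 1,      # monitoring level
    "sysname": 2,              # configuration level
    "super password": 3,       # management level
}


def rearrange(levels):
    """Apply the batch advancement to every command still at a default level."""
    return {cmd: REARRANGE_MAP[lvl] for cmd, lvl in levels.items()}


def can_run(user_level, cmd_level):
    """Access rule from 5.1.2: a user may run commands at or below the user's level."""
    return cmd_level <= user_level


def set_command_level(levels, cmd, new_level):
    """Model `command-privilege level <new_level> view <view> <cmd>` (4.2.8).
    Levels 2-9 and 11-14 are empty after the rearrangement and exist for this."""
    if not 0 <= new_level <= 15:
        raise ValueError(f"command level {new_level} out of range 0-15")
    updated = dict(levels)
    updated[cmd] = new_level
    return updated


def runnable_commands(levels, user_level):
    """Commands a user of the given level may run, sorted for stable output."""
    return sorted(cmd for cmd, lvl in levels.items() if can_run(user_level, lvl))


def extend_user_level(old_level):
    """4.1.2: user levels must be advanced with the same mapping, otherwise users
    silently lose the commands that moved up."""
    return REARRANGE_MAP[old_level]


if __name__ == "__main__":
    extended = rearrange(DEFAULT_LEVELS)
    # A level-2 operator could run `sysname` before the rearrangement...
    print(runnable_commands(DEFAULT_LEVELS, 2))
    # ...but afterwards the same user level 2 reaches only visit/monitoring commands.
    print(runnable_commands(extended, 2))
    # Advancing the user level as 4.1.2 requires restores the configuration commands.
    print(runnable_commands(extended, extend_user_level(2)))
    # Least privilege: move `sysname` to the empty level 5 so a level-5 operator
    # can rename the device without receiving the rest of level 10.
    narrowed = set_command_level(extended, "sysname", 5)
    print(runnable_commands(narrowed, 5))
```

Run it once before and once after `extend_user_level` to see the gap that 4.1.2 warns about; the same comparison is what to check on a real device with display current-configuration after running command-privilege level rearrange.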

Contents

5 User management
5.1 Introduction
5.1.1 User interface view
5.1.2 User management
5.2 Configuring a user interface
5.2.1 Establishing the configuration task
5.2.2 Transmitting messages between user interfaces
5.2.3 Configuring asynchronous interface attributes
5.2.4 Setting terminal attributes
5.2.5 Configuring the user interface priority
5.2.6 Configuring modem attributes
5.2.7 Configuring an auto-execute command
5.2.8 Configuring the redirection function
5.2.9 Configuring the call-in or call-out restrictions of the VTY user interface
5.2.10 Configuring the maximum number of VTY user interfaces
5.2.11 Configuring the authentication timeout for VTY users
5.2.12 Disconnecting a user interface
5.2.13 Checking the configuration
5.3 Configuring user management
5.3.1 Establishing the configuration task
5.3.2 Configuring the authentication mode
5.3.3 Configuring the authentication password
5.3.4 Configuring the user name and password for AAA local authentication
5.3.5 Configuring the user priority
5.3.6 Checking the configuration
5.4 Configuring local user management
5.4.1 Establishing the configuration task
5.4.2 Creating the local user account
5.4.3 Configuring the service type of the local user
5.4.4 Configuring FTP directory authority for the local user
5.4.5 Configuring the local user status
5.4.6 Configuring the local user priority
5.4.7 Configuring the access restriction of the local user
5.4.8 Checking the configuration
5.5 Configuration examples
5.5.1 Example of logging on to the router through password authentication
5.5.2 Example of logging on to the router through AAA

Tables
Table 5-1 Examples of absolute numbering

5 User management

About this chapter

The following list shows the contents of this chapter.

5.1 Introduction: describes the basic concepts of the user interface and user management.
5.2 Configuring a user interface: describes how to configure and manage the physical and logical interfaces in asynchronous interactive mode.
5.3 Configuring user management: describes how to manage and authenticate users that log on to the router.
5.4 Configuring local user management: describes how to configure local user management.
5.5 Configuration examples: provides examples for logging on to the router.

5.1 Introduction

This section describes the concepts you need to know before you configure user management:
User interface view
User management

5.1.1 User interface view

The user interface view is a command line view that you can use to configure and manage all the physical and logical interfaces in asynchronous mode.

User interfaces supported by the system

The system supports the following user interfaces:

Console port (CON)
The console port is a serial port provided by the main control unit of the router. The main control unit provides one EIA/TIA-232 DCE console port for local configuration by directly connecting a terminal to the router.

Auxiliary port (AUX)
The main control unit of the router provides the auxiliary port, which is a line device port. The main control unit has one EIA/TIA-232 DTE AUX port, which is used by a terminal to access the router through a modem.

Virtual terminal line (VTY)
The virtual port is a logical terminal line. A VTY is the Telnet or SSH connection with the router from a terminal, and is used for local or remote access to the router.

User interface numbering

The user interface numbering methods are as follows:

Relative numbering
The format of relative numbering is user interface type + number. Relative numbering uniquely identifies a single user interface or a group of user interfaces of the same type. It must comply with the following rules:
Number of the console port: CON 0
Number of the auxiliary port: AUX 0
Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on

Absolute numbering
Absolute numbering specifies a user interface or a group of user interfaces with a single number. The numbering starts at 0 and proceeds in the order CON > AUX > VTY. There is one console port, one AUX port, and up to 15 VTY interfaces. You can use the user-interface maximum-vty command to set the maximum number of VTY user interfaces. The default is 5.

Table 5-1 shows the absolute numbers of the user interfaces in the system.

Table 5-1 Examples of absolute numbering

Absolute number   User interface
0                 CON0
33                AUX0
34                The first virtual interface (VTY0)
35                The second virtual interface (VTY1)
36                The third virtual interface (VTY2)
37                The fourth virtual interface (VTY3)
38                The fifth virtual interface (VTY4)

NOTE
For different types of devices, the absolute numbers of the AUX interface and the VTY interfaces may vary. The numbers from 1 to 32 are reserved for TTY user interfaces. Run the display user-interface command to view the absolute numbers of the user interfaces.

5.1.2 User management

User classification

When a router is powered on for the first time, no user name or password is configured. As a result, anyone who connects a PC to the console port can configure the router. A remote user can access the router through Telnet if the router is configured with the IP address of the Routing Process Unit (RPU) or of an interface board, and can access the network by establishing a Point-to-Point Protocol (PPP) connection with the router. Configure user names and passwords for the router to ensure network security and to improve user management.

Users of a router are classified as follows, based on the services they use:
HyperTerminal users: Access the router through the console port or the AUX port.
Telnet users: Access the router through Telnet.
File Transfer Protocol (FTP) users: Establish FTP connections with the router to transfer files.
Point-to-Point Protocol (PPP) users: Establish PPP connections (such as dial-up and PPPoA) with the router to access the network.
Secure Shell (SSH) users: Establish SSH connections with the router to access it over an encrypted channel.

User level

The system provides hierarchical management of HyperTerminal users and Telnet users. Logon users have the same 16 levels as commands, numbered from 0 to 15. The higher the number, the higher the privilege.

User authentication

A user can access commands with a level equal to or lower than the user's level. For example, if the user level is 2, the user can access commands at levels 0, 1, and 2. A user at the highest level (3 by default, or 15 after the levels are extended as described in 4.1.1) can access all the commands.

NOTE
For information about command levels, see Chapter 3, CLI Overview.

After user configuration, the system authenticates users when they access the router. The three types of user authentication are as follows:
Nonauthentication: A user accesses the router without a user name or password. This type is not recommended for security reasons.
Password authentication: A user accesses the router with only a password, not a user name. This type is safer than nonauthentication, but the password is shared by everyone using the line, so actions cannot be attributed to an individual.
Authentication, Authorization and Accounting (AAA) authentication: AAA supports local authentication and remote authentication. In local authentication a user needs both a user name and a password to access the router. Remote authentication cooperates with an AAA server, which authenticates PPP users. AAA local authentication authenticates Telnet and HyperTerminal users.

User planning

The network administrator provides a user plan based on specific requirements:
At least one HyperTerminal user is created on a router.
A Telnet user is created for remote access.
An FTP user uploads or downloads files on a router from a remote location.
A PPP user can access networks through PPP connections.

NOTE
For information about configuring FTP users, see Chapter 8, FTP, TFTP, and Xmodem. For information about configuring PPP users, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).

5.2 Configuring a user interface

5.2.1 Establishing the configuration task

Applicable environment

To guarantee a secure logon, do as follows:
Confirm the user interface type and configure the logon parameters for the user interface.
Classify the logon user level and configure the authentication mode for the user.
Configure the terminal services.

This section describes how to configure a user interface.

Preconfiguration tasks

Before you configure a user interface, complete the following tasks:
Power on the router.
Connect the PC to the router.

Data preparation

To configure a user interface, you need the following data.

No. Data
1 Transmission rate (optional)
2 Flow control mode (optional)
3 Parity mode (optional)
4 Stop bits (optional)
5 Data bits (optional)
6 Terminal user timeout (optional)
7 Length of the terminal screen (optional)

NOTE
The default values for these data items are stored on the router and do not need additional configuration.

Configuration procedures

No. Procedure
1 Transmitting messages between user interfaces
2 Configuring asynchronous interface attributes
3 Setting terminal attributes
4 Configuring the user interface priority
5 Configuring modem attributes
6 Configuring an auto-execute command
7 Configuring the redirection function
8 Configuring the call-in or call-out restrictions of the VTY user interface
9 Configuring the maximum number of VTY user interfaces
10 Configuring the authentication timeout for VTY users
11 Disconnecting a user interface
12 Checking the configuration

NOTE
You can configure one or more user interfaces simultaneously.

5.2.2 Transmitting messages between user interfaces

Do as follows on the router that the user logs on to:

Run:
send { all | ui-number | ui-type ui-number1 }
The message is transmitted to the specified user interfaces.

5.2.3 Configuring asynchronous interface attributes

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 (Optional) Run:
speed speed-value
The transmission rate is set. By default, the transmission rate is 9600 bit/s.

Step 4 (Optional) Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow control mode is none.

Step 5 (Optional) Run:
parity { even | mark | none | odd | space }
The parity mode is set. By default, the value is none.

Step 6 (Optional) Run:
stopbits { 1.5 | 1 | 2 }
The number of stop bits is set. By default, the value is 1.

Step 7 (Optional) Run:
databits { 5 | 6 | 7 | 8 }
The number of data bits is set.

By default, the number of data bits is 8.

----End

5.2.4 Setting terminal attributes

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
shell
The terminal service starts.

Step 4 Run:
idle-timeout minutes [ seconds ]
This command configures the idle timeout period. Keep it short enough that an unattended session is disconnected; a timeout of 0 disables the check and leaves an abandoned session open indefinitely.

Step 5 Run:
screen-length screen-length
This command configures the terminal screen length.

Step 6 Run:
history-command max-size size-value
This command configures the size of the history command buffer.

----End

5.2.5 Configuring the user interface priority

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
user privilege level level
This command configures the priority (user level) of the user interface. Grant the lowest level that suffices.

----End

5.2.6 Configuring modem attributes

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface aux 0
The user interface view appears.

Step 3 Run:
modem timer answer seconds
This command configures the interval between the system receiving the ring signal and waiting for CD_UP, that is, the time from the modem answer to carrier detection.

Step 4 Run:
modem auto-answer
This command configures automatic answer.

Step 5 Run:
modem [ both | call-in ]
This command permits incoming and outgoing calls, or incoming calls only.

----End

5.2.7 Configuring an auto-execute command

Use the auto-execute command command carefully because it can make the system impossible to configure through that user interface. Before you configure this command and save the configuration, ensure that you can remove the configuration by logging on to the system in another way, such as through the console port.

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface aux 0
The user interface view appears.

Step 3 Run:
auto-execute command command
This command configures the auto-execute command.

----End

5.2.8 Configuring the redirection function

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
redirect
This command enables the Telnet redirection function.

----End

5.2.9 Configuring the call-in or call-out restrictions of the VTY user interface

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
acl acl-number { inbound | outbound }
This command applies an ACL to the VTY user interface. inbound restricts which hosts may log on to the router through the VTY (call-in); outbound restricts the destinations a user may Telnet to from the router (call-out). Restrict inbound access to the management hosts that need it.

----End

5.2.10 Configuring the maximum number of VTY user interfaces

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface maximum-vty number
This command configures the maximum number of VTY user interfaces.

----End

In Step 2, you configure the maximum number of users that can log on to the router at the same time.

If the maximum number of VTY user interfaces that you configure is less than the current maximum number, no other configuration is required.

If the maximum number of VTY user interfaces that you configure is greater than the current maximum number, you must configure the authentication mode and password for the newly added user interfaces. By default, the newly added user interfaces use password authentication, but no password is set for them, so the system prompts:
Warning:Login password has not been set!

For example, if the current maximum number of VTY users is 5 and you need to change the maximum number to 15, run the authentication-mode and set authentication password commands to configure the authentication mode and the password for VTY user interfaces 5 to 14. The configuration is as follows:
<Nortel> system-view
[Nortel] user-interface maximum-vty 15
[Nortel] user-interface vty 5 14
[Nortel-ui-vty5-14] authentication-mode password
[Nortel-ui-vty5-14] set authentication password cipher nortel

5.2.11 Configuring the authentication timeout for VTY users

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
authorization-cmd timeout timeout-value
This command configures the authorization and authentication timeout for command line authorization.

----End

The Secure Router 8000 Series supports HWTACACS command line authorization based on the logon user level or the name of the SSH user. When command line authorization is configured, every command a user enters must be authorized by the HWTACACS server before it runs. If the router receives no response from the HWTACACS server before the timeout expires, it treats the authorization as failed and the entered command is not run. This fails closed: an unreachable authorization server blocks commands rather than allowing them, so size the timeout and the server's availability accordingly.

5.2.12 Disconnecting a user interface

Do as follows on the router that the user logs on to:

Run:
free user-interface { ui-number | ui-type ui-number1 }
This command disconnects the specified user interface.

5.2.13 Checking the configuration

Run the following commands to check the previous configuration.

Action: Command
Check information about user interface usage: display users [ all ]
Check the maximum number of VTY user interfaces: display user-interface maximum-vty
Check the physical attributes and configuration of the user interface: display user-interface [ ui-type ui-number ] [ summary ]
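Absolute and relative user-interface numbering (5.1.1, Table 5-1), as an added example that is not code from the guide. It is meant for reading display user-interface output (5.2.13) and for working out which lines a user-interface [ ui-type ] first-ui-number [ last-ui-number ] command addresses. It assumes the offsets in Table 5-1 (CON0 = 0, absolute numbers 1 to 32 reserved for TTY, AUX0 = 33, VTYn = 34 + n) and the 15-VTY limit; the guide notes that the offsets may differ on other devices, so confirm them with display user-interface first.

```python
"""Absolute <-> relative user-interface numbering for the Secure Router 8000
(section 5.1.1, Table 5-1). Added example, not code from the Nortel guide.
Offsets assume Table 5-1: CON0 = 0, 1-32 reserved for TTY, AUX0 = 33, VTYn = 34 + n."""

CON_ABS = 0
TTY_ABS = range(1, 33)    # reserved; TTY lines are not configured in this guide
AUX_ABS = 33
VTY_ABS = 34
VTY_LIMIT = 15            # at most 15 VTYs (5.1.1); maximum-vty defaults to 5


def to_absolute(ui_type, number):
    """Relative (type, number) -> absolute number. Raises for a line that cannot exist."""
    ui_type = ui_type.lower()
    if ui_type == "con" and number == 0:
        return CON_ABS
    if ui_type == "aux" and number == 0:
        return AUX_ABS
    if ui_type == "vty" and 0 <= number < VTY_LIMIT:
        return VTY_ABS + number
    raise ValueError(f"no such user interface: {ui_type} {number}")


def to_relative(absolute):
    """Absolute number -> (TYPE, number), the form shown by `display user-interface`."""
    if absolute == CON_ABS:
        return ("CON", 0)
    if absolute in TTY_ABS:
        return ("TTY", absolute)
    if absolute == AUX_ABS:
        return ("AUX", 0)
    if VTY_ABS <= absolute < VTY_ABS + VTY_LIMIT:
        return ("VTY", absolute - VTY_ABS)
    raise ValueError(f"no user interface has absolute number {absolute}")


def expand_user_interface(command, max_vty=5):
    """Expand `user-interface [ui-type] first [last]` into the lines it addresses.
    With a type the numbers are relative; without one they are absolute.
    'active' is False for VTYs at or above the configured maximum-vty: such lines
    can be configured but accept no connection until maximum-vty is raised."""
    parts = command.split()
    if len(parts) < 2 or parts[0] != "user-interface":
        raise ValueError(f"not a user-interface command: {command!r}")
    if parts[1].isdigit():                      # absolute range
        first, last = int(parts[1]), int(parts[-1])
        absolutes = list(range(first, last + 1))
    else:                                       # relative range for one type
        first, last = int(parts[2]), int(parts[-1])
        absolutes = [to_absolute(parts[1], n) for n in range(first, last + 1)]
    lines = []
    for a in absolutes:
        ui_type, n = to_relative(a)
        lines.append({"type": ui_type, "number": n, "absolute": a,
                      "active": ui_type != "VTY" or n < max_vty})
    return lines


if __name__ == "__main__":
    # VTY5..VTY14 are absolute 39..48 and stay inactive while maximum-vty is 5.
    for line in expand_user_interface("user-interface vty 5 14", max_vty=5):
        print(line)
    # An absolute range crosses types: AUX0, VTY0, VTY1.
    print(expand_user_interface("user-interface 33 35"))
```

The 'active' flag is the practical reason to care: the example in 5.2.10 configures vty 5 14 only after raising maximum-vty to 15, and a line configured below the limit but never raised is not an entry point.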

5.3 Configuring user management

5.3.1 Establishing the configuration task

Applicable environment

This section describes how to configure user priority and authentication. Remote users can log on to the router through Telnet, or establish a PPP connection with the router to access networks, if the router is configured with the IP address of the MCU or that of an interface board. To ensure network security and improve user management, configure a user name and password for the router.

Preconfiguration tasks

Before you configure user management, complete the following tasks:
Power on the router.
Connect the PC to the router.

Data preparation

To configure user management, you need the following data.

No. Data
1 Authentication mode
2 User name and password
3 User priority

Configuration procedures

No. Procedure
1 Configuring the authentication mode
2 Configuring the authentication password
3 Configuring the user name and password for AAA local authentication
4 Configuring the user priority
5 Checking the configuration

5.3.2 Configuring the authentication mode

Do as follows on the router that the user logs on to:

Step 1 Run:

system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
authentication-mode { none | password | aaa }
This command configures the authentication mode of the user interface: none for nonauthentication, password for password authentication (the mode used in the example in 5.2.10), or aaa for AAA authentication. Do not use none on a VTY that is reachable from the network.

----End

5.3.3 Configuring the authentication password

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
set authentication password { cipher | simple } password
This command configures the authentication password. As with the super password (4.2.5), simple stores the password in plain text in the configuration file; use cipher.

----End

NOTE
The default authentication mode is password authentication.

5.3.4 Configuring the user name and password for AAA local authentication

Do as follows on the router that the user logs on to:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
authentication-mode aaa
This command sets the user interface to AAA authentication, so that logon users are checked against the local user accounts configured in the following steps instead of a shared line password.

Step 4 Run:
quit
The system view appears again.

Step 5 Run:
aaa
The AAA view appears.

Step 6 Run:
local-user user-name password { simple | cipher } password
This command configures the local user name and password.

----End

5.3.5 Configuring the user priority

For information, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).

5.3.6 Checking the configuration

Run the following commands to check the previous configuration.

Action: Command
Check user information: display users [ all ]
Check information for local users: display local-user
Check information for access users: display access-user

5.4 Configuring local user management

5.4.1 Establishing the configuration task

Applicable environment

You can create and manage separate local users on the broadband access server.

Preconfiguration tasks

None

Data preparation

To configure local user management, you need the following data.

No. Data
1 User name and password
2 Service type of the local user
3 FTP directory of the local user
4 Status of the local user
5 Maximum number of local users

Configuration procedures

No. Procedure
1 Creating the local user account
2 Configuring the service type of the local user
3 Configuring FTP directory authority for the local user
4 Configuring the local user status
5 Configuring the local user priority
6 Configuring the access restriction of the local user
7 Checking the configuration

5.4.2 Creating the local user account

Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name password { simple | cipher } password
This command creates the local user account.

----End

5.4.3 Configuring the service type of the local user

Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name service-type { ftp | ppp | ssh | telnet | terminal } *
This command configures the service types the local user may use.

----End

NOTE
By configuring the service type of the local user, you can manage users based on service type. Grant only the services each account needs: an account used for SSH administration does not need ftp or ppp, and Telnet sends the password across the network in clear text, so prefer ssh for remote administration.

5.4.4 Configuring FTP directory authority for the local user

Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name ftp-directory directory
This command configures the FTP directory the local user may access.

----End

5.4.5 Configuring the local user status

Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name state { active | block }
This command configures the local user status.
----End

5.4.6 Configuring the local user priority
Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name level level
This command configures the local user priority.
----End

5.4.7 Configuring the access restriction of the local user
Do as follows on the broadband access router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
aaa
The AAA view appears.

Step 3 Run:
local-user user-name access-limit access-limit
This command configures access restriction for the local user.
----End

5.4.8 Checking the configuration
Run the following command to check the previous configuration.

Action                                    Command
Check the attributes of the local user.   display local-user [ domain domain-name | user-name user-name ]

5.5 Configuration examples
After you complete the following two configuration examples, the current user VTY0 cannot run commands at levels higher than 2. Ensure that you can log on to the router through other methods to delete the configuration.

This section provides the following examples:
Example of logging on to the router through password
Example of logging on to the router through AAA

5.5.1 Example of logging on to the router through password authentication

Networking requirements
The COM port of the PC is connected with the console port. Set the priority of VTY0 to 2 and authenticate the passwords of users. Users must enter the password Nortel to successfully log on. After logon, if operations are not performed within 30 minutes, the user interface is disconnected from the router.

Configuration roadmap
1. Enter the user interface.
2. Configure the priority of VTY0 as 2.
3. Configure simple authentication and the disconnect time.

Data preparation
To complete the configuration, you need the following data:
password of the authentication mode
connection time

Configuration procedure
<Nortel> system-view
[Nortel] user-interface vty 0
[Nortel-ui-vty0] user privilege level 2
[Nortel-ui-vty0] authentication-mode password
[Nortel-ui-vty0] set authentication password simple nortel
[Nortel-ui-vty0] idle-timeout 30

# Use the display this command to check all configurations.
[Nortel-ui-vty0] display this
#
user-interface con 0
user-interface aux 0
user-interface vty 0
 user privilege level 2
 set authentication password simple nortel
 idle-timeout 30 0
user-interface vty 1 4
#
return

# Use the display current-configuration command to view the system files.
[Nortel] display current-configuration
#
 sysname Nortel
#
user-interface con 0
user-interface aux 0
user-interface vty 0
 user privilege level 2
 set authentication password simple nortel
 idle-timeout 30 0
user-interface vty 1 4
#
return

Configuration files
#
 sysname Nortel
#
user-interface vty 0
 user privilege level 2
 set authentication password simple nortel
 idle-timeout 30 0
#
return

5.5.2 Example of logging on to the router through AAA

Networking requirements
The COM port of the PC and the console port of the router are connected.

Configure the priority of VTY0 to 2, and perform AAA authentication on the user that logs on through VTY 0. The logon user must enter the user name Nortel and the password Nortel. After logon, if the user does not operate the router within 30 minutes, the connection with the router is disabled.

Configuration roadmap
1. Enter the user interface view to configure the priority of VTY0 to 2 and configure the disconnection time.
2. Enter the AAA view to configure the user name, password, and user level.

Data preparation
To complete the configuration, you need the following data.
user name and password for authentication
disconnection time

Configuration procedure
<Nortel> system-view
[Nortel] user-interface vty 0
[Nortel-ui-vty0] user privilege level 2
[Nortel-ui-vty0] authentication-mode aaa
[Nortel-ui-vty0] idle-timeout 30
[Nortel-ui-vty0] quit
[Nortel] aaa
[Nortel-aaa] local-user nortel password cipher nortel
[Nortel-aaa] local-user nortel level 2

Configuration files
#
 sysname Quidway
#
aaa
 local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user huawei level 2
 local-user huawei idle-cut
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30 0
#
return
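As an added example that is not part of the Nortel guide: a small Python audit that scans a saved configuration in the format of the two examples above and flags the settings a reviewer would question, namely passwords saved with the simple keyword (readable in the file, unlike cipher), VTY user interfaces with no authentication-mode or idle-timeout saved, and user or privilege levels above a threshold. The sample configuration is constructed for this example; the user name backup, its level and the level threshold are assumptions, not values from the guide.

```python
import re

# Constructed sample in the style of the 5.5 configuration files (not from a
# real device): one user and one VTY line use the 'simple' form, the others
# the 'cipher' form or AAA.
SAMPLE_CONFIG = """\
#
 sysname Nortel
#
aaa
 local-user nortel password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user nortel level 2
 local-user backup password simple backup
 local-user backup level 3
#
user-interface con 0
user-interface aux 0
user-interface vty 0
 authentication-mode password
 set authentication password simple nortel
 user privilege level 2
 idle-timeout 30 0
user-interface vty 1 4
 authentication-mode aaa
 user privilege level 3
#
return
"""


def split_user_interfaces(config_text):
    """Map each 'user-interface ...' header to the indented lines under it.

    Any non-indented line (a '#' separator, 'aaa', 'return', the next
    header) ends the current block, matching the section layout of the
    saved configuration files shown above.
    """
    blocks, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("user-interface "):
            current = line.strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(config_text, max_level=2):
    """Return a list of human-readable findings; an empty list means nothing flagged.

    max_level is an assumed policy threshold (the examples above set VTY0 to
    level 2); adjust it to the site's own rule.
    """
    findings = []

    # 'password simple' keeps the secret readable in the saved file;
    # 'cipher', the other keyword the guide documents, does not.
    for m in re.finditer(r"^\s*local-user (\S+) password simple ", config_text, re.M):
        findings.append(f"local-user {m.group(1)}: password saved with 'simple' (plaintext)")

    for m in re.finditer(r"^\s*local-user (\S+) level (\d+)", config_text, re.M):
        if int(m.group(2)) > max_level:
            findings.append(f"local-user {m.group(1)}: level {m.group(2)} exceeds {max_level}")

    for name, lines in split_user_interfaces(config_text).items():
        if not name.startswith("user-interface vty"):
            continue  # only the remote (VTY) lines are reviewed here
        if not any(l.startswith("authentication-mode ") for l in lines):
            findings.append(f"{name}: no authentication-mode saved (default applies)")
        if any(l.startswith("set authentication password simple") for l in lines):
            findings.append(f"{name}: line password saved with 'simple' (plaintext)")
        if not any(l.startswith("idle-timeout ") for l in lines):
            findings.append(f"{name}: no idle-timeout saved (default applies)")
        for l in lines:
            m = re.match(r"user privilege level (\d+)", l)
            if m and int(m.group(1)) > max_level:
                findings.append(f"{name}: privilege level {m.group(1)} exceeds {max_level}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of display current-configuration or display saved-configuration pasted into a file; because default parameters are not written to the file, a missing idle-timeout or authentication-mode is reported as "default applies" rather than as a definite weakness, and the operator decides whether the default is acceptable.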

Contents
6 File system management...6-1
6.1 Introduction...6-2
6.1.1 File system...6-2
6.1.2 Storage devices...6-2
6.1.3 Files...6-2
6.1.4 Directories...6-2
6.2 Managing directories...6-2
6.2.1 Establishing the configuration task...6-2
6.2.2 Viewing the current directory...6-3
6.2.3 Switching the directory...6-3
6.2.4 Displaying the files in a directory...6-4
6.2.5 Creating a directory...6-4
6.2.6 Deleting a directory...6-4
6.3 Managing files...6-5
6.3.1 Displaying the contents of a file...6-5
6.3.2 Copying a file...6-6
6.3.3 Moving a file...6-6
6.3.4 Renaming a file...6-6
6.3.5 Deleting a file...6-7
6.3.6 Deleting files in the recycle bin...6-7
6.3.7 Restoring files...6-7
6.4 Configuring batch configuration...6-8
6.5 Managing storage devices...6-8
6.6 Configuring prompt modes...6-9
6.7 Example of configuring directory management...6-10

6 File system management

About this chapter
The following table shows the contents of this chapter.

Section                                            Description
6.1 Introduction                                   This section provides an overview of file system concepts.
6.2 Managing directories                           This section describes how to configure directory management.
6.3 Managing files                                 This section describes how to configure file management.
6.4 Configuring batch configuration                This section describes how to execute the batch process.
6.5 Managing storage devices                       This section describes how to manage storage devices.
6.6 Configuring prompt modes                       This section describes how to configure the prompt mode.
6.7 Example of configuring directory management    This section provides an example of configuring directory management.

6.1 Introduction
This section describes the concepts that you need to know before you configure a file system:
File system
Storage devices
Files
Directories

6.1.1 File system
The file system manages the files and directories in the storage devices. It can create, delete, modify, and rename a file or directory and display the contents of a file. The file system has two functions: managing the storage devices and managing the files that are stored in those storage devices.

6.1.2 Storage devices
Storage devices are hardware devices for storing messages. The storage device of the Secure Router 8000 Series is flash memory. The SR8012 can also use the compact flash (CF) as the storage device.

6.1.3 Files
A file is a mechanism by which the system stores and manages messages.

6.1.4 Directories
A directory is a mechanism by which the system integrates and organizes files. It is the logical container of files.

6.2 Managing directories

6.2.1 Establishing the configuration task

Applicable environment
When you need to transfer files between the client and the server, use the file system to configure the directory.

Preconfiguration tasks
Before you configure the file system, complete the following tasks:
Power on the router.
Connect the client with the server.

Data preparation
To configure a file system, you need the following data.

No.  Data
1    Name of the directory to create
2    Name of the directory to delete

Configuration procedures

No.  Procedure
1    Viewing the current directory
2    Switching the directory
3    Displaying the files in a directory
4    Creating a directory
5    Deleting a directory

6.2.2 Viewing the current directory
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
pwd
This command displays the current directory.
----End

6.2.3 Switching the directory

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the specified directory.

Step 3 Run:
pwd
This command displays the current directory.
----End

6.2.4 Displaying the files in a directory

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the specified directory.

Step 3 Run:
dir [ /all ] [ filename ]
This command displays the file list in the directory. By default, the dir command displays only the file information for the current directory.
----End

6.2.5 Creating a directory
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the specified directory. This is the parent directory of the new directory.

Step 3 Run:
mkdir directory
This command creates the new directory.
----End

6.2.6 Deleting a directory
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the parent directory of the directory to delete.

Step 3 Run:
rmdir directory
This command deletes the directory.
----End

6.3 Managing files

Applicable environment
Configure the file system to transfer files between the client and the server.

Preconfiguration tasks
Before you configure the file system, complete the following tasks:
Power on the router.
Connect the client with the server.

Data preparation
To configure a file system, you need the following data.

No.  Data
1    Name of the file to create
2    Name of the file to delete

Configuration procedures

No.  Procedure
1    Displaying the contents of a file
2    Copying a file
3    Moving a file
4    Renaming a file
5    Deleting a file
6    Deleting files in the recycle bin
7    Restoring files

6.3.1 Displaying the contents of a file
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the directory that contains the file.

Step 3 Run:
more filename
This command displays the file contents.
----End

6.3.2 Copying a file
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the directory that contains the file.

Step 3 Run:
copy source-filename destination-filename
This command copies the file. The length of the file must exceed 0 (zero) bytes; otherwise, the file cannot be copied.
----End

6.3.3 Moving a file
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the directory that contains the file.

Step 3 Run:
move source-filename destination-filename
This command moves the file.
----End

6.3.4 Renaming a file
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory

This command switches to the directory that contains the file.

Step 3 Run:
rename source-filename destination-filename
This command renames the file.
----End

6.3.5 Deleting a file
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
cd directory
This command switches to the directory that contains the file.

Step 3 Run:
delete [ /unreserved ] filename
This command deletes the file.
----End

6.3.6 Deleting files in the recycle bin
Do as follows on the router:

Run:
reset recycle-bin [ filename ]
This command deletes the file. Running this command deletes only the files in the recycle bin of the master Routing Process Unit (RPU).

6.3.7 Restoring files
Do as follows on the router:

Run:
undelete filename
This command restores the file.

NOTE
If the file is not in the root directory, you must use the absolute path to copy, delete, move, or rename this file.

6.4 Configuring batch configuration

Applicable environment
You can run established batched files to perform fixed tasks automatically.

Preconfiguration tasks
Before you configure the batch process, complete the following tasks:
Power on the router.
Log on to the router.
Upload the batched files on the client end to the router.

Data preparation
To configure the batch process, you need the following data.

No.  Data
1    Name of the batched file

Configuration procedure
Do as follows on the router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
execute filename
This command runs the batched file.
----End

6.5 Managing storage devices

Applicable environment
When the router cannot store messages normally, you must fix any faulty storage devices.

Preconfiguration tasks
Before you configure the storage devices, complete the following tasks:
Power on the router.

Log on to the router at the client end.

Data preparation
To configure storage devices, you need the following data.

No.  Data
1    Device name

Configuration procedure
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
format device-name
This command formats the storage device.

Step 3 Run:
fixdisk device-name
This command fixes the storage device of the faulty file system.
----End

6.6 Configuring prompt modes

Applicable environment
The system provides prompts for operations that can cause data loss or damage.

NOTE
If you select quiet as the prompt mode of the file system, no prompt is displayed when an incorrect operation is performed, such as deleting a file, which results in data loss.

Preconfiguration tasks
Before you configure prompt modes, complete the following tasks:
Power on the router.
Log on to the router at the client end.

Data preparation
To configure the prompt mode, you need the following data.

No.  Data
1    Name of the command

Configuration procedure
Do as follows on the router:

Step 1 Enter the user view.

Step 2 Run:
system-view
The system view appears.

Step 3 Run:
file prompt { alert | quiet }
This command configures the prompt mode of the file system.
----End

6.7 Example of configuring directory management

Networking requirements
By configuring the file system of the router, you can operate the router through the console port and copy files to a specified directory.

Configuration roadmap
The file path in memory must be correct. If you do not specify a target file name, the target file name is the source file name by default; that is, the target file name is the same as the source file name.

Data preparation
To complete the configuration, you need the following data:
source file name and target file name
source file path and target file path

Configuration procedure

Step 1 Display the file information in the current directory.
<Nortel> dir flash:

Directory of flash:/
  0  -rw-        28  Jan 19 2007 11:18:14   private-data.txt
  1  -rw-     35260  Mar 24 2006 10:46:09   exception.dat
  2  -rw-     98776  Jan 19 2007 11:18:46   matnlog.dat
  3  -rw-       540  Jul 18 2006 11:43:03   vrpcfg.zip
  4  -rw-  21614652  Jan 13 2007 18:04:42   SR8012V2R5.bin
  5  -rw-         0  Dec 08 2006 15:03:59   patchnpstate.dat

63881 KB total (21753 KB free)

Step 2 Copy files from flash:/log.txt to slave#flash:/log.txt.
<Nortel> copy flash:/log.txt slave#flash:/log.txt
Copy flash:/log.txt to flash:/log.txt?[y/n]:y
% Copyed flash:/log.txt slave#flash:/log.txt

Step 3 Display the file information in the current directory to show that the file is copied to the specified directory.
<Nortel> dir slave#flash
Directory of slave#flash:/
  0  -rw-      2906  Jan 21 2004 20:36:33   vrpcfg.cfg
  1  -rw-   7094180  Feb 29 2004 21:43:57   vrp5.cc
  2  -rw-     94456  Feb 24 2004 19:23:50   matnlog.dat
  3  -rw-       444  Jul 25 2003 14:45:30   hostkey
  4  -rw-       572  Jul 25 2003 14:45:40   serverkey
  5  -rw-         4  Mar 01 2004 21:19:27   snmpboots
  6  -rw-        80  Mar 09 2004 09:47:36   header-file.txt
  7  drw-         -  Mar 09 2004 09:50:38   log.txt

63881 KB total (20998 KB free)
----End

Contents
7 Configuration file management...7-1
7.1 Introduction...7-2
7.1.1 Configuration file...7-2
7.1.2 Configuration files and current configurations...7-2
7.2 Displaying the configuration of the router...7-2
7.2.1 Viewing the initial configuration...7-2
7.2.2 Viewing the current configuration...7-3
7.2.3 Viewing the running configuration in the current view...7-3
7.3 Saving the current configuration...7-3
7.4 Clearing the running information...7-3
7.5 Comparing configuration files...7-4

7 Configuration file management

About this chapter
The following table shows the contents of this chapter.

Section                                           Description
7.1 Introduction                                  This section describes the basic concepts of the configuration file.
7.2 Displaying the configuration of the router    This section describes how to display the router configuration.
7.3 Saving the current configuration              This section describes how to save the current configuration to the configuration file.
7.4 Clearing the running information              This section describes how to clear the configuration file in the storage device.
7.5 Comparing configuration files                 This section describes how to compare the current configuration to the configuration file.

7.1 Introduction
This section provides an overview of configuration file concepts.

7.1.1 Configuration file
Configuration files are configuration items uploaded at the current startup or next startup of the router. The configuration file is a text file in the following format:
It is saved in the command format.
To save space, default parameters are not saved. For the default values of the configuration parameters, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).
Commands are organized by command view. All commands of the same command view are grouped into a section. Command sections are separated by one or several blank lines or comment lines (beginning with #).
The sequence of command sections is as follows: global configuration, physical interface configuration, logical interface configuration, routing protocol configuration, and so on.

NOTE
The system can run commands with a maximum length of 255 characters, including commands in the incomplete form. If a command is entered in the incomplete form, the command is saved in the complete form. Therefore, the command length in the configuration file may exceed 255 characters. When the system is restarted, these commands cannot be restored.

7.1.2 Configuration files and current configurations
Initial configuration: When the router is powered on, it retrieves the configuration files from the default save path to initiate itself. If no configuration file exists in the default save path, the router uses the default parameters.
Current configuration: Indicates the configuration of the currently running router. You can modify the current router configuration through the command line interface (CLI). When you use the save command to save the current configuration to the configuration file of the default storage devices, the current configuration becomes the initial configuration the next time the router is powered on.

7.2 Displaying the configuration of the router
After configuration, run the display command in any view to view the running information in the configuration file. For more information, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

7.2.1 Viewing the initial configuration
Do as follows on the router:

Run:
display saved-configuration [ last ]
The initial configuration of the router is displayed. Using the display saved-configuration last command, you can view the configuration file saved at the previous startup, that is, the configuration file used for the current startup.

7.2.2 Viewing the current configuration
Do as follows on the router:

Run:
display current-configuration [ configuration [ configuration-type ] | controller | interface interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]
This command displays the current configuration of the router.

7.2.3 Viewing the running configuration in the current view
Do as follows on the router:

Run:
display this
This command displays the running configuration in the current view.

NOTE
The configuration file is displayed in the same form as the saved file.
The display this interface command can only be run in the interface view.

7.3 Saving the current configuration
Do as follows on the router:

Run:
save [ configuration-file ]
This command saves the current configuration.

7.4 Clearing the running information
Do as follows on the router:

Run:
reset saved-configuration
This command clears the configuration file in the storage device.

7.5 Comparing configuration files
Do as follows on the router:

Run:
compare configuration [ line-number1 line-number2 ]
This command compares the current configuration to the contents of the configuration file saved on the storage device.
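An added example, not the router's own implementation of compare configuration: a Python comparison of a saved configuration file against the current configuration, done section by section using the file layout that 7.1.1 describes (commands grouped by command view, sections separated by # comment lines). It reports, per section, the lines that exist only in the current configuration (lost if the router restarts before save) and the lines that exist only in the saved file (restored at the next startup), and it also lists any line longer than the 255-character limit from the 7.1.1 note. Both configurations below are constructed samples; the section keys global and the helper names are this example's own conventions.

```python
# Constructed sample inputs in the saved-configuration format of this chapter
# (sections grouped by command view, separated by '#' lines); not device data.
SAVED_CONFIG = """\
#
 sysname Nortel
#
user-interface vty 0
 user privilege level 2
 set authentication password simple nortel
 idle-timeout 30 0
#
return
"""

CURRENT_CONFIG = """\
#
 sysname Nortel
#
aaa
 local-user nortel password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user nortel level 2
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30 0
#
return
"""

MAX_COMMAND_LENGTH = 255  # limit stated in the 7.1.1 note


def parse_sections(config_text):
    """Split a configuration into {section_key: [stripped lines]}.

    Sections are delimited by '#' comment lines or blank lines, as 7.1.1
    describes. A section is keyed by its view-entering line (for example
    'user-interface vty 0'); a section whose lines are all indented, such as
    ' sysname', belongs to the global configuration and is keyed 'global'.
    """
    sections, current = {}, []

    def flush():
        if current:
            key = "global" if current[0].startswith(" ") else current[0].strip()
            sections.setdefault(key, []).extend(l.strip() for l in current)
        current.clear()

    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "" or stripped.startswith("#") or stripped == "return":
            flush()
        else:
            current.append(line)
    flush()
    return sections


def compare_configuration(saved_text, current_text):
    """Return {section: {'added': [...], 'removed': [...]}} for sections that differ.

    'added' lines exist only in the current configuration; 'removed' lines
    exist only in the saved file and would come back at the next startup.
    """
    saved, current = parse_sections(saved_text), parse_sections(current_text)
    report = {}
    for key in sorted(set(saved) | set(current)):
        s, c = saved.get(key, []), current.get(key, [])
        added = [l for l in c if l not in s]
        removed = [l for l in s if l not in c]
        if added or removed:
            report[key] = {"added": added, "removed": removed}
    return report


def overlong_commands(config_text, limit=MAX_COMMAND_LENGTH):
    """Lines longer than the limit: per the 7.1.1 note they are saved in the
    complete form but cannot be restored at restart, so they deserve a look."""
    return [l.strip() for l in config_text.splitlines() if len(l.strip()) > limit]


if __name__ == "__main__":
    for section, diff in compare_configuration(SAVED_CONFIG, CURRENT_CONFIG).items():
        print(section)
        for l in diff["removed"]:
            print("  -", l)
        for l in diff["added"]:
            print("  +", l)
```

For the samples above the report shows the aaa section as entirely new and, in user-interface vty 0, authentication-mode aaa added and the plaintext set authentication password simple nortel removed, which is exactly what a reviewer wants to confirm before running save and before a restart.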

Contents
8 FTP, TFTP, and Xmodem...8-1
8.1 Introduction...8-5
8.1.1 FTP...8-5
8.1.2 TFTP...8-5
8.1.3 Xmodem...8-5
8.2 Configuring the router to be the FTP server...8-6
8.2.1 Establishing the configuration task...8-6
8.2.2 Enabling the FTP server...8-7
8.2.3 Configuring the timeout period...8-8
8.2.4 Configuring the local user name and password...8-8
8.2.5 Configuring service types and authorization information...8-8
8.2.6 Checking the configuration...8-9
8.3 Configuring FTP ACL...8-9
8.3.1 Establishing the configuration task...8-9
8.3.2 Enabling the FTP server...8-10
8.3.3 Configuring the basic ACL...8-10
8.3.4 Configuring the basic FTP ACL...8-11
8.4 Configuring the router to be the FTP client...8-11
8.4.1 Establishing the configuration task...8-12
8.4.2 Logging on to the FTP server...8-13
8.4.3 Configuring the file transmission mode...8-14
8.4.4 Viewing online Help for the FTP command...8-14
8.4.5 Uploading or downloading files...8-15
8.4.6 Managing directories...8-15
8.4.7 Managing files...8-16
8.4.8 Changing logon users...8-16
8.4.9 Disconnecting FTP...8-17
8.5 Configuring TFTP...8-17
8.5.1 Establishing the configuration task...8-17
8.5.2 Downloading files through TFTP
8.5.3 Uploading files through TFTP
8.6 Limiting access to the TFTP server...8-18

8.6.1 Establishing the configuration task...8-19
8.6.2 Configuring the basic ACL...8-20
8.6.3 Configuring the basic TFTP ACL...8-20
8.7 Configuring Xmodem...8-21
8.7.1 Establishing the configuration task...8-21
8.7.2 Retrieving a file through Xmodem...8-21
8.8 Configuration examples...8-22
8.8.1 Example of configuring the FTP server...8-22
8.8.2 Example of configuring FTP ACL...8-24
8.8.3 Example of configuring the FTP client...8-26
8.8.4 Example of configuring TFTP...8-27
8.8.5 Example of configuring XModem...8-29

Figures
Figure 8-1 Using FTP to download files...8-22
Figure 8-2 FTP ACL...8-24
Figure 8-3 Configuring the FTP client...8-26
Figure 8-4 Using TFTP to download files...8-27
Figure 8-5 Setting the base directory of the TFTP server...8-28
Figure 8-6 Specifying the file to send...8-29

8 FTP, TFTP, and Xmodem

About this chapter
The following table shows the contents of this chapter.

Section                                            Description
8.2 Introduction                                   This section describes basic concepts of File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Xmodem.
8.3 Configuring the router to be the FTP server    This section describes how to configure the basic functions of the FTP server.
8.4 Configuring FTP ACL                            This section describes how to configure a client to log on to the router.

Section                                            Description
8.5 Configuring the router to be the FTP client    This section describes how to configure a router as an FTP client and log on to the FTP server.
8.6 Configuring TFTP                               This section describes how to configure TFTP to log on to the server.

8.4.6 Checking the configuration
Run the following commands to check the preceding configuration.

Action                                                                  Command
Check the configuration and running information about the FTP server.   display ftp-server

After configuring the FTP server, run the display ftp-server command. You can view that the FTP ACL is 2345.
<Quidway> display ftp-server
FTP server is running
Max user number 5
User count 1
Timeout value(in minute) 30
Acl Number 2345

Section                                            Description
8.7 Limiting access to the TFTP server             This section describes how to limit client access to the TFTP router.

8.6.2 Configuring the source address of TFTP client
Do as follows on the router that serves as the TFTP server:

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
tftp client-source { -a source-ip-address | -i { interface-name | interface-type interface-num } }
The source address of the TFTP client is configured.
----End

8.1.3 Downloading files through TFTP
Do as follows on the router that serves as the TFTP client:

Step 1 Run the following commands according to the type of the server IP address.
If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] tftp-server get source-filename [ destination-filename ]
The router is configured to download files through TFTP.
If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server [ -i interface-type interface-number ] get source-filename [ destination-filename ]
The router is configured to download files through TFTP.
----End

Section                       Description
8.8 Configuring Xmodem        This section describes how to transfer files through Xmodem.
8.9 Configuration examples    This section provides examples for configuring FTP, TFTP, and Xmodem.

8.2 Introduction
This section describes basic FTP, TFTP, and Xmodem concepts.

8.2.1 FTP
File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It implements file transfer between remote hosts based on corresponding file systems. The router provides the following FTP services:
FTP server service. Users can run the FTP client program to log on to the router and access the files on the router.
FTP client service. Users can establish a connection with the router by running a terminal emulation program or a Telnet program on a PC, and then enter an FTP command to connect with the remote FTP server and access the files on the remote host.
FTP supports two file transfer formats:
Binary format for program files
ASCII format for text files

8.2.2 TFTP
Compared with FTP, Trivial File Transfer Protocol (TFTP) provides a simple interactive access interface and authentication control. TFTP is suitable in an environment where no complex interaction occurs between the client and the server. For example, TFTP is used to obtain the memory image of the system when the system starts up. TFTP is implemented based on User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives packets from the server, and sends acknowledgement to the server. To upload files, the client sends a write request packet to the TFTP server, sends packets to the server, and receives acknowledgement from the server.
The Secure Router 8000 Series can serve as the TFTP client only and, therefore, can only transfer files in the binary format.

8.2.3 Xmodem
The Xmodem file transfer protocol is widely used due to its simplicity and performance. Xmodem transfers files through serial interfaces. It supports packets of 128 bytes and 1 kilobyte, common checksum and cyclical redundancy check (CRC), and retransmission (usually 10 times) when packet error occurs.
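An added example, not code from the guide or from the router: a Python simulation of the Xmodem packet format and check modes just described (128-byte packets, a one-byte checksum or a 16-bit CRC) together with the negotiation, acknowledgement and retransmission exchange that the rest of this section describes, with the receiver and the sender both in one process. The control bytes (SOH, EOT, ACK, NAK, the C negotiation character) and the CRC polynomial are the standard Xmodem values, not values stated in the guide; the corrupt_block switch is this example's own device for exercising the retransmission path, and the payload is constructed.

```python
# Control bytes of the Xmodem protocol (standard values, not from the guide).
SOH, EOT, ACK, NAK, CRC_REQ, PAD = 0x01, 0x04, 0x06, 0x15, ord("C"), 0x1A
BLOCK = 128        # the packet size the Secure Router 8000 receiver supports
MAX_RETRIES = 10   # "usually 10 times" retransmission


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def checksum8(data):
    """The 'common checksum': arithmetic sum of the data bytes modulo 256."""
    return sum(data) & 0xFF


def build_packet(seq, data, use_crc):
    """Sender side: SOH, block number, its complement, 128 data bytes
    (padded with 0x1A), then a 2-byte CRC or a 1-byte checksum."""
    data = data.ljust(BLOCK, bytes([PAD]))
    packet = bytes([SOH, seq & 0xFF, 0xFF - (seq & 0xFF)]) + data
    if use_crc:
        return packet + crc16_xmodem(data).to_bytes(2, "big")
    return packet + bytes([checksum8(data)])


def check_packet(packet, expected_seq, use_crc):
    """Receiver side: return the data bytes if the packet is intact and is the
    block being waited for, otherwise None (which triggers a NAK)."""
    trailer = 2 if use_crc else 1
    if len(packet) != 3 + BLOCK + trailer or packet[0] != SOH:
        return None
    if packet[1] != expected_seq & 0xFF or packet[2] != 0xFF - (expected_seq & 0xFF):
        return None
    data = packet[3:3 + BLOCK]
    if use_crc:
        intact = int.from_bytes(packet[-2:], "big") == crc16_xmodem(data)
    else:
        intact = packet[-1] == checksum8(data)
    return data if intact else None


def xmodem_transfer(payload, use_crc=True, corrupt_block=None):
    """Run sender and receiver in one process and return (received, log).

    corrupt_block, if set, flips a data byte in the first transmission of
    that block number so the retransmission path is exercised. Xmodem has
    no length field, so the returned bytes include the final padding.
    """
    log = ["rx: " + ("C (CRC mode)" if use_crc else "NAK (checksum mode)")]
    chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)] or [b""]
    received, corrupted = bytearray(), False
    for index, chunk in enumerate(chunks):
        seq = (index + 1) & 0xFF          # block numbers start at 1 and wrap
        for attempt in range(MAX_RETRIES + 1):
            packet = build_packet(seq, chunk, use_crc)
            if corrupt_block == index + 1 and not corrupted:
                packet = bytearray(packet)
                packet[3] ^= 0xFF         # damage the first data byte once
                packet, corrupted = bytes(packet), True
            data = check_packet(packet, seq, use_crc)
            if data is not None:
                received += data
                log.append(f"tx: block {seq}  rx: ACK")
                break
            log.append(f"tx: block {seq}  rx: NAK (retry {attempt + 1})")
        else:
            raise RuntimeError(f"block {seq} still rejected after {MAX_RETRIES} retries")
    log.append("tx: EOT  rx: ACK")
    return bytes(received), log


if __name__ == "__main__":
    _, transcript = xmodem_transfer(b"constructed payload " * 10, use_crc=False, corrupt_block=1)
    print("\n".join(transcript))
```

The receiver's opening character selects the check mode for the whole transfer (C for CRC, NAK for the plain checksum), which is why the guide's note that the router's receiver supports CRC matters: the 16-bit CRC catches burst errors on the serial line that the 8-bit sum can miss, and either way a packet is accepted only when the block number, its complement and the check all agree.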
Xmodem file transfer consists of a receiving program and a sending program. The receiving program first sends the negotiation character to negotiate the check mode. After the negotiation succeeds, the sending program begins to send packets. When the receiving program receives a complete packet, it checks the packet according to the negotiated mode:
The receiving program sends the acknowledgement character after the check passes. The sending program then sends the next packet.

If the check fails, the receiving program sends the deny character and the sending program retransmits the packet.
The Secure Router 8000 Series provides the Xmodem receiving program function, which can be applied to the AUX port and supports 128-byte packets and CRC. The Xmodem sending program function is automatically included in HyperTerminal.

NOTE
The Xmodem function is supported only by the AUX port.
Xmodem does not support simultaneous operations by multiple users.

8.3 Configuring the router to be the FTP server

8.3.1 Establishing the configuration task

Applicable environment
Configure FTP to transfer files between the FTP client and the remote server. When the router serves as the FTP server, for security, you can configure the router by Access Control List (ACL) to be accessed by only those clients that satisfy the matching conditions.

Preconfiguration tasks
Before you configure FTP, complete the following tasks:
Power on the router.
Connect the FTP client with the server.

Data preparation
To configure FTP, you need the following data.

No.  Data
1    FTP user name and password
2    The file directory authorized to the FTP user
3    The timeout time of the FTP server

Configuration procedures

No.  Procedure
1    Configuring the source address of FTP server

2    Enabling the FTP server
3    Configuring the timeout period
4    Configuring the local user name and password
5    Configuring service types and authorization information
6    Checking the configuration

8.3.2 Configuring the source address of FTP server
Do as follows on the router that serves as the FTP server:

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ftp server-source { -a source-ip-address | -i { interface-name | interface-type interface-num } }
The source address of the FTP server is configured.
----End

8.3.4 Enabling the FTP server
Do as follows on the router that serves as the FTP server:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:

  ftp server enable
This command enables the FTP server.
----End

8.3.5 Configuring the timeout period
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  ftp timeout minutes
This command configures the timeout time of the FTP server.
----End

8.3.6 Configuring the local user name and password
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  aaa
The AAA view appears.
Step 3 Run:
  local-user user-name password { simple | cipher } password
This command configures the local user name and password.
----End

8.3.7 Configuring service types and authorization information
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  local-user user-name service-type ftp
This command configures the FTP service type.
Step 3 Run:
  local-user user-name ftp-directory directory
This command configures the authorized directory of the FTP user.
----End

8.3.8 Checking the configuration
Run the following commands to check the previous configuration.
  Action                                                              Command
  Check the configuration and running information of the FTP server.  display ftp-server
  Check the FTP logon user.                                           display ftp-users

Run the display ftp-server command. If the configuration and the status of the FTP server are displayed, the configuration is successful.
  <Nortel> display ftp-server
  FTP server is running
  Max user number           5
  User count                1
  Timeout value(in minute)  30
  Acl number                0

Run the display ftp-users command. If information about the FTP logon users is displayed, the configuration is successful.
  <Nortel> display ftp-users
  Username  host           port  idle  topdir
  nortel    100.2.150.211  4641  0     flash:

8.4 Configuring FTP ACL

8.4.1 Establishing the configuration task

Applicable environment
Configure FTP to transfer files between the FTP client and the remote server. When the router serves as the FTP server, for security, you can configure an ACL on the router so that only clients that satisfy the matching conditions can access it.

Preconfiguration tasks
Before you configure FTP, complete the following tasks:

- Power on the router.
- Connect the FTP client with the server.

Data preparation
To configure FTP, you need the following data.
  No.  Data
  1    FTP user name and password
  2    The file directory authorized to the FTP user
  3    The timeout time of the FTP server

Configuration procedures
  No.  Procedure
  1    Enabling the FTP server
  2    Configuring the basic ACL
  3    Configuring the basic FTP ACL

8.4.2 Enabling the FTP server
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  ftp server enable
This command enables the FTP server.
----End

8.4.4 Configuring the basic ACL
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  acl acl-number
The ACL view appears.
Step 3 Run:
  rule [ rule-id ] { deny | permit } [ source { source-ip-address { source-wildcard | 0 } | any } | time-range time-name | vpn-instance vpn-instance-name ] *
This command configures the ACL rule.
----End

NOTE
FTP supports only the basic ACL.

8.4.5 Configuring the basic FTP ACL
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  ftp acl acl-number
This command configures the basic FTP ACL.
----End

8.4.6 Checking the Configuration
Run the following commands to check the preceding configuration.

  Action                                                                  Command
  Check the configuration and running information about the FTP server.  display ftp-server

After configuring the FTP server, run the display ftp-server command. You can view that the FTP ACL is 2345.
  <Quidway> display ftp-server
  FTP server is running
  Max user number           5
  User count                1
  Timeout value(in minute)  30
  Acl Number                2345

8.5 Configuring the router to be the FTP client

8.5.1 Establishing the configuration task

Applicable environment
Configure FTP to transfer files between the FTP client and the remote server.

Preconfiguration tasks
Before you configure FTP, complete the following tasks:
- Power on the router.
- Connect the FTP client with the server.

Data preparation
To configure FTP, you need the following data.
  No.  Data
  1    Host name or IP address of the FTP server
  2    Port number of the FTP server used to create the FTP connection
  3    Logon user name and password

Configuration procedures
  No.  Procedure
  1    Configuring the source address of FTP Client
  2    Logging on to the FTP server
  3    Configuring the file transmission mode
  4    Viewing online Help for the FTP command
  5    Uploading or downloading files
  6    Managing directories
  7    Managing files
  8    Changing logon users
  9    Disconnecting FTP

8.5.2 Configuring the source address of FTP Client
Do as follows on the router that serves as the FTP server:
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  ftp client-source { -a source-ip-address | -i { interface-name | interface-type interface-num } }
This command configures the source address of the FTP client.
----End

8.5.4 Logging on to the FTP server
Perform the following steps, as required, on the router that serves as the client. In different views, the connection methods for the FTP server vary.
- In the user view, run:
    ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
  This command connects the router to the FTP server.
- In the FTP view, run:
    open host [ port-number ] [ vpn-instance vpn-instance-name ]
  This command connects the router to the FTP server.

8.5.5 Configuring the file transmission mode
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
The router is connected to the FTP server, and the FTP client view appears.
Step 2 Run:
  ascii | binary
This command configures the data type of the file transfer.
Step 3 Run:
  passive
This command configures passive file transfer mode.
----End

8.5.6 Viewing online Help for the FTP command
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
The router is connected to the FTP server, and the FTP client view appears.
Step 2 Run:
  remotehelp [ command ]
This command displays the online Help for the FTP command.
----End

8.5.7 Uploading or downloading files
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
The router is connected to the FTP server, and the FTP client view appears.
Step 2 Perform the following steps, as required.
- To upload local files to the FTP server, run:
    put local-filename [ remote-filename ]
- To download files from the FTP server, run:
    get remote-filename [ local-filename ]
----End

8.5.8 Managing directories
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
This command connects the router to the FTP server.
Step 2 Run one or more of the following commands to manage directories.
- Run:
    cd pathname
  This command specifies the working path of the remote FTP server.
- Run:
    cdup
  This command switches the working path of the FTP server to the upper-level directory.
- Run:
    pwd
  This command displays the specified FTP server directory.
- Run:
    lcd
  This command displays the specified FTP client directory.
- Run:
    mkdir remote-directory
  This command creates a directory on the FTP server.
- Run:
    rmdir remote-directory
  This command deletes a directory on the FTP server.
----End

8.5.9 Managing files
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
This command connects the router to the FTP server.
Step 2 Run one or more of the following commands to manage files.
- Run:
    ls [ remote-filename ] [ local-filename ]
  This command displays the specified directory or file on the remote FTP server.
- Run:
    dir [ remote-filename ] [ local-filename ]
  This command displays the specified directory or file on the local FTP server.
- Run:
    delete remote-filename
  This command deletes the specified file on the FTP server.
----End

8.5.10 Changing logon users
Do as follows on the router that serves as the client:
Step 1 Run:
  ftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] [ host [ port-number ] ] [ vpn-instance vpn-instance-name ]
This command connects the router to the FTP server.
Step 2 Run:
  user user-name [ password ]
This command changes the current logon user so that another user logs on.
----End

8.5.11 Disconnecting FTP
Perform the following steps, as required, on the router that serves as the client:
- To disconnect the FTP connection and return to the user view, run:
    bye or quit
  This command disconnects the remote FTP connection.
- To disconnect the FTP connection and return to the FTP view, run:
    disconnect or close

8.5.12 Checking the Configuration
Run the following commands to check the preceding configuration.
  Action                     Command
  Check the login FTP user.  display ftp-users

Run the display ftp-users command to view the user name, port number, and authorization directory of the FTP user configured currently.
  <Quidway> display ftp-users
  username  host           port  idle  topdir
  zll       100.2.150.226  2320  0     cfcard:

8.6 Configuring TFTP

8.6.1 Establishing the configuration task

Applicable environment
Configure TFTP to transfer files between the server and the client in a simple interaction environment.

Preconfiguration tasks
Before you configure TFTP, complete the following tasks:
- Power on the router.
- Connect the TFTP client with the server.

Data preparation
To configure TFTP, you need the following data.
  No.  Data
  1    IP address of the TFTP server
  2    Name of the specific file in the TFTP server
  3    File directory
  4    ACL number

Configuration procedures
  No.  Procedure
  1    Configuring the source address of TFTP Client
  2    Downloading Files Through TFTP
  3    Uploading Files Through TFTP

8.6.2 Configuring the source address of TFTP Client
Do as follows on the router that serves as the TFTP server:
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  tftp client-source { -a source-ip-address | -i { interface-name | interface-type interface-num } }
This command configures the source address of the TFTP client.
----End

8.6.3 Downloading Files Through TFTP
Do as follows on the router that serves as the TFTP client:
Step 1 Run one of the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, run:
    tftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] tftp-server get source-filename [ destination-filename ]
  The router is configured to download files through TFTP.
- If the IP address of the server is an IPv6 address, run:
    tftp ipv6 [ -a source-ip-address ] tftp-server [ -i interface-type interface-number ] get source-filename [ destination-filename ]
  The router is configured to download files through TFTP.

----End

8.6.4 Uploading Files Through TFTP
Do as follows on the router that serves as the TFTP client:
Step 1 Run one of the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, run:
    tftp [ -a source-ip-address | -i { interface-name | interface-type interface-num } ] tftp-server put source-filename [ destination-filename ]
  The router is configured to upload files through TFTP.
- If the IP address of the server is an IPv6 address, run:
    tftp ipv6 [ -a source-ip-address ] tftp-server [ -i interface-type interface-number ] put source-filename [ destination-filename ]
  The router is configured to upload files through TFTP.
----End

8.7 Limiting access to the TFTP server

8.7.1 Establishing the configuration task

Applicable environment
You can limit the access of the router to the specified TFTP server through TFTP.

Preconfiguration tasks
Before you configure TFTP, complete the following tasks:
- Power on the router.
- Connect the TFTP client with the server.

Data preparation
To configure TFTP, you need the following data.
  No.  Data
  1    IP address of the TFTP server
  2    ACL number

Configuration procedures
  No.  Procedure
  1    Configuring the basic ACL
  2    Configuring the basic TFTP ACL

8.7.2 Configuring the basic ACL
Do as follows on the router that serves as the TFTP client:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  acl acl-number
The ACL view appears.
Step 3 Run:
  rule [ rule-id ] { deny | permit } [ source { source-ip-address { source-wildcard | 0 } | any } | time-range time-name | vpn-instance vpn-instance-name ]
This command configures the ACL rule.
----End

NOTE
TFTP supports only the basic ACL rules.

8.7.3 Configuring the basic TFTP ACL
Do as follows on the router that serves as the TFTP client:
Step 1 Run:
  system-view
The system view appears.
Step 2 Run:
  tftp-server [ ipv6 ] acl acl-number
The ACL is used to limit access to the TFTP server.
----End

8.8 Configuring Xmodem

8.8.1 Establishing the configuration task

Applicable environment
Configure Xmodem to transfer files through serial interfaces.

Preconfiguration tasks
Before you configure Xmodem, complete the following tasks:
- Power on the router.
- Connect the router and the PC through an AUX port or a console port.
- Log on to the router through the terminal emulation program and specify the file path in the terminal emulation program.

Data preparation
To configure Xmodem, you need the following data.
  No.  Data
  1    Name of a specific file
  2    Absolute path of the file

Configuration procedures
  No.  Procedure
  1    Retrieving a file through Xmodem

8.8.2 Retrieving a file through Xmodem
Do as follows on the router:
Run:
  xmodem get filename
Xmodem is used to retrieve the file.

NOTE
Before you retrieve the file, confirm the path and name of the file. For filename, an absolute path name is required. If the filename value matches an existing file name, the system prompts you to confirm whether to overwrite the file.

8.9 Configuration examples

8.9.1 Example of configuring the FTP server

Networking requirements
As shown in Figure 8-1, the IP address of the FTP server is 172.16.104.110/24. Log on to the router from the HyperTerminal and then download files from the FTP server.

Figure 8-1 Using FTP to download files
  [figure: PC connected to the router through a console cable; Server 172.16.104.110/24]

Configuration roadmap
1. Run the HyperTerminal on the PC and log on to the router.
2. Use the correct user name and password to log on to the FTP server to download the files into the memory of the router.

Data preparation
To complete the configuration, you need the following data:
- FTP user name (nortel) and password (nortel) on the server
- correct path of the original files on the FTP server
- destination file name and its position in the router

Configuration procedure
Step 1 Enable FTP on the FTP server and configure the authentication information for the FTP user.
  <Nortel> system-view
  [Nortel] sysname server
  [Server] ftp server enable
  [Server] ftp timeout 30
  [Server] aaa
  [Server-aaa] local-user nortel password simple nortel
Step 2 Configure the authorization mode and directory of the FTP user on the FTP server.
  [Server-aaa] local-user nortel service-type ftp
  [Server-aaa] local-user nortel ftp-directory flash:
  [Server-aaa] quit
Step 3 Assign an IP address to the FTP server.
  [Server] interface Ethernet2/0/0
  [Server-Ethernet2/0/0] ip address 172.16.104.110 255.255.255.0
  [Server-Ethernet2/0/0] quit
Step 4 Obtain the system host software.
# Log on to the FTP server to obtain the system host software and save it in the root directory of the flash memory of the router.
  <Router> cd flash:
  <Router> pwd
  flash:
  <Router> ftp 172.16.104.110
  Trying 100.1.1.201... Press CTRL+K to abort
  Connected to 100.1.1.201.
  220 FTP service ready.
  User(100.1.1.201:(none)): nortel
  331 Password required for nortel.
  Password:
  230 User logged in.
  [ftp] binary
  200 Type set to I.
  [ftp] get vrp.bin
  200 PORT command okay
  150 Opening BINARY mode data connection for vrp.bin
  226 Transfer finished successfully.
  FTP: 5805100 byte(s) received in 19.898 second(s) 291.74Kbyte(s)/sec.
  [ftp] bye
----End

Configuration files
Configuration file of the FTP server:
  #
   sysname Server
  #
   ftp server enable
  #
  interface Ethernet2/0/0
   ip address 172.16.104.110 255.255.255.0
  #
  aaa
   local-user nortel password simple nortel
   local-user nortel service-type ftp
   local-user nortel ftp-directory flash:/ftp/system
   authentication-scheme default
  #
   authorization-scheme default
  #
   accounting-scheme default
  #
   domain default
  #
  return

8.9.2 Example of configuring FTP ACL

Networking requirements
As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24. At the client side, PC1, PC2, and the FTP server are reachable. After the ACL is configured, the router that serves as the FTP server allows only PC1 with the host address of 172.16.104.111 to download and upload files in FTP mode. PC2 cannot connect to the FTP server.

Figure 8-2 FTP ACL
  [figure: Server 172.16.104.110, GE1/0/0 to PC1 172.16.104.111/24, GE2/0/0 to the IP network and PC2 172.16.105.111/24]

Configuration roadmap
The configuration roadmap is as follows:
1. Configure the basic FTP functions.
2. Configure the ACL on the FTP server.

Data preparation
To complete the configuration, you need the following data:
- ACL number

Configuration procedure
Step 1 Configure basic FTP functions. For details, see Configuring the router to be the FTP server.
Step 2 Configure the basic ACL.
  <Nortel> system-view
  [Nortel] acl 2001
  [Nortel-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.255
  [Nortel-acl-basic-2001] quit
Step 3 Configure the basic FTP ACL.
  [Nortel] ftp acl 2001
Step 4 Connect to the FTP server from PC1.
  c:\> ftp 172.16.104.110
  Connected to 172.16.104.110
  220 FTP service ready.
  User (100.2.150.40:(none)): nortel
  331 Password required for nortel
  Password:
  230 User logged in.
Step 5 Connect to the FTP server from PC2.
  c:\> ftp 172.16.104.110
  Connected to 172.16.104.110.
  Info:ACL was denied by remote host!
  Connection closed by remote host.
----End

Configuration files
Configuration file of the FTP server:
  #
   sysname Server
  #
   ftp server enable
   ftp acl 2001
  #
  interface Ethernet2/0/0
   ip address 172.16.104.110 255.255.255.0
  #
  aaa
   local-user nortel password simple nortel
   local-user nortel service-type ftp
   local-user nortel ftp-directory flash:/ftp/system
   authentication-scheme default
  #
   authorization-scheme default
  #
   accounting-scheme default
  #
   domain default
  #
  return
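The following Python is an added example, not part of the Nortel guide, that evaluates a client address against basic ACL rules written in the 8.4.4 syntax (rule [ rule-id ] { deny | permit } [ source { addr { wildcard | 0 } | any } ]), using the rule from Step 2 above. It also shows that the wildcard 0.0.0.255 in that rule matches the whole 172.16.104.0/24 subnet rather than PC1 alone, so a host-exact variant with the wildcard 0 is evaluated beside it; an unmatched client is treated as denied, which is what the PC2 output above shows.

```python
"""Basic (source-address) ACL matching as applied by 'ftp acl' / 'tftp-server acl'.

Constructed example, not Nortel/Huawei code. Rules are evaluated in order,
first match wins; with no match the FTP/TFTP server rejects the client.
time-range and vpn-instance options are accepted but not evaluated.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[Optional[int], str, int, int]   # (rule-id, action, address, wildcard)
ANY = 0xFFFFFFFF                              # wildcard with every bit "don't care"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(line: str) -> Rule:
    """Parse one 'rule ...' line. Wildcard '0' means exact host, 'any' matches all."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    idx = 1
    rule_id: Optional[int] = None
    if tokens[idx].isdigit():                 # optional rule-id
        rule_id = int(tokens[idx])
        idx += 1
    action = tokens[idx]
    idx += 1
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    address, wildcard = 0, ANY                # no 'source' clause: matches any address
    if idx < len(tokens) and tokens[idx] == "source":
        idx += 1
        if tokens[idx] == "any":
            address, wildcard = 0, ANY
        else:
            address = _to_int(tokens[idx])
            wildcard = 0 if tokens[idx + 1] == "0" else _to_int(tokens[idx + 1])
    return rule_id, action, address, wildcard


def matches(client: int, rule_address: int, wildcard: int) -> bool:
    """Wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    return ((client ^ rule_address) & ~wildcard & ANY) == 0


def evaluate(rules: List[Rule], client: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule-id of the first matching rule); no match -> ('deny', None)."""
    ip = _to_int(client)
    for rule_id, action, rule_address, wildcard in rules:
        if matches(ip, rule_address, wildcard):
            return action, rule_id
    return "deny", None


# The rule exactly as entered in Step 2 of 8.9.2 ...
ACL_2001_AS_SHOWN = [parse_rule("rule permit source 172.16.104.111 0.0.0.255")]
# ... and a host-exact variant using the '0' wildcard from the 8.4.4 syntax
ACL_2001_HOST_ONLY = [parse_rule("rule 5 permit source 172.16.104.111 0")]


def compare(clients: List[str]) -> dict:
    """Action taken on each client under the rule as shown vs. the host-exact rule."""
    return {c: (evaluate(ACL_2001_AS_SHOWN, c)[0], evaluate(ACL_2001_HOST_ONLY, c)[0])
            for c in clients}


if __name__ == "__main__":
    # PC1, PC2 from Figure 8-2, plus a constructed third host on PC1's subnet
    for host, (shown, host_only) in compare(
            ["172.16.104.111", "172.16.105.111", "172.16.104.50"]).items():
        print(f"{host:16} wildcard 0.0.0.255 -> {shown:6}  wildcard 0 -> {host_only}")
```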

8.9.3 Example of configuring the FTP client

Networking requirements
As shown in Figure 8-3, the router that serves as the FTP client can access the FTP server and download system software and configuration software from the FTP server.

Figure 8-3 Configuring the FTP client
  [figure: Router 172.16.105.111/24 connected through GE2/0/0 and the IP network to Server 172.16.104.110]

Configuration roadmap
Users on the FTP client log on to the FTP server and download system files from the server to the storage devices on the client side.

Data preparation
To complete the configuration, you need the following data:
- IP address of the FTP server
- The destination file name and its position in the router

Configuration procedure
Step 1 Log on to the FTP server from the router.
  <Nortel> ftp 172.16.104.110
  Trying 172.16.104.110 ...
  Press CTRL+K to abort
  Connected to 172.16.104.110
  220 FTP service ready.
  User(172.16.104.110:(none)): nortel
  331 Password required for nortel
  Password:
  230 User logged in.
Step 2 Configure the transmission mode as binary format and configure the directory of the flash memory on the router.
  [ftp] binary
  200 Type set to I.
  [ftp] lcd flash:/
  % Local directory now flash:
Step 3 Download the newest system software from the remote FTP server on the router.
  [ftp] get vrpv5r3d031.cc
  [ftp] quit
----End

8.9.4 Example of configuring TFTP

Networking requirements
As shown in Figure 8-4, the IP address of the TFTP server is 10.111.16.160/24. Log on to the router from the HyperTerminal and then download the file vrp.cc from the TFTP server.

Figure 8-4 Using TFTP to download files
  [figure: PC connected to the router; TFTP Server 10.111.16.160/24]

Configuration roadmap
1. Run the TFTP software on the TFTP server.
2. Configure the position of the source file on the server.
3. Use the TFTP command on the Nortel router to download the files.

Data preparation
To complete the configuration, you need the following data:
- TFTP software installed on the TFTP server
- path of the source file on the TFTP server
- destination file name and its path on the Nortel router

Configuration procedure
Step 1 Start the TFTP server and configure its base directory as the directory where the vrp.cc file resides. Figure 8-5 shows the interface.

Figure 8-5 Setting the base directory of the TFTP server

NOTE
The interface may be different depending on the TFTP server software used by the computer.

Step 2 Log on to the router through the HyperTerminal and enter the following command to download files.
  <Nortel> tftp 10.111.16.160 get vrp.cc flash:/vrp.cc
Step 3 Check the configuration.
Run the dir command to check whether the downloaded target file resides in the specified directory of the router.
  <Nortel> dir flash:
  Directory of flash:/
    0  -rw-  10014764  Jun 20 2005 15:00:28  vrp.bin
    1  -rw-        40  Jun 24 2006 09:30:40  private-data.txt
    2  -rw-       396  May 19 2006 15:00:10  rsahostkey.dat
    3  -rw-       540  May 19 2006 15:00:10  rsaserverkey.dat
    4  -rw-      2718  Jun 21 2006 17:46:46  1.cfg
    5  -rw-     14343  May 19 2006 15:00:10  paf.txt
    6  -rw-      1004  Feb 05 2001 09:51:22  vrp1.zip
    7  -rw-      6247  May 19 2006 15:00:10  license.txt
    8  -rw-     14343  May 16 2006 14:13:42  paf.txt.bak
  63881 KB total (20998 KB free)
----End

8.9.5 Example of configuring XModem

Networking requirements
The router is connected with the PC through the AUX port. Log on to the router through the AUX port to receive files from the AUX port and save the received packets to flash memory.

Configuration roadmap
1. Run the HyperTerminal on the PC and log on to the router.
2. Use the xmodem command to download the files on the router.
3. Specify the file path on the HyperTerminal.

Data preparation
To complete the configuration, you need the following data:
- files copied to the PC
- path of the file on the PC

Configuration procedure
Step 1 Log on to the router through the AUX port. For details, see Chapter 2, Configuration environment setup.
Step 2 On the HyperTerminal, specify the file to send.

Figure 8-6 Specifying the file to send

After configuration, click Send to send the file.
Step 3 Use the Xmodem protocol to receive the file from the AUX port. The received file is saved to the flash memory of the router and the file name is test.txt.
  <Nortel> xmodem get flash:/test.txt
  **** WARNING ****
  xmodem is a slow transfer protocol limited to the current speed settings of the auxiliary ports. During the course of the download no exec input/output will be available!
  Proceed?[Y/N]y
  ---- ******* ----
  Destination filename [flash:/ test.txt]?
  Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
  Download with XMODEM protocol...
  CCCCC
After the system indicates that the file transmission is successful, you can view the flash memory directory.
  <Nortel>
  Download successful!
  <Nortel> dir flash:/
  Directory of flash:/
    0  -rw-  10014764  Jun 20 2005 15:00:28  vrp.bin
    1  -rw-     98776  Jul 27 2005 09:36:12  matnlog.dat
    2  -rw-        28  Jul 27 2005 09:34:39  private-data.txt
    3  -rw-       480  May 10 2003 11:25:18  vrpcfg.zip
    4  -rw-  10103172  Jul 22 2005 16:40:37  date.txt
    5  -rw-      1515  Jul 19 2005 17:39:55  vrpcfg.cfg
    6  -rw-      3844  Jul 14 2004 11:51:45  exception.dat
    7  -rw-   8628372  Jun 01 2005 10:14:34  vrp330-0521.01.bin
    8  -rw-        45  Jul 27 2005 10:51:26  test.txt
  63881 KB total (21753 KB free)
----End
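The Xmodem overview at the start of this chapter says the receiver answers a failed check with the deny character so that the sender retransmits, and the xmodem get output above shows the receiver's "CCCCC" request for CRC mode. The Python below is an added example, not part of the Nortel guide or the router software, that frames 128-byte XMODEM-CRC blocks, verifies them as the receiver would, and simulates one corrupted block being NAKed and resent; the sample file content is constructed.

```python
"""XMODEM-CRC framing and receiver-side checking (constructed example).

Each frame is SOH, block number, its one's complement, 128 data bytes and a
big-endian CRC-16. The receiver opens by sending 'C' (0x43) to request CRC
mode, then answers every frame with ACK (accept) or NAK (send it again).
"""
SOH, EOT, ACK, NAK, CRC_REQ = 0x01, 0x04, 0x06, 0x15, 0x43
BLOCK = 128
PAD = 0x1A                    # a short final block is padded with 0x1A
FRAME_LEN = 3 + BLOCK + 2


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, init 0x0000, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def build_frame(block_no: int, payload: bytes) -> bytes:
    """Sender side: wrap up to 128 payload bytes into one XMODEM-CRC frame."""
    if len(payload) > BLOCK:
        raise ValueError("payload exceeds one XMODEM block")
    data = payload.ljust(BLOCK, bytes([PAD]))
    head = bytes([SOH, block_no & 0xFF, 0xFF - (block_no & 0xFF)])
    return head + data + crc16_xmodem(data).to_bytes(2, "big")


def check_frame(frame: bytes, expected_block: int):
    """Receiver side: (ACK, data) for a good frame, (NAK, None) for anything else."""
    if len(frame) != FRAME_LEN or frame[0] != SOH:
        return NAK, None
    if frame[1] != (expected_block & 0xFF) or frame[1] + frame[2] != 0xFF:
        return NAK, None                       # sequence number or complement wrong
    data = frame[3:3 + BLOCK]
    if int.from_bytes(frame[-2:], "big") != crc16_xmodem(data):
        return NAK, None                       # CRC mismatch: ask for retransmission
    return ACK, data


def transfer(content: bytes, corrupt_block: int = 0) -> dict:
    """Simulate the sender/receiver dialogue for a whole file.

    If corrupt_block is set, the first copy of that block arrives with one bit
    flipped (simulated line error); the receiver must NAK it and accept the
    retransmitted clean copy. Returns the reassembled (still padded) data and
    the sequence of receiver responses."""
    blocks = [content[i:i + BLOCK] for i in range(0, len(content), BLOCK)] or [b""]
    received = bytearray()
    responses = [CRC_REQ]                      # receiver asks for CRC mode
    for no, chunk in enumerate(blocks, start=1):
        frame = build_frame(no, chunk)
        if no == corrupt_block:
            damaged = bytearray(frame)
            damaged[3 + 7] ^= 0x01             # one-bit error inside the data area
            resp, _ = check_frame(bytes(damaged), no)
            responses.append(resp)             # NAK: sender retransmits block `no`
        resp, data = check_frame(frame, no)    # clean (re)transmission
        responses.append(resp)
        received += data
    responses.append(ACK)                      # sender's EOT is acknowledged
    return {"data": bytes(received), "responses": responses,
            "naks": responses.count(NAK)}


if __name__ == "__main__":
    result = transfer(b"constructed sample file content\n" * 9, corrupt_block=2)
    print("NAKs sent:", result["naks"])
    print("responses:", [hex(r) for r in result["responses"]])
    print("payload bytes after stripping padding:",
          len(result["data"].rstrip(bytes([PAD]))))
```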

Contents

9 Telnet and SSH ... 9-1
  9.1 Introduction ... 9-2
    9.1.1 Overview of user logon ... 9-2
    9.1.2 Telnet terminal services ... 9-2
    9.1.3 SSH terminal services ... 9-4
  9.2 Configuring Telnet terminal services ... 9-6
    9.2.1 Establishing the configuration task ... 9-6
    9.2.2 Establishing a Telnet connection ... 9-7
    9.2.3 Scheduling Telnet disconnection ... 9-7
    9.2.4 Checking the configuration ... 9-8
  9.3 Configuring SSH terminal services ... 9-8
    9.3.1 Establishing the configuration task ... 9-8
    9.3.2 Configuring SSH for the VTY user interface ... 9-9
    9.3.3 Generating the local RSA key pair ... 9-10
    9.3.4 Authenticating the SSH client through the password ... 9-10
    9.3.5 Authenticating the SSH client through RSA ... 9-11
    9.3.6 Configuring basic authentication information for the SSH user ... 9-12
    9.3.7 Authorizing the SSH user through the command line interface ... 9-12
    9.3.8 Checking the configuration ... 9-12
  9.4 Maintaining Telnet and SSH ... 9-13
    9.4.1 Debugging Telnet terminal services ... 9-13
    9.4.2 Debugging SSH terminal services ... 9-13
  9.5 Configuration examples ... 9-14
    9.5.1 Example of configuring Telnet terminal services ... 9-14
    9.5.2 Example of configuring password authentication ... 9-16
    9.5.3 Example of configuring RSA authentication ... 9-17

Figures
  Figure 9-1 Telnet client services ... 9-3
  Figure 9-2 Telnet redirection services ... 9-3
  Figure 9-3 Usage of Telnet shortcut keys ... 9-3
  Figure 9-4 Establishing an SSH channel in a LAN ... 9-5
  Figure 9-5 Establishing an SSH channel in a WAN ... 9-5
  Figure 9-6 Networking diagram for Telnet mode ... 9-14
  Figure 9-7 Networking diagram of SSH password authentication ... 9-16
  Figure 9-8 Accessing the router from the client software ... 9-17
  Figure 9-9 Networking diagram of RSA ... 9-18

9 Telnet and SSH

About this chapter
The following table lists the contents of this chapter.
  Section                                   Describes
  9.1 Introduction                          This section describes the basic concepts of user logon through Telnet and Secure Shell (SSH).
  9.2 Configuring Telnet terminal services  This section describes how to log on to a router through Telnet and configure the router.
  9.3 Configuring SSH terminal services     This section describes how to configure SSH users.
  9.4 Maintaining Telnet and SSH            This section describes how to debug the Telnet and SSH terminal services.
  9.5 Configuration examples                This section provides examples for configuring Telnet and SSH.

9.1 Introduction
This section provides an overview of the concepts that you need to know before you configure Telnet and Secure Shell (SSH):
- Overview of user logon
- Telnet terminal services
- SSH terminal services

9.1.1 Overview of user logon
To configure, monitor, and maintain the local or remote Secure Router 8000 Series network devices, configure the user interface, user management, and the terminal service. The user interface provides the logon mechanism, user management guarantees logon security, and the terminal service provides the logon protocol.
The Secure Router 8000 Series supports the following logon methods:
- logon through the console port
- local or remote logon through the AUX port
- local or remote logon through Telnet or SSH

9.1.2 Telnet terminal services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote logon and a virtual terminal service through the network. When the number of remote logon users reaches the maximum number of virtual type terminal (VTY) user interfaces, the system notifies you that all user interfaces are in use and you cannot use Telnet to log on.
The router provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log on to, configure, and manage the router.
- Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the router. You can then use the telnet command to log on to other routers to configure and manage them. In Figure 9-1, Router A serves as both the Telnet server and the Telnet client.

9 Telnet and SSH Figure 9-1 Telnet client services Telnet Session 1 Telnet Session 2 Telnet Server PC RouterA RouterB Redirection terminal services: You can run the Telnet client program on a PC to log on to the router through a specified interface. Then, connect with the serial interface devices that are connected with the asynchronous interface of the router, as shown in Figure 9-2. The typical application is to connect the 8/16-port asynchronous interface of the router with multiple devices for remote configuration and maintenance. Figure 9-2 Telnet redirection services PC Ethernet Router Async0 Async1 Async2 Async8/16 Router1 Lan Switch Modem Router2 NOTE Only devices that provide an asynchronous interface support the Telnet redirection service. Interruption of Telnet services: You can use two types of shortcut keys to interrupt a Telnet connection: Ctrl_] and Ctrl_K. As shown in Figure 9-2, Router A logs on to Router B through Telnet, and Router B logs on to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A is the client of Router B, and Router B is the client of Router C. Figure 9-3 illustrates the usage of the two types of shortcut keys. Figure 9-3 Usage of Telnet shortcut keys Telnet Session 1 Telnet Session 2 Telnet Client Telnet Server RouterA RouterB RouterC Issue 5.3 (30 March 2009) Nortel Networks Inc. 9-3

Ctrl_]: The server interrupts the connection. If the network connection is normal, when you press Ctrl+], the Telnet server interrupts the current Telnet connection. For example:

<RouterC>                    (Press <Ctrl_]> to return to the prompt of RouterB.)
Note: The max number of VTY users is 5, and the current number of VTY users on line is 0.
The connection was closed by the remote host!
<RTB>                        (Press <Ctrl_]> to return to the prompt of RouterA.)
Note: The max number of VTY users is 5, and the current number of VTY users on line is 0.
The connection was closed by the remote host!
<RTA>

NOTE
If the network disconnects, the shortcut keys become invalid and instructions cannot be sent to the server.

Ctrl_K: The client interrupts the connection. When the server fails and the client is unaware of the failure, the server does not respond to client input. In this case, if you press Ctrl+K, the Telnet client interrupts the connection and quits the Telnet connection. For example:

<RouterC>                    (Press <Ctrl_K> to directly interrupt the connection and quit the Telnet connection.)
<RouterA>

9.1.3 SSH terminal services

Overview of SSH

When users on a nonsecure network log on to the router remotely, the Secure Shell (SSH) feature provides security and authentication. SSH protects the router from attacks such as IP address spoofing and interception of plain text passwords. Multiple SSH users can connect to the router.

The SSH client function allows users to establish SSH connections with a router that supports an SSH server or a UNIX host. As shown in Figure 9-4 and Figure 9-5, an SSH channel is set up for the local area network (LAN) connection and the wide area network (WAN) connection.

Figure 9-4 Establishing an SSH channel in a LAN [figure: workstation, server, laptop and a PC running the SSH client on a 100BASE-TX Ethernet with the router]

Figure 9-5 Establishing an SSH channel in a WAN [figure: PC running the SSH client on the local LAN, WAN, SSH router and PC on the remote LAN]

Setup process for SSH connections

This section describes the process for setting up SSH connections.

Negotiating versions

The SSH client sends a request packet to the server to set up a TCP connection. After the TCP connection is set up, the server and the client begin to negotiate the SSH version number. If the version numbers match, the server and client continue to negotiate the shared key. If the version numbers do not match, the server interrupts the TCP connection.

Negotiating the key algorithm

This process covers two actions: negotiating the key and computing the session key. The detailed procedures are as follows:
1. The server generates the Rivest-Shamir-Adleman (RSA) key randomly and sends the public key to the client.
2. The client calculates the key based on the received RSA public key and the local key generated randomly. The client then encrypts the randomly generated local key with the RSA public key and sends it to the server.
3. The server decrypts the received packets with its private key and retrieves the random key generated on the client. It then calculates the session key.

In this way, the server and the client have the same session keys to guarantee session security.

Negotiating authentication mode

After the session key is calculated, the server must authenticate the client. The client sends identity information to the server. If nonauthentication mode is configured on the server, a session request is performed. If authentication mode is configured on the server, the client sends the authentication request to the server. The authentication succeeds, or the connection is interrupted because of timeout.

The SSH server provides the following authentication modes:
- Password authentication: The server compares the configured password with that from the client; if they match, authentication succeeds.
- RSA authentication: Configure the RSA public key for the client on the server. The SSH client first sends its RSA public key modulus to the server. The server then authenticates the modulus, generates a number randomly, encrypts the number with the RSA public key of the client, and sends the encrypted number to the client. The server and the client both calculate the key based on the randomly generated number. The client calculates the number used by the server to authenticate the client and sends the result to the server. The server then compares the received result with that locally calculated. If they are the same, the authentication succeeds.

Sending the session request

After authentication succeeds, the client sends the session request to the server. The server then processes this request and the interactive session begins.

Starting the interactive session

In the interactive session, the server and the client encrypt and decrypt data with the session key.
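The two RSA exchanges described above (the session-key negotiation and the RSA client authentication challenge-response) can be followed end to end in a small model. The following Python example is added here and is not part of the Nortel guide or the router's software. It uses textbook RSA over two small, well-known primes so that the arithmetic stays visible; the session-key derivation (SHA-256 over the server's public key and the client's random key), the digest the client returns for the challenge, and the constant-time comparison are this example's own choices, not the router's actual algorithm. A real SSH implementation uses far larger keys, PKCS#1 padding and a vetted cryptographic library.

```python
"""Model of the two RSA exchanges in the SSH setup process described above:
session-key negotiation and RSA client authentication.

Added example for this guide, not Nortel code.  Textbook RSA over small primes,
for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed demo primes (the 10,000th and 100,000th primes).  Far too small
# for real use; chosen so the exchange runs instantly and readably.
DEMO_P, DEMO_Q = 104729, 1299709
DEMO_E = 65537


def make_keypair(p=DEMO_P, q=DEMO_Q, e=DEMO_E):
    """Textbook RSA key pair: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def derive_session_key(server_pub, random_key):
    """Both sides derive the session key from the server's public key and the
    client's random key (hash chosen for this model: SHA-256)."""
    n, e = server_pub
    return hashlib.sha256(f"{n}:{e}:{random_key}".encode()).digest()


def negotiate_session_key(server_pub, server_priv):
    """Key negotiation.  Returns (client_key, server_key); they must be equal."""
    # Client: pick a random local key, derive the session key, encrypt the
    # random key to the server's public key.  Only the ciphertext crosses the wire.
    client_random = secrets.randbelow(server_pub[0] - 1) + 1
    client_key = derive_session_key(server_pub, client_random)
    on_the_wire = rsa_encrypt(server_pub, client_random)
    # Server: recover the client's random key with its private key.
    recovered = rsa_decrypt(server_priv, on_the_wire)
    server_key = derive_session_key(server_pub, recovered)
    return client_key, server_key


def rsa_authenticate(client_pub, client_priv, authorized_pubs):
    """RSA client authentication as described above.

    The server accepts the client's public key only if it was configured in
    advance (the key pasted in the public key view and assigned to the user),
    then sends an encrypted random challenge; the client proves possession of
    the private key by returning a digest of the decrypted challenge."""
    if client_pub not in authorized_pubs:
        return False                    # unknown key: reject before any crypto
    challenge = secrets.randbelow(client_pub[0] - 1) + 1
    encrypted = rsa_encrypt(client_pub, challenge)
    # Client side: decrypt and answer with a digest, never the raw number.
    answer = hashlib.sha256(str(rsa_decrypt(client_priv, encrypted)).encode()).digest()
    # Server side: compute its own digest and compare in constant time.
    expected = hashlib.sha256(str(challenge).encode()).digest()
    return hmac.compare_digest(answer, expected)


if __name__ == "__main__":
    srv_pub, srv_priv = make_keypair()
    ck, sk = negotiate_session_key(srv_pub, srv_priv)
    print("session keys match:", ck == sk)
    cli_pub, cli_priv = make_keypair(p=999983, q=104729)   # second demo key pair
    print("configured client key:", rsa_authenticate(cli_pub, cli_priv, {cli_pub}))
    print("unconfigured client key:", rsa_authenticate(cli_pub, cli_priv, set()))
```

The model makes the two checks the text relies on explicit: the server never learns anything it has to trust without decrypting with its own private key, and a client whose public key was not configured on the server (or who holds a different private key) fails before or during the challenge.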
9.2 Configuring Telnet terminal services

9.2.1 Establishing the configuration task

Applicable environment

When you log on to a router through Telnet to manage or maintain the router, configure the Telnet terminal services.

Preconfiguration tasks

Before you configure Telnet terminal services, complete the following tasks:
- Power on the router.
- Configure the IP addresses for interfaces of the router.
- Configure users, authentication modes, and call-in or call-out restrictions.
- Configure a reachable route between the terminal and the router.

Data preparation

To configure Telnet terminal services, you need the following data.

No.  Data
1    IP address of the router
2    VPN instance name
3    IPv4/IPv6 address or host name of the remote router
4    Number of the TCP port that provides Telnet services on the remote router
5    Timeout period of the user interface

Configuration procedures

No.  Procedure
1    Establishing a Telnet connection
2    Scheduling Telnet disconnection
3    Checking the configuration

9.2.2 Establishing a Telnet connection

Do as follows on the logon router:

Step 1 Connect the PC with the router through Telnet and the terminal. For details, see Chapter 2, Configuration environment setup.

Step 2 Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-name [ port-number ]
You can now log on to the router through Telnet and manage other routers.

Step 3 Run:
telnet ipv6 [ -a source-ip-address ] host-name [ -i interface-type interface-number ] [ port-number ]
You can now log on to the router through Telnet and manage other routers.

Perform Step 2 to configure the network based on IPv4, and perform Step 3 to configure the network based on IPv6.

----End

9.2.3 Scheduling Telnet disconnection

Do as follows on the logon router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view appears.

Step 3 Run:
idle-timeout minutes [ seconds ]
This command enables the scheduled Telnet disconnection.

----End

9.2.4 Checking the configuration

Run the following commands to check the previous configuration.

Action                                                       Command
Check the connection status of the current user interface.   display users
Check the connection status of all user interfaces.          display users all
Check the status of all the established TCP connections.     display tcp status

Run the display tcp status command to view TCP connection status. The Established status appears after the TCP connection is established.

<Quidway> display tcp status
TCPCB     Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8  36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074  59 /1     0.0.0.0:21          0.0.0.0:0           14849  Listening
34042c80  73 /17    10.164.39.99:23     10.164.6.13:1147    0      Established

9.3 Configuring SSH terminal services

9.3.1 Establishing the configuration task

Applicable environment

For a secure logon, log on to the router through SSH to configure the router. In this case, you must configure SSH terminal services. The Secure Router 8000 Series also supports command line authorization through the HWTACACS server. You cannot run the command without authorization.
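The display tcp status output in section 9.2.4 shows at a glance which management services are reachable and in which state: the sample above has an FTP listener on port 21 and an established Telnet session on port 23. The following Python example is added here and is not part of the Nortel guide or the router's software. It parses that output format (the sample embedded in it is the one printed in 9.2.4, without the prompt line), reports cleartext FTP and Telnet listeners and sessions, and checks whether an SSH listener is present; the column regular expression is this example's own reading of the layout shown, and the port-to-service mapping is an assumption based on the well-known ports.

```python
"""Parse 'display tcp status' output and report cleartext management access.

Added example for this guide, not Nortel code.  The sample output is the one
shown in section 9.2.4 of the guide, with the prompt line dropped.
"""
import re
from dataclasses import dataclass

# Well-known ports for the services this chapter is concerned with (assumption).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
SSH_PORT = 22

SAMPLE_OUTPUT = """\
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0 Established
"""

# One data row: hex control block, "tid /soid" (the router prints a space before
# the slash), two addr:port pairs, VPN id, state keyword.  The header line does
# not match because "TCPCB" is not hexadecimal.
ROW_RE = re.compile(
    r"^(?P<tcpcb>[0-9a-fA-F]+)\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpn>\d+)\s+(?P<state>\w+)\s*$"
)


@dataclass(frozen=True)
class TcpEntry:
    tcpcb: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    vpn_id: int
    state: str


def parse_tcp_status(text):
    """Return the parsed rows; the header and any non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append(TcpEntry(
            tcpcb=m["tcpcb"],
            local_addr=m["laddr"], local_port=int(m["lport"]),
            foreign_addr=m["faddr"], foreign_port=int(m["fport"]),
            vpn_id=int(m["vpn"]), state=m["state"],
        ))
    return entries


def cleartext_management_access(entries):
    """Listening sockets or live sessions on cleartext management ports.

    Returns (service, state, local, foreign) tuples so an operator sees both what
    is exposed (Listening) and who is connected right now (Established)."""
    findings = []
    for e in entries:
        if e.local_port in CLEARTEXT_PORTS and e.state in ("Listening", "Established"):
            findings.append((
                CLEARTEXT_PORTS[e.local_port], e.state,
                f"{e.local_addr}:{e.local_port}", f"{e.foreign_addr}:{e.foreign_port}",
            ))
    return findings


def ssh_listening(entries):
    """True when an SSH listener is present, i.e. protocol inbound ssh took effect."""
    return any(e.local_port == SSH_PORT and e.state == "Listening" for e in entries)


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_OUTPUT)
    for finding in cleartext_management_access(rows):
        print("cleartext %-6s %-11s local=%s foreign=%s" % finding)
    print("ssh listener present:", ssh_listening(rows))
```

Run against the sample, the check reports the FTP listener and the Telnet session from 10.164.6.13 and notes that no SSH listener exists yet, which is exactly the state a router is in before the procedures in section 9.3 are applied.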

Preconfiguration tasks

Before you configure SSH terminal services, complete the following tasks:
- Power on the router.
- Connect the router with the PC.
- Configure a reachable route between the PC and the router.

Data preparation

To configure SSH terminal services, you need the following data.

No.  Data
1    Number of the VTY user interface
2    SSH user name
3    Update time of the server key
4    Timeout period of SSH authentication
5    Retry times of SSH authentication
6    Name of the public key

Configuration procedures

No.  Procedure
1    Configuring SSH for the VTY user interface
2    Generating the local RSA key pair
3    Authenticating the SSH client through the password
4    Authenticating the SSH client through RSA
5    Configuring basic authentication information for the SSH user
6    Authorizing the SSH user through the command line interface (optional)
7    Checking the configuration

NOTE
Procedures 3 and 4 are parallel; you can choose either configuration procedure.

9.3.2 Configuring SSH for the VTY user interface

Do as follows on the logon router:

Step 1 Run:
system-view

The system view appears.

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view appears.

Step 3 Run:
authentication-mode aaa
This command configures the AAA authentication mode.

Step 4 Run:
protocol inbound ssh
This command configures SSH for the VTY user interface.

----End

NOTE
Configure the authentication mode for the VTY user interface to AAA. Otherwise, you cannot configure SSH for VTY.

9.3.3 Generating the local RSA key pair

Do as follows on the logon router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rsa local-key-pair create
This command generates the local RSA key pair.

----End

NOTE
Before you log on through SSH, you must configure the router to generate the local RSA key pair. Run the rsa local-key-pair create command to generate the local key pair.

9.3.4 Authenticating the SSH client through the password

Do as follows on the logon router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
ssh user user-name authentication-type password

This command configures password authentication for the SSH client.

Step 3 Run:
ssh authentication-type default password
This command configures the default password authentication for the SSH client.

----End

9.3.5 Authenticating the SSH client through RSA

Do as follows on the logon router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
ssh user user-name authentication-type rsa
This command configures RSA authentication for the SSH client.

Step 3 Run:
rsa peer-public-key key-name
The public key view appears.

Step 4 Run:
public-key-code begin
The public key editing view appears.

Step 5 Run:
hex-data
This command edits the public key.

Step 6 Run:
public-key-code end
This command exits the public key editing view.

Step 7 Run:
peer-public-key end
This command exits the public key view and returns you to the system view.

Step 8 Run:
ssh user user-name assign rsa-key key-name
This command assigns the public key to the SSH user.

----End
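A saved configuration can be checked mechanically against the settings that sections 9.2.3 and 9.3.2 to 9.3.5 configure. The following Python example is added here and is not part of the Nortel guide or the router's software. It walks a constructed VRP-style configuration fragment (indented lines under each user-interface heading, '#' separators, in the same shape as the configuration files shown in the examples later in this chapter) and flags VTY ranges that still accept Telnet, do not use AAA, store a plaintext 'simple' password, or have no idle-timeout, plus SSH users configured for RSA authentication without an assigned key (step 8 above). The fragment, the severities and the rule set are this example's own assumptions.

```python
"""Audit a VRP-style configuration for the remote-access settings in this chapter.

Added example for this guide, not Nortel code.  SAMPLE_CONFIG is constructed
from the commands shown in sections 9.2.3 and 9.3.2 to 9.3.5; it is not a
real device's file.
"""
import re

# Constructed sample: vty 0 4 is left as Telnet with a plaintext password and
# no idle-timeout; vty 5 9 is hardened as the chapter prescribes; backup02 is
# an RSA user whose key was never assigned.
SAMPLE_CONFIG = """\
#
 sysname RouterB
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple 123456
#
user-interface vty 5 9
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 10 0
#
ssh user client001 authentication-type password
ssh user admin01 authentication-type rsa
ssh user admin01 assign rsa-key admin01_key
ssh user backup02 authentication-type rsa
#
return
"""


def parse_user_interfaces(text):
    """Map each 'user-interface ...' heading to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("user-interface "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None            # '#' or a top-level command ends the block
    return blocks


def audit_config(text):
    """Return (severity, location, finding) tuples for weak remote-access settings."""
    findings = []
    for name, lines in parse_user_interfaces(text).items():
        if not any(l.startswith("protocol inbound ssh") for l in lines):
            findings.append(("high", name, "Telnet still accepted; add 'protocol inbound ssh'"))
        if not any(l.startswith("authentication-mode aaa") for l in lines):
            findings.append(("medium", name, "not using AAA; SSH cannot be enabled on this VTY"))
        if any(re.match(r"set authentication password simple\b", l) for l in lines):
            findings.append(("high", name, "plaintext ('simple') password stored in configuration"))
        if not any(l.startswith("idle-timeout") for l in lines):
            findings.append(("low", name, "no idle-timeout; abandoned sessions stay open"))
    # Every SSH user configured for RSA needs an assigned key (step 8 of 9.3.5).
    rsa_users = set(re.findall(r"^ssh user (\S+) authentication-type rsa$", text, re.M))
    keyed_users = set(re.findall(r"^ssh user (\S+) assign rsa-key \S+$", text, re.M))
    for user in sorted(rsa_users - keyed_users):
        findings.append(("high", f"ssh user {user}", "RSA authentication without an assigned rsa-key"))
    return findings


if __name__ == "__main__":
    for severity, where, what in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {where}: {what}")
```

On the constructed sample the hardened range vty 5 9 produces no findings, vty 0 4 produces all four, and backup02 is reported because the assign rsa-key step was skipped; running the same rules over a real saved configuration gives a quick pre-change or post-change check of the procedures in this section.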

NOTE
In the public key editing view, you can send the RSA public key generated on the client software that supports SSH1.5 to the server. Copy and paste the RSA public key to the router that serves as the SSH server.

9.3.6 Configuring basic authentication information for the SSH user

Do as follows on the logon router:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
ssh server rekey-interval hours
This command configures the update time of the server key.

Step 3 Run:
ssh server timeout seconds
This command configures the timeout for SSH authentication.

Step 4 Run:
ssh server authentication-retries times
This command configures the number of retries for SSH authentication.

----End

9.3.7 Authorizing the SSH user through the command line interface

NOTE
The SSH user can be authenticated through password mode or RSA mode. For information about configuring command line authorization in password mode, see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600). This section describes how to configure command line authorization in RSA mode.

9.3.8 Checking the configuration

Action                                                                   Command
Check the public key in the local key pair generated by the SSH server.  display rsa local-key-pair public
Check the RSA public key of the client.                                  display rsa peer-public-key [ brief | name key-name ]
Check the SSH status and session information.                            display ssh server { session | status }

Check information about an SSH user.                                     display ssh user-information [ user-name ]

9.4 Maintaining Telnet and SSH

This section describes the following topics:
- Debugging Telnet terminal services
- Debugging SSH terminal services

9.4.1 Debugging Telnet terminal services

When a Telnet fault occurs, run the following debugging command in the user view to locate the fault. Debugging affects the performance of the system. After you debug Telnet terminal services, run the undo debugging all command to disable debugging.

Action                     Command
Enable Telnet debugging.   debugging telnet

9.4.2 Debugging SSH terminal services

This section describes the following topics:
- Deleting SSH users
- Debugging SSH

Deleting SSH users

Delete SSH users by using the following commands in the system view.

Action                          Command
Delete the specified SSH user.  undo ssh user user-name
Delete all the SSH users.       undo ssh user

Debugging SSH

Debugging affects the performance of the system. After you debug SSH, run the undo debugging all command to disable debugging. When a fault occurs, run the debugging command in the user view to locate the fault. For information about displaying debugging information, see Nortel Secure Router 8000 Series Configuration - System Management (NN46240-601).

Action                              Command
Enable the SSH debugging function.  debugging ssh server { vty index | all } { message | event | packet | all }

9.5 Configuration examples

This section provides the following examples:
- Example of configuring Telnet terminal services
- Example of configuring password authentication
- Example of configuring RSA authentication

9.5.1 Example of configuring Telnet terminal services

Networking requirements

As shown in Figure 9-6, Router A and Router B can ping each other. Users can log on to Router B from Router A through Telnet.

Figure 9-6 Networking diagram for Telnet mode [figure: RouterA GE1/0/0 1.1.1.1/24 connected to RouterB GE1/0/0 1.1.1.2/24]

Configuration roadmap

1. Configure the authentication mode and password of the user interface VTY0 to VTY4 on Router B.
2. Users must enter the password when they log on to Router B from Router A through Telnet.

Data preparation

To complete the configuration, you need the following data:
- host address of Router B
- authentication mode and password

Configuration procedure

Step 1 Configure the IP address.

# Configure Router A.
<RouterA> system-view
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24

# Configure Router B.
<RouterB> system-view
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24

Step 2 Configure the authentication mode and password of Telnet on Router B.
<RouterB> system-view
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple 123456
[RouterB-ui-vty0-4] quit

Step 3 Log on to Router B from Router A through Telnet.
<RouterA> telnet 1.1.1.2
Trying 1.1.1.2...
Press CTRL+K to abort
Connected to 1.1.1.2...
***********************************************************
* All rights reserved (2000-2005)                         *
* Without the owner's prior written consent,              *
* no decompiling or reverse-engineering shall be allowed. *
* Notice:                                                 *
* This is a private communication system.                 *
* Unauthorized access or use may lead to prosecution.     *
***********************************************************
Login authentication
Password:123456
Note: The max number of VTY users is 5, and the current number of VTY users on line is 1.
<RouterB>

----End

Configuration files

- configuration file of Router A (not shown here)
- configuration file of Router B

#
 sysname RouterB
#
user-interface vty 0 4
 set authentication password simple 123456
#
return

9.5.2 Example of configuring password authentication

Networking requirements

The SSH client must establish a local connection with the router. The terminal runs the client software that supports SSH1.5. The user interface supports only SSH. SSH Client001 logs on to the router in password authentication mode.

Figure 9-7 Networking diagram of SSH password authentication [figure: PC running SSH Client001 connected to the router (Quidway) GE1/0/0 1.1.1.1/24]

Configuration roadmap

Configure SSH Client001 on the router.

Data preparation

To complete the configuration, you need the following data:
- number of the logon user interface
- user name and password of SSH clients

Configuration procedure

Step 1 Generate the local key pair.
<Nortel> system-view
[Nortel] rsa local-key-pair create
The key name will be: Nortel_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys......++++++++++++...++++++++++++...++++++++

...++++++++

Step 2 Configure the SSH user.

NOTE
If password authentication mode is configured for SSH users, you must configure the same local user name.

# Configure the VTY user interface.
[Nortel] user-interface vty 0 4
[Nortel-ui-vty0-4] authentication-mode aaa
[Nortel-ui-vty0-4] protocol inbound ssh
[Nortel-ui-vty0-4] quit

# Create an SSH user with the name client001, and configure the password authentication mode.
[Nortel] ssh user client001 authentication-type password

# Set the password of the SSH user client001 to nortel.
[Nortel] aaa
[Nortel-aaa] local-user client001 password simple nortel
[Nortel-aaa] local-user client001 service-type ssh

NOTE
You can use the default authentication timeout period, retry time, and update time of the server key.

After the configuration, you can run the client software that supports SSH1.5 on the terminals connected with the router and access the router with the user name client001 and the password nortel.

Step 3 Run the client software that supports SSH1.5 on the terminal and access the router as shown in Figure 9-8.

Figure 9-8 Accessing the router from the client software [screenshot not reproduced]

----End

NOTE
The logon interface may be different from the example shown depending on the client software.

9.5.3 Example of configuring RSA authentication

Networking requirements

Configure the SSH client and the router for the local connection.