Plexxi HCN Plexxi Switch Software Administrator Guide using Linux and Plexxi CLI Release 4.0.0


Document Version 2
May 22, 2018

100 Innovative Way - Suite 3322
Nashua, NH 03062
Tel. +1.888.630.PLEX (7539)
www.plexxi.com

Legal Notices

The information contained herein is subject to change without notice.

Plexxi, the Plexxi logo, and LightRail are registered trademarks, and Plexxi HCN, Plexxi Control and Plexxi Connect are trademarks of Plexxi, Inc. in the United States and other countries. Other product or service names may be trademarks or service marks of others.

No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Plexxi, Inc. Plexxi, Inc. reserves all rights of copyright in this documentation.

PLEXXI, INC. PROVIDES THIS DOCUMENTATION AS IS, WITHOUT WARRANTY, TERM, OR CONDITION OF ANY KIND, EITHER IMPLIED OR EXPRESSED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES, TERMS, OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

Plexxi, Inc. reserves the right to make changes to equipment design or program components described in this documentation, as progress in engineering, manufacturing methods, or other circumstances may warrant. No responsibility is assumed for the use of Plexxi, Inc. software or hardware, all rights, obligations and remedies related to which are as set forth in the applicable sales and license agreements.

Plexxi, Inc.
100 Innovative Way - Suite 3322
Nashua, NH 03062
Tel: +1.888.630.PLEX (7539)
www.plexxi.com

Published May 22, 2018. Printed in United States of America.
Copyright 2018 Plexxi, Inc. All rights reserved.

The Plexxi Switch system is classified as a class 1 telecommunications laser product employing embedded class 1 lasers and complies with the following:

THIS PRODUCT COMPLIES WITH FDA RULE 21 CFR SUBCHAPTER J IN EFFECT AT DATE OF MANUFACTURE.
PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11.

Electrotechnical Commission (IEC) 60825-1, 60825-2

This product is classified as a: CLASS 1 LASER PRODUCT

This unit is intended to be installed in a Restricted Access Location only with access only by trained personnel.

Warning: The primary hazards of exposure to invisible laser radiation from an optical fiber communications system are:

- Damage to the eye by viewing an unterminated optical fiber or fiber optic connector.
- Damage to the eye from invisible laser radiation from viewing a cut fiber or a broken fiber.

Never attempt to view optical connectors that may be emitting laser energy and always avoid possible exposure to invisible optical laser radiation. Using optical fiber scopes or magnifying lenses may increase the possibility for an eye hazard. It is recommended that you use an optical power meter to determine if there is optical laser radiation present or use a remote video display inspection tool to inspect connectors.

Plexxi Switch Administrator Guide using Linux and Plexxi CLI, 4.0.0

Table of Contents

Legal Notices
Welcome
Related Documentation
Contacting Plexxi Support

1 Switch Management Connections
  Ports
  Serial Console Port
  SSH through Management Port
  SSH Session opened from Plexxi Control
  Logging into the switch
  User Accounts

2 Initial Switch Setup
  Serial Console
  Running px-setup
  Configuring the Plexxi Control IP Address on the DHCP Server
  Connecting through the Management Interface
  Changing the admin User Password
  Accessing the Plexxi CLI
  Configuring LightRails
  Saving the Configuration
  Upgrading Plexxi Switch Software

3 Plexxi Linux Utilities for Switch Configuration
  px-adduser
  px-hostname
  px-log-bundle
  px-lspart
  px-package-check
  px-setup
  px-ssl-install
  px-sslgen
  px-topology

4 Managing Plexxi Switch Linux User Accounts and Authentication Methods
  Local Switch Authentication
  Adding a Local User Using the Plexxi px-adduser Utility
  Accessing the Plexxi CLI
  TACACS+ Authentication for a Switch
  Overview
  Configuring TACACS+ Authentication on a Switch
  TACACS+ PAM setup
  TACACS+ NSS Configuration
  RADIUS Authentication for a Switch
  Overview
  Configuring RADIUS Authentication on a Switch
  Enabling RADIUS
  LDAP Authentication for a Switch
  Overview
  Configuring LDAP Authentication for a Switch
  Enabling the Authentication Method for a Switch

5 Debian Linux Commands for Switch Configuration
  Configuring Clocks
  Manually Setting the Time and Date
  Changing the Time Zone
  Setting Time Once with NTP
  Configuring NTP
  Configuring the IP Domain
  Configuring the Management Interface
  Configuring the IP Address of the Management Interface
  Configuring the MTU Size of the Management Interface
  Enabling and Disabling the Management Interface
  Configuring a VLAN on the Management Interface
  Configuring IP Routes
  Configuring SNMP
  Groups
  Communities
  MIB Views
  SNMP v3 User-Based Security Model
  Copying Files to a Switch
  Configuring SSH Keys on a Switch
  Regenerating SSH Host Keys on the Switch
  Starting or Stopping the SSH service on the Switch
  Making SSH Persistent on the Switch

6 Saving Configuration Changes
  Saving Configuration Changes
  Checking the Current Configuration

7 Handling Files
  Handling Files from the Debian Linux Prompt
  Copying Files from a Remote System
  Handling Files from the Plexxi CLI
  running-config and startup-config
  Copy, Move, and Delete Examples
  File Copy with URL

8 Upgrading the Plexxi Switch Software to Release 4.0.0
  Preparing to Upgrade from a Pre-3.3.0 Release
  Upgrading the Switches
  Implementing the IS-IS Protocol
  Running a Fit

9 In-Band Management
  Overview
  Configuring In-Band Management
  Related Plexxi CLI Commands
  inband-management config dhcp
  inband-management config ip
  inband-management delete
  inband-management gw add
  show inband-management

10 Configuring LightRails
  Overview
  LightRail 1
  LightRail 2 (Switch 3eq)
  LightRail 3 (Switch 3eq)
  User Interface and Workflow Details
  CLI Commands to Configure LightRails

11 Switch 2e DCI mode
  Operation
  Modes of operation
  Switch2e DCI CLI Command: fabric redirect
  Switch 2e I/O Panel Ports

12 BGP-EVPN
  About BGP-EVPN
  Configuring BGP-EVPN on Each Plexxi Switch
  address-family
  exit-address-family
  neighbor activate
  neighbor peer-group
  neighbor remote-as

13 Routed Port Interface
  Overview
  Considerations
  Viewing the Configured LAGs on a Plexxi Switch
  Prerequisites
  Configuring a Routed Port Interface
  Creating the Interface
  Assigning an IP Address to the Interface
  Verifying the Configuration

14 Spine Switch Fabric
  CLI Commands to Configure the Spine Switch Fabric
  Configure the Spine LightRail
  Configure the Fabric Speed for LightRail Type 1 or 2 on the Spine Switch
  Configure the Fabric Egress Rate for Fabric Ports on the Spine Switch

15 Plexxi CLI Modes
  Opening the Plexxi CLI Shell
  Entering the CLI Modes
  Entering the EXEC Mode
  Entering the PRIV-EXEC Mode
  Entering the CONFIG Mode
  Entering the CONFIG-LINE Mode
  Exiting the CONFIG-LINE Mode
  Exiting the CLI Modes
  Returning to the Previous CLI Mode
  Returning to the PRIV-EXEC Mode
  Exiting Plexxi Shell to Bash

16 CLI Command Reference Exec mode
  clear access-list
  clear counters
  clear ip
  clear ipv6
  clear mac sw-table
  debug bgp
  debug ip
  debug mrd
  debug nsm
  debug ospf
  debug pim
  debug pip
  debug prd
  disable
  enable
  exit quit
  help
  logout
  no
  no debug all
  ping
  quit
  reset log
  show access-list
  show bgp
  show cli
  show clock
  show crossbars
  show cutthru
  show debugging
  show fabric
  show flow
  show hardware
  show history
  show hold-policy
  show hosts
  show interface
  show interface summary
  show ip
  show ip arp
  show ip dhcp-relay
  show ip domain-list
  show ip domain-name
  show ip fastpath statistics
  show ip host
  show ip igmp snooping
  show ip interface
  show ip name-server
  show ip route
  show lacp
  show lacp lag
  show lag
  show lag lacp
  show lag IFNAME vlan
  show list
  show lldp
  show lldp local-info
  show locate-led
  show log
  show mrib
  show neighbor-discovery
  show nsm
  show ntp
  show post
  show privilege
  show qinq svlan
  show qsfp
  show router-channel
  show router-id
  show sflow
  show system resources
  show system uptime
  show timezone
  show topography
  show transceivers
  show translation tvlan
  show users
  show version
  show virtual-routers
  show vlan
  ssh
  telnet
  terminal
  trace-attachment
  traceroute
  undebug

17 CLI Command Reference PRIV-EXEC mode
  boot toggle
  clear arp-cache
  clear controller address
  clear controller config
  clear cores
  clear hold
  clear ip route kernel
  clear mac hw-table
  clear policer statistics
  configure (terminal)
  controller set
  copy FILE
  copy running-config
  copy startup-config
  copy URL
  cutthru
  dci-behavior
  delete FILE
  delete startup-config
  dir
  disable
  enable
  fabric-encap create
  fabric clear-fabric-id
  fabric-encap delete
  fabric east-egress-rate (Switch 2e)
  fabric east-speed (Switch 2e)
  fabric egress-rate (Switch 3eq)
  fabric learn-fabric-id
  fabric lightrails
  fabric protocol-change
  fabric redirect (for Switch 2e)
  fabric redirect (for Switch 2, 2s, 2p, 2sp)
  fabric speed (Switch 3eq)
  fabric west-egress-rate (Switch 2e)
  fabric west-speed (Switch 2e)
  flow
  hold
  hold-policy
  hold IFNAME
  inband-management config port
  inband-management config dhcp
  inband-management config ip
  inband-management delete
  install <FILE>
  lldp port IFNAME receive
  locate-led
  logout
  migrate-data
  move FILE
  mstat
  mtrace
  ptp
  qsfp config
  quit
  reload (rescue)
  rpi create
  rpi delete
  show boot
  show controller
  show debugging snmp
  show fabric
  show fabric-encap
  show file
  show flow
  show fsat
  show history
  show hosts
  show inband-management
  show install
  show interface
  show l2-isis
  show loop-detection-stats
  show mac hw-table
  show mac sw-table
  show nsm client
  show peers
  show process
  show psat
  show running-config
  show startup-config
  show system cores
  show tech-support
  show topography
  show topology residual
  show topology vlan
  show user-defined-path
  show users
  support log-bundle
  verify FILE

18 CLI Command Reference CONFIG mode
  access-list
  arp
  banner motd
  bgp
  debug
  debug nsm
  do <command>
  dump bgp
  enable password
  exit quit
  fib retain
  help
  interface
  ip forwarding
  ip route
  line console 0
  line vty
  log file
  max-fib-routes
  max-static-routes
  maximum-access-list
  maximum-paths
  no
  route-map <tag>
  router bgp
  router ospf
  router-channel
  router-id
  service advanced-vty
  service password-encryption
  service terminal-length
  show cli
  show list
  show running-config
  synce

19 CLI Command Reference CONFIG-LINE mode
  exec-timeout
  end exit quit CTRL-D
  help
  history
  login
  privilege level
  show cli
  show list
  show running-config

Appendix A CLI Help
  Output Modifiers
  Repeat a Show Command

Appendix B Troubleshooting
  Switch Log
  Test Network Connectivity
  Assess System Health
  Display Running Processes
  Hardware Status
  Power Supply Details
  Temperature Sensor Readings
  Fan Status

Appendix C Working with Plexxi Care Support
  Opening the PRIV-EXEC Mode
  Combining show Command Output
  Redirecting show Command Output
  Bundling Log Files
  Specifying the Number of Days to Include in Log Output
  Specifying a Time
  Copying Plexxi Switch Core Files
  Checking for Core Files
  Copying a Core File to Another Network Host
  Copying a Core File to Local User Disk Space
  Verifying a Core File in its Original Location
  Deleting Core Files

Welcome

This document describes switch administration tasks and commands/functions that are performed at either the Debian Linux Bash prompt or at a Plexxi configuration command line interface (CLI) prompt. The CLI is used for initial switch set up, some feature configurations, and troubleshooting. You can use the CLI to access information available from Plexxi Control and to display system status.

Although some Plexxi Switch configurations are performed using the Plexxi CLI, most switch configuration tasks are performed using either the Plexxi Control graphical user interface (GUI) or the Plexxi Connect GUIs.

Configuration parameters that are set at the Linux prompt as outlined in this document include:

- Clocks
- management interface
- NTP
- SNMP
- switch user management

Configuration parameters that are set at the Plexxi CLI prompt as described in this document include:

- Switch 2e DCI
- L2 Fabric Link Encapsulation
- In-band Management
- Redirection

Configuration parameters that are set using the Plexxi Control GUI are described in the Plexxi Control Online Help and include:

- VLANs
- Affinities
- User-Defined Paths
- Switch ports
- Switch software upgrades

Related Documentation

The following additional documentation supports this release:

- Plexxi Compatibility Matrix, Version 10 or greater. The Plexxi Compatibility Matrix contains version-specific software and hardware support information as well as cable and transceiver support information.
- Plexxi Release Notes, Release 4.0.0
- Plexxi Control Installation, Upgrade and Administration Guide, Release 4.0.0
- Plexxi Control Online Help is available while logged into the Plexxi Control UI

Except for the online help, this documentation is available on the Resources > Technical Publications page of http://www.plexxi.com.

Contacting Plexxi Support

Plexxi Technical Support services are available to answer your questions and to make sure that your software and hardware continue to operate properly. You can contact Plexxi Support at:

- support@plexxi.com
- 1.888.415.9809 (US/Canada toll-free)
- +1 603-782-0702 (US/International)
- www.plexxi.com/support

1 Switch Management Connections

Ports

You can connect to a Plexxi Switch to perform switch management using the following methods:

- connect via SSH through the management port
- open a terminal session from Plexxi Control
- connect a console system to the console port on the switch

IMPORTANT: If you are performing an initial setup of the switch, refer to Chapter 2, Initial Switch Setup.

Serial Console Port

The serial console may be needed for part of the initial switch setup, for troubleshooting, or for general switch management using Linux and the Plexxi CLI. For serial access, the console system must be connected to the console port on the switch. To connect to the serial console port, the following settings are needed:

- 115.2 Kbps
- 8 data bits
- 1 stop bit
- No Parity

SSH through Management Port

If a switch has undergone the initial switch setup and if the management port is connected to a network for management, you can SSH remotely through the switch's management port.

IMPORTANT: If you are performing an initial setup of the switch, refer to Chapter 2, Initial Switch Setup.

SSH Session opened from Plexxi Control

You can open an SSH session from Plexxi Control as described in the Plexxi Control Online Help, which is accessible from the Plexxi Control UI (User Interface).

Logging into the switch

When you connect to the switch, you are prompted for a username and password. The default values for the pre-configured administrator account are:

    username: admin
    password: plexxi

When you log in, you start in your home directory at /home/<username>. At the shell prompt, you can:

- perform switch setup using px-setup utilities
- perform some switch configuration tasks using the Plexxi CLI

User Accounts

For information on managing Plexxi user accounts from Linux, refer to the next chapter.

2 Initial Switch Setup

When you initially install a switch, you need to open a console connection to any switch in the fabric, then run the px-setup command to configure the appropriate switch(es) as described in the sections that follow. Additionally, you can specify a new password for access to Linux on any new switches and, for Switch 3eq, define the LightRail configuration.

Serial Console

The serial console may be needed for part of the initial switch setup, for troubleshooting, or for general switch management using Linux and the Plexxi CLI. For serial access, the console system must be connected to the console port on the switch. To connect to the serial console port, the following settings are needed:

- 115.2 Kbps
- 8 data bits
- 1 stop bit
- No Parity

Running px-setup

px-setup is a Plexxi utility that simplifies Plexxi switch setup by eliminating the need to edit configuration files and restart services on the Plexxi Switch. The utility queries administrators for information, then configures the IP or hostname of the Plexxi Control software, time zone, network address, default gateway, SNMP management, and several network services, including NTP and DNS.

The px-setup commands require root/sudo privilege to modify core services. For example, logged into the switch as admin:

    $ sudo px-setup

To set up all switches and all network characteristics for a new install, use px-setup without arguments:

    $ sudo px-setup

For detailed information about the px-setup command, refer to the px-setup section in Chapter 3, Plexxi Linux Utilities for Switch Configuration.

Note: Instead of specifying the IP address or hostname of the Plexxi Control server using the px-setup command, refer to the next section to configure the IP address or hostname of the Plexxi Control server on the DHCP server. You only need to perform this step for the first Plexxi switch installed in the fabric.

Configuring the Plexxi Control IP Address on the DHCP Server

Rather than configuring the IP address or hostname of the Plexxi Control server on a Plexxi switch via the px-setup-controller CLI command, administrators can configure the IP address or hostname of the Plexxi Control server on the DHCP server. Follow the instructions in this section for the first Plexxi switch being deployed in your fabric.

Note: These instructions assume that Plexxi Control has already been deployed on a Plexxi Control server.

For an ISC (Internet Systems Consortium) DHCP server, include the following option lines in the DHCP server's configuration file:

    option plexxi-control-address code 240 = text;
    option plexxi-control-address = "1.2.3.4";

You can define either an IP address or hostname. The Plexxi switch will obtain the IP address or hostname of the Plexxi Control server from the DHCP server when the switch is booted or rebooted. The DHCP server will send the code 240 value to the Plexxi Switch in the DHCP Reply message. The Plexxi switch will then configure the specified IP address or hostname for communicating with the Plexxi Control server.

IMPORTANT: If an IP address or hostname for the Plexxi Control server has already been configured on the Plexxi switch using the px-setup-controller CLI command, the IP address or hostname received in the DHCP Reply message will not override it.

Once the configuration is complete, you can remove the option lines above from the DHCP server's configuration file, because the configured IP address or hostname of the Plexxi Control server will persist even through upgrades and will only be removed by explicitly removing it using the px-setup-controller (or equivalent) command on the Plexxi switch.

Connecting through the Management Interface

Connect to the switch using the ssh command. This requires that the MGMT port on the switch be connected and that you know the IP address of the switch management port (the address you just configured).

Connect to the switch using ssh and log in using the default credentials. For example:

    ssh admin@ipaddress

Reply as prompted; the default administrator login is:

    Username: admin
    Password: plexxi

This puts you at the Debian Linux prompt on the switch in the /home/admin directory.

Changing the admin User Password

You can change the password for the Linux admin user on any new switches using the Linux passwd command while logged in as admin and at the Linux prompt on the switch:

    $ passwd

Accessing the Plexxi CLI

Access the Plexxi CLI as follows:

1. Open the Plexxi CLI Shell.

   At the Bash prompt, enter the following sudo command and then enter the password for admin:

       admin@switch:~$ sudo px-shell

   This opens the EXEC Mode prompt:

       switch>

   For example:

       admin@plexxi1:~$ sudo px-shell
       [sudo] password for admin:...
       plexxi1>

2. Enter the PRIVILEGED EXEC mode: from the EXEC mode, enter the enable command. For example, on switch Plexxi1:

       plexxi1> enable
       plexxi1#

   The prompt changes from > to #.

Configuring LightRails

Configure the LightRails as described in Chapter 10, Configuring LightRails.

Saving the Configuration

An asterisk preceding the prompt indicates that the configuration has changed and has not been saved. To save the new configuration settings to the switch, enter the following command in the PRIV-EXEC mode (# prompt):

    *plexxi1# copy running-config startup-config
    Building configuration...
    [OK]
    plexxi1#

Upgrading Plexxi Switch Software

You might need to upgrade to the latest version of the switch software when you initialize the switch for the first time. If you are not sure, verify with your Plexxi representative.

3 Plexxi Linux Utilities for Switch Configuration

Some Plexxi switch-specific configuration settings are accomplished using Plexxi Linux utilities as outlined in the sections that follow.

IMPORTANT: Man pages are available for Plexxi px- utilities.

Running Plexxi Linux Utilities

To run the Plexxi Linux utilities:

1. Connect to the Plexxi switch using ssh and log in with the default credentials, using the following command:

       ssh admin@ipaddress

   For example:

       ssh admin@192.168.1.2

   In the above command, you can specify the hostname rather than the IP address, as follows:

       ssh admin@hostname

   For example:

       ssh admin@sw2

2. Reply as prompted. The default administrator login is:

       Username: admin
       Password: plexxi

3. This puts you at the Debian Linux prompt on the switch in the /home/admin directory.

4. Change directory to the root directory:

       cd /

5. At the prompt, enter a Plexxi utility command. For example:

       $ px-topology --info

6. To get a man page for a Plexxi utility command, enter the following command:

       $ man command_name

   For example:

       $ man px-adduser

px-adduser

Add a User

The px-adduser utility enables you to easily create accounts that adhere to Plexxi switch user roles. It is accessible in the switch Bash environment; it is not available from the px-shell CLI.

Note: It is not mandatory that you use this utility to create Plexxi switch user accounts - it just makes it easier.

    px-adduser <username>
    px-adduser [--user-role administrator|operator|viewer] [--full-name <name>] <user_name>
    px-adduser [--disabled-login] <user_name>
    px-adduser [-h|--help]

Helper utility for creating local user accounts that adhere to Plexxi user roles.

Options

    -h, --help          Display help for this command.
    --user-role role    Specify the role for this account: administrator, operator or viewer.
    --full-name name    Indicate the full name of this user or any comment for the account.
    --disabled-login    Create the account without prompting for the initial password.

Issuing this command with only the user_name argument prompts you to enter the user role, full name and password for this new account. The optional parameters listed above can be passed to avoid entering settings interactively.

Note: The password cannot be passed on the command line. You can use the --disabled-login option to create the account initially disabled, then later use the passwd command to set the initial password and enable the account.

User Roles

Plexxi supports the following user roles:

- Administrator: This role has the highest privileges on the system. It equates, indirectly, to superuser access. User accounts of this role have:
    o Membership in group px_administrator; this group has sudo access to all system commands
    o Default shell is /bin/bash
- Operator: This is the second highest privilege level. It allows for configuration changes in px-shell, but is more limited for the rest of the system. It has:
    o Membership in group px_operator; this group has sudo access only to px-shell
    o Default shell is /bin/bash
- Viewer: This is the least privileged role. Users with this role are only allowed unprivileged access to px-shell and no access to Bash. It includes:
    o Membership in group px_viewer; this group has no sudo privileges
    o Default shell is /bin/px-shell

Examples

With the following command, you are prompted for the role, full name and initial password:

    $ sudo px-adduser nemo

The following command generates no prompts and creates an operator account that is disabled:

    $ sudo px-adduser --user-role operator --full-name "Dory fish" --disabled-login dory

The following command displays Help for the px-adduser command:

    $ sudo px-adduser --help

Exit Status

This utility essentially calls the useradd command, followed by the passwd command (unless opted out). If either of these returns an error, its status is propagated by this utility. See useradd(8) and passwd(1) for more details on their status codes.

Scripting

It may be desirable to script the creation of accounts. This can be accomplished by using the optional --user-role and --full-name arguments to pass the information normally prompted for. The password cannot be passed on the command line, because it could be visible to other users in the process listing. Instead, pass the --disabled-login option so that the account is created in an initially disabled state. Later on, /usr/bin/passwd can be used to set the initial password and enable the account.
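The scripted account creation described under Scripting, as an added example that is not part of the Plexxi guide. The record format (username:role:full name), the username pattern and the DRY_RUN switch are assumptions of this example; the px-adduser options are the ones documented above.

```shell
#!/bin/sh
# Added example, not from the Plexxi guide: bulk-create switch accounts with
# px-adduser without ever placing a password on a command line.
DRY_RUN=${DRY_RUN:-1}     # assumption: 1 = only report what would be done

# Print a reason when a record is unusable; print nothing when it is fine.
record_error() {
    case $2 in
        administrator|operator|viewer) ;;
        *) echo "unknown role '$2'"; return ;;
    esac
    # Assumed policy: lowercase letter or '_' first, then lowercase letters,
    # digits, '_' or '-'. Rejecting a leading '-' also keeps a record from
    # being read by px-adduser as an option.
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' ||
        echo "invalid username"
}

# Read "username:role:full name" records on stdin, one per line.
# Prints one result line per record; returns 1 if any creation failed.
create_accounts() {
    failed=0
    while IFS=: read -r user role full; do
        case $user in ''|'#'*) continue ;; esac      # blank line or comment
        err=$(record_error "$user" "$role")
        if [ -n "$err" ]; then
            printf 'SKIP %s: %s\n' "$user" "$err"
            continue
        fi
        if [ "$DRY_RUN" = 1 ]; then
            printf 'WOULD-CREATE %s role=%s login=disabled\n' "$user" "$role"
        elif sudo px-adduser --user-role "$role" --full-name "$full" \
                 --disabled-login "$user" </dev/null; then
            # </dev/null keeps px-adduser from consuming the remaining records
            printf 'CREATED %s role=%s login=disabled\n' "$user" "$role"
        else
            # px-adduser propagates the useradd(8)/passwd(1) exit status
            printf 'FAILED %s status=%s\n' "$user" "$?"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample records; with DRY_RUN=1 nothing is changed.
create_accounts <<'EOF'
# username:role:full name
nemo:viewer:Nemo
dory:operator:Dory fish
-h:administrator:Leading dash is rejected
marlin:root:Role is not one of the three Plexxi roles
EOF
```

After reviewing the dry-run output, run with DRY_RUN=0, then set each initial password interactively with `sudo passwd <username>`, which also enables the account.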

px-hostname: Configure the Switch Host Name

The standard Linux hostname command does not make a persistent change to the switch hostname. To make a persistent switch hostname change, use the Plexxi px-hostname utility from BASH. When using the px-hostname command to change the hostname of the switch, the command must be run as 'root' (with 'sudo').

Note: The host name becomes part of the Linux and Plexxi CLI command prompts on the next login.

    px-hostname
    px-hostname <new_host_name> [-y|--yes-restart]
    px-hostname -h|--help

Options:

    -h, --help          Print help for this command.
    -y, --yes-restart   Proceed with the hostname change without prompting.

When you configure the switch hostname, various services are restarted. Therefore, you will be prompted to continue. You can avoid the prompt by entering -y or --yes-restart as a command argument.

px-hostname with no arguments returns the current active hostname.

px-hostname with a new hostname persistently applies the new hostname to the switch.

px-log-bundle: Generate Log Bundle

The px-log-bundle utility allows users to retrieve a log bundle from a specified switch. The output file has the format HOSTNAME-YYYYMMDD-HHMM-sw-log-bundle.tar.gz and contains log files for a switch that are newer than the specified or default (24 hours) time.

    px-log-bundle [-h] [-v] [-d days | -H hours | -f [YYYY][MM][DD]hhmm]

Optional Arguments

    -h, --help
        Display help for this command.
    -d, --days=(days)
        Include files newer than number of days before now.
    -f, --format=[yyyy][mm][dd]hhmm
        Include files newer than the specified date/time:
            YYYY    4-digit year
            MM      2-digit month
            DD      2-digit day
            hhmm    Hour and minute
    -H, --hours=(hours)
        Include files newer than number of hours before now.
    -v, --verbose
        Run in verbose mode. Can be used with [-d days | -H hours | -f [YYYY][MM][DD]hhmm] or with no other options (which collects logs from the previous 24 hours).

Examples

The following command generates a log bundle containing data from the last 36 hours:

    $ px-log-bundle -H 36

The following command generates a log bundle containing data from the last 30 days:

    $ px-log-bundle -d 30

The following command generates a log bundle containing data starting at 1:00 April 27, 2018:

    $ px-log-bundle -f 201804270100

px-lspart: Display Install Partition Information

The /usr/bin/px-lspart utility lists the installed software version for each of the install partitions (A and B). It also indicates which partition is currently running (r is shown next to the partition) and which partition is currently the default boot partition (b is shown next to the partition).

    px-lspart
    px-lspart -h|--help

Options

    -h, --help    Display a help summary.

Notes

The command relies on /alt being mounted. If the alternate partition is not mounted, an error is reported. Also, the version strings shown are those for the install package that was installed to the partition (either via ONIE or Plexxi upgrade). If you need more granular information about specific package versions, try the px-package-check or dpkg commands.

px-package-check: List Installed Software Packages

The Plexxi px-package-check utility returns a report of any packages that have been added, removed, or updated since the current partition was installed.

    px-package-check [-h] [-e] [-i] [-r] [-u]

Optional Arguments

    -h or --help        Show help for this command.
    -e or --errors      List error conditions. Returns the name, version, and status.
    -i or --installed   List packages installed since initial install. Returns the name and version.
    -r or --removed     List packages removed since initial install. Returns the name and version.
    -u or --upgraded    List packages upgraded since initial install. Returns the name, original version and current version.

If no arguments are passed, the px-package-check utility lists the following:

- packages that do not appear to be fully installed
- packages that have been added since the initial installation
- packages that have been removed since the initial installation
- packages that have been upgraded (or otherwise changed version) since the initial installation

This utility does not detect reinstallation or reconfiguration of packages.

Note: You can also refer to the 'dpkg-query' command and the /var/log/dpkg.log file.

px-setup: Switch Setup

px-setup is a Plexxi utility that simplifies Plexxi switch setup by eliminating the need to edit configuration files and restart services on the Plexxi Switch. The utility queries administrators for information, then configures the IP or hostname of the Plexxi Control software, time zone, network address, default gateway, SNMP management, and several network services, including NTP and DNS.

The px-setup commands require root/sudo privilege to modify core services. For example, logged into the switch as admin:

    $ sudo px-setup

To set up all switches and all network characteristics for a new install, use px-setup without arguments:

    $ sudo px-setup

To set up a new Plexxi switch added to an existing Plexxi fabric, use px-setup and define the switch by its MAC address:

    $ sudo px-setup -t MAC_Address

To configure a specific parameter in an existing Plexxi fabric, use px-setup with the protocol/network characteristic to configure. For example, to configure time zone:

    $ sudo px-setup-tz

Note: px-setup uses UTC by default for time zone. Plexxi recommends that you use UTC for Plexxi Switch and Plexxi Control.

IMPORTANT: Plexxi recommends that Plexxi Connect, Plexxi Control and Plexxi Switches all be connected to a reliable NTP service.

Determining Your Operating Environment

Determine whether the installed switches will use static IP addresses or DHCP.

For static IP, run px-setup without arguments to configure all parameters.

    $ sudo px-setup

For DHCP, determine which services DHCP configures in your environment, and which services you configure with px-setup. Refer to the table below.

    px-setup
    px-setup [-t switch,...,switch]
    px-setup --help

Command and Function

    px-setup
        Entering px-setup with no arguments queries for all service information and applies the configuration to all Plexxi switches on the fabric. You can answer 'n' to omit service queries as they are prompted. With no arguments, it configures ALL switches discovered by census info; in other words, all switches properly connected and detected on the Plexxi fabric.
    px-setupcontroller
        Configure the fully-qualified host name or IP address of the Plexxi Control server. This value was assigned when you deployed Plexxi Control on the Plexxi Control host.
    px-setup-hostaddr
        Configure the host name and management IP address for each switch being configured.
    px-setup-tz
        Set the time zone for each switch being configured.
        Note: px-setup uses UTC by default for time zone. Plexxi recommends that you use UTC for Plexxi Switch and Plexxi Control.
    px-setup-ntp
        Configure NTP for each switch being configured.
    px-setup-dns
        Configure DNS for each switch being configured.
    px-setup-snmp
        Configure SNMP for each switch being configured.

Options

    -t MAC,...,MAC
        Specify one or more switches to configure. This is a comma delimited (no spaces) list of MAC addresses which uniquely identify the Plexxi switches. If one or more switches is specified using -t, only the listed switches are configured and only questions which apply to those switches will be posed. This option is recommended to configure an individual switch or multiple switches of a similar class (city, service-type, etc).
    --help
        Display a help summary.

Examples

    $ sudo px-setup

This asks a series of questions about all detectable switches and common services, then applies the configuration to the switches.

    $ sudo px-setup -t 01:02:03:aa:bb:cc

This prompts and collects configuration information for a specified switch (01:02:03:aa:bb:cc) identified by its unique base MAC address. The configuration is applied to the specified switch only.

    $ sudo px-setup -t 01:02:03:aa:bb:cc,55:44:ff:ee:bb:00

Specifies two switches. The utility queries about all services common to the specified switches, then applies the configuration on the specified switches.

    $ sudo px-setup-ntp

Queries only about NTP, then applies the configuration to all Plexxi switches.

    $ sudo px-setup-ntp -t 01:02:03:aa:bb:cc

Queries only about NTP, then applies the configuration to only the specified switch.

    $ sudo px-setup --help

Displays a help summary.

Notes

The px-setup commands create a set of backup files of the puppet manifests they use to distribute and apply the configuration. These are stored in the /var/opt/px-setup-backups directory in a subdirectory which uses a date-time format such as 2017-05-10_20-27. This directory is populated with configuration data (in an intermediary state) on all systems where the configuration is to be applied. To prevent disk over-usage, a limited set of backup files is retained. If an automated backup system is in place, it is advisable to collect the data in these directories.

The px-setup commands keep the output simple and clean. More detailed debug information can be found in /var/log/px-setup.log. This log is only produced on the switch where px-setup was executed. It is unique per switch and not shared or distributed.

px-ssl-install: Install an SSL Certificate and Keys

The px-ssl-install utility enables administrators to install their own custom certificates and key pairs on the Plexxi switch. This tool places the files in the correct place in the file system and restarts the Plexxi client so that the client can import the certificate and keys.

    px-ssl-install <cert> <key>
    px-ssl-install -h|--help

Where:

    <cert>        The path and name for the certificate file. Needs to be in curl format.
    <key>         The path and name for the key file. Needs to be in curl format.
    -h, --help    Display help for this command.

Examples

The following command installs from local files:

    $ px-ssl-install file:///<certfile>.pem file:///<keyfile>.pem

The following command installs from a Web server:

    $ px-ssl-install http://<webserver>/<certfile>.pem http://<webserver>/<keyfile>.pem

px-sslgen: Generate a Pair of Self-Signed SSL Keys

The px-sslgen utility generates two self-signed SSL keys for the Plexxi switch, one private key and one public key. All fields in the px-sslgen command are optional. The tool generates SSL certificates with default values.

    px-sslgen -o|--output <output>
    px-sslgen -c|--country <country>
    px-sslgen -st|--state <state>
    px-sslgen -l|--location <location>
    px-sslgen -org|--organization <organization>
    px-sslgen -cn|--cname <cname>
    px-sslgen -em|--email <email>

    px-sslgen -a|--altname <alternate name>
    px-sslgen -ex|--expires <expires>
    px-sslgen -fp|--fileprefix <fileprefix>
    px-sslgen -h|--help

Optional Arguments

    -o, --output
        The --output option specifies an optional output location. The default location is simple1/.
    -c, --country
        The --country option specifies a value for the optional country field in SSL keys. The default value is US.
    -st, --state
        The --state option specifies a value for the optional state field in SSL keys. The default value is New Hampshire.
    -l, --location
        The --location option specifies a value for the optional location field in SSL keys. The default value is Nashua.
    -org, --organization
        The --organization option specifies a value for the optional organization field in SSL keys. The default value is Plexxi.
    -cn, --cname
        The --cname option specifies a value for the optional cname field in SSL keys. The default value is the system hostname.
    -em, --email
        The --email option specifies a value for the optional email field in SSL keys. The default value is support@plexxi.com.
    -a, --altname
        The --altname option specifies a value for the optional alternate name field in SSL keys. The default value is derived from the system hostname, FQDN, and interface IP addresses.
    -ex, --expires
        The --expires option specifies a value for when the certificates expire in the expires field in SSL keys. The default value is 157680000 seconds (5 years).
    -fp, --fileprefix
        The --fileprefix option specifies a prefix used when generating output files. The default value is server.
    -h, --help
        Display help for this command.

Examples

The following command generates two SSL keys, one private and one public, in the default directory simple1/:

    $ px-sslgen

The following command generates two SSL keys, one private and one public, in the current directory:

    $ px-sslgen --output "./"

px-topology: View and Diagnose the Plexxi Fabric Topology

The px-topology command can be used to view and diagnose the Plexxi fabric (topology).

    px-topology -s|--show residual
    px-topology -s|--show vlan [vlan <VLAN>] [root <ROOT>]
    px-topology -t|--trace residual
    px-topology -t|--trace vlan <VLAN> [root <ROOT>]
    px-topology -t|--trace attachments
    px-topology -v|--validate
    px-topology -e|--state residual
    px-topology -e|--state vlan
    px-topology -c|--control
    px-topology -i|--info
    px-topology -h|--help

Optional Arguments

    -s, --show
        The --show option displays the currently active paths from this switch to one or more root switches in the Plexxi network.
    -t, --trace
        The --trace option sends trace packets from this switch to destination switches on the residual or VLAN (ISO) topologies. When tracing, you can specify the "attachments" argument to simulate actual lookup failures to follow attachments from this switch to the root switches the attachments reside on.
    -v, --validate
        The --validate option uses trace packets to test if the topology is healthy. It outputs a status message that indicates success or failure of the topology.
    -e, --state
        The --state option shows the state of active and backup paths for either the residual or VLAN (ISO) topologies. Failures are indicated in the output; for example, switch or uplink failures.
    -c, --control
        Show the active list of Plexxi switches.
    -i, --info
        Show information on the state of the last fitting transaction.
    -h, --help
        Display help for this command.
    vlan
        The vlan (ISO) option filters results for a specific VLAN or root switch.

4 Managing Plexxi Switch Linux User Accounts and Authentication Methods

Plexxi Switch supports the following user authentication methods:

- Local switch authentication
- TACACS+
- RADIUS
- LDAP

These methods are described in this chapter. In addition, this chapter describes how to enable the configured authentication method.

Local Switch Authentication

Local Linux and Plexxi CLI users can be created on each Plexxi switch. Linux users can be created on the switch platform using the Plexxi px-adduser utility.

IMPORTANT: Only an Administrator can create users.

Each Plexxi switch user must be a member of one of the following pre-defined groups, which give them their privileges:

- px_administrator: This user role provides root access to the Plexxi Switch through a pre-arranged sudoers config file. Upon login, any px_administrator user has full administrator access to all Linux commands and utilities, via sudo.
- px_operator: This role provides normal, unprivileged access to the Linux system. It cannot, for example, create or edit user accounts. Upon login, a px_operator user has elevated sudo privileges for 'px-shell' only. In this way, the user has full configuration ability within the Plexxi CLI.
- px_viewer: This user role provides only viewing access in the Plexxi CLI, and NO access to Linux.

Adding a Local User Using the Plexxi px-adduser Utility

Important: This is the preferred utility to use when adding a user.

Any Administrator can add a local user at the Linux prompt on the switch using the px-adduser utility:

1. Create the user by issuing this command and following the prompts:

       $ sudo px-adduser <username>

   Important: The px-adduser utility is described in detail in Chapter 4, in the section, Adding a User - px-adduser. This section also provides options on how to script px-adduser without user interaction.

2. Respond to the prompts, assigning the appropriate group (px_administrator, px_operator, or px_viewer).

Accessing the Plexxi CLI

As an Administrator

To access the Plexxi CLI, at the Linux prompt on the switch, a user with Administrator role must execute the command:

    $ sudo px-shell

In the Plexxi CLI, this user has full configuration privileges. Upon exiting the Plexxi CLI, this user is returned to their Linux shell until logout.

As an Operator

To access the Plexxi CLI, at the Linux prompt on the switch, a user with Operator role must execute the command:

    $ sudo px-shell

In the Plexxi CLI, this user has full configuration privileges. Upon exiting the Plexxi CLI, this user is returned to their Linux shell with read-only privileges until logout.

As a Viewer

Upon login, a user with Viewer role is placed directly in the Plexxi CLI with Viewer privileges. Viewer users do not have Linux access.

TACACS+ Authentication for a Switch

Overview

TACACS+ support allows Switch users to be authenticated using TACACS+ through the standard Linux Pluggable Authentication Modules (PAM) infrastructure. In Release 3.0, this needs to be configured directly on each Plexxi switch.

When enabled, users that log in to the Switch platform using ssh will be authenticated using an external TACACS+ server, and placed in an Administrator, Operator or Viewer group as defined in the TACACS server configuration. The groups refer to the privileges as documented in the Local AAA feature.

Configuring TACACS+ Authentication on a Switch

To configure TACACS for PAM authentication on a switch:

1. Configure TACACS+ PAM as described in TACACS+ PAM Setup, below.

2. If you are going to support remote users (as opposed to local users in /etc/passwd), then configure TACACS+ NSS as described in TACACS+ NSS Configuration.

3. If you are using NSS, then add tacplus to the passwd and group lines in /etc/nsswitch.conf. For example:

       # /etc/nsswitch.conf
       #
       # Example configuration of GNU Name Service Switch functionality.
       # If you have the `glibc-doc-reference' and `info' packages installed, try:
       # `info libc "Name Service Switch"' for information about this file.
       passwd: compat tacplus
       group: compat tacplus

4. Enable TACACS+ using the pam-auth-update utility as described in Enabling the Authentication Method for a Switch.

5. If you are using TACACS+ NSS, restart the NSCD service:

       $ sudo service nscd restart

TACACS+ PAM Setup

For PAM, configure the /etc/tacplus.conf file with the following parameters:

    server
        Description:  TACACS+ server. May have more than one entry.
        Valid values: server=hostname
                      server=ip_addr
                      server=hostname:port
                      server=ip_addr:port
    secret
        Description:  TACACS+ server secret. May have more than one entry. Each entry will be applied to the servers defined before the entry.
        Valid values: secret=plain-text-string
    login
        Description:  TACACS+ authentication service.
        Valid values: login=pap
                      login=chap
                      login=login
                      DEFAULT is pap (suggest login=login)
    service
        Description:  TACACS+ service for authorization and accounting
        Valid values: Don't care, but the protocol wants it to be defined
    protocol
        Description:  TACACS+ protocol for authorization and accounting
        Valid values: Don't care, but the protocol wants it to be defined
    timeout
        Description:  Timeout value in seconds
        Valid values: The default value is 5 seconds

Example /etc/tacplus.conf

    server=1.2.3.4
    secret=mysecret
    login=login
    service=linuxlogin
    protocol=ssh

TACACS+ NSS Configuration

For NSS, configure the /etc/nss_tacplus.conf file with the following parameters:

    server
        Description: Comma separated list of TACACS+ servers
        Example:     server 1.1.1.1
                     server 2.2.2.2:49
                     server 3.3.3.3,4.4.4.4
    secret
        Description: secret used to authenticate to the TACACS+ server
        Example:     secret=plain-text-string
    timeout
        Description: timeout in seconds
        Example:     The default value is 5 seconds
    debug
        Description: enable debug logging
    service
        Description: service to query on TACACS+ server
        Example:     This is where UID and ROLE need to be defined
    protocol
        Example:     The default value is ssh

Example /etc/nss_tacacs.conf

    server 1.2.3.4
    secret mysecret
    timeout 2
    service linuxlogin
    protocol ssh

RADIUS Authentication for a Switch

Overview

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

RADIUS support allows Switch users to be authenticated using RADIUS and the standard Linux Pluggable Authentication Modules (PAM). When enabled, users who log in to the Switch using SSH are authenticated using an external RADIUS server and placed in an Administrator, Operator or Viewer group as defined in the RADIUS server configuration. The groups refer to the privileges as documented in the Local AAA feature.

Configuring RADIUS Authentication on a Switch

This feature needs to be configured directly on each Plexxi switch. Configure the RADIUS PAM module via the file /etc/pam_radius_auth.conf. Each line of the file consists of:

    <server_address>[:port] <secret> <timeout>

Where:

- server_address is either an IPv4 address or a FQDN.
- port, the server port, is optional.
- secret is the RADIUS server secret.
- timeout is the server timeout value in seconds.

Example

Multiple lines may be provided to use multiple RADIUS servers. For example:

/etc/pam_radius_auth.conf

    1.2.3.4:500 mysecret 2
    radius.plexxi.com plexxi_secret 5

Enabling RADIUS

Enable RADIUS using the pam-auth-update utility as described in Enabling the Authentication Method for a Switch.
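The TACACS+ and RADIUS files above hold their shared secrets as plain text, so a routine check of those files is useful. The following is an added example, not part of the Plexxi guide: it reports group/other-accessible file modes and secrets that are still one of the guide's sample values, without printing the secret. The 16-character minimum and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Plexxi guide: hygiene check for files that store
# TACACS+ / RADIUS shared secrets in plain text.
MIN_SECRET_LEN=${MIN_SECRET_LEN:-16}    # assumed local policy

# audit_secret_file FILE FORMAT
#   FORMAT "tacplus": "secret=VALUE" or "secret VALUE" lines
#                     (/etc/tacplus.conf, /etc/nss_tacplus.conf)
#   FORMAT "radius":  "<server>[:port] <secret> <timeout>" lines
#                     (/etc/pam_radius_auth.conf)
# Prints findings (never the secret itself) or "OK"; returns 1 on findings.
audit_secret_file() {
    file=$1 fmt=$2
    findings=$(
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld -- "$file" | cut -c1-10)
        case $perms in
            ????------) ;;
            *) echo "FAIL mode $perms: group or other can access the shared secret" ;;
        esac
        awk -v fmt="$fmt" -v minlen="$MIN_SECRET_LEN" '
            BEGIN {
                # Sample secrets printed in the guide; they must not stay in use.
                n = split("mysecret plexxi_secret plain-text-string", s, " ")
                for (i = 1; i <= n; i++) sample[s[i]] = 1
            }
            /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
            {
                secret = ""
                if (fmt == "radius") {
                    if (NF >= 2) secret = $2
                } else if ($0 ~ /^[ \t]*secret[ \t=]/) {
                    secret = $0
                    sub(/^[ \t]*secret[ \t]*=?[ \t]*/, "", secret)
                    sub(/[ \t]+$/, "", secret)
                }
                if (secret == "") next
                if (secret in sample) {
                    print "FAIL line " NR ": secret is a sample value from the documentation"
                } else if (length(secret) < minlen) {
                    print "FAIL line " NR ": secret is shorter than " minlen " characters"
                }
            }
        ' "$file"
    )
    if [ -z "$findings" ]; then echo "OK"; return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demonstration: the guide's pam_radius_auth.conf example, mode 644.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '1.2.3.4:500 mysecret 2' 'radius.plexxi.com plexxi_secret 5' >"$tmp"
    chmod 644 "$tmp"
    audit_secret_file "$tmp" radius
    rm -f "$tmp"
}
demo
```

On a switch, run it with sudo against the real files, for example `audit_secret_file /etc/pam_radius_auth.conf radius`.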

LDAP Authentication for a Switch

Overview

LDAP allows Switch users to be authenticated using LDAP using the standard Linux Pluggable Authentication Modules (PAM) infrastructure. In Release 3.0, this needs to be configured directly on each switch.

When enabled, users that log in to a switch using ssh will be authenticated using an external LDAP server, and placed in an Administrator, Operator or Viewer group as defined in the LDAP server configuration.

Configuring LDAP Authentication for a Switch

When LDAP is configured, the nsswitch.conf file must be edited to use LDAP. In this case, LDAP is configured for passwd, group and shadow:

    # /etc/nsswitch.conf
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:    ldap compat
    group:     ldap compat
    shadow:    ldap compat
    gshadow:   files

    hosts:     files dns
    networks:  files

    protocols: db files
    services:  db files
    ethers:    db files
    rpc:       db files

    netgroup:  nis
    sudoers:   files ldap

Example: Configuring LDAP with SSL

Before configuring LDAP with SSL, make sure to copy your LDAP server's certificate to the switch. The 'tls_cacertfile' option in the nslcd config should point to wherever the certificate is located on the switch.

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5)
    # for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldaps://172.17.1.150:636

    # The search base that will be used for all queries.
    base dc=qa,dc=plexxi,dc=com

    # The LDAP protocol version to use.
    #ldap_version 3

    # The DN to bind with for normal lookups.
    #binddn cn=annonymous,dc=example,dc=net
    #bindpw secret

    # The DN used for password modifications by root.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # SSL options
    ssl on
    tls_reqcert demand
    tls_cacertfile /etc/ldap/slapd.crt

    # The search scope.
    #scope sub

Example: Configuring LDAP with TLS

Similar to the SSL configuration, before configuring LDAP with TLS make sure to copy your LDAP server's certificate to the switch. The 'tls_cacertfile' option in the nslcd config should point to wherever the certificate is located on the switch.

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5)
    # for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldap://172.17.1.150:389

    # The search base that will be used for all queries.
    base dc=qa,dc=plexxi,dc=com

    # The LDAP protocol version to use.
    #ldap_version 3

    # The DN to bind with for normal lookups.
    #binddn cn=annonymous,dc=example,dc=net
    #bindpw secret

    # The DN used for password modifications by root.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # SSL options
    ssl start_tls
    tls_reqcert demand
    tls_cacertfile /etc/ldap/slapd.crt

    # The search scope.
    #scope sub
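Both nslcd.conf examples above depend on three settings staying in place: the URI scheme or ssl mode, tls_reqcert, and a CA file that actually exists on the switch. The following is an added example, not part of the Plexxi guide, that audits an nslcd.conf for those settings; the function names and the choice to report an unset tls_reqcert as a warning are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Plexxi guide: audit the transport-security
# settings of an nslcd.conf file.

# Print every value given for KEY (all words after the keyword), one per line.
conf_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }              # comment or blank line
        tolower($1) == want { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# audit_nslcd FILE: print findings (or "OK"); return 1 if any FAIL was found.
audit_nslcd() {
    conf=$1
    uris=$(conf_values "$conf" uri | tr 'A-Z' 'a-z')
    ssl=$(conf_values "$conf" ssl | tail -n 1 | tr 'A-Z' 'a-z')
    reqcert=$(conf_values "$conf" tls_reqcert | tail -n 1 | tr 'A-Z' 'a-z')
    cafile=$(conf_values "$conf" tls_cacertfile | tail -n 1)
    cadir=$(conf_values "$conf" tls_cacertdir | tail -n 1)

    ssl_on=no
    case $ssl in on|start_tls) ssl_on=yes ;; esac
    tls_used=$ssl_on
    case $uris in *ldaps://*) tls_used=yes ;; esac

    findings=$(
        # An ldap:// URI is only protected when ssl is on or start_tls.
        for uri in $uris; do
            case $uri in
                ldap://*)
                    [ "$ssl_on" = yes ] ||
                        echo "FAIL $uri: neither 'ssl on' nor 'ssl start_tls' is set, traffic is cleartext" ;;
            esac
        done
        if [ "$tls_used" = yes ]; then
            case $reqcert in
                demand|hard) ;;
                '') echo "WARN tls_reqcert unset: verification depends on the LDAP library default" ;;
                *)  echo "FAIL tls_reqcert=$reqcert: server certificate is not strictly verified" ;;
            esac
            if [ -z "$cafile" ] && [ -z "$cadir" ]; then
                echo "WARN no tls_cacertfile or tls_cacertdir named in this file"
            elif [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
                echo "FAIL tls_cacertfile=$cafile: file missing or unreadable"
            fi
        fi
    )
    if [ -z "$findings" ]; then echo "OK"; return 0; fi
    printf '%s\n' "$findings"
    case $findings in *FAIL*) return 1 ;; esac
    return 0
}

# Constructed demonstration: a weakened variant of the guide's examples.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
uri ldaps://172.17.1.150:636 ldap://172.17.1.150:389
base dc=qa,dc=plexxi,dc=com
#ssl start_tls
tls_reqcert never
tls_cacertfile /etc/ldap/slapd.crt
EOF
    audit_nslcd "$tmp"
    rm -f "$tmp"
}
demo
```

Run it after every change to /etc/nslcd.conf and before restarting nslcd; a non-zero exit status means at least one FAIL finding.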

Enabling the Authentication Method for a Switch

To enable the authentication method for a switch:

Note: You must be logged in as administrator user.

1. Using sudo, enter the following command to run the interactive PAM (Pluggable Authentication Modules) configuration tool:

       sudo pam-auth-update

2. In the PAM configuration window, select the authentication method, then click OK. For example, to enable LDAP authentication:

3. Restart the nscd and nslcd services on the switch to finish applying the configuration. For example:

       sudo service nscd restart
       sudo service nslcd restart