Cisco Systems 15310-CL, 15310-MA manual Configuring SSH, Configuration Guidelines, 15-3


Chapter 15 Configuring Security for the ML-Series Card

Secure Shell on the ML-Series Card

SSH has two components, an SSH server and an SSH client. The ML-Series card supports only the SSH server; it does not support the SSH client. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.

The SSH server enables a connection into the ML-Series card, similar to an inbound Telnet connection, but with stronger security. Telnet carries credentials and session data in cleartext, so before SSH, security was limited to what Telnet natively offered. SSH encrypts the session and allows the use of Cisco IOS software authentication.

The ONS node also supports SSH. When SSH is enabled on the ONS node, you use SSH to connect to the ML-Series card for Cisco IOS CLI sessions.

Note Telnet access to the ML-Series card is not automatically disabled when SSH is enabled; until the vty lines are restricted, Telnet logins continue to be accepted alongside SSH. Disable Telnet access with the vty line configuration command transport input ssh.

Configuring SSH

This section contains the following configuration information:

Configuration Guidelines, page 15-3

Setting Up the ML-Series Card to Run SSH, page 15-3 (required)

Configuring the SSH Server, page 15-4 (required)

Configuration Guidelines

Follow these guidelines when configuring the ML-Series card as an SSH server:

AAA (the aaa new-model command) and an AAA login authentication method must be enabled. If they are not already enabled, complete the “Configuring AAA Login Authentication” section on page 15-11.

A Rivest, Shamir, and Adleman (RSA) key pair generated for an SSHv1 server can be used by an SSHv2 server, and the reverse.

If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Configure the hostname and domain name, and then enter the crypto key generate rsa command again. For more information, see the “Setting Up the ML-Series Card to Run SSH” section on page 15-3.

When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.

When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.

Setting Up the ML-Series Card to Run SSH

Follow these steps to set up your ML-Series card to run as an SSH server:

1. Configure a hostname and IP domain name for the ML-Series card.

2. Generate an RSA key pair for the ML-Series card, which automatically enables SSH.

3. Configure user authentication for local or remote access. This step is required.

Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.
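The following audit script is an added example, not code from the Cisco guide. It checks an IOS running-config against the guidelines and steps above (hostname and IP domain name set, AAA login enabled, Telnet removed from the vty lines) and additionally requires SSH to be pinned to version 2, which is a choice of this example rather than a requirement stated on this page. The two configs embedded in it are constructed samples: the hostname ML1, the domain example.com, the admin user, and the time-out and retry values are placeholders.

```python
"""Audit an IOS running-config for the SSH guidelines in this section.

Added example, not Cisco's code.  The two configs below are constructed
samples; ML1, example.com and the admin user are placeholders.
"""
import re

DEFAULT_HOSTNAME = "Router"  # IOS factory default; RSA key generation is refused until it is changed

# Constructed sample: SSH enabled but Telnet still accepted, SSHv1 pinned,
# no AAA, default hostname, no IP domain name.
WEAK_CONFIG = """\
hostname Router
!
ip ssh version 1
!
line con 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed sample of the end state after steps 1 to 3 plus 'transport input ssh'.
# The RSA key pair itself lives in NVRAM and never appears in running-config;
# confirm it with 'show crypto key mypubkey rsa' and 'show ip ssh'.
HARDENED_CONFIG = """\
hostname ML1
ip domain-name example.com
!
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 5 <hash>
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a running-config into top-level commands and the indented
    sub-commands under each one (keyed by the parent line, e.g. 'line vty 0 4')."""
    top_level, children = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separates sections in IOS configs
            continue
        if raw.startswith(" "):
            if current is not None:
                children[current].append(raw.strip())
            continue
        current = raw.strip()
        top_level.append(current)
        children[current] = []
    return top_level, children


def audit_ssh(text):
    """Return the guideline violations found in a running-config.
    An empty list means: hostname and domain set, AAA login enabled,
    SSH pinned to version 2, and every vty line SSH-only."""
    top_level, children = parse_config(text)
    findings = []

    hostname = next((c.split(None, 1)[1] for c in top_level if c.startswith("hostname ")), None)
    if hostname is None or hostname == DEFAULT_HOSTNAME:
        findings.append("hostname not set: 'crypto key generate rsa' will fail")
    if not any(re.match(r"ip domain[- ]name ", c) for c in top_level):
        findings.append("ip domain-name not set: 'crypto key generate rsa' will fail")
    if "aaa new-model" not in top_level:
        findings.append("aaa new-model missing")
    if not any(c.startswith("aaa authentication login ") for c in top_level):
        findings.append("no AAA login authentication method configured")

    version = next((c.split()[-1] for c in top_level if c.startswith("ip ssh version ")), None)
    if version != "2":
        # Without 'ip ssh version 2' the IOS server negotiates either protocol version.
        findings.append(f"ip ssh version is {version or 'not pinned'}: set 'ip ssh version 2'")

    for parent, body in children.items():
        if not parent.startswith("line vty"):
            continue
        transport = next((b for b in body if b.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{parent}: no 'transport input' line, set 'transport input ssh' explicitly")
            continue
        allowed = set(transport.split()[2:])
        if allowed != {"ssh"} and allowed != {"none"}:
            findings.append(f"{parent}: '{transport}' still permits non-SSH access")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or ["OK"])
```

Paste the output of show running-config from the card into audit_ssh to check a real configuration; note that the RSA key pair is not part of the running-config, so its presence must be confirmed separately with show crypto key mypubkey rsa and show ip ssh.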

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

 

78-18133-01


15310-CL, 15310-MA specifications

The Cisco ONS 15310-CL and ONS 15310-MA are optical networking (SONET-based multiservice provisioning) platforms that can host ML-Series Ethernet cards. The ML-Series card runs Cisco IOS software (Release 12.2 in this guide) and provides Fast Ethernet and packet-over-SONET (POS) interfaces, with Layer 2 and Layer 3 features including IEEE 802.1Q VLANs and tunneling, STP and RSTP, link aggregation, integrated routing and bridging (IRB), QoS, IP ACLs, and Resilient Packet Ring (RPR).

The ML-Series card is managed through the Cisco IOS CLI, reached through a Cisco IOS session opened from Cisco Transport Controller (CTC), by Telnet to the node IP address and slot number, or through the card console port. The security chapter of this guide (Chapter 15) covers disabling the console port, secure login, configuring the SSH server, AAA login authentication, and RADIUS.