Manuals / Cisco Systems / Computer Equipment / Network Card

Cisco Systems Cisco ONS 15310-MA, ONS 15310-CL Displaying the SSH Configuration and Status, 16-5

Models: ONS 15310-CL ONS 15310-MA Cisco ONS 15310-MA

1 292

Download 292 pages 38.32 Kb

Page 203

Chapter 16 Configuring Security for the ML-Series Card

Secure Shell on the ML-Series Card

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

	Command	Purpose
Step 1
Step 1	Router # configure terminal	Enter global configuration mode.
Step 2
Step 2	Router (config)# ip ssh version [1 2]	(Optional) Configure the ML-Series card to run SSH Version 1 or SSH
		Version 2.
		• 1—Configure the ML-Series card to run SSH Version 1.
		• 2—Configure the ML-Series card to run SSH Version 2.
		If you do not enter this command or do not specify a keyword, the SSH
		server selects the latest SSH version supported by the SSH client. For
		example, if the SSH client supports SSHv1 and SSHv2, the SSH server
		selects SSHv2.
Step 3
Step 3	Router (config)# ip ssh timeout	Specify the timeout value in seconds; the default is 120 seconds. The
	seconds	range is 0 to 120 seconds. This parameter applies to the SSH negotiation
		phase. After the connection is established, the ML-Series card uses the
		default timeout values of the CLI-based sessions.
		By default, up to five simultaneous, encrypted SSH connections for
		multiple CLI-based sessions over the network are available (session 0 to
		session 4). After the execution shell starts, the CLI-based session timeout
		value returns to the default of 10 minutes.
Step 4
Step 4	Router (config)# ip ssh	Specify the number of times that a client can reauthenticate to the server.
	authentication-retries number	The default is 3; the range is 0 to 5.
Step 5
Step 5	Router (config)# end	Return to privileged EXEC mode.
Step 6
Step 6	Router # show ip ssh	Show the version and configuration information for your SSH server.
	or
	Router # show ssh	Show the status of the SSH server connections on the ML-Series card.
Step 7
Step 7	Router # copy running-config	(Optional) Save your entries in the configuration file.
	startup-config

To return to the default SSH control parameters, use the no ip ssh {timeout authentication-retries} global configuration command.

Displaying the SSH Configuration and Status

To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 16-1.

		Table 16-1	Commands for Displaying the SSH Server Configuration and Status

		Command		Purpose

		show ip ssh		Shows the version and configuration information for the SSH server.

		show ssh		Shows the status of the SSH server.

	Cisco ONS 15310-CL, ONS 15310-MA, and ONS 15310-MA SDH Ethernet Card Software Feature and Configuration Guide, R9.1 and R9.2

	78-19415-01					16-5
	78-19415-01					16-5

Image 203

Cisco Systems Cisco ONS 15310-MA manual Displaying the SSH Configuration and Status, Configuring the SSH Server, 16-5

Contents

Text Part Number Americas HeadquartersPage Iii N T E N T SExit Getting Help Bridge ID, Switch Priority, and Extended System ID Ieee 802.1Q Tunneling and Compatibility with Other Features Vii Configuring Encapsulation over EtherChannel or POS ChannelViii Monitoring and Verifying QoS ConfigurationRPR QoS Displaying the Radius Configuration CE-100T-8 Loopback, J1 Path Trace, and Sonet Alarms Xii Providing Data to Your Technical Support Representative C-312-12 11-511-6 12-1117-18 Xiv17-5 12-5 10-512-3 12-4Xvi Date PrefaceRevision History This section provides the following informationXviii Document ObjectivesAudience Related DocumentationItalic Document ConventionsConvention Application BoldfaceWarnung Wichtige Sicherheitshinweise Bewaar Deze InstructiesXxi Avvertenza Importanti Istruzioni Sulla SicurezzaAviso Instruções Importantes DE Segurança Xxii Xxiii GEM Disse AnvisningerXxiv Xxv Where to Find Safety and Warning InformationObtaining Optical Networking Information Cisco Optical Networking Product Documentation CD-ROMXxvi ML-Series Card Description Overview of the ML-Series CardIRB ML-Series Feature ListBundling the two POS ports LEX encapsulation only Cisco IOS Release 12.228SV Key ML-Series FeaturesCisco IOS GFP-F FramingRmon Link Aggregation FEC and POSTL1 Refresh CTC Operations on the ML-Series CardDisplaying ML-Series POS Statistics in CTC ML-Series POS Statistics Fields and ButtonsML-Series Ethernet Statistics Fields and Buttons Displaying ML-Series Ethernet Statistics in CTCButton Description CTC Provisioning Sonet Circuits Displaying Sonet AlarmsDisplaying J1 Path Trace Page 78-19415-01 Cisco IOS on the ML-Series Card Initial Configuration of the ML-Series CardHardware Installation Telnetting to the Node IP Address and Slot Number Opening a Cisco IOS Session Using CTCCTC Node View Showing IP Address Telnetting to a Management PortRJ-11 Pin RJ-45 Pin Connecting a PC or Terminal to the Console PortML-Series IOS CLI Console Port RJ-11 to RJ-45 Console Cable AdapterStartup Configuration File Router enable PasswordsConfiguring the Management Port Command PurposeNvram Configuring the HostnameClick the IOS startup config button Loading a Cisco IOS Startup Configuration File Through CTCDatabase Restore of the Startup Configuration File Cisco IOS Command ModesEnter the line console Mode What You Use It For How to Access PromptEnter the configure terminal Interface fastethernet 0 forGetting Help Using the Command ModesRouter# configure ? Exit78-19415-01 Understanding Bridging Configuring Bridging on the ML-Series CardConfiguring Bridging Bridge irb Bridge 1 protocol ieee Example 4-1 MLSeries a ConfigurationExample 4-2 MLSeries B Configuration Monitoring and Verifying BridgingTo specific bridge groups For any statically configured forwarding entriesDisplays detailed information about spanning tree Bridge-group-number restricts the spanning tree informationPage 78-19415-01 MAC Addresses Configuring Interfaces on the ML-Series CardGeneral Interface Guidelines MLSeries# show interfaces fastethernet Interface Port IDMLSeriesconfig# interface fastethernet number Basic Interface ConfigurationMLSeries# configure terminal Configuring the Fast Ethernet Interfaces Basic Fast Ethernet and POS Interface ConfigurationConfiguring the POS Interfaces Hdlc Monitoring Operations on the Fast Ethernet InterfacesExample 5-3 show controller Command Output Ucode drops Example 5-4 show run interface Command OutputBuilding configuration Current configuration 222 bytes Bridge-group 2 spanning-disabled endAvailable Circuit Sizes and Combinations Configuring POS on the ML-Series CardUnderstanding POS on the ML-Series Card Mbps STS-1 STS-1-1v STS-1-2v J1 Path Trace, and Sonet AlarmsLcas Support Ccat High Order Vcat High OrderPPP/BCP Encapsulations LEX default Cisco HdlcCRC Sizes Bit default None FCS disabled GFP-F Framing Hdlc FramingAllowed only when the interface is shut down Configuring the POS InterfaceConfiguring POS Interface Framing Mode Framing mode changes on POS ports areGFP default-The ML-Series card supports Sets the framing mode employed by the ONSNot a keyword choice in the command. The no Form of the command sets the framing modeCisco-EoS-LEX, special encapsulation for Sonet AlarmsLex-default LAN extension Hdlc-Cisco HdlcAll -All alarms/signals Configuring Sonet AlarmsConfiguring Sonet Delay Triggers Monitoring and Verifying POS Input drop packets CCAT/VCAT info not available yetInput Packets Input Short packets ?? pre-encap bytes 28378-19415-01 These sections describe how the spanning-tree features work Configuring STP and Rstp on the ML-Series CardSTP Features Bridge Protocol Data Units STP OverviewSupported STP Instances Election of the Root Switch Bit Bridge ID, Switch Priority, and Extended System IDSpanning-Tree Timers Switch Priority ValueSpanning-Tree Interface States Creating the Spanning-Tree TopologySpanning-Tree Interface States Blocking StateForwarding State Disabled StateListening State Learning StateLearns addresses Does not receive BPDUs Spanning-Tree Address ManagementSTP and Ieee 802.1Q Trunks Spanning Tree and Redundant ConnectivitySupported Rstp Instances Rstp FeaturesAccelerated Aging to Retain Connectivity Port State Comparison Port Roles and the Active TopologyIs Port Included Rapid Convergence Proposal and Agreement Handshaking for Rapid Convergence Synchronization of Port RolesRstp Bpdu Flags Bridge Protocol Data Unit Format and ProcessingBit Function Processing Inferior Bpdu Information Topology ChangesProcessing Superior Bpdu Information Interoperability with Ieee 802.1D STP Configuring STP and Rstp FeaturesDisabling STP and Rstp Default STP and Rstp ConfigurationFeature Default Setting Port-channel-number Configuring the Root SwitchConfiguring the Port Priority Configuring the Switch Priority of a Bridge Group Configuring the Path CostConfiguring the Hello Time Verifying and Monitoring STP and Rstp Status Configuring the Forwarding-Delay Time for a Bridge GroupConfiguring the Maximum-Aging Time for a Bridge Group Displays brief summary of STP or Rstp information Commands for Displaying Spanning-Tree StatusExample 7-1 show spanning-tree Commands Displays detailed STP or Rstp information78-19415-01 Understanding VLANs Configuring VLANs on the ML-Series CardConfiguring Ieee 802.1Q Vlan Encapsulation MLSeriesconfig-subif# end Ieee 802.1Q Vlan ConfigurationReturns to privileged Exec mode Optional Saves your configuration changes toNo ip routing Bridging Ieee 802.1Q VLANsBridging Example 8-2 Output for show vlans CommandMonitoring and Verifying Vlan Operation ML-Series#show vlans78-19415-01 Understanding Ieee 802.1Q Tunneling Ieee 802.1Q Tunnel Ports in a Service-Provider Network FCS Configuring an Ieee 802.1Q Tunneling Port Configuring Ieee 802.1Q TunnelingIeee 802.1Q Tunneling and Compatibility with Other Features Ieee 802.1Q Example Untagged will be switched based on this bridge-group. OtherDisplays the tunnel ports on the switch Example 9-1 MLSeries a ConfigurationVLAN-Transparent Service Versus VLAN-Specific Services VLAN-Transparent Services VLAN-Specific ServicesExample 9-2 MLSeries B Configuration Interface FastEthernet0 Example 9-3 ML-Series Card a ConfigurationExample 9-3applies to ML-Series card a Example 9-5applies to ML-Series card C Example 9-4 ML-Series Card B ConfigurationExample 9-5 ML-Series Card C Configuration Example 9-4applies to ML-Series card BNo ip address Configuring Layer 2 Protocol TunnelingUnderstanding Layer 2 Protocol Tunneling Default Layer 2 Protocol Tunneling Configuration Default Layer 2 Protocol Tunneling ConfigurationLayer 2 Protocol Tunneling Configuration Guidelines 2shows the default Layer 2 protocol tunneling configurationConfiguring Layer 2 Tunneling on a Port Monitoring and Verifying Tunneling Status Configuring Layer 2 Tunneling Per-VLAN10-1 Configuring Link Aggregation on the ML-Series CardUnderstanding Link Aggregation 10-2 Configuring Link AggregationConfiguring Fast EtherChannel 10-3 EtherChannel Configuration ExampleCisco IOS Configuration Fundamentals Configuration Guide 10-4 Configuring POS Channel10-5 POS Channel Configuration Example10-6 Configuring Encapsulation over EtherChannel or POS ChannelUnderstanding Encapsulation over FEC or POS Channel Your requirements Configuration mode and enable otherSupported interface commands to meet Encapsulation over EtherChannel ExampleHostname MLSeriesB Bridge irb Example 10-6 MLSeries B ConfigurationMonitoring and Verifying EtherChannel and POS 10-8MLSeries# show int port-channel Example 10-7 show interfaces port-channel Command10-9 10-10 11-1 Configuring IRB on the ML-Series CardCisco IOS Command Reference publication Understanding Integrated Routing and Bridging11-2 Configuring IRB11-3 IRB Configuration Example11-4 Example 11-1 Configuring MLSeries aExample 11-2 Configuring MLSeries B Monitoring and Verifying IRB11-5 11-6 Field Description12-1 Configuring Quality of Service on the ML-Series Card12-2 IP Precedence and Differentiated Services Code PointUnderstanding QoS Priority Mechanism in IP and Ethernet12-3 Ethernet CoS12-4 ML-Series QoSClassification 12-5 PolicingMarking and Discarding with a Policer 12-6 QueuingScheduling 12-7 Control Packets and L2 Tunneled Protocols12-8 Egress Priority MarkingIngress Priority Marking QinQ Implementation12-9 QoS on RPRFlow Control Pause and QoS 12-10 Configuring QoSCreating a Traffic Class 12-11 Creating a Traffic PolicyMaximum of 40 alphanumeric characters Syntax of the class command isPolicy-map policy-nameno policy-map policy-name Class class-map-name no class class-map-name12-13 12-14 Command12-15 Attaching a Traffic Policy to an InterfaceTraffic class Monitoring and Verifying QoS ConfigurationConfiguring CoS-Based QoS Displays all configured traffic policies12-17 QoS Configuration Examples12-18 Traffic Classes Defined ExampleTraffic Policy Created Example Match spr1 Interface Example Example 12-6 Class Map Match All Command ExampleExample 12-7 Class Map Match Any Command Example Example 12-8 Class Map SPR Interface Command Example12-20 Example 12-9 ML-Series VoIP CommandsML-Series VoIP Example ML-Series Policing ExampleML-Series CoS-Based QoS Example Example 12-10 ML-Series Policing CommandsRouterconfig# class-map match-all policer Routerconfig# policy-map policef012-22 MLSeriesBconfig# cos commit12-23 Default Multicast QoS12-24 Configuring Multicast Priority Queuing QoSMulticast Priority Queuing QoS Restrictions 12-25 12-26 QoS not Configured on EgressML-Series Egress Bandwidth Example Bandwidth Crc Service-policy output policyegressbandwidth12-27 12-28 Understanding CoS-Based Packet StatisticsFast Ethernet Statistics Collected Interface Subinterface Vlan12-29 Configuring CoS-Based Packet StatisticsMLSeries# show interface pos0 cos Understanding IP SLA12-30 MLSeries# show interface fastethernet 0 cos12-31 IP SLA on the ML-SeriesIP SLA Restrictions on the ML-Series 12-32 13-1 Understanding the SDMLookup Type Configuring SDMDefault Size Understanding SDM RegionsMonitoring and Verifying SDM Configuring SDM RegionsConfiguring Access Control List Size in Tcam Task CommandMAC Addr 8192 64-bit Access List 300 64-bit13-4 14-1 Configuring Access Control Lists on ML-Series CardUnderstanding ACLs ML-Series ACL Support14-2 IP ACLsNamed IP ACLs User Guidelines14-3 Creating IP ACLsCreating Numbered Standard and Extended IP ACLs 14-4 Creating Named Standard IP ACLsCreating Named Extended IP ACLs Control Plane Only Applying the ACL to an InterfaceApplying ACL to Interface Controls access to an interfaceModifying ACL Tcam Size 14-514-6 15-1 Configuring Resilient Packet Ring on ML-Series CardUnderstanding RPR 15-2 Role of Sonet CircuitsPacket Handling Operations 15-3 Ring Wrapping15-4 RPR Framing ProcessRPR Frame for ML-Series Card DA-MAC and 0x00 for Unknown DA-MACRPR as the source 15-5CTM and RPR Configuring RPRMAC Address and Vlan Support RPR QoS15-7 Configuring CTC Circuits for RPRCTC Circuit Configuration Example for RPR Three-Node RPR Example 15-815-9 15-10 Configures a station ID. The user must configure aOptional Sets the RPR ring wrap mode to either wrap Immediate delayed15-11 Assigning the ML-Series Card POS Ports to the SPR Interface15-12 15-13 15-14 RPR Cisco IOS Configuration ExampleExample 15-1 SPR Station-ID 1 Configuration Example 15-2 SPR Station-ID 2 Configuration15-15 CRC Threshold Configuration and DetectionExample 15-3 SPR Station-ID 3 Configuration Example 15-5 Example of show run interface spr 1 Output Monitoring and Verifying RPR15-16 Example 15-4 Example of show interface spr 1 Output15-17 Add an ML-Series Card into an RPRThree-Node RPR After the Addition 15-1815-19 Adding an ML-Series Card into an RPR15-20 Cisco ONS 15454 Procedure Guide15-21 Stop. You have completed this procedureDelete an ML-Series Card from an RPR Endpoint of the second newly created circuit10 Two-Node RPR After the Deletion 15-2215-23 Deleting an ML-Series Card from an RPR15-24 Routerconfig-if# noRedundant Interconnect Cisco Proprietary RPR KeepAliveCisco Proprietary RPR Shortest Path 15-26 16-1 Configuring Security for the ML-Series CardUnderstanding Security Understanding SSH Secure Login on the ML-Series CardDisabling the Console Port on the ML-Series Card Secure Shell on the ML-Series CardThis section has configuration information Configuring SSHConfiguration Guidelines Setting Up the ML-Series Card to Run SSH16-4 16-5 Displaying the SSH Configuration and StatusConfiguring the SSH Server 16-6 Radius Relay ModeRadius on the ML-Series Card 16-7 Radius Stand Alone ModeConfiguring Radius Relay Mode 16-8 Configuring RadiusUnderstanding Radius 16-9 Default Radius ConfigurationIdentifying the Radius Server Host 16-10 Switchconfig# radius-server host host1 Configuring AAA Login AuthenticationRouter# configure terminal Enter global configuration mode Router config# aaa new-model Enable AAA16-12 Router config# aaa authenticationRouter config# line console tty 16-13 Router config# end Return to privileged Exec modeRouter# show running-config Verify your entries Defining AAA Server GroupsRouter # show running-config Router config# aaa group serverRouter config-sg-radius# server Router config-sg-radius# end16-15 Switchconfig# aaa new-modelSwitchconfig-sg-radius# exit Radius16-16 Starting Radius Accounting16-17 Configuring a nas-ip-address in the Radius PacketConfiguring Settings for All Radius Servers 16-18 Default is 0 the range is 1 to 1440 minutesDeadtime minutes Marked as dead, the skipping will not take place16-19 Send accounting authenticationRouter config# radius-server host hostname Ip-addressnon-standard16-20 Displaying the Radius Configuration17-1 CE-Series Ethernet CardsCE-100T-8 Ethernet Card Section topics includeSonet CE-100T-8 Ethernet FeaturesCE-100T-8 Overview Autonegotiation, Flow Control, and Frame Buffering17-3 Ethernet Link Integrity Support17-4 Enhanced State Model for Ethernet and Sonet PortsIP ToS Priority Queue Mappings Default NoneIeee 802.1Q CoS and IP ToS Queuing 17-517-6 Rmon and Snmp SupportStatistics and Counters Number of STS-3c Circuits Maximum Number of STS-1 Circuits CE-100T-8 Sonet Circuits and FeaturesAvailable Circuit Sizes and Combinations Ccat High Order Vcat High Order Vcat Low Order17-8 CE-100T-8 STS/VT Allocation TabMaximum Number of STS-1-2v Circuits 7x=1-12 6x=1-14 5x=1-16 =1-21CE-100T-8 STS/VT Allocation Tab 17-917-10 CE-100T-8 Vcat CharacteristicsCE-100T-8 POS Encapsulation, Framing, and CRC 17-11 CE-100T-8 Loopback, J1 Path Trace, and Sonet Alarms17-12 CE-MR-6 Ethernet CardCE-MR-6 Overview 17-13 CE-MR-6 Ethernet FeaturesCisco ONS 15310 Procedure Guide Flow Control 17-1417-15 Ethernet Drop and Continue Circuit17-16 Cisco ONS 15310-CL and Cisco ONS 15310-MA Reference Manual17-17 17-18 17-19 Snmp MIBs Supported17-20 CE-MR-6 Circuits and FeaturesSupported Cross-connects Minimum Sonet Circuit Sizes for Ethernet Speeds Vcat High Order Vcat Low Order17-21 Supported Sonet Circuit Sizes of CE-MR-6 on ONS17-22 STS Circuit Combinations VT Circuits17-23 CE-MR-6 Vcat CharacteristicsCE-MR-6 Pool Allocation 17-24 CE-MR-6 Loopback, J1 Path Trace, and Sonet AlarmsCE-MR-6 POS Encapsulation, Framing, and CRC 17-25 17-26 Command Reference for the ML-Series Card Rstp Related Commands bridge-groupDrpri-rstp IeeeRouter# clear counters Related Commands show interfaceClear counters Clock timezone Syntax Description Defaults Command Modes Usage GuidelinesNo clock auto Clock summertimeInterface spr Defaults Command ModesMLSeriesconfig-if # pos mode gfp fcs-disable No pos mode gfp fcs-disabledRelated Commands shutdown MLSeriesconfig # int pos0 MLSeriesconfig-if # shutdownNo pos pdi holdoff time Pos trigger defects No pos report alarmRelated Commands Gatewayconfig# int pos0 Gatewayconfig-if# pos report allNon pos trigger defects condition Syntax Description DefaultsRelated Commands pos trigger delay Gatewayconfig# int pos0Command is 50 milliseconds No pos trigger delay timeTime Delay time in milliseconds, 200 to Default value is 200 millisecondsImmediate No pos vcat defect immediate delayedDelayed Parameter DescriptionMLSeries# show controller pos 0 Interface POS0 Show controller pos interface-numberdetailsRelated Commands show interface pos Clear counters Show interface pos interface-number Use this command to display the status of the POS interfaceRelated Commands show controller pos Clear counters MLSeries# show ons alarm Show ons alarm78-19415-01 Vcg EqptPort StsSTS Defects MLSeries# show ons alarm defect stsML-Series#show ons alarm failure port MLSeries# show ons alarm failure eqptEquipment Alarms Active RUNCFG-SAVENEED MLSeries# show ons alarm failure sts Interface spr Spr station-id Spr wrap Assigns the POS interface to the SPR interfacePort-based Related Commands interface sprNo spr load-balance auto port-based AutoSpr-intf-id Spr wrap Configures a station IDDefaultsN/A Following example sets an ML-Series card SPR station ID toInterface spr Spr-intf-id Spr station-id Spr wrap immediate delayedWraps RPR traffic after the carrier delay time expires MLSeriesconfig-if# spr wrap delayedUnsupported Global Configuration Commands Unsupported CLI Commands for the ML-Series CardUnsupported Privileged Exec Commands 78-19415-01 Unsupported POS Interface Configuration Commands Unsupported FastEthernet Interface Configuration Commands Unsupported Port-Channel Interface Configuration Commands Rate-limit Random-detect Timeout Tx-ring-limit Unsupported BVI Interface Configuration CommandsGathering Information About Your Internetwork Using Technical SupportGetting the Data from Your ML-Series Card Providing Data to Your Technical Support Representative 78-19415-01 IN-1 IN-2 IS,AINSCE-MR-6 IN-3 IN-4 CRCIN-5 DscpRstp Rstp STPIN-6 See also framingGFP-F IN-7 LcasIN-8 RPR SnmpTL1 RPRIN-9 POSIN-10 Radius RPRRmon SDM IN-12 SSHSee also Bpdu Accelerated aging Blocking state TcamIN-13 VcatIN-14