and the Alcatel logo are registered trademarks of Alcatel. Xylan®, OmniSwitch®, OmniStack®,
are registered trademarks of Alcatel Internetworking, Inc.
OmniAccess™, Omni Switch/Router™, PolicyView™, RouterView™, SwitchManager™, VoiceView™,
WebView™, X-Cell™, X-Vision™, and the Xylan logo are trademarks of Alcatel Internetworking, Inc.
This OmniSwitch product contains components which may be covered by one or more of the following
U.S. Patents:
• U.S. Patent No. 6,339,830
• U.S. Patent No. 6,070,243
• U.S. Patent No. 6,061,368
• U.S. Patent No. 5,394,402
• U.S. Patent No. 6,047,024
• U.S. Patent No. 6,314,106
• U.S. Patent No. 6,542,507
• U.S. Patent No. 6,874,090
26801 West Agoura Road
Calabasas, CA 91301
(818) 880-3500 FAX (818) 880-3505
US Customer Support—(800) 995-2696
International Customer Support—(818) 878-4507
OmniSwitch 6600 Family Switch Management Guide, April 2006
About This Guide
Third Party Licenses and Notices
    A. Booting and Debugging Non-Proprietary Software
    B. The OpenLDAP Public License: Version 2.4, 8 December 2000
    C. Linux
    D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991
    E. University of California
    F. Carnegie-Mellon University
    G. Random.c
    H. Apptitude, Inc.
    I. Agranat
    J. RSA Security Inc.
    K. Sun Microsystems, Inc.
    L. Wind River Systems, Inc.
    M. Network Time Protocol Version 4
Index
About This Guide
This OmniSwitch 6600 Family Switch Management Guide describes basic attributes of your switch and
basic switch administration tasks. The software features described in this manual are shipped standard with
your OmniSwitch 6600 Family switch. These features are used when readying a switch for integration into
a live network environment.
Note. The OmniSwitch 6600 Family Switch Management Guide was originally known as the “OmniSwitch
6624/6648 Switch Management Guide.”
Supported Platforms
The information in this guide applies to the following products:
• OmniSwitch 6624
• OmniSwitch 6648
• OmniSwitch 6600-U24
• OmniSwitch 6600-P24
• OmniSwitch 6602-24
• OmniSwitch 6602-48
OmniSwitch 6600 Family switches are next generation enterprise edge/workgroup switches. The
OmniSwitch 6624 and 6602-24 offer 24 copper 10/100 ports, the 6600-P24 offers 24 copper 10/100 Power
over Ethernet (PoE) ports, the 6648 and 6602-48 offer 48 copper 10/100 ports, and the 6600-U24 offers 24
fiber 100 ports.
In addition, OmniSwitch 6624/6600-U24/6648 switches have one expansion port that can be used for a
Gigabit Ethernet uplink module and another expansion port that can be used for a Gigabit Ethernet uplink
or a stacking module while the 6602-24/6602-48 switches offer fixed Gigabit Ethernet uplinks and fixed
stacking ports. The stacking ports on all OmniSwitch 6600 Family switches allow two to eight
OmniSwitch 6600 Family switches to be configured as one virtual chassis known as a stack.
Note. All references to OmniSwitch 6624 and 6648 switches also apply to the OmniSwitch 6600-U24,
6600-P24, 6602-24, and 6602-48 unless specified otherwise.
Unsupported Platforms
The information in this guide does not apply to the following products:
• OmniSwitch (original version with no numeric model name)
• OmniSwitch 6800-24
• OmniSwitch 6800-48
• OmniSwitch 6800-U24
• OmniSwitch 6800-24L
• OmniSwitch 6800-48L
• OmniSwitch 7700
• OmniSwitch 7800
• OmniSwitch 8800
• OmniSwitch 6850
• OmniSwitch 9700
• Omni Switch/Router
• OmniStack
• OmniAccess
Who Should Read this Manual?
The audience for this user guide is network administrators and IT support personnel who need to configure, maintain, and monitor switches and routers in a live network. However, anyone wishing to gain
knowledge on how fundamental software features are implemented in the OmniSwitch 6600 Family will
benefit from the material in this configuration guide.
When Should I Read this Manual?
Read this guide as soon as your switch is up and running and you are ready to familiarize yourself with
basic software functions. You should have already stepped through the first login procedures and read the
brief software overviews in the OmniSwitch 6600 Family Getting Started Guide.
Note. The OmniSwitch 6600 Family Getting Started Guide was originally known as the “OmniSwitch
6624/6648 Getting Started Guide.”
You should have already set up a switch password and be familiar with the very basics of the switch software. This manual will help you understand the switch’s directory structure, the Command Line Interface
(CLI), configuration files, basic security features, and basic administrative functions. The features and
procedures in this guide will help form a foundation that will allow you to configure more advanced
switching features later.
What is in this Manual?
This configuration guide includes information about the following features:
• Basic switch administrative features, such as file editing utilities, procedures for loading new software,
and setting up system information (name of switch, date, time).
• Configuration files, including snapshots, off-line configuration, time-activated file download.
• The CLI, including on-line configuration, command-building help, syntax error checking, and line edit-
• Basic security features, such as switch access control and customized user accounts.
• Web-based management (WebView)
What is Not in this Manual?
The configuration procedures in this manual primarily use Command Line Interface (CLI) commands in
examples. CLI commands are text-based commands used to manage the switch through serial (console
port) connections or via Telnet sessions. This guide does include introductory chapters for alternative
methods of managing the switch, such as web-based (WebView) and SNMP management. However the
primary focus of this guide is managing the switch through the CLI.
Further information on WebView can be found in the context-sensitive on-line help available with that
This guide does not include documentation for the OmniVista network management system. However,
OmniVista includes a complete context-sensitive on-line help system.
This guide provides overview material on software features, how-to procedures, and tutorials that will
enable you to begin configuring your OmniSwitch. However, it is not intended as a comprehensive reference to all CLI commands available in the OmniSwitch. For such a reference to all OmniSwitch 6600
Family CLI commands, consult the OmniSwitch CLI Reference Guide.
How is the Information Organized?
Each chapter in this guide includes sections that will satisfy the information requirements of casual readers, rushed readers, serious detail-oriented readers, advanced users, and beginning users.
Quick Information. Most chapters include a specifications table that lists RFCs and IEEE specifications
supported by the software feature. In addition, this table includes other pertinent information such as minimum and maximum values and sub-feature support. Some chapters include a defaults table that lists the
default values for important parameters along with the CLI command used to configure the parameter.
Many chapters include Quick Steps sections, which are procedures covering the basic steps required to get
a software feature up and running.
In-Depth Information. All chapters include overview sections on software features as well as on selected
topics of that software feature. Topical sections may often lead into procedure sections that describe how
to configure the feature just described. Many chapters include tutorials or application examples that help
convey how CLI commands can be used together to set up a particular feature.
Documentation Roadmap
The OmniSwitch user documentation suite was designed to supply you with information at several critical
junctures of the configuration process. The following section outlines a roadmap of the manuals that will
help you at each stage of the configuration process. Under each stage, we point you to the manual or
manuals that will be most helpful to you.
Stage 1: Using the Switch for the First Time
Pertinent Documentation: OmniSwitch 6600 Family Getting Started Guide
Release Notes
A hard-copy OmniSwitch 6600 Family Getting Started Guide is included with your switch; this guide
provides all the information you need to get your switch up and running the first time. This guide provides
information on unpacking the switch, rack mounting the switch, installing uplink and stacking modules,
unlocking access control, setting the switch’s IP address, setting up a password, and setting up stacks. It
also includes succinct overview information on fundamental aspects of the switch, such as hardware
LEDs, the software directory structure, stacking, CLI conventions, and web-based management.
At this time you should also familiarize yourself with the Release Notes that accompanied your switch.
This document includes important information on feature limitations that are not included in other user
Note. The OmniSwitch 6600 Family Getting Started Guide was originally known as the “OmniSwitch
6624/6648 Getting Started Guide.”
Stage 2: Gaining Familiarity with Basic Switch Functions
Pertinent Documentation: OmniSwitch 6600 Family Hardware Users Guide
OmniSwitch 6600 Family Switch Management Guide
Once you have your switch up and running, you will want to begin investigating basic aspects of its
hardware and software. Information about OmniSwitch 6600 Family hardware is provided in the OmniSwitch 6600 Family Hardware Users Guide. This guide provides specifications, illustrations, and descriptions of
all hardware components—chassis, power supplies, uplink and stacking modules, and cooling fans. They
also include steps for common procedures, such as removing and installing switch components.
The OmniSwitch 6600 Family Switch Management Guide is the primary user guide for the basic software
features on a single switch. This guide contains information on the switch directory structure, basic file
and directory utilities, switch access security, SNMP, and web-based management. It is recommended that
you read this guide before connecting your switch to the network.
Note. The OmniSwitch 6600 Family Switch Management Guide and the OmniSwitch 6600 Family
Hardware Users Guide were originally known as the “OmniSwitch 6624/6648 Switch Management Guide” and “OmniSwitch 6624/6648 Hardware Users Guide”, respectively.
Stage 3: Integrating the Switch Into a Network
Pertinent Documentation: OmniSwitch 6600 Family Network Configuration Guide
OmniSwitch 6600 Family Advanced Routing Configuration Guide
When you are ready to connect your switch to the network, you will need to learn how the OmniSwitch
implements fundamental software features, such as 802.1Q, VLANs, Spanning Tree, and network routing
protocols. The OmniSwitch 6600 Family Network Configuration Guide contains overview information,
procedures and examples on how standard networking technologies are configured in the OmniSwitch
6600 Family.
Note. The OmniSwitch 6600 Family Network Configuration Guide and the OmniSwitch 6600 Family
Advanced Routing Configuration Guide were originally known as the “OmniSwitch 6624/6648 Network
Configuration Guide” and the “OmniSwitch 6624/6648 Advanced Routing Configuration Guide”, respec-
The OmniSwitch 6600 Family Advanced Routing Configuration Guide includes configuration information
for networks using Open Shortest Path First (OSPF).
The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands
supported by the switch. This guide includes syntax, default, usage, example, related CLI command, and
CLI-to-MIB variable mapping information for all CLI commands supported by the switch. This guide can
be consulted anytime during the configuration process to find detailed and specific information on each
CLI command.
Related Documentation
The following are the titles and descriptions of all the OmniSwitch 6600 Family user manuals:
• OmniSwitch 6600 Family Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6600 Family switch up and
running. Also provides information on fundamental aspects of OmniSwitch software and stacking
Note. The OmniSwitch 6600 Family Getting Started Guide was originally known as the “OmniSwitch
6624/6648 Getting Started Guide.”
• OmniSwitch 6600 Family Hardware Users Guide
Complete technical specifications and procedures for all OmniSwitch 6600 Family chassis, power
supplies, fans, and uplink and stacking modules.
Note. The OmniSwitch 6600 Family Hardware Users Guide was originally known as the “OmniSwitch
6624/6648 Hardware Users Guide.”
• OmniSwitch CLI Reference Guide
Complete reference to all CLI commands supported on the OmniSwitch 6600, 7700, 7800, and 8800.
Includes syntax definitions, default values, examples, usage guidelines, and CLI-to-MIB variable
• OmniSwitch 6600 Family Switch Management Guide
Includes procedures for readying an individual switch for integration into a network. Topics include the
software directory architecture, image rollback protections, authenticated switch access, managing
switch files, system configuration, using SNMP, and using web management software (WebView).
Note. The OmniSwitch 6600 Family Switch Management Guide was originally known as the “OmniSwitch
6624/6648 Switch Management Guide.”
• OmniSwitch 6600 Family Network Configuration Guide
Includes network configuration procedures and descriptive information on all the major software
features and protocols included in the base software package. Chapters cover Layer 2 information
(Ethernet and VLAN configuration), Layer 3 information, security options (authenticated VLANs),
Quality of Service (QoS), and link aggregation.
Note. The OmniSwitch 6600 Family Network Configuration Guide was originally known as the
“OmniSwitch 6624/6648 Network Configuration Guide.”
• OmniSwitch 6600 Family Advanced Routing Configuration Guide
Includes network configuration procedures and descriptive information on all the software features and
protocols included in the advanced routing software package OSPF.
Note. The OmniSwitch 6600 Family Advanced Routing Configuration Guide was originally known as the
“OmniSwitch 6624/6648 Advanced Routing Configuration Guide.”
• Technical Tips, Field Notices
Includes information published by Alcatel’s Customer Support group.
• Release Note
Includes critical Open Problem Reports, feature exceptions, and other important information on the
features supported in the current release and any limitations to their support.
User Manuals Web Site
All related user guides for the OmniSwitch 6600 Family can be found on our web site at
All documentation on the User Manual web site is in PDF format and requires the Adobe Acrobat Reader
program for viewing. Acrobat Reader freeware is available at
Note. When printing pages from the documentation PDFs, de-select Fit to Page if it is selected in your
print dialog. Otherwise pages may print with slightly smaller margins.
Technical Support
An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support.
You’ll also receive regular software updates to maintain and maximize your Alcatel product’s features and
functionality and on-site hardware replacement through our global network of highly qualified service
delivery partners. Additionally, with 24-hour-a-day access to Alcatel’s Service and Support web page,
you’ll be able to view and update any case (open or closed) that you have reported to Alcatel’s technical
support, open a new case or access helpful release notes, technical bulletins, and manuals. For more
information on Alcatel’s Service Programs, see our web page at, call us at 1-800-995-2696, or email us at
1 Logging Into the Switch
Logging into the switch may be done locally or remotely. Management tools include: the Command Line
Interface (CLI), which may be accessed locally via the console port, or remotely via Telnet; WebView,
which requires an HTTP client (browser) on a remote workstation; and SNMP, which requires an SNMP
manager (such as Alcatel’s OmniVista or HP OpenView) on the remote workstation. Secure sessions are
available using the Secure Shell interface. File transfers can be done via FTP or Secure Shell FTP.
In This Chapter
This chapter describes the basics of logging into the switch to manage the switch through the CLI. It
includes information about using Telnet, FTP, and Secure Shell for logging into the switch as well as
information about using the switch to start a Telnet or Secure Shell session on another device. It also
includes information about managing sessions and specifying a DNS resolver. For more details about the
syntax of referenced commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• “Quick Steps for Logging Into the Switch” on page 1-3
• “Using Telnet” on page 1-6
• “Using FTP” on page 1-7
• “Using Secure Shell” on page 1-8
• “Modifying the Login Banner” on page 1-14
• “Configuring Login Parameters” on page 1-15
• “Enabling the DNS Resolver” on page 1-17
Management access is disabled (except through the console port) unless specifically enabled by a network
administrator. For more information about management access and methods, use the table here as a guide:
For more information about...                    See...
Enabling or “unlocking” management interfaces    Getting Started Guide or
on the switch                                    Chapter 8, “Managing Switch Security”
Authenticating users to manage the switch        Chapter 8, “Managing Switch Security”
Creating user accounts directly on the switch    Chapter 7, “Managing Switch User Accounts”
Using the CLI                                    Chapter 5, “Using the CLI”
Using WebView to manage the switch               Chapter 9, “Using WebView”
Using SNMP to manage the switch                  Chapter 10, “Using SNMP”
Login Specifications
Telnet clients supported             Any standard Telnet client.
FTP clients supported                Any standard FTP client.
HTTP (WebView) clients supported     – Internet Explorer for Windows NT, Windows
                                       XP, and Windows 2000, version 5.5
                                     – Netscape for Windows NT, Windows XP, and
                                       Windows 2000, version 4.7
                                     – Netscape for Sun OS 2.8, version 4.7
                                     – Netscape for HP-UX 11.0, version 4.7.
Secure Shell clients supported       Any standard Secure Shell client (Secure Shell
                                     Version 2).
SNMP clients supported               Any standard SNMP manager (such as HP Open-
Login Defaults
Access to managing the switch is always available for the admin user through the console port, even if
management access to the console port is disabled.
Parameter Description             Command                  Default
Session login attempts allowed    session login-attempt    3 attempts
before the TCP connection is
Timeout period allowed for        session login-timeout    55 seconds
session login before the TCP
connection is closed.
Inactivity timeout period. The    session timeout          4 minutes
length of time the switch can
remain idle during a login
session before the switch will
close the session.
Quick Steps for Logging Into the Switch
The following procedure assumes that you have set up the switch as described in your OmniSwitch Getting
Started Guide and Hardware Users Guide. Setup includes:
• Connecting to the switch via the console port.
• Setting up the Ethernet Management Port (EMP) through the switch’s boot prompt.
Shell) through the aaa authentication command for the interface you are using. Note that Telnet, FTP,
and Secure Shell are used to log into the switch’s Command Line Interface (CLI). For detailed information about enabling session types, see Chapter 8, “Managing Switch Security.”
1 If you are connected to the switch via the console port, your terminal will automatically display the
switch login prompt. If you are connected remotely, you must enter the switch IP address in your Telnet,
FTP, or Secure Shell client (typically the IP address of the EMP). The login prompt then displays.
2 At the login prompt, enter the admin username. At the password prompt, enter the switch password.
(Alternately, you may enter any valid username and password.) The switch’s default welcome banner will
display, followed by the CLI prompt.
Welcome to the Alcatel OmniSwitch 6000
Software Version Development, April 13, 2006.
Copyright(c), 1994-2005 Alcatel Internetworking, Inc. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel Internetworking, Inc. registered in the
United States Patent and Trademark Office.
You are now logged into the CLI. For information about changing the welcome banner, see “Modifying
the Login Banner” on page 1-14.
For information about changing the login prompt, see Chapter 5, “Using the CLI.”
For information about setting up additional user accounts locally on the switch, see Chapter 7, “Managing
Switch User Accounts.”
Overview of Switch Login Components
Switch access components include access methods (or interfaces) and user accounts stored on the local
user database in the switch and/or on external authentication servers. Each access method, except the
console port, must be enabled or “unlocked” on the switch before users can access the switch through that
[Figure: Switch Login Components. OmniSwitch 6648 with a remote user (login via Secure Shell, Telnet) and a local user (login via the console port).]
Management Interfaces
Logging into the switch may be done locally or remotely. Remote connections may be secure or insecure,
depending on the method. Management interfaces are enabled using the aaa authentication command.
This command also requires specifying the external servers and/or local user database that will be used to
authenticate users. The process of authenticating users to manage the switch is called Authenticated
Switch Access (ASA). Authenticated Switch Access is described in detail in Chapter 8, “Managing Switch
An overview of management methods is listed here:
Logging Into the CLI
• Console port—A direct connection to the switch through the console port. The console port is always
enabled for the default user account. For more information about connecting to the console port, see
your OmniSwitch Hardware Users Guide.
• Telnet—Any standard Telnet client may be used for remote login to the switch. This method is not
secure. For more information about using Telnet to access the switch, see “Using Telnet” on page 1-6.
• FTP—Any standard FTP client may be used for remote login to the switch. This method is not secure.
See “Using FTP” on page 1-7.
• Secure Shell—Any standard Secure Shell client may be used for remote login to the switch. See
“Using Secure Shell” on page 1-8.
Using the WebView Management Tool
• HTTP—The switch has a Web browser management interface for users logging in via HTTP. This
management tool is called WebView. For more information about using WebView, see Chapter 9,
“Using WebView.”
Using SNMP to Manage the Switch
• SNMP—Any standard SNMP browser may be used for logging into the switch. See Chapter 10,
“Using SNMP.”
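The following check is an added example, not part of the Alcatel guide or its software. It audits a saved configuration against the points made in this chapter: Telnet and FTP logins are not secure, Secure Shell is the recommended replacement, and the Login Defaults table gives the shipped session limits. The line syntax it parses (aaa authentication <interface> <server ...>, its no form, and an optional session type before the number) and the sample snapshot are assumptions constructed for illustration.

```python
import re

# Remote login methods this chapter marks "This method is not secure."
CLEARTEXT = {"telnet", "ftp"}
# Shipped values from the Login Defaults table in this chapter.
DEFAULTS = {"login-attempt": 3, "login-timeout": 55, "timeout": 4}
UNITS = {"login-attempt": "attempts", "login-timeout": "seconds", "timeout": "minutes"}

# Assumed line shapes (the chapter names the commands but not their full syntax):
#   aaa authentication <interface> <server> [<server> ...]
#   no aaa authentication <interface>
#   session <parameter> [<session-type>] <number>
AAA_RE = re.compile(r"^(no\s+)?aaa\s+authentication\s+(\S+)(.*)$")
SESSION_RE = re.compile(
    r"^session\s+(login-attempt|login-timeout|timeout)(?:\s+[a-z]+)?\s+(\d+)$"
)


def parse_config(text):
    """Return (unlocked, session): interface -> server list, parameter -> value."""
    unlocked = {}
    session = dict(DEFAULTS)          # parameters not present keep the default
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                  # blank line or comment
        m = AAA_RE.match(line)
        if m:
            negated, iface, servers = m.group(1), m.group(2).lower(), m.group(3).split()
            if negated:
                unlocked.pop(iface, None)   # a later "no" form locks it again
            elif servers:
                unlocked[iface] = servers
            continue
        m = SESSION_RE.match(line)
        if m:
            session[m.group(1)] = int(m.group(2))
    return unlocked, session


def audit(text):
    """Return a list of findings for insecure interfaces and relaxed limits."""
    unlocked, session = parse_config(text)
    findings = []
    insecure = sorted(unlocked.keys() & CLEARTEXT)
    for iface in insecure:
        findings.append(
            f"{iface}: unlocked but not secure; use Secure Shell or Secure Shell FTP"
        )
    if insecure and "ssh" not in unlocked:
        findings.append("ssh: not unlocked, so no encrypted remote login is available")
    for name, default in DEFAULTS.items():
        if session[name] > default:
            findings.append(
                f"session {name}: {session[name]} {UNITS[name]} "
                f"is looser than the default {default}"
            )
    return findings


# Constructed sample snapshot; "rad1" is a hypothetical server name.
SAMPLE = """\
! constructed snapshot for illustration
aaa authentication console local
aaa authentication telnet local
aaa authentication ftp rad1 local
aaa authentication ssh local
no aaa authentication ftp
session login-attempt 5
session timeout cli 30
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```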
User Accounts
User accounts may be configured and stored directly on the switch, and user accounts may also be configured and stored on an external authentication server or servers.
The accounts include a username and password. In addition, they also specify the user’s privileges or end-user profile, depending on the type of user account. In either case, the user is given read-only or read-write
access to particular commands.
• Local User Database
The user command creates accounts directly on the switch. See Chapter 7, “Managing Switch User
Accounts,” for information about creating accounts on the switch.
• External Authentication Servers
The switch may be set up to communicate with external authentication servers that contain user information. The user information includes usernames and passwords; it may also include privilege information or
reference an end-user profile name.
For information about setting up the switch to communicate with external authentication servers, see the
OmniSwitch 6600 Family Network Configuration Guide.
Using Telnet
Telnet may be used to log into the switch from a remote station. All of the standard Telnet commands are
supported by software in the switch. When Telnet is used to log in, the switch is acting as a Telnet server.
A Telnet session may also be initiated from the switch itself during a login session. In this case, the switch
is acting as a Telnet client.
Logging Into the Switch Via Telnet
Before you can log into the OmniSwitch using a Telnet interface, the telnet option of the aaa
authentication command must be enabled. Once enabled, any standard Telnet client may be used to log
into the switch. To log into the switch, open your Telnet application and enter the switch’s IP address (the
IP address will typically be the same as the one configured for the EMP). The switch’s welcome banner
and login prompt display.
Note. A Telnet connection is not secure. Secure Shell is recommended instead of Telnet or FTP as a
secure method of accessing the switch.
Starting a Telnet Session from the Switch
At any time during a login session on the switch, you can initiate a Telnet session to another switch (or
some other device) by using the telnet CLI command and the relevant IP address. The following shows an
example of telnetting to another OmniSwitch with an IP address of
-> telnet
Connected to
Escape character is '^]'.
login :
Here, you must enter a valid username and password. Once login is completed, the OmniSwitch welcome
banner will display as follows:
login : admin
password :
Welcome to the Alcatel OmniSwitch 6000
Software Version Development, April 13, 2006.
Copyright(c), 1994-2005 Alcatel Internetworking, Inc. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel Internetworking, Inc. registered
in the United States Patent and Trademark Office.
Using FTP
The OmniSwitch can function as an FTP server. Any standard FTP client may be used.
Note. An FTP connection is not secure. Secure Shell is recommended instead of FTP or Telnet as a secure
method of accessing the switch.
Using FTP to Log Into the Switch
You can access the OmniSwitch with a standard FTP application. To log in to the switch, start your FTP
client. Where the FTP client asks for “Name”, enter the IP address of your switch. Where the FTP client
asks for “User ID”, enter the username of your login account on the switch. Where the FTP client asks for
“Password”, enter your switch password.
Note. If you are using Authenticated Switch Access (ASA), the port interface must be authenticated for
FTP use and the username profile must have permission to use FTP. Otherwise the switch will not accept
an FTP login. For information about ASA, refer to Chapter 8, “Managing Switch Security.”
Note. You must use the binary mode (bin) to transfer image files via FTP.
Using Secure Shell
The OmniSwitch Secure Shell feature provides a secure mechanism that allows you to log in to a remote
switch, to execute commands on a remote device, and to move files from one device to another. Secure
Shell provides secure, encrypted communications even when your transmission is between two untrusted
hosts or over an unsecured network. Secure Shell protects against a variety of security risks including the
• IP spoofing
• IP source routing
• DNS spoofing
• Interception of clear-text passwords and other data by intermediate hosts
• Manipulation of data by users on intermediate hosts
Note. The OmniSwitch supports Secure Shell Version 2 only.
Secure Shell Components
The OmniSwitch includes both client and server components of the Secure Shell interface and the Secure
Shell FTP file transfer protocol. SFTP is a subsystem of the Secure Shell protocol. All Secure Shell FTP
data are encrypted through a Secure Shell channel.
Since Secure Shell provides a secure session, the Secure Shell interface and SFTP are recommended
instead of the Telnet program or the FTP protocol for communications over TCP/IP for sending file
transfers. Both Telnet and FTP are available on the OmniSwitch but they do not support encrypted
Note. Secure Shell may only be used to log into the switch to manage the switch. It cannot be used for
Layer 2 authentication through the switch.
Secure Shell Interface
The Secure Shell interface is invoked when you enter the ssh command. After the authentication process
between the client and the server is complete, the remote Secure Shell interface runs in the same way as
Telnet. Refer to “Starting a Secure Shell Session” on page 1-11 for detailed information.
Secure Shell File Transfer Protocol
Secure Shell FTP is the standard file transfer protocol used with Secure Shell version 2. Secure Shell FTP
is an interactive file transfer program (similar to the industry standard FTP) which performs all file
transfer operations over a Secure Shell connection.
You invoke the Secure Shell FTP protocol by using the sftp command. Once the authentication phase is
completed, the Secure Shell FTP subsystem runs. Secure Shell FTP connects and logs into the specified
host, then enters an interactive command mode. Refer to “Starting a Secure Shell Session” on page 1-11
for detailed information.
Secure Shell Application Overview
Secure Shell is an access protocol used to establish secured access to your OmniSwitch. The Secure Shell
protocol can be used to manage an OmniSwitch directly or it can provide a secure mechanism for
managing network servers through the OmniSwitch.
The drawing below illustrates the Secure Shell being used as an access protocol replacing Telnet to
manage the OmniSwitch. Here, the user terminal is connected through the network to the switch.
[Figure: Secure Shell Used as an Access Protocol]
The drawing below shows a slightly different application. Here, a single OmniSwitch to which a terminal
is connected acts as a Secure Shell client and also as an entry point into the network. In this scenario, the
client portion of the Secure Shell software is used on the connecting OmniSwitch and the server portion of
Secure Shell is used on the switches or servers being managed.
[Figure: OmniSwitch as a Secure Shell Client]
Secure Shell Authentication
Secure Shell authentication is accomplished in several phases using industry standard algorithms and
exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell SFTP. The
following sections describe the process in detail.
Protocol Identification
When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the
connection and responds by sending back an identification string. The client will parse the server’s identification string and send an identification string of its own. The purpose of the identification strings is to
validate that the attempted connection was made to the correct port number. The strings also declare the
protocol and software version numbers. This information is needed on both the client and server sides for
debugging purposes.
At this point, the protocol identification strings are in human-readable form. Later in the authentication
process, the client and the server switch to a packet-based binary protocol, which is machine readable
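The identification exchange described above can be checked with a short parser. This is an added example, not code from the guide or the switch software; it assumes the identification string layout of RFC 4253 section 4.2, and the function name and sample banners are constructed for illustration.

```python
import re

MAX_LEN = 255  # RFC 4253 section 4.2 limit, counting the final CR LF
# SSH-protoversion-softwareversion [SP comments]; both versions are printable
# US-ASCII without whitespace or "-".
_IDENT = re.compile(r"^SSH-([!-,.-~]+)-([!-,.-~]+)(?: (.*))?$")


def parse_identification(raw: bytes) -> dict:
    """Parse what a peer sends before the binary packet protocol begins."""
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue  # a server may send other text lines first
        if len(line) + 1 > MAX_LEN:
            raise ValueError("identification string exceeds 255 bytes")
        text = line.rstrip(b"\r").decode("ascii")
        match = _IDENT.match(text)
        if match is None:
            raise ValueError(f"malformed identification string: {text!r}")
        proto, software, comments = match.groups()
        return {
            "proto": proto,
            "software": software,
            "comments": comments or "",
            # "1.99" means the server speaks 2.0 and also accepts older clients
            "usable_by_v2_only_client": proto in ("2.0", "1.99"),
            "accepts_v1": proto.startswith("1."),
        }
    raise ValueError("no SSH identification string found")


# Constructed sample banners; the software names are made up.
SAMPLES = [
    b"SSH-2.0-ExampleSSH_1.0 constructed sample\r\n",
    b"Maintenance window tonight\r\nSSH-1.99-ExampleSSH_1.0\r\n",
    b"SSH-1.5-ExampleLegacy\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(parse_identification(banner))
```

A peer that announces only a 1.x version other than 1.99 cannot be reached by a client that supports Secure Shell Version 2 only.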
Algorithm and Key Exchange
The OmniSwitch Secure Shell server is identified by one or several host-specific DSA keys. Both the
client and server process the key exchange to choose a common algorithm for encryption, signature, and
compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key
agreement to produce a shared secret that cannot be determined by either the client or the server alone. The
key exchange is combined with a signature and the host key to provide host authentication. Once the
exchange is completed, the client and the server turn encryption on using the selected algorithm and key.
The following elements are supported:
Note. The OmniSwitch generates a 512 bit DSA host key at initial startup. The DSA key on the switch is
made up of two files contained in the /flash/network directory; the public key is called, and the private key is called ssh_host_dsa_key. To generate a different DSA key,
use the Secure Shell tools available on your Unix or Windows system and copy the files to the /flash/network directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted.
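Before copying a replacement key to the switch, the size of its public half can be checked offline. This is an added example, not code from the guide or the switch software; it assumes the ssh-dss public key layout of RFC 4253 section 6.6, the MIN_P_BITS threshold is a local policy assumption, and the sample key is built from made-up numbers.

```python
import base64
import struct

MIN_P_BITS = 2048  # assumption: local policy threshold, not a value from the guide


def _read_field(blob: bytes, off: int):
    """Read one length-prefixed field (RFC 4251 string or mpint) at offset off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("field length runs past end of blob")
    return blob[off + 4:end], end


def dsa_key_sizes(pubkey_line: str) -> dict:
    """Report the sizes of p and q in an 'ssh-dss <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-dss":
        raise ValueError("not an ssh-dss public key line")
    blob = base64.b64decode(parts[1], validate=True)
    name, off = _read_field(blob, 0)
    if name != b"ssh-dss":
        raise ValueError("key type inside the blob does not match")
    bits = {}
    for label in ("p", "q", "g", "y"):  # field order from RFC 4253 section 6.6
        raw, off = _read_field(blob, off)
        bits[label] = int.from_bytes(raw, "big").bit_length()
    if off != len(blob):
        raise ValueError("trailing bytes after the key fields")
    return {"p_bits": bits["p"], "q_bits": bits["q"], "weak": bits["p"] < MIN_P_BITS}


def _field(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def constructed_sample(p_bits: int) -> str:
    """Build a structurally valid line from made-up numbers (not a real key)."""
    ints = [(1 << (p_bits - 1)) | 1, (1 << 159) | 1, 2, 3]  # p, q, g, y
    blob = _field(b"ssh-dss")
    for n in ints:  # mpint: big-endian, extra 0x00 when the top bit is set
        blob += _field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    return "ssh-dss " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    print(dsa_key_sizes(constructed_sample(512)))
```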
Authentication Phase
When the client tries to authenticate, the server determines the process used by telling the client which
authentication methods can be used. The client has the freedom to attempt several methods listed by the
server. The server will disconnect itself from the client if a certain number of failed authentications are
attempted or if a timeout period expires. Authentication is performed independent of whether the Secure
Shell interface or the SFTP file transfer protocol will be implemented.
Connection Phase
After successful authentication, both the client and the server process the Secure Shell connection
protocol. The OmniSwitch supports one channel for each Secure Shell connection. This channel can be
used for a Secure Shell session or a Secure Shell FTP session.
Starting a Secure Shell Session
To start a Secure Shell session from an OmniSwitch, issue the ssh command and identify the IP address
for the device you are connecting to.
Note. You can only use a host name instead of an IP address if the DNS resolver has been configured and
enabled. If not, you must specify an IP address. See Chapter 2, “Managing System Files,” for details.
Note. Use of the cmdtool OpenWindows support facility is not recommended over Secure Shell connections with an external server.
The following command establishes a Secure Shell interface from the local OmniSwitch to IP address
-> ssh 11.333.30.135
login as:
You must have a login and password that is recognized by the IP address you specify. When you enter
your login, the device you are logging into will request your password as shown here.
Once the Secure Shell session is established, you can use the remote device specified by the IP address on
a secure connection from your OmniSwitch.
Note. The login parameters for a Secure Shell session can be affected by the session login-attempt
and session login-timeout CLI commands.
The following drawing shows an OmniSwitch, using IP address, establishing a Secure Shell
session across a network to another OmniSwitch, using IP address 11.333.30.135. To establish this session
from the console in the figure below, you would use the CLI commands shown in the examples above.
Once you issue the correct password, you are logged into the OmniSwitch at IP address 11.333.30.135.
[Figure: Secure Shell Session between Two OmniSwitches]
To view the parameters of the Secure Shell session, issue the who command. The following will display.
-> who
Session number = 0
User name = (at login),
Access type = console,
Access port = Local,
IP address =,
Read-only domains = None,
Read-only families = ,
Read-Write domains = None,
Read-Write families = ,
End-User profile =
Session number = 1
User name = rrlogin1,
Access type = ssh,
Access port = NI,
IP address =,
Read-only domains = None,
Read-only families = ,
Read-Write domains = All ,
Read-Write families = ,
End-User profile =
This display shows two sessions currently running on the remote OmniSwitch at IP address 11.333.30.135.
Session number 0 is identified as the console session. Session number 1 indicates the User name is
rrlogin1, the IP address is, and the Access type is “ssh” which indicates a Secure Shell
Closing a Secure Shell Session
To terminate the Secure Shell session, issue the exit command. The following will display:
-> exit
Connection to 11.333.30.135 closed.
Using the example shown above, this display indicates the Secure Shell session between the two switches
is closed. At this point, the user is logged into the local OmniSwitch at IP address
Log Into the Switch with Secure Shell FTP
To open a Secure Shell FTP session from a local OmniSwitch to a remote device, proceed as follows:
1 Log on to the OmniSwitch and issue the sftp CLI command. The command syntax requires you to
identify the IP address for the device to which you are connecting. The following command establishes a
Secure Shell FTP interface from the local OmniSwitch to IP address
-> sftp
login as:
2 You must have a login and password that is recognized by the IP address you specify. When you enter
your login, the device you are logging in to will request your password as shown here.