Avocent CYCLADES ACS 5000 Command Reference Manual

CYCLADES® ACS 5000
Command Reference Guide
FCC Warning Statement
The Cyclades ACS 5000 advanced console server has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the Installation and Service Manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference in which case the user is required to correct the problem at his or her own expense.
Notice about FCC Compliance for All Cyclades ACS 5000 Advanced Console Server Models
To comply with FCC standards, the Cyclades ACS 5000 advanced console server requires the use of a shielded CAT 5 cable for all interface ports. Notice that this cable is not supplied with either of the products and must be provided by the customer.
Canadian DOC Notice
The Cyclades ACS 5000 advanced console server does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
The Cyclades ACS 5000 advanced console server does not emit radio noise exceeding the limits applicable to Class A digital apparatus prescribed in the Radio Interference Regulations issued by the Canadian Department of Communications.
Cyclades® ACS 5000 Advanced Console Server
Command Reference Guide
Avocent, the Avocent logo, The Power of Being There, DSView and Cyclades are registered trademarks of Avocent Corporation or its affiliates in the U.S. and other countries. All other marks are the property of their respective owners.
© 2010 Avocent Corporation. All rights reserved. 590-814-501B
Instructions
This symbol is intended to alert the user to the presence of important operating and maintenance (servicing) instructions in the literature accompanying the appliance.
Dangerous Voltage
This symbol is intended to alert the user to the presence of uninsulated dangerous voltage within the product’s enclosure that may be of sufficient magnitude to constitute a risk of electric shock to persons.
Power On
This symbol indicates the principal on/off switch is in the on position.
Power Off
This symbol indicates the principal on/off switch is in the off position.
Protective Grounding Terminal
This symbol indicates a terminal which must be connected to earth ground prior to making any other connections to the equipment.
Table of Contents
Chapter 1: Using the Command Line Interface
  Overview
    Understanding the CLI Utility
    Accessing the CLI
    Important features of the CLI utility
    Modes of operation
  CLI Navigation
    Saving CLI changes
    Using CLI hotkeys
Chapter 2: Network Configuration
  Network Settings
    IPv4 and IPv6 addressing
    IPv4 Addressing
    IPv6 addressing
    IPv4 and IPv6 common parameters
    Host settings
  Security Profiles
    Enable serial ports
  VPN Configuration
  SNMP
    Hosts
    TCP keepalive
  Firewall Configuration (IP Filtering)
    Structure of the iptables
    Match extensions
    Multiport extension
    Target extensions
  Static Routes
Chapter 3: Security
  Security Profiles
  Authentication
    User access to serial ports
  NIS Client
    NIS Client Configuration
    nsswitch.conf
  Kerberos Authentication
    Kerberos server authentication with tickets support
    Configuring the console server to use Kerberos tickets authentication
    Kerberos server authentication
  LDAP Authentication
  Group Authorization
    TACACS+ authorization on serial ports
  One Time Password (OTP) Authentication
    OTP authentication configuration tasks
  Shadow Passwords
  Digital Certificates
    Certificate for HTTP security
    User configured digital certificate
    X.509 certificate on SSH
Chapter 4: Accessing Connected Devices
  Connection Profiles and Protocols
    Serial ports general parameters
    Accessing serial ports using ts_menu
    Configuration examples
Chapter 5: Administration
  Process Monitoring
  The Process Table
  Start and Stop Services
  Syslog-ng
  Syslog Messages
  DCD ON/OFF Syslog Messages
  Notifications and Alarms
  Dual Power Management
  Date and Time, Timezone and Daylight Saving
    Daylight Saving Time (DST)
    Network Time Protocol (NTP)
  Session Sniffing
  Data Buffering
    Ramdisk
    Linear vs. Circular buffering
  Menu Shell
  Terminal Appearance
  SUDO Configuration Group
  Saveconf and Restoreconf
    Saveconf utility
    Restoreconf utility
  Crond
  Clustering Using Ethernet Interface
Chapter 6: Power Management
  Power Management Protocol
  IPDU Configuration and Management
    Power management utility
    IPDU identification
    pmMenu
    pmCommand
    IPDU password
    IPDU Firmware Upgrade
    SNMP Proxy
Appendices
  Appendix A: Additional Features and Applications
  Appendix B: Upgrades and Troubleshooting
  Appendix C: Linux File Structure
  Appendix D: The vi Editor
  Appendix E: Technical Support
Chapter 1: Using the Command Line Interface
Overview
The Cyclades® ACS 5000 advanced console server command line interface (CLI) may be used for administration and maintenance of the console server. The CLI is a set of keywords nested in a hierarchical format. It allows the console server administrator to perform the same configuration tasks that are available through the web manager. In addition, frequently performed configuration tasks can be saved in text files and executed in batch mode or through shell scripts.
Understanding the CLI Utility
The CLI utility is built on a set of commands that are nested in a hierarchical format. Some commands require parameters that are user-defined.
For example, network configuration tasks include the network, hostsettings and hostname commands, nested in the following format:
cli> config network hostsettings hostname [parameter]
Commands used to configure or change a set of parameters, for example:
cli> config security adduser username john password john12 admin yes shell /bin/sh
Commands may also specify a function or an action to be performed. For example:
cli> config runconfig
cli> config savetoflash
Accessing the CLI
The CLI may be accessed by any of the following three methods:
• By local logins through the console port: Local console server “root” users may access the command line by logging in through the console port using a terminal or a server running a terminal emulation program.
• By remote logins using SSH, PPP or a terminal emulation program: Remote users may access the console server CLI through SSH, by using a terminal emulation program to dial into an external modem or by creating a PPP connection with an external modem.
• By clicking Connect to ACS 5000 in the web manager: After logging into the web manager, you may access the CLI by clicking the Connect menu option.
Important features of the CLI utility
Only one user logged in as “root” or “admin” may have an active CLI or web manager session. A second user who connects through the CLI or the web manager as “root” or “admin” may choose either to abort the new session or to close the other user’s session.
NOTE: If cron jobs are running through automated scripts, a root or admin user login may cause the automated cron jobs to fail.
The CLI has three possible user levels:
• Root user: A Linux root user has access to the full functionality of the CLI. Root users have access to the shell command in the CLI, which provides access to the console server shell prompt.
NOTE: An administrator may configure the Linux login shell of a user to be the CLI utility (/bin/CLI), so that the CLI starts when the user logs into the console server. A user with “root” access may invoke the Linux shell from the CLI interface. An admin or a regular user who is configured with CLI as the default shell may not access the Linux shell.
• Admin: A Linux admin user has access to the full functionality of the CLI except the shell command, which provides access to the console server Linux shell prompt.
• Regular user: A Linux regular user has access only to limited functionality of the CLI. Access is granted only to the applications commands of the CLI utility.
The CLI generates syslog messages for executed commands and when sessions are terminated. For example:
Apr 19 17:51:44 src_dev_log@swes-129 CLI[413]: User root starts an interactive CLI session.cli>config
Apr 19 16:28:02 src_dev_log@swes-129 CLI[412]: Session closed due idletimeout
Apr 19 17:54:23 src_dev_log@swes-129 CLI[413]: User root executed [quit]
CLI writes every command executed in interactive mode in the file ~/.history. This file stores the last 1000 commands executed in any CLI session.
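Because the CLI logs every executed command to syslog and keeps the last 1000 interactive commands in ~/.history, those records are the natural place to review who changed what on the appliance. The following POSIX shell functions are an added example, not part of the Avocent guide: they summarize CLI session messages in the format shown above. The log lines, host name and PIDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Avocent guide: summarize the syslog messages the
# ACS 5000 CLI writes for sessions and executed commands. The lines below are
# constructed in the format the guide shows (host name and PIDs are made up).

SAMPLE_LOG='Apr 19 17:51:44 src_dev_log@swes-129 CLI[413]: User root starts an interactive CLI session.
Apr 19 17:52:10 src_dev_log@swes-129 CLI[413]: User root executed [config security adduser username john password john12 admin yes shell /bin/sh]
Apr 19 17:52:30 src_dev_log@swes-129 CLI[413]: User root executed [config savetoflash]
Apr 19 16:28:02 src_dev_log@swes-129 CLI[412]: Session closed due idletimeout
Apr 19 17:53:05 src_dev_log@swes-129 CLI[418]: User admin executed [config network hostsettings hostname FremontACS]
Apr 19 17:54:23 src_dev_log@swes-129 CLI[413]: User root executed [quit]
Apr 19 17:55:00 src_dev_log@swes-129 sshd[500]: Accepted password for admin from 10.0.0.5'

# Keep only messages tagged by the CLI process ("CLI[pid]:"); other daemons
# such as sshd are dropped.
cli_lines() {
    grep ' CLI\[[0-9]*\]: '
}

# Print "user|command" for every "User <name> executed [<command>]" line on stdin.
cli_executed() {
    cli_lines | sed -n 's/.* CLI\[[0-9]*\]: User \([^ ]*\) executed \[\(.*\)\]$/\1|\2/p'
}

# Count the commands executed by the user given as argument 1.
cli_executed_count() {
    cli_executed | awk -F '|' -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Count sessions that the CLI closed because of the idle timeout.
cli_idle_closed_count() {
    cli_lines | grep -c 'Session closed due idletimeout' || true
}

# Executed commands that carried a password on the command line. The guide
# notes that every interactive command is also stored in ~/.history, so such
# secrets persist in syslog and in the history file; these lines need review.
cli_commands_with_password() {
    cli_executed | awk -F '|' '$2 ~ / password /'
}

# Small demonstration when the script is run with --demo; the functions above
# are the reusable part and read the log from stdin.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | cli_executed
    printf 'commands executed by root: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | cli_executed_count root)"
    printf 'commands containing a password:\n'
    printf '%s\n' "$SAMPLE_LOG" | cli_commands_with_password
fi
```

On the appliance the same functions can read the real syslog destination instead of SAMPLE_LOG, for example by piping the log file into cli_executed.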
Modes of operation
The following table describes the three modes of executing commands using the CLI utility.
Table 1.1: Modes of Operation
Mode: Command Line
CLI is invoked in the Linux shell with commands and parameters. For example:
[root@CAS root]# bin/CLI config network hostsettings hostname <parameter>
Mode: Interactive
CLI is invoked from the Linux shell and commands and parameters are entered at the CLI prompt. CLI is active until the quit command is issued. For example:
CLI> config network hostsettings dhcp <yes>
CLI> config runconfig
CLI> config savetoflash
CLI> config quit
[root@CAS root]#
Mode: Batch
• CLI commands may be saved in a text file and executed in batch mode by invoking the CLI utility with the -f <filename> option.
• CLI commands may be used in a shell script. For example, #!/bin/CLI may be used as the first line of a shell script if the script contains only CLI commands. Any type of shell may be used to run CLI commands along with other commands.
For example:
• Create a script that calls /bin/CLI to configure a hostname in batch mode, then save the file (:wq in vi):
#!/bin/CLI
config network hostsettings hostname FremontACS
config savetoflash
• Run a CLI command from the same script that is running other Linux commands:
#!/bin/bash
...
/bin/CLI -s config network hostsettings hostname FremontACS
...
• Run multiple CLI commands from a script that is running other Linux commands:
#!/bin/bash
...
/bin/CLI << EOF
config network hostsettings hostname FremontACS
config security adduser username johndoe
config savetoflash
EOF
CLI Navigation
Autocompletion
Autocompletion may be used to find out which commands and parameters are available. Pressing the Tab key twice displays all the commands at the top level. For example:
cli> Tab Tab
administration  info        return  version
applications    portStatus  shell
config          quit        show
Pressing the Tab key once after partially typing a command automatically completes the parameter name. If more than one parameter name begins with the typed characters, pressing the Tab key again displays them all. For example:
cli> i Tab
info
cli> a Tab Tab
administration applications
Pressing the Tab key after a first-level command displays the commands one level down in the hierarchy. For example:
cli> config Tab
administration  discardchanges  physicalports     savetoflash
applications    ipmi            restorefromflash  security
autodiscovery   network         runconfig         virtualports
Saving CLI changes
Configuration changes made in any of the CLI modes are temporary. Changes are not activated and saved into the configuration files unless you run the commands described in the following table.
Table 1.2: CLI Commands for Saving Configuration Changes
config runconfig: Saves and activates configuration changes in the appropriate configuration files.
config savetoflash: Saves any unsaved configuration changes in the configuration files and creates a zipped backup copy of the files in a backup directory for possible later retrieval.
config discardchanges: Restores the backed up configuration files, overwriting any configuration changes made since the last time the savetoflash option was executed.
Using CLI hotkeys
The CLI hotkeys may be used to perform the following types of actions:
• Move the cursor on the command line.
• Move through the list of commands in the command history.
• Edit characters on the command line.
Table 1.3: Cursor Movement Keys
Ctrl+a: Move to the start of the current line.
Ctrl+e: Move to the end of the line.
Ctrl+b: Move back a character (same as the left arrow key).
Ctrl+f: Move forward a character (same as the right arrow key).
Esc+b: Move back to the start of the current or previous word. Words are composed of letters and digits.
Esc+f: Move forward to the end of the next word. Words are composed of letters and digits.
Ctrl+l: Clear the screen and redraw the current line, leaving the current line at the top of the screen.
Table 1.4: Command History Keys
Ctrl+n: Move forward through the history list, fetching the next command (same as the down arrow key).
Ctrl+p: Move back through the history list, fetching the previous command (same as the up arrow key).
NOTE: The command history buffer is only available for the last 500 commands in the current session. The history is cumulative, so terminating the session does not clear the buffer. This means a user may log in to the CLI and go back over the commands entered by a previous user.
Table 1.5: Text Modification Keys
Ctrl+d: Delete the character under the cursor (same as the Delete key).
Ctrl+h: Same as the Backspace key.
Ctrl+k: Clear the text from the cursor to the end of the line.
Ctrl+u: Clear backward from the cursor to the beginning of the current line.
Ctrl+w: Delete the word behind the cursor.
Esc+d: Clear from the cursor to the end of the current word, or if between words, to the end of the next word.
Esc+Tab: Displays the current value of the parameter entered. You may edit the value. For example, to display the current value for domain and edit it:
cli> config network hostsettings
hostsettings> domain [press <Esc> <Tab>]
hostsettings> domain avocent.com
CLI Global commands
The CLI global commands may be entered at any level of the CLI hierarchy.
Table 1.6: CLI Global Commands
quit: Ends the CLI session.
return: Goes up one level in the CLI hierarchy.
info: Displays the help information available for the current level in the hierarchy. When combined with a command name supported at the current level, the applicable information or parameter is displayed.
show: Displays the configuration parameter(s). When combined with a command name supported at the current level, the applicable information or parameter is displayed.
CLI command arguments
Command arguments are used when CLI is invoked in command line mode in the Linux shell or in batch mode.
Table 1.7: CLI Command Arguments
-q: Suppress the output of error messages from CLI.
-t <time>: Timeout in minutes; the default is 10 minutes.
-T: Disable the idle time-out. Same as -t 0.
-s: (batch mode only) Save changes to flash. This is the same as the savetoflash command.
-r: (batch mode only) Activate changes. This is the same as the runconfig command.
-f <filename>: Executes the commands in the file <filename>.
Chapter 2: Network Configuration
Network Settings
The following instructions assume you are installing a new console server or you have reset an existing unit to factory default parameters.
The default configuration has both IPv4 and IPv6 enabled:
• IPv4 networking will be enabled and the main Ethernet interface IP address will be obtained from a DHCPv4 server.
• IPv6 networking will be enabled only for the basic services of the main Ethernet interface and its IPv6 address will be obtained from a local router (stateless only option).
To configure initial network parameters using the wiz command:
1. From your terminal emulation application, log in to the console port as root. The default password is avocent.
NOTE: It is strongly recommended to change the default password to a new password before configuring the console server for secure access.
2. To change a password, run the following command.
[root@CAS root]# passwd
New password:
3. Launch the configuration wizard by entering the wiz command.
[root@CAS root]# wiz
4. The system displays a configuration wizard banner, instructions for using the utility and the current configuration.
5. At the prompt, Set to defaults?, enter n to change the defaults.
6. Continue through the configuration parameters until you are prompted to determine if the parameters are correct.
Are all these parameters correct? (y/n) [n] :
7. Enter n to go back and change any configuration parameters.
-or-
If you enter y, you will be prompted to save your configuration after the following warning is displayed:
(Note: If you are NOT connected to this unit through a console, and you have just reconfigured the IP of this unit, activating the new configurations may cause you to lose connection. In that case, please reconnect to the unit by the new IP address, and manually issue a saveconf to save your configurations to flash.)
Do you want to activate your configurations now? (y/n) [y] :
8. Activate and save your configuration when prompted to do so.
9. To confirm the configuration, enter the ifconfig command. The new network settings will be displayed.
IPv4 and IPv6 addressing
NOTE: All of the following configuration parameters are available in the wizard (wiz).
CAUTION: If you are accessing the CLI through a network connection instead of through the console port, you risk losing network access and control of the console server when you change the IP mode or the IP address. Be sure to record the new IP address before activating the new configuration, so you can reconnect.
By default, IPv4 and IPv6 network addressing will be enabled. The console server allows the following network addressing configurations:
IPv4 only
IPv6 only
Dual Stack (IPv4 and IPv6)
Disabling IPv4
If you disable IPv4, configuration of IPv4 addresses will not be allowed. A warning message will display advising you that services not supporting IPv6 will be unavailable. The IPv4 tab will be disabled.
Disabling/Enabling IPv6
If you disable IPv6, configuration of IPv6 addresses will not be allowed and the IPv6 tab will be disabled. If you change IPv6 from disabled to enabled, a warning message will display advising you that some services not supporting IPv6 will be unavailable. You will have to configure those services supporting IPv6 for proper operation.
NOTE: If services not supporting IPv6 are needed, select Dual Stack (IPv4 and IPv6) and those services will be available for IPv4.
IPv4 Addressing
To enable IPv4 network addressing:
1. From the shell prompt on your terminal, enter the following command.
# CLI
2. From the cli prompt, enter the following:
cli> config network hostsettings ipmode dualstack
This will enable both IPv4 and IPv6 network addressing.
-or-
cli> config network hostsettings ipmode ipv4
This will enable IPv4 network addressing only.
To set IPv4 specific configurations:
From the cli prompt, enter the following.
cli> config network hostsettings
Follow the parameters in Table 2.1 for the rest of the configuration.
Table 2.1: IPv4 Specific Configurations
primipaddress <nnn.nnn.nnn.nnn>: The primary IP address of the console server; automatically obtained if DHCP is enabled.
secipaddress <nnn.nnn.nnn.nnn>: The secondary IP address of the console server.
primsubnetmask <nnn.nnn.nnn.nnn>: Subnet mask for the primary IP address.
secsubnetmask <nnn.nnn.nnn.nnn>: Subnet mask for the secondary IP address.
dhcp: An IPv4 address will be dynamically obtained from a DHCPv4 server (the interactive example in Table 1.1 shows this setting as dhcp <yes>).
IPv6 addressing
Services not supported in IPv6
IPv6 does not support the following services:
• NIS authentication
• NFS data logging
• Virtual ports
To enable IPv6 network addressing:
1. From the shell prompt on your terminal, enter the following command.
# CLI
2. From the cli prompt, enter the following:
cli> config network hostsettings ipmode dualstack
This will enable both IPv4 and IPv6 network addressing.
-or-
cli> config network hostsettings ipmode ipv6
This will enable IPv6 network addressing only.
To set IPv6 specific configurations:
From the cli prompt, enter the following:
cli> config network hostsettings ipv6
Follow the parameters in Table 2.2 for the rest of the configuration.
Table 2.2: IPv6 Specific Configurations
Parameter Level 1 / Level 2 - Description
dhcp6 - Selects the options for the information that will be retrieved from the DHCPv6 server.
  dhcp6 none - No further data will be retrieved from the server.
  dhcp6 dns - The DNS server IP address will be retrieved from the server.
  dhcp6 domain - The domain path will be retrieved from the server.
  dhcp6 dns_domain - The DNS server IP address and the domain path will be retrieved from the server.
Chapter 2: Network Configuration 13
To configure a static primary IP address in IPv6 mode, enter the following:
cli> config network hostsettings ipv6 staticipaddress <IPv6_address>
To configure a dynamic primary IP address in IPv6 mode, enter the following:
cli> config network hostsettings ipv6 ipv6method stateless_only
-or-
cli> config network hostsettings ipv6 ipv6method dhcp
IPv4 and IPv6 common parameters
To set up parameters common to IPv4 and IPv6 mode:
To set up or change the primary DNS server, enter the following:
cli> config network hostsettings primdnsserver <primary_DNS_server_ip>
Similarly, configure the secondary DNS server, if necessary:
cli> config network hostsettings secdnsserver <secondary_DNS_server_ip>
To set up or change the domain name where your system resides, enter the following:
cli> config network hostsettings domain <domain_name>
To configure the gateway, enter the following:
cli> config network stroutes add default gateway <gateway_IP_address>
Table 2.2: IPv6 Specific Configurations (Continued)
Parameter Level 1 / Level 2 <value> - Description
ipv6method - Selects the way IPv6 addresses will be configured or obtained.
  ipv6method stateless_only - IPv6 local address will be dynamically obtained from an IPv6 router in the local network. This method is to be used only if the two others are not available (local IPv6 addresses obtained from the router cannot be used outside the local network).
  ipv6method static - IPv6 address will be statically configured.
  ipv6method dhcp - IPv6 address and its prefix length will be dynamically obtained from a DHCPv6 server.
staticipaddress <ipaddress>/<prefix_length> - Configures a static IPv6 address and its prefix length for the interface. This is available only if ipv6method is configured as static.
NOTE: If the gateway address is an IPv6 link-local address (the range identified by the first 10 bits equal to 1111111010), then the interface id is required:
cli> config network stroutes add default gateway <gateway_IP_address> interface <interface_ID>
Activate and save your configuration.
cli> config runconfig
cli> config savetoflash
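The link-local check from the note above, as an added POSIX shell example that is not part of the Avocent guide: it tests the first 10 bits of the gateway address and emits the stroutes line, refusing a link-local gateway that has no interface id. The address and interface values are constructed.

```shell
#!/bin/sh
# Added example, not from the Avocent guide. Decides whether an IPv6
# gateway is link-local (fe80::/10, first 10 bits 1111111010) and builds
# the "config network stroutes add default gateway ..." line accordingly.

# first_hextet <ipv6>: prints the leading 16-bit group as a decimal value.
# "::1" has an empty leading group, which counts as 0. Zone ids such as
# fe80::1%eth0 do not disturb the first group.
first_hextet() {
    h=${1%%:*}
    [ -n "$h" ] || h=0
    case $h in
        *[!0-9A-Fa-f]*|?????*) echo "bad hextet: $h" >&2; return 2 ;;
    esac
    printf '%d' "0x$h"
}

# is_link_local <ipv6>: exit 0 when the first 10 bits are 1111111010,
# i.e. the first group is in 0xfe80..0xfebf (65152..65215 decimal).
is_link_local() {
    v=$(first_hextet "$1") || return 2
    [ "$v" -ge 65152 ] && [ "$v" -le 65215 ]
}

# default_route_cmd <gateway> [interface]: prints the line to enter at the
# cli> prompt. A link-local gateway without an interface id is an error,
# because fe80::/10 alone does not say which link the router sits on.
default_route_cmd() {
    gw=$1; iface=$2
    if is_link_local "$gw"; then
        if [ -z "$iface" ]; then
            echo "error: $gw is link-local; add interface <interface_ID>" >&2
            return 1
        fi
        echo "config network stroutes add default gateway $gw interface $iface"
    else
        echo "config network stroutes add default gateway $gw"
    fi
}

# Constructed sample values:
default_route_cmd 2001:db8::1
default_route_cmd fe80::1 eth0
```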
Host settings
To configure host settings:
1. Enter the following string at the CLI prompt. Refer to Table 2.3 for host settings parameters and values.
cli> config network hostsettings <parameter> <value>
2. Activate and save your configuration.
Table 2.3: Host Settings Parameters and Values
Parameter Level1 / Level2 <value> - Description
banner <console banner> - Banner for the user shell
bonding - Redundancy for the ethernet interface
  bonding miimon <number> - The interval in which the active interface is checked to see if it is still communicating (in milliseconds)
  bonding updelay <number> - The time the system waits to make the primary interface active after it has been detected as up (in milliseconds)
dhcp yes|no - Enable or disable DHCP
domain <domain name> - Domain name
hostname <string> - Console Server name
mtu <number[200-1500]> - Maximum Transmission Unit used by the TCP protocol
primdnsserver <IPv6_address>/<prefix_length> - Primary DNS Server (IPv4 or IPv6)
Security Profiles
A security advisory appears the first time the console server is turned on, or when the unit is reset to factory default parameters. Once you have configured the basic network settings, a security profile must be selected in order to proceed to further configuration procedures. Table 2.4 describes the protocols and services available for each security profile.
To select a predefined security profile:
Configure a predefined security profile by entering the following string at the CLI prompt.
cli> config security profile [secured|moderate|open]
To configure a custom security profile:
1. Navigate to the custom menu.
cli> config security profile custom
Table 2.3: Host Settings Parameters and Values (Continued)
Parameter Level1 / Level2 <value> - Description
secdnsserver <IPv6_address>/<prefix_length> - Secondary DNS Server (IPv4 or IPv6)
primipaddress <nnn.nnn.nnn.nnn> - Primary IP address (IPv4 specific)
secipaddress <nnn.nnn.nnn.nnn> - Secondary IP address (IPv4 specific)
primsubnetmask <nnn.nnn.nnn.nnn> - Primary subnet mask (IPv4 specific)
secsubnetmask <nnn.nnn.nnn.nnn> - Secondary subnet mask (IPv4 specific)
Table 2.4: Security Profiles
Security profile - Description
Secured - Predefined security profile. All protocols and services are disabled except SSHv2, HTTPS and SSH to serial ports.
Moderate (Default) - Predefined security profile. Enables SSHv1, SSHv2, HTTP, HTTPS, Telnet, SSH and Raw connections to serial ports, ICMP and HTTP redirection to HTTPS.
Open - Predefined security profile. Enables all services: Telnet, SSHv1, SSHv2, HTTP, HTTPS, SNMP, RPC, ICMP and Telnet, SSH and Raw connections to serial ports.
Custom - Administrator may configure individual protocols and services and configure access to serial ports.
2. Enable or disable desired protocols or services. Refer to Table 2.5 for the list of parameters and values.
custom> [parameter] <value>
3. Activate and save your configuration.
Enable serial ports
By default, the console server is configured with all serial ports disabled.
To enable serial ports:
1. Enable single or multiple serial ports.
cli> config physicalports <range/list[1-32]> enable yes
Table 2.5: Custom Security Profile Parameters
Parameter Level1 / Level2 / Level3 - Value
ftp - yes|no
icmp - yes|no
ipsec - yes|no
ports> auth2 - yes|no
ports> bidirect - yes|no
ports> raw2sport - yes|no
ports> ssh2sport - yes|no
ports> telnet2sport - yes|no
rpc - yes|no
snmp - yes|no
ssh> root_access - yes|no
ssh> ssh_x509> CA_file - <path and filename of CA certificate>
ssh> ssh_x509> hostkey - <path and filename of host key> (assumed by analogy with the neighbouring rows; the value is missing from the source table)
ssh> ssh_x509> authorizedkeys - <path and filename of authorized keys>
ssh> sshd_port - <number>
ssh> sshv1 - yes|no
ssh> sshv2 - yes|no
telnet - yes|no
web> http - yes|no
web> http2https - yes|no
web> http_port - <number>
web> https - yes|no
web> https_port - <number>
2. Activate and save your configuration.
VPN Configuration
You can set up VPN connections to establish an encrypted communication between the console server and a host on a remote network. The encryption creates a security tunnel for dedicated communications.
To set up a security gateway, you should install IPSec. The ESP and AH authentication protocols, and RSA Public Keys and Shared Secret are supported.
To configure VPN:
1. Execute the following command to enable IPSec.
cli> config security profile custom ipsec <yes>
2. Configure VPN parameters, see Table 2.6.
cli> config network vpn [parameter] <value>
3. Activate and save your configuration.
Table 2.6: VPN Parameters
Parameter <value> - Description
add <connection name> - A name to identify the connection.
authmethod <rsapubkey|sharesecret> - Authentication method used. Either RSA Public Key or Shared Secret.
authprotocol <ah|esp> - Authentication protocol used. Either Encapsulating Security Payload (ESP) or Authentication Header (AH).
bootaction <add|ignore|start> - The boot action configured for the host.
leftid, rightid hostname@xyz.com - This is the hostname that a local system and a remote system use for IPSec negotiation and authentication. It may be a fully qualified domain name (FQDN) preceded by @. For example, hostname@xyz.com.
leftip, rightip <IP_address> - The IPv4 or IPv6 address of the host.
leftnexthop, rightnexthop <IP_address> - The IPv4 or IPv6 address of the router through which the console server (on the left side) or the remote host (on the right side) sends packets to a host on a network.
leftrsakey, rightrsakey <string> - You need to generate a public key for the console server and find out the key used on the remote gateway. You may use copy and paste to enter the key in the RSA Key field.
SNMP
Simple Network Management Protocol (SNMP) works by sending messages called protocol data units (PDUs) to different parts of a network. SNMP compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. The console server uses the net-snmp package. See http://www.net-snmp.org for more information.
NOTE: Check the SNMP configuration before gathering information about the console server by SNMP. There are different types of attacks an unauthorized user may implement to retrieve sensitive information contained in the MIB. By default, the SNMP configuration in the console server does not permit the public community to read SNMP information.
In order to configure SNMP v1/v2, enter the following command. Refer to Table 2.7 for a list of parameters.
cli> config network snmp v1/v2 [parameter] <value>
Table 2.6: VPN Parameters (Continued)
Parameter <value> - Description
leftsubnet, rightsubnet <n.n.n.n/n> - The netmask of the subnetwork where the host resides. NOTE: Use CIDR notation: the IP number followed by a slash and the number of 'one' bits in the binary notation of the netmask. For example, 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0.
secret <string> - Pre-shared password between left and right users.
Table 2.7: SNMP v1/v2 Configuration Parameters
Parameter <value> - Description
syscontact <string> - The email address of the console server administrator.
syslocation <string> - The physical location of the console server.
community <string> - The group to which devices and management stations running SNMP belong.
oid <string> - Object Identifier. Each managed object has a unique identifier.
permission <string> - Read Only access to the entire Management Information Base (MIB) except for SNMP configuration objects, or Read/Write access to the entire MIB except for SNMP configuration objects.
source <string> - The host IP address.
To configure SNMP v1/v2 (example):
1. The following command configures SNMP v1/v2 with the following parameters.
community: avocent
OID: .1
permission: ro (read only)
source (allowed host): 192.168.0.200
cli> config network snmp v1v2 add community avocent oid .1 permission ro source 192.168.0.200
2. Run the following commands to activate and save the configuration.
In order to configure SNMP v3, enter the following command. Refer to Table 2.8 for a list of parameters.
cli> config network snmp v3 [parameter] <value>
To configure SNMP v3 (example):
1. The following command configures SNMP v3 with the following parameters.
username: john
password: john1234
OID: .1
permission: ro (read only)
NOTE: The SNMP v3 password may be a maximum of 30 characters.
cli> config network snmp v3 add username john password john1234 oid .1 permission ro
2. Activate and save your configuration.
Table 2.8: SNMP v3 Parameters
Parameter <value> - Description
syscontact <string> - The email address of the console server administrator.
syslocation <string> - The physical location of the console server.
oid <string> - Object Identifier. Each managed object has a unique identifier.
password <string> - User password.
permission <string> - Read Only access to the entire Management Information Base (MIB) except for SNMP configuration objects, or Read/Write access to the entire MIB except for SNMP configuration objects.
username <string> - Username.
Hosts
To configure hosts:
1. Add a host name with IP address.
cli> config network hosttable add hostip <n.n.n.n> name [hostname]
You may repeat this step as many times as necessary.
2. Activate and save your configuration.
TCP keepalive
The objective of this feature is to allow the console server to recognize when the socket client, SSH or Telnet goes down without closing the connection properly. The TCP engine of the console server sends a TCP keepalive message (ACK) to the client. If the maximum retry number is reached without an answer from the client, the connection is closed.
To configure TCP keepalive:
1. Configure the poll interval in milliseconds.
cli> config physicalports all other tcpkeepalive <number>
2. Activate and save your configuration.
Firewall Configuration (IP Filtering)
IP filtering consists of blocking the passage of IP packets based on rules defined in the characteristics of the packets, such as the contents of the IP header, the input/output interface or the protocol. This feature is used mainly in firewall applications, which filter the packets that could crack the network system or generate unnecessary traffic.
Network Address Translation (NAT) allows the IP packets to be translated from the local network to the global network and vice versa. This feature is particularly useful when there is demand for more IP addresses in the local network than are available as global IP addresses. In the console server, this feature is used mainly for clustering (one master console server works as the interface between the global network and the slave console servers).
NOTE: The NAT table is not used with IPv6.
The console server uses the Linux utility iptables to set up, maintain and inspect both the filter and the NAT tables of IP packet rules in the Linux kernel. Besides filtering or translating packets, the iptables utility is able to count the packets which match a rule and to create logs for specific rules.
Structure of the iptables
The iptables are structured in three levels: table, chain and rule. A table may contain several chains and each chain may contain several rules.
Table
The table indicates how the iptables works. There are currently three independent tables supported by the iptables but only two are used.
filter: This is the default table.
nat: This table is consulted when a packet that creates a new connection is encountered.
Chain
Each table contains a number of built-in chains and may also contain user-defined chains. The built-in chains are called according to the type of packet. User-defined chains are called when a rule, matched by the packet, points to the chain. Each table has a specific set of built-in chains.
For the filter table:
INPUT - For packets coming into the box itself.
FORWARD - For packets being routed through the box.
OUTPUT - For locally-generated packets.
For the nat table (IPv4 only):
PREROUTING - For altering packets as soon as they come in.
OUTPUT - For altering locally-generated packets as soon as they come in.
POSTROUTING - For altering packets as they are about to go out.
Rule
Each chain has a sequence of rules. These rules contain:
How the packet should appear in order to match the rule: Some information about the packet is checked according to the rule, such as the IP header, the input and output interfaces, the TCP flags and the protocol.
What to do when the packet matches the rule: The packet may be accepted, blocked, logged or jumped to a user-defined chain. For the nat table, the packet may also have its source IP address and source port altered (for the POSTROUTING chain) or have the destination IP address and destination port altered (for the PREROUTING and OUTPUT chain).
When a chain is analyzed, the rules of this chain are reviewed one-by-one until the packet matches one rule. If no rule is found, the default action for that chain is taken.
Configuring IP tables IPv4 Syntax
# iptables -command chain rule-specification [-t table] [options]
# iptables -E old-chain-name new-chain-name
where,
table - May be filter or nat. If the option -t is not specified, the filter table is assumed.
chain - For the filter table: INPUT, OUTPUT, FORWARD or a user-created chain. For the nat table: PREROUTING, OUTPUT, POSTROUTING or a user-created chain.
IPv6 Syntax
# ip6tables -command chain rule-specification [-t table] [options]
# ip6tables -E old-chain-name new-chain-name
where,
table - May only be the filter table. The option -t does not need to be specified.
chain - INPUT, OUTPUT, FORWARD or a user-created chain.
NOTE: Fragmented packets cannot be filtered in IPv6 configurations.
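As an added illustration that is not from the Avocent guide, the following POSIX shell script uses the syntax above to build the filter-table policy an administrator might apply on a console server: a user-created chain hung off INPUT, the same rules issued through iptables (IPv4) and ip6tables (IPv6), a LOG rule before the final DROP, and no nat-table commands, since nat is IPv4-only and unused here. The management networks and the IPT/IP6T dry-run variables are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Avocent guide. Generates (or applies) a
# filter-table policy that admits SSH (22) and HTTPS (443) only from a
# management network, for iptables (IPv4) and ip6tables (IPv6).
# IPT / IP6T default to "echo ..." so the commands are printed, not run;
# set IPT=iptables IP6T=ip6tables on the device to apply them as root.
IPT="${IPT:-echo iptables}"
IP6T="${IP6T:-echo ip6tables}"

# mgmt_chain <tool> <mgmt_net> <icmp_proto>
# Builds a user-created chain MGMT and jumps to it from INPUT, using only
# -N/-F/-A/-P on the default (filter) table.
mgmt_chain() {
    tool=$1; net=$2; icmp=$3
    $tool -N MGMT                      # user-created chain (may already exist)
    $tool -F MGMT                      # start from an empty chain
    # Loopback and replies to connections the box itself opened.
    $tool -A MGMT -i lo -j ACCEPT
    $tool -A MGMT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP; on IPv6 icmpv6 must stay open or neighbour discovery breaks.
    $tool -A MGMT -p "$icmp" -j ACCEPT
    # Management services, only from the management network.
    $tool -A MGMT -p tcp -s "$net" --dport 22 -j ACCEPT
    $tool -A MGMT -p tcp -s "$net" --dport 443 -j ACCEPT
    # Everything else is counted, logged, then dropped.
    $tool -A MGMT -j LOG --log-prefix "ACS-DROP: "
    $tool -A MGMT -j DROP
    # Nothing is routed through the console server, so FORWARD is dropped
    # outright; every inbound packet goes through MGMT.
    $tool -P INPUT ACCEPT
    $tool -P FORWARD DROP
    $tool -F INPUT
    $tool -A INPUT -j MGMT
}

# console_policy <mgmt_net4> <mgmt_net6>: IPv4 and IPv6 policies together.
# No "-t nat" command is emitted: the nat table is IPv4-only and unused here.
console_policy() {
    mgmt_chain "$IPT"  "$1" icmp
    mgmt_chain "$IP6T" "$2" icmpv6
}

# Constructed sample networks for a dry run:
console_policy 192.168.0.0/24 2001:db8:0:1::/64
```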
Command
Only one command may be specified on the command line unless otherwise specified in Table 2.9.
Table 2.9: iptables Commands Options
Command Description
-A --append Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.
-D --delete Delete one or more rules from the selected chain. There are two versions of this command. The rule may be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.
-R --replace Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.
-I --insert Insert one or more rules in the selected chain as the given rule number. Thus if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.