Cisco Systems 78-16019-02 User Manual

Chapter 3 Initial Configuration
This chapter describes how to configure the Cisco ONS 15530 so it can be accessed by other devices.
About the CPU Switch Module
Using the Console Ports, NME Ports, and Auxiliary Ports
About Passwords
Configuring IP Access on the NME Interface
Configuring the Host Name
About NTP
Configuring NTP
Configuring Security Features
About CPU Switch Module Redundancy
Configuring CPU Switch Module Redundancy
About the Software Configuration Register
Changing the Software Configuration Register
About Fan Failure Shutdown
Configuring Fan Failure Shutdown

About the CPU Switch Module

The CPU switch module provides intelligence to the Cisco ONS 15530. The CPU switch module supports SNMP (Simple Network Management Protocol) and many MIBs (Management Information Bases).
The Cisco ONS 15530 uses a QED RM7000 RISC processor. It runs at 78 MHz externally and at 234 MHz internally. It has a 64-bit multiplexed address and data bus with byte parity running at 78 MHz. It has separate internal L1 instruction and data caches of 16 KB each and internal L2 combined instruction/data cache of 256 KB.
The CPU switch module also contains a 32 by 32 switch fabric that directs traffic from client cards to trunk cards. The switch fabric supports 2.5 Gbps data signals with 2R transparency.
78-16019-02, Cisco IOS Release 12.2(18)SV2
Cisco ONS 15530 Configuration Guide and Command Reference
The CPU switch module provides a slot on the front panel that accommodates a CompactFlash card. You can use the CompactFlash card for system image upgrades, FPGA image upgrades, statistics gathering, and other file system applications.
The Cisco ONS 15530 supports redundant operation with dual CPU switch modules. The CPU switch modules reside in slots 5 and 6, the sixth and seventh slots from the left as you face the chassis. For more information about redundancy, see the “About CPU Switch Module Redundancy” section on page 3-12.
For more information on the CPU switch module, refer to the Cisco ONS 15530 ESP Hardware Installation Guide.
Starting Up the Cisco ONS 15530
Before starting up the Cisco ONS 15530, you should verify the following:
The system is set for the correct AC (or DC) power voltages.
Refer to the Cisco ONS 15530 Hardware Installation Guide for correct power voltages.
The cables are connected to the system.
A console terminal is connected to the system.
Refer to the Cisco ONS 15530 Hardware Installation Guide for instructions.
When you start up the Cisco ONS 15530, the CLI (command-line interface) prompts you to enter the initial configuration dialog. Answer no to this prompt:
Would you like to enter the initial dialog? [yes]: no
You see the following user EXEC prompt:
Switch>
You can now begin configuring the CPU switch module.

Using the Console Ports, NME Ports, and Auxiliary Ports

You can configure the Cisco ONS 15530 from a direct console connection to the console port or remotely through its NME (network management Ethernet) port.
If you are using a direct console connection, configure your terminal emulation program for 9600 baud, 8 data bits, no parity, and 1 stop bit.
If you are using the NME port interface, you must assign an IP address to the interface (fastethernet 0). For interface configuration instructions, see the “Configuring IP Access on the NME Interface” section on page 3-4.
For further details on configuring ports and lines for management access, refer to the Cisco IOS Configuration Fundamentals Configuration Guide.

Modem Support

The auxiliary port of the Cisco ONS 15530 provides modem connection support. The following settings on the modem are required:
Enable auto answer mode.
Suppress result codes.
Ensure auxiliary port terminal characteristics, such as speed, stop bits, and parity, match those of the modem.
You can configure your modem by setting the DIP switches on the modem itself or by setting them through terminal equipment connected to the modem. Refer to the user manual provided with your modem for the correct configuration information.
For further details on configuring ports and modems for management access, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and the Cisco IOS Dial Services Configuration Guide: Terminal Services.

About Passwords

You can configure both an enable password and an enable secret password. For maximum security, the enable password should be different from the enable secret password.

Enable Password

The enable password is a nonencrypted password that controls access to various commands and configuration modes. It contains from 1 to 25 uppercase and lowercase alphanumeric characters. Give the enable password only to users permitted to make configuration changes to the Cisco ONS 15530.

Enable Secret Password

The enable secret password is a secure, encrypted password. On systems running Cisco IOS, you must type in the enable secret password before you can access global configuration mode. You must type in the enable secret password to access boot ROM software.
Caution: If you specify an encryption-type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.
An enable secret password contains from 1 to 25 uppercase and lowercase alphanumeric characters. The first character cannot be a number. Spaces are valid password characters. Leading spaces are ignored; trailing spaces are recognized.
You will configure passwords in the next section, Configuring IP Access on the NME Interface.

Configuring IP Access on the NME Interface

The Fast Ethernet interface, or NME, on the active CPU switch module, named fastethernet 0, is the management interface that allows multiple, simultaneous Telnet or SNMP network management sessions.
You can remotely configure the Cisco ONS 15530 through the Fast Ethernet interface, but first you must configure an IP address so that the active CPU switch module is reachable. You can configure the NME interface two ways: manually from the CLI or by copying the configuration from the BOOTP server into NVRAM.
For information on configuring the NME interface on the standby CPU switch module, fastethernet-sby 0, see the “Booting from a TFTP Server” section on page 13-6.
Note: Before you begin to manually configure an NME interface, obtain its IP address and IP subnet mask. Also make sure the console cable is connected to the console port.
To configure IP access on the NME port fastethernet 0 from the CLI, perform these steps from the console interface:
Step 1
Command: Switch> enable
         Switch#
Purpose: Enters privileged EXEC mode.
Step 2
Command: Switch# show hardware
Purpose: Verifies the installed hardware part numbers and serial numbers.
Step 3
Command: Switch# configure terminal
         Switch(config)#
Purpose: Enters global configuration mode.
Step 4
Command: Switch(config)# enable password [level level] password
Purpose: Sets the enable password. You can specify one of 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. The default level is 15 (traditional enable privileges).
Step 5
Command: Switch(config)# enable secret [level level] password
Purpose: Specifies an enable secret password. You can specify one of 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. The default level is 15 (traditional enable privileges).
Step 6
Command: Switch(config)# privilege mode {level level | reset} command-string
Purpose: Configures or resets the privilege level to allow access to a specific command.
Note: Configure the password for a privilege level defined using the privilege command with the enable secret command.
Step 7
Command: Switch(config)# interface fastethernet 0
         Switch(config-if)#
Purpose: Enters interface configuration mode on interface fastethernet 0, the NME port on the active CPU switch module.
Step 8
Command: Switch(config-if)# ip address ip-address subnet-mask
Purpose: Specifies the IP address and IP subnet mask for the management port interface.
Step 9
Command: Switch(config-if)# speed {10 | 100 | auto}
Purpose: Specifies the transmission speed. The default is auto (autonegotiation).
Step 10
Command: Switch(config-if)# duplex {auto | full | half}
Purpose: Specifies the duplex mode. The default is auto (autonegotiation).
Step 11
Command: Switch(config-if)# no shutdown
Purpose: Enables the interface.
Step 12
Command: Switch(config-if)# exit
         Switch(config)#
Purpose: Returns to global configuration mode.
Step 13
Command: Switch(config)# line vty line-number
         Switch(config-line)#
Purpose: Enters line configuration mode for virtual terminal connections. Commands entered in this mode control the operation of Telnet sessions.
Step 14
Command: Switch(config-line)# password password
Purpose: Specifies a password for Telnet sessions.
Step 15
Command: Switch(config-line)# end
         Switch#
Purpose: Returns to privileged EXEC mode.
Step 16
Command: Switch# copy system:running-config nvram:startup-config
Purpose: Saves the configuration changes to NVRAM.
The Cisco ONS 15530 NME interface should now be operating correctly.
Note: If a CPU switch module switchover occurs, you can use the same IP address to access the redundant CPU switch module after it becomes active.
Note: In a multiple shelf node configuration, perform these steps on the NME interfaces on all shelves in the node.

Displaying the NME Interface Configuration

To display the configuration of the NME interface, use the following EXEC command:
Command: show interfaces fastethernet 0
Purpose: Displays the configuration of the NME interface.
Example
Switch# show interfaces fastethernet 0
FastEthernet0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.1644.28ea (bia 0000.1644.28ea)
  Internet address is 172.20.54.152/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 3000 bits/sec, 6 packets/sec
  5 minute output rate 1000 bits/sec, 3 packets/sec
     36263 packets input, 3428728 bytes
     Received 17979 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     20363 packets output, 4279598 bytes, 0 underruns
     0 output errors, 8 collisions, 0 interface resets
     0 babbles, 0 late collision, 72 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Displaying the Operating Configurations

You can display the configuration file when you are in privileged EXEC (enable) mode.
To see the current operating configuration, enter the following command at the enable prompt:
Switch# more system:running-config
To see the configuration saved in NVRAM, enter the following command:
Switch# more nvram:startup-config
If you made changes to the configuration, but did not yet write the changes to NVRAM, the contents of the running-config file will differ from the contents of the startup-config file.
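The password, privilege, and line statements entered in this chapter appear in the output of more system:running-config, where they can be reviewed. The Python sketch below is an added example, not part of the Cisco guide: it checks a configuration text for a nonencrypted enable password, for privilege levels that lack their own enable secret, and for Telnet lines that rely on a line password alone. The sample configuration, its passwords and hashes, and the finding names are constructed for illustration.

```python
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname ONS15530
enable secret 5 $1$CONSTRUCTED$placeholderhash0000000
enable password Maint2004
privilege exec level 5 show hardware
privilege configure level 7 hostname
enable secret level 5 5 $1$CONSTRUCTED$placeholderhash1111111
interface FastEthernet0
 ip address 172.20.54.152 255.255.255.0
line vty 0 4
 password Maint2004
"""

def _level(words):
    """Privilege level of an 'enable secret|password' line (default 15)."""
    return int(words[3]) if len(words) > 3 and words[2] == "level" else 15

def audit_config(text):
    """Return sorted (code, detail) findings for one running-config text."""
    findings = set()
    secret_levels, privilege_levels = set(), set()
    aaa_enabled = vty_line_password = in_vty = False

    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():              # top-level command: new section
            in_vty = words[:2] == ["line", "vty"]
        if words[:2] == ["enable", "secret"]:
            secret_levels.add(_level(words))
        elif words[:2] == ["enable", "password"]:
            # The guide describes the enable password as nonencrypted.
            findings.add(("ENABLE_PASSWORD", f"level {_level(words)}"))
        elif words[0] == "privilege" and "level" in words[2:3]:
            privilege_levels.add(int(words[3]))
        elif words[:2] == ["aaa", "new-model"]:
            aaa_enabled = True
        elif in_vty and words[0] == "password":
            vty_line_password = True
            # Type 7 marks an already-encoded value; anything else is as typed.
            encoded = len(words) > 2 and words[1] == "7"
            if not encoded:
                findings.add(("VTY_PASSWORD_CLEARTEXT", "line vty"))

    if 15 not in secret_levels:
        findings.add(("NO_ENABLE_SECRET", "level 15"))
    # Levels created with 'privilege' need their own 'enable secret level N'.
    for lvl in sorted(privilege_levels - secret_levels):
        if lvl > 1:
            findings.add(("PRIVILEGE_LEVEL_NO_SECRET", f"level {lvl}"))
    if vty_line_password and not aaa_enabled:
        findings.add(("VTY_LINE_PASSWORD_ONLY", "aaa new-model absent"))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:28} {detail}")
```

Run it against the text saved from more system:running-config and again against more nvram:startup-config; a finding present in only one of the two also shows that the running configuration has not been written to NVRAM.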

Configuring the Host Name

In addition to passwords and an IP address, your initial configuration should include the host name to make it easier to configure and troubleshoot the Cisco ONS 15530. To configure the host name, perform the following steps:
Step 1
Command: Switch# configure terminal
         Switch(config)#
Purpose: Enters global configuration mode.
Step 2
Command: Switch(config)# hostname name
Purpose: Specifies a system name.
Step 3
Command: name(config)# end
         name#
Purpose: Returns to privileged EXEC mode. The prompt indicates that the host name has been set to the new name.
Step 4
Command: name# copy system:running-config nvram:startup-config
Purpose: Saves your configuration changes to NVRAM.
Note: The host name is also synchronized with the standby CPU switch module. The host name prompt on the standby CPU switch module appears with “sby-” as a prefix.
Example
The following example shows how to configure a new host name, beginning in privileged EXEC mode:
Switch# configure terminal
Switch(config)# hostname ONS15530
ONS15530(config)# end
ONS15530# copy system:running-config nvram:startup-config

About NTP

The NTP (Network Time Protocol) is a utility for synchronizing system clocks over the network, providing a precise time base for networked workstations and servers. In the NTP model, a hierarchy of primary and secondary servers passes timekeeping information by way of the Internet to cross-check clocks and correct errors arising from equipment or propagation failures.
An NTP server must be accessible by the client switch. NTP runs over UDP (User Datagram Protocol), which in turn runs over IP. NTP is documented in RFC 1305. All NTP communication uses UTC (Coordinated Universal Time), which is the same as Greenwich Mean Time. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of one another.
NTP uses a stratum to describe how many NTP hops away a machine is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time from a stratum 1 time server, and so on. A machine running NTP automatically chooses as its time source the machine with the lowest stratum number that it is configured to communicate with through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP has two ways to avoid synchronizing to a machine whose time might be ambiguous:
NTP never synchronizes to a machine that is not synchronized itself.
NTP compares the time reported by several machines and does not synchronize to a machine whose time is significantly different from the others, even if its stratum is lower.
The communications between machines running NTP, known as associations, are usually statically configured; each machine is given the IP address of all machines with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association.
The Cisco implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that you obtain the time service for your network from the public NTP servers available in the IP Internet. If the network is isolated from the Internet, the Cisco NTP implementation allows a machine to be configured so that it acts as though it is synchronized using NTP, when in fact it has determined the time using other means. Other machines then synchronize to that machine using NTP.
A number of manufacturers include NTP software for their host systems, and a version for systems running UNIX and its various derivatives is also publicly available. This software allows host systems to be time-synchronized as well.

Configuring NTP

NTP services are enabled on all interfaces by default. You can configure your Cisco ONS 15530 in either of the following NTP associations:
Peer association—This system either synchronizes to the other system or allows the other system to synchronize to it.
Server association—This system synchronizes to the other system, and not the other way around.
From global configuration mode, use the following procedure to configure NTP in a server association that transmits broadcast packets and periodically updates the calendar:
Step 1
Command: Switch(config)# ntp update-calendar
Purpose: Updates hardware calendar with NTP time.
Step 2
Command: Switch(config)# ntp server ip-address
Purpose: Forms a server association with another system. You can specify multiple associations.
Step 3
Command: Switch(config)# end
         Switch#
Purpose: Returns to privileged EXEC mode.
Step 4
Command: Switch# copy system:running-config nvram:startup-config
Purpose: Saves your configuration changes to NVRAM.
For information on other optional NTP configurations, see the Cisco IOS Configuration Fundamentals Configuration Guide.

Displaying the NTP Configuration

To view the current NTP configuration and status, use the following EXEC command:
Command: show ntp status
Purpose: Displays the NTP status.
Example
The following example shows the NTP configuration and status:
Switch# show ntp status
Clock is synchronized, stratum 4, reference is 198.92.30.32
nominal freq is 250.0000 Hz, actual freq is 249.9999 Hz, precision is 2**24
reference time is B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
clock offset is 7.7674 msec, root delay is 113.39 msec
root dispersion is 386.72 msec, peer dispersion is 1.57 msec
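
Added example, not part of the Cisco guide: a Python parser for the show ntp status output shown above that decodes the hexadecimal reference time (a 64-bit NTP timestamp counted from 1 January 1900) and flags an unsynchronized or drifting clock, since accounting records, log correlation, and Kerberos all depend on correct time. The alert thresholds and message strings are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Output quoted from the example in this section.
SAMPLE_STATUS = """\
Clock is synchronized, stratum 4, reference is 198.92.30.32
nominal freq is 250.0000 Hz, actual freq is 249.9999 Hz, precision is 2**24
reference time is B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
clock offset is 7.7674 msec, root delay is 113.39 msec
root dispersion is 386.72 msec, peer dispersion is 1.57 msec
"""

def decode_ntp_timestamp(hex_ts):
    """Convert 'SSSSSSSS.FFFFFFFF' (seconds.fraction since 1900) to UTC."""
    sec_hex, frac_hex = hex_ts.split(".")
    fraction = int(frac_hex, 16) / 2**32
    return NTP_EPOCH + timedelta(seconds=int(sec_hex, 16),
                                 microseconds=int(fraction * 1_000_000))

def parse_ntp_status(text):
    """Extract the fields used for health checks from 'show ntp status'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "synchronized": "Clock is synchronized" in text,
        "stratum": grab(r"stratum (\d+)", int),
        "reference": grab(r"reference is (\S+)"),
        "reference_time": grab(
            r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})",
            decode_ntp_timestamp),
        "offset_ms": grab(r"clock offset is (-?[\d.]+) msec", float),
    }

def check_ntp(status, now, max_offset_ms=100.0, max_stratum=8,
              max_age=timedelta(hours=1)):
    """Return a list of alert strings; thresholds are example assumptions."""
    alerts = []
    if not status["synchronized"]:
        alerts.append("clock not synchronized")
    if status["stratum"] is None or status["stratum"] > max_stratum:
        alerts.append("stratum missing or too high")
    offset = status["offset_ms"]
    if offset is not None and abs(offset) > max_offset_ms:
        alerts.append("clock offset too large")
    ref = status["reference_time"]
    if ref is not None and now - ref > max_age:
        alerts.append("reference time is stale")
    return alerts

if __name__ == "__main__":
    status = parse_ntp_status(SAMPLE_STATUS)
    print(status["reference_time"].isoformat())
    print(check_ntp(status, datetime(1997, 2, 27, 18, 30, tzinfo=timezone.utc)))
```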

Configuring Security Features

The Cisco ONS 15530 supports the following Cisco IOS software security features:
AAA (authentication, authorization, and accounting)
Kerberos
RADIUS
TACACS+
Traffic filters and firewalls
Passwords and privileges

Configuring AAA

This section describes the AAA features supported by the Cisco ONS 15530.

Configuring Authentication

To configure AAA authentication, perform the following tasks:
Step 1 Enable AAA by using the aaa new-model global configuration command.
Step 2 Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server. Refer to the “Configuring RADIUS” chapter, the “Configuring TACACS+” chapter, or the “Configuring Kerberos” chapter in the Cisco IOS Security Configuration Guide.
Step 3 Define the method lists for authentication by using an AAA authentication command.
Step 4 Apply the method lists to a particular interface or line, if required.
Refer to the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.

Configuring Authorization

The AAA authorization feature enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user is granted access to a requested service only if the information in the user profile allows it.
Refer to the “Configuring Authorization” chapter in the Cisco IOS Security Configuration Guide.

Configuring Accounting

The AAA accounting feature enables you to track the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, and auditing.
Refer to the “Configuring Accounting” chapter in the Cisco IOS Security Configuration Guide.

Configuring Kerberos

For hosts and the KDC in your Kerberos realm to communicate and mutually authenticate, you must identify them to each other. To do this, you add entries for the hosts to the Kerberos database on the KDC and add SRVTAB files generated by the KDC to all hosts in the Kerberos realm. You also make entries for users in the KDC database.
Refer to the “Configuring Kerberos” chapter in the Cisco IOS Security Configuration Guide.

Configuring RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on ATM switch router systems and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available.
To configure RADIUS on your Cisco router or access server, perform the following tasks:
Step 1 Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use RADIUS. Refer to the “AAA Overview” chapter in the Cisco IOS Security Configuration Guide.
Step 2 Use the aaa authentication global configuration command to define method lists for RADIUS authentication. Refer to the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.
Step 3 Use line and interface commands to enable the defined method lists to be used. Refer to the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide.
The following configuration tasks are optional:
You may use the aaa group server command to group selected RADIUS hosts for specific services.
You may use the aaa dnis map command to select RADIUS server groups based on DNIS number. To use this command, you must define RADIUS server groups using the aaa group server command.
You may use the aaa authorization global command to authorize specific user functions. Refer to the “Configuring Authorization” chapter in the Cisco IOS Security Configuration Guide.
You may use the aaa accounting command to enable accounting for RADIUS connections. Refer to the “Configuring Accounting” chapter in the Cisco IOS Security Configuration Guide.
You may use the dialer aaa interface configuration command to create remote site profiles that contain outgoing call attributes on the AAA server.
Refer to the “Configuring RADIUS” chapter in the Cisco IOS Security Configuration Guide.