Introduction
Network management functions allow for remote management of a network device. The S-Series supports the following network management functions:
- Telnet
- HTTP
- SSH
- HTTPS
- SNMP
To connect to the S50 using any of these protocols, an IP address must be assigned. This address typically is referred to as the management IP address.
By default, the S50 uses VLAN 1 as the management VLAN, and all ports are untagged members of VLAN 1. As a best practice, exclude the management VLAN from all ports other than the port(s) to be used as the management interface(s). In the following example, interface 1/0/1 is configured as the management port.
Note: Because all ports, including the management port, are in VLAN 1 by default, switch performance can be affected drastically by any flooding on that VLAN. To avoid this situation, use another VLAN number as the management VLAN, or make the ports that do not need to be part of the management VLAN untagged members of some other VLAN.
The commands for configuring a VLAN and the management IP address vary with the SFTOS version. Consult the following table to determine the commands for your version of SFTOS. See also How Do I Assign an IP Address to Manage the S50? and the SFTOS Command Reference for further details on command usage.
SFTOS Version 2.3.1 and later:
Force10 S50 #config
Force10 S50 (Config)#interface managementethernet
Force10 S50 (Config-if-ma)#ip address 10.16.128.183 255.255.255.0
Force10 S50 (Config-if-ma)#vlan participation 30
Force10 S50 (Config-if-ma)#exit
Force10 S50 (Config)#management route default 10.16.128.201
Force10 S50 (Config)#interface vlan 30
!-- Using VLAN 30 as the management VLAN and
!-- interface 1/0/1 as the management interface.
Force10 S50 (Conf-if-vl-30)#untagged 1/0/1
Force10 S50 (Conf-if-vl-30)#exit
Force10 S50 (Config)#interface 1/0/1
Force10 S50 (Interface 1/0/1)#no shutdown
Force10 S50 (Interface 1/0/1)#exit
Force10 S50 (Config)#exit

SFTOS Version 2.2.1 and earlier:
(Force10 S50) #network parms 10.16.128.183 255.255.255.0 10.16.128.201
(Force10 S50) #vlan database
(Force10 S50) #vlan 30
(Force10 S50) #exit
(Force10 S50) #network mgmt_vlan 30
(Force10 S50) #show network
IP Address....................... 10.16.128.183
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.16.128.201
Management VLAN ID............... 30
Force10 S50 (Config)#vlan participation all exclude 1
Force10 S50 (Config)#interface 1/0/1
Force10 S50 (Interface 1/0/1)#vlan participation include 30
Force10 S50 (Interface 1/0/1)#vlan pvid 30
Force10 S50 (Interface 1/0/1)#no shutdown
Force10 S50 (Interface 1/0/1)#
(Force10 S50) #show vlan 30
1/0/1 Include Include Untagged
As of SFTOS Version 2.3.1, use the show logging traplogs command to view the syslog message indicating that the management interface is up.
<5> JAN 01 05:53:40 10.16.128.183-1 TRAPMGR[244246016]: traputil.c(689) 513 % Link Up: Unit: 1 Slot: 0 Port:
Note: In previous versions, use the show msglog command to display the message log maintained by the switch, including system trace information.
Telnet
Before configuring Telnet access, ensure that you can ping the management IP address. Then, enable the S50 to accept incoming Telnet connections. All communication between the management server and the managed S50 through Telnet is unencrypted (in clear text). As of SFTOS Version 2.3.1, execute the command to enable Telnet in Global Config mode:
S50 (Config)#ip telnet server enable
Note: In earlier SFTOS versions, this command is issued from Privileged Exec mode.
SFTOS supports the following additional configuration and show commands for Telnet:
- show loginsession command: View the active Telnet sessions.
Force10 S50 #show loginsession
ID User Name Connection From Idle Time Session Time Session Type
--- --------------- --------------- ------------ ------------ ------------
*00 admin EIA-232 00:00:00 00:05:21 Serial Port
01 admin 10.16.128.201 00:00:36 00:00:38 Telnet
- show telnet command: Display the configured maximum number of allowed Telnet users and the Telnet session timeout. (Although the CLI help string shows that up to 10 Telnet sessions can be configured, a maximum of 5 sessions are supported on the S50.)
Force10 S50 #show telnet
Outbound Telnet Login Timeout (minutes)........ 5
Maximum Number of Outbound Telnet Sessions..... 5
Allow New Outbound Telnet Sessions............. Yes
- ip telnet maxsessions command: Set the maximum number of allowed Telnet users.
- ip telnet timeout command (use telnetcon timeout in versions of SFTOS before SFTOS 2.3): Set the session timeout. A value of 160 indicates a Telnet session will time out after 160 minutes. A value of 0 indicates no timeout.
Accessing the S50 via Telnet prompts the system to generate a multi-user trap, which displays on the console if the logging console command is configured and also can be seen in the output of the show logging traplogs command.
Force10 S50 #
<5> JAN 01 09:24:46 10.16.128.4-1 TRAPMGR[241206472]: traputil.c(689) 132 % Multiple Users: Unit: 0 Slot: 3 Port: 1
Force10 S50 #show logging traplogs
Number of Traps Since Last Reset............... 1
Trap Log Capacity.............................. 256
Number of Traps Since Log Last Viewed.......... 1
Log System Up Time Trap
--- ------------------------ -------------------------------------------------
0 0 days 09:24:46 Multiple Users: Unit: 0 Slot: 3 Port: 1
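A defender's check over the two outputs shown above, added here as an example that is not part of the original article: it parses the show loginsession and show telnet formats (the sample text is constructed in the same layout) and flags clear-text Telnet sessions and a timeout of 0, which the text says means sessions never expire.

```python
import re

# Constructed sample output in the layout of the S50 "show loginsession"
# and "show telnet" commands; the asterisk marks the session issuing the command.
LOGINSESSION_OUTPUT = """\
ID   User Name        Connection From   Idle Time     Session Time  Session Type
---  ---------------  ---------------   ------------  ------------  ------------
*00  admin            EIA-232           00:00:00      00:05:21      Serial Port
01   admin            10.16.128.201     00:00:36      00:00:38      Telnet
02   tacuser          10.16.128.201     00:00:00      00:00:18      SSH
"""

TELNET_OUTPUT = """\
Outbound Telnet Login Timeout (minutes)........ 0
Maximum Number of Outbound Telnet Sessions..... 5
Allow New Outbound Telnet Sessions............. Yes
"""

# id, user, source, idle, session time, session type (may contain a space)
SESSION_RE = re.compile(r"^\*?(\d{2})\s+(\S+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(\d\d:\d\d:\d\d)\s+(.+?)\s*$")

def parse_sessions(text):
    """Return one dict per session row; the header and separator lines do not match."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sid, user, src, idle, total, stype = m.groups()
            sessions.append({"id": sid, "user": user, "from": src, "idle": idle,
                             "type": stype, "current": line.startswith("*")})
    return sessions

def parse_telnet_settings(text):
    """Parse 'Label.... value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition("....")  # split on the dotted leader
        if sep:
            value = value.lstrip(". ").strip()
            settings[label.strip()] = int(value) if value.isdigit() else value
    return settings

def audit_telnet(session_text, telnet_text):
    """Findings worth raising: clear-text sessions and a disabled session timeout."""
    findings = []
    for s in parse_sessions(session_text):
        if s["type"] == "Telnet":
            findings.append(f"clear-text Telnet session {s['id']} for {s['user']} from {s['from']}")
    settings = parse_telnet_settings(telnet_text)
    if settings.get("Outbound Telnet Login Timeout (minutes)") == 0:
        findings.append("Telnet session timeout is 0 (sessions never time out)")
    return findings
```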
SSH
If communication between the management station and the S50 must be encrypted, use SSH instead of Telnet. To enable SSH, you must download three keys (rsa1, rsa2 and dsa) into the S50, as demonstrated below. The keys are available from https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
After downloading the keys, enable the SSH server function on the S50 with the ip ssh server enable command.
Force10 S50 #copy tftp://10.16.128.201/rsa1.key nvram:sshkey-rsa1
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. rsa1.key
Data Type...................................... SSH RSA1 key
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSH key receive complete... updating key file...
Key file transfer operation completed successfully
Force10 S50 #
Force10 S50 #copy tftp://10.16.128.201/rsa2.key nvram:sshkey-rsa2
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. rsa2.key
Data Type...................................... SSH RSA2 key
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSH key receive complete... updating key file...
Key file transfer operation completed successfully
Force10 S50 #
Force10 S50 #copy tftp://10.16.128.201/dsa.key nvram:sshkey-dsa
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. dsa.key
Data Type...................................... SSH DSA key
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSH key receive complete... updating key file...
Key file transfer operation completed successfully
Force10 S50 #
Force10 S50 (Config)#ip ssh server enable
Note: In SFTOS Version 2.3.1, this command was moved from Privileged Exec mode to Global Config mode.
Use the show logging command in SFTOS Version 2.3.1 and later and the show msglog command in SFTOS Version 2.2.1 and earlier to display system messages confirming that the SSH keys have been loaded successfully onto the S50.
<6> JAN 01 05:04:16 10.16.128.183-1 UNKN[207121192]: sshd_control.c(451) 501 % SSHD: sshdListenTask started
<6> JAN 01 05:04:16 10.16.128.183-1 UNKN[152455280]: sshd_main.c(596) 502 % SSHD: successfully opened file ssh_host_dsa_key
<6> JAN 01 05:04:16 10.16.128.183-1 UNKN[152455280]: sshd_main.c(609) 503 % SSHD: successfully loaded DSA key
<6> JAN 01 05:04:16 10.16.128.183-1 UNKN[152455280]: sshd_main.c(631) 504 % SSHD: successfully opened file ssh_host_rsa_key
<6> JAN 01 05:04:16 10.16.128.183-1 UNKN[152455280]: sshd_main.c(643) 505 % SSHD: successfully loaded RSA2 key
<6> JAN 01 05:04:18 10.16.128.183-1 UNKN[152455280]: sshd_main.c(353) 506 % SSHD: Done generating server key
The following example output illustrates how to SSH to the S50 from a Linux workstation.
# ssh -l tacuser 10.16.128.183
The authenticity of host '10.16.128.183 (10.16.128.183)' can't be established.
RSA key fingerprint is c2:81:7c:92:29:6d:db:58:54:c4:7e:11:78:70:db:38.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '10.16.128.183' (RSA) to the list of known hosts.
tacuser@10.16.128.183's password:
SSH and SSL keys are available from the Force10 iSupport Web site by downloading the SSH and SSL on the S50 file. This file includes a set of keys and a program to generate your own SSH/SSL keys.
Force10 S50 #show loginsession
ID User Name Connection From Idle Time Session Time Session Type
--- --------------- --------------- ------------ ------------ ------------
00 admin EIA-232 00:00:13 00:00:27 Serial Port
*01 tacuser 10.16.128.201 00:00:00 00:00:18 SSH
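As an added example (not from the article or from Force10), the following shows how the RSA key fingerprint printed on first connection is derived, so it can be compared with the public half of the RSA2 key loaded as nvram:sshkey-rsa2 before answering yes. It assumes that public key is available in OpenSSH "ssh-rsa AAAA..." form; the demo key is a constructed, undersized modulus for illustration only.

```python
import base64
import hashlib
import re
import struct

def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)

def rsa_public_blob(e, n):
    """Wire-format ssh-rsa public key blob: the bytes OpenSSH hashes for a fingerprint."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob):
    """Legacy colon-separated MD5 form, as printed in the ssh prompt above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob):
    """Modern OpenSSH form: SHA256:<unpadded base64>."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")

def fingerprint_of_pubkey_line(line):
    """Both fingerprints of the key in an OpenSSH 'ssh-rsa <base64> [comment]' line."""
    blob = base64.b64decode(line.split()[1])
    return md5_fingerprint(blob), sha256_fingerprint(blob)

PROMPT_RE = re.compile(r"RSA key fingerprint is ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\.")

def prompt_matches_key(prompt_line, pubkey_line):
    """True only if the fingerprint ssh printed equals that of the key you loaded on the switch."""
    m = PROMPT_RE.search(prompt_line)
    return bool(m) and m.group(1) == fingerprint_of_pubkey_line(pubkey_line)[0]

# Constructed demo key (tiny modulus, for illustration only; not a usable RSA key).
DEMO_E, DEMO_N = 65537, 0xC0FFEE1234567890ABCDEF
DEMO_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(rsa_public_blob(DEMO_E, DEMO_N)).decode() + " s50-demo"
```

With a real key, ssh-keygen -l -E md5 -f key.pub prints the same colon form and is the quicker check; the code above shows what that fingerprint is a hash of.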
Once you have confirmed that SSH is working correctly, disable Telnet on the S50.
Force10 S50 (Config)#no ip telnet server enable
Note: If you are using SFTOS Version 2.2.1 or earlier, disable Telnet on the S50 in Privileged Exec mode.
HTTPS
To enable secure HTTP (HTTPS), the S50 must have security certificates. You can generate these certificates from the downloadable, pre-configured scripts which are bundled with the SSH and SSL keys in the SSH and SSL on the S50 file. First download the certificates from the TFTP server, and then enable the S50's HTTP secure-server functions.
The first two downloads are the Diffie-Hellman strong (dh1024.pem) and weak (dh512.pem) keys.
Force10 S50 #copy tftp://10.16.128.201/dh1024.pem nvram:sslpem-dhstrong
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. dh1024.pem
Data Type...................................... SSL DH strong
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSL certificate receive complete... updating certificate file...
Certificate file transfer operation completed successfully
Force10 S50 #copy tftp://10.16.128.201/dh512.pem nvram:sslpem-dhweak
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. dh512.pem
Data Type...................................... SSL DH weak
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSL certificate receive complete... updating certificate file...
Certificate file transfer operation completed successfully
Force10 S50 #copy tftp://10.16.128.201/server.pem nvram:sslpem-server
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. server.pem
Data Type...................................... SSL Server cert
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSL certificate receive complete... updating certificate file...
Certificate file transfer operation completed successfully
Force10 S50 #copy tftp://10.16.128.201/rootcert.pem nvram:sslpem-root
Mode........................................... TFTP
Set TFTP Server IP............................. 10.16.128.201
TFTP Path......................................
TFTP Filename.................................. rootcert.pem
Data Type...................................... SSL Root cert
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
TFTP SSL certificate receive complete... updating certificate file...
Certificate file transfer operation completed successfully
Once all the certificate files have been downloaded into the S50, enable HTTPS with the following command:
Force10 S50 (Config)#ip http secure-server enable
Force10 S50 (Config)#
<6> JAN 01 06:15:30 10.16.128.183-1 UNKN[152388600]: sslt_util.c(321) 519 % SSLT: Successfully loaded all required SSL PEM files
Finally, disable the HTTP server with the following command:
Force10 S50 (Config)#no ip http server enable
!-- Execute this command from Privileged Exec mode in SFTOS Version 2.2.1 and earlier.
Use the show ip http command to confirm your changes.
Force10 S50 #show ip http
Java Mode: Disabled
HTTP Mode (Unsecure): Disabled
HTTP Mode (Secure): Enabled
Secure Port: 443
Secure Protocol Level(s): TLS1 SSL3
SNMP
To enable SNMP on the S50, define community names using the following commands:
Force10 S50 (Config)#snmp-server community public
Force10 S50 (Config)#snmp-server community private
Force10 S50 (Config)#snmp-server community rw private
If connectivity exists between the management station and the S50, you will be able to poll the S50 with SNMP. The following example output shows how to poll the S50 from a Linux workstation.
$ snmpwalk -v 2c -c public 10.16.128.183 1.3.6.1.2.1.2.2.1.6.1
IF-MIB::ifPhysAddress.1 = STRING: 0:1:e8:d5:bc:f0
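An added configuration audit (not part of the article) over the enable commands and SNMP community lines used above, as they would appear in the switch configuration: it reports what remains before the article's end state (Telnet and HTTP disabled, SSH and HTTPS enabled) and flags the well-known community names public and private and any community with write access. The sample configuration text and the 'ro' keyword accepted by the parser are assumptions.

```python
import re

# Constructed sample: the management commands from this article as entered in
# Global Config mode, before the Telnet and HTTP servers are disabled.
SAMPLE_CONFIG = """\
ip telnet server enable
ip ssh server enable
ip http server enable
ip http secure-server enable
snmp-server community public
snmp-server community private
snmp-server community rw private
"""

# Community names that every scanner and default-credential list tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private"}
# Keyword placement taken from the 'snmp-server community rw private' form above; 'ro' is assumed.
COMMUNITY_RE = re.compile(r"^snmp-server community (?:(rw|ro) )?(\S+)$")

def parse_config(text):
    """Return the set of enabled 'ip ... enable' services and a community -> access map."""
    enabled, communities = set(), {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("no ip ") and line.endswith(" enable"):
            enabled.discard(line[len("no ip "):-len(" enable")])   # e.g. "telnet server"
        elif line.startswith("ip ") and line.endswith(" enable"):
            enabled.add(line[len("ip "):-len(" enable")])
        m = COMMUNITY_RE.match(line)
        if m:
            access, name = m.groups()
            communities[name] = access or communities.get(name, "ro")  # later rw line upgrades access
    return enabled, communities

def audit_management(text):
    """Findings, in configuration order, that the hardening steps in this article address."""
    enabled, communities = parse_config(text)
    findings = []
    if "telnet server" in enabled:
        findings.append("Telnet server enabled: clear-text management; disable once SSH works")
    if "ssh server" not in enabled:
        findings.append("SSH server not enabled")
    if "http server" in enabled:
        findings.append("unsecured HTTP server enabled; disable once HTTPS works")
    if "http secure-server" not in enabled:
        findings.append("HTTPS server not enabled")
    for name, access in communities.items():
        if name in WELL_KNOWN_COMMUNITIES:
            findings.append(f"SNMP community '{name}' is a well-known default name")
        if access == "rw":
            findings.append(f"SNMP community '{name}' grants write access")
    return findings
```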
Information to Collect if You Open a TAC Case
To request further assistance from Force10 Networks on enabling network management functions on the S50, please use the Create Service Request form on the iSupport page and include the following information if available:
- Console captures showing the steps taken
- Output from the show tech-support command to capture the installed hardware and the SFTOS version
- Network diagrams or other descriptions of the network design, including VLAN configurations and IP address ranges