System management

The 7705 SAR-Hm series of routers supports system management parameters as covered in the following topics:

Security

For general information about system security support, see the following topics in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, "Security":

  • Authentication, authorization, and accounting

    • Authentication

      • Local authentication

      • RADIUS authentication

      • TACACS+ authentication

    • Authorization

      • Local authorization

      • RADIUS authorization

      • TACACS+ authorization

    • Security controls

  • RADIUS VSAs

  • TACACS+ services and VSAs

  • Control and management traffic protection

    • TTL security

    • Management Access Filter

  • Other security features

    • SSH

      • SSH PKI authentication

      • MAC client and server list

      • KEX client and server list

      • Host key algorithm list
      • Regenerate the SSH key without disabling SSH

    • Exponential login backoff

    • User lockout

    • CLI login scripts

    • File access controls

    • 802.1x network access control

    • TCP enhanced authentication option

  • Configuring security with CLI
Note: On the 7705 SAR-Hm and 7705 SAR-Hmc, 802.1x network access control is supported only WLAN interface access points.

For descriptions of security commands, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide and the 7450 ESS, 7750 SR, 7950 XRS, and VSR Clear, Monitor, Show, and Tools CLI Command Reference Guide.

SNMP

For general information about SNMP support, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, "SNMP".

Event logs

For general information about event log support, see the following topics in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, "Event and accounting logs":

  • Logging overview

  • Log destinations

    • Console

    • Session

    • CLI logs

    • Memory logs

    • Log and accounting files

      • Log file encryption
    • SNMP trap group

    • Syslog

  • Event logs

  • Configuration notes

  • Configuring logging with CLI

Public key infrastructure

For general information about public key support, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, "Public key infrastructure".

TLS

For general information about TLS support, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, "TLS".

In-band management over LTE

The 7705 SAR-Hm series of routers supports the following modes of operation over a cellular network:

  • static cellular system IPv4 mode

  • static cellular interface IPv4 mode or IPv6 mode

  • dynamic cellular interface IPv4 mode or IPv6 mode

The way in which the node is managed depends on which mode of operation is in use. See Services over the cellular PDN interface for more information about the modes of operation.

When a cellular port on the node is operating in static cellular system IP mode, the system IP address is identical to the cellular IP address assigned during the initial PDN attachment process. To manage the node in this mode, the NSP NFM-P or other network management platform reaches the node without using the system IP address directly over the cellular network. This is the only mode that does not require a pre-established in-band management service to manage the node.

When a cellular port on the node is operating in static cellular interface IP mode or dynamic cellular interface IP mode, the NSP NFM-P or other network management platform can only reach the node through an in-band management VPRN service. For these modes of operation, the system IP address used to manage the node is private and differs from the cellular port IP address assigned when connecting to the cellular network. The system IP address must be advertised from the 7705 SAR-Hm series node to the head-end node by the in-band management VPRN service. Routing in the private IP/MPLS network past the head-end node must allow management traffic to reach the head-end node which will then send the management traffic over the VPRN to the node being managed.

The NSP NFM-P automatically configures the required in-band management VPRN service during the ADP-Hm process; see ADP-Hm for more information.

On the 7705 SAR-Hm series nodes, there are two methods for enabling in-band management over a VPRN service:

  • performing a Global Routing Table (GRT) lookup and VPRN-to-GRT route leaking

  • using port cross-connect

GRT lookup and VPRN-to-GRT route leaking

GRT lookup and VPRN-to-GRT route leaking shows the GRT lookup and VPRN-to-GRT route leaking option for in-band management over a VPRN on the 7705 SAR-Hm.

Figure 1. GRT lookup and VPRN-to-GRT route leaking

In-band management using the GRT lookup and VPRN-to-GRT route leaking option is enabled by configuring the following elements:

  • A base router policy statement that includes a prefix list used to leak VPRN reachable addresses to the GRT. This prefix list includes the NSP NFM-P addresses and the management loopback interface that allows the CPM to respond to management queries or commands from the NSP NFM-P.

  • A management loopback interface configured under the VPRN to allow the CPM to respond to management queries from the NSP NFM-P.

  • A static route from the VPRN to the GRT for the system IP address of the node

  • Enable a GRT lookup from the VPRN to the GRT so that management traffic received over the VPRN from the NSP NFM-P to the 7705 SAR-Hm series node can reach the CPM. This uses the grt-lookup, enable-grt, and allow-local-management CLI commands in the config>service>vprn context. For descriptions of these commands, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

  • A VPRN-to-GRT route leak that populates the GRT routing table with addresses that are reachable by the VPRN, using the export-grt command. For a description of this command, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide. The reachable addresses include those for the NSP NFM-P and the local management loopback interface that allows responses from the CPM to return to the corresponding VPRN.

The following CLI output shows a configuration example of in-band management using GRT lookup and VPRN-to-GRT route leaking, based on GRT lookup and VPRN-to-GRT route leaking.

#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
        policy-options
            begin
            prefix-list "NSP"
                prefix 1.1.1.1/24 exact
                prefix 2.2.2.2/24 exact
                prefix 192.168.255.0/32 exact
            exit
            policy-statement "NSP-leak"
                entry 10
                    from
                        prefix-list "NSP"
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 name "1" create
            description "Default customer"
        exit
        vprn 1 name "1" customer 1 create
            interface "NSP" create
            exit
        exit
        vprn 1 name "1" customer 1 create
            route-distinguisher 65650:1
            auto-bind-tunnel
                resolution-filter
                    gre
                exit
                resolution filter
            exit
            vrf-target target:65650:1
            interface "Mgmnt-interface" create
                address 192.168.255.0/32
                loopback
            exit
            static-route-entry 10.10.10.1/32
                grt
                    no shutdown
                exit
            exit
            grt-lookup
                enable-grt
                    allow-local-management
                exit
                export-grt "NSP-leak"
            exit
            no shutdown
        exit
    exit

Port cross-connect (PXC)

For information about PXC, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR Interface Configuration Guide, "Port Cross-connect".

In-band management using a VPRN service and PXC shows an example of the operation of in-band management using a VPRN and PXC.

Figure 2. In-band management using a VPRN service and PXC

The following CLI example shows the configuration of the PXC based on the example shown in In-band management using a VPRN service and PXC.

Example:
A:DUT>config>port 1/2/6 shutdown
A:DUT>config>port-xc
A:DUT>config>port-xc# pxc 1 create
A:DUT>config>port-xc>pxc# port 1/2/6
A:DUT>config>port-xc>pxc# no shutdown
A:DUT>config>port-xc>pxc# exit all
A:DUT>>configure
A:DUT>>config# port pxc-1.a no shutdown
A:DUT>>config# port pxc-1.b no shutdown
A:DUT>>config# port 1/2/6 no shutdown

To ensure management traffic from the CPM can reach the NSP NFM-P over the VPRN, an interface in the Global Routing Table (GRT) is configured on one of the PXC ports. In the example shown in In-band management using a VPRN service and PXC, the GRT PXC port is port pxc-1.b. This port is looped internally together with PXC port pxc-1.a, the SAP of the in-band management VPRN. A router interface is required on port pxc-1.b:1 (VLAN 1) and used to route management traffic from the CPM toward the in-band management VPRN. A static route is configured in the GRT for the NSP NFM-P address, 1.1.1.1, with a next hop of the VPRN SAP, or port pxc-1.a:1. The following CLI output shows configuration examples in the GRT.

*A:DUT>config>service>vprn# info
----------------------------------------------
    interface "pxc"
        address 192.168.255.0/31
        port pxc-1.b:1
        no shutdown
    exit
...
    static-route-entry 1.1.1.1/24
        next-hop 192.168.255.1
            no shutdown
        exit
    exit
...
----------------------------------------------
*A:DUT>config>router#

A SAP interface on the other PXC port is required by the in-band management VPRN to route management traffic toward the CPM. A static route is configured in the VPRN for the CPM system IP address 10.10.10.1, with a next hop of the GRT interface port pxc-1.b:1. The following CLI output shows configuration examples for the VPRN.

*A:ALU-1>config>service# info
----------------------------------------------
...
    vprn 1 customer 1 create
        autonomous-system 65200
        route-distinguisher 65200:1
        auto-bind-tunnel
            resolution-filter
                gre
                exit
            exit
        vrf-target target:65200:1
        interface "pxc" create
                address 192.168.255.1/31
                sap pxc-1.a:1 create
                exit
        exit
        static-route-entry 10.10.10.1/32 next-hop 192.168.255.0
        no shutdown
    exit
...