Performing Basic Configuration

This chapter covers the following topics:

Introduction

Setting the system date

Setting the log level

Configuring the shelf-controller IP address

Configuring a default gateway

Configuring basic DNS information

Pinging the MAX TNT from a local host

Recommended basic security measures

Where to go next

Introduction

Table 3-1 lists the sections describing the tasks you should perform for the MAX TNT basic configuration. The table includes a brief description of each task and lists the commands and parameters you will use.

For information about more advanced configuration of your MAX TNT, refer to MAX TNT Network Configuration Guide.
Table 3-1. Basic MAX TNT configuration tasks

Task

Description

Related commands or parameters

Setting the system date.

Specify the date and time for the MAX TNT system clock.

Date

Setting the system name.

Specify the name of the MAX TNT. This name is used for authentication.

System profile > Name

Setting the log level.

Specify the level of event information the MAX TNT displays at the console.

Log profile > Save-level

Configuring the shelf-controller IP address

Typically, the shelf-controller IP address that you specify is used as the IP address for the MAX TNT system as a whole.

IP-Interface profile > IP-address

Configuring a default gateway

Designate a default gateway so that the MAX TNT can forward packets for which it has no route.

IP-Route > gateway-address

Configuring basic DNS information.

Specify a Domain Name System (DNS) server so that you can use names instead of IP addresses to reach IP hosts.

IP-global profile > Domain-name
IP-global profile > DNS-primary-server
IP-global profile > DNS-secondary-server

Pinging the MAX TNT from a local host.

After configuring the MAX TNT with its basic settings, you can use Ping to verify that it is communicating on the network.

Ping

Recommended basic security measures

Before making the MAX TNT accessible to users, you should configure some basic security on the unit.

User > Password
Serial > Auto-Logout
Serial > User
IP-global profile > Must-Accept-Address-Assign
IP-global profile >Ignore-ICMP-Redirects
SNMP profile

Setting the system date

If the system date displayed on your screen is incorrect, set the correct date and time with the Date command. For example, to set the date and time to October 22, 1997, 8:50 in the morning:

admin> date 9710220850

The format for setting the date and time is:

Enter the hour in military (24-hour) time.

Setting the system name

You can assign the MAX TNT a system name of up to 24 characters. Because the system name is used for authenticating connections, you should probably keep it relatively simple and use only standard characters.

Here is an example of how to set the MAX TNT system name:

admin> read system
SYSTEM read
admin> list
name = ""
system-rmt-mgmt = no
use-trunk-groups = no
idle-logout = 0
parallel-dialing = 5
single-file-incoming = yes
admin> set name = tnt01
admin> write

Setting the log level

While you are configuring the MAX TNT, you might want to increase the log level to display messages that are of interest only when debugging configuration settings. First display the current settings, then enter a new one.

To display the system-wide event-logging parameters, use the Read and List commands:

admin> read log
LOG read
admin> list
save-level = info
save-number = 100
syslog-enabled = no
host = 0.0.0.0
facility = local0

To change the log level, specify an option for the Save-Level parameter:

admin> set save-level = [none|emergency|alert|critical|error|warning|notice|info|debug]
admin> write

(If your local network supports a Syslog server, you can configure the server's IP address and the syslog facility number by setting the Host and Facility parameters in this profile.)

Configuring the shelf-controller IP address

All MAX TNT systems have an Ethernet port on the shelf-controller. This Ethernet port is designed for out-of-band management and light traffic loads. It is not intended to be the primary Ethernet interface for the system. If your MAX TNT will be routing heavy Ethernet traffic use an Ethernet card.

To assign an IP address to the Ethernet interface of the MAX TNT shelf controller, use the Read and List commands to display the shelf's IP-Interface profile, and then set the IP-Address parameter. For example:

admin> read ip-interface {{1 controller 1 } 0 }
IP-INTERFACE/{ { shelf-1 controller 1 } 0 } read
admin> list
interface-address* = { { shelf-1 controller 1 } 0 }
ip-address = 0.0.0.0/0
2nd-ip-address = 0.0.0.0/0
rip-mode = routing-off
ignore-def-route = no
proxy-mode = off
rarp-enabled = no
[More? <ret>=next entry, <sp>=next page, <^C>=abort]
admin> set ip-address = 10.2.3.4/24
admin> write

After you assign the MAX TNT host name and IP address, you might need to modify the host information on your local DNS server to include the MAX TNT.

Configuring a default gateway

If the MAX TNT does not have a route for the destination address of a packet, it forwards the packet to the default router. Most sites use the default router (such as a GRF router or a UNIX host running the route daemon) to distribute routing tasks among devices. If you do not configure a default route, the MAX TNT drops packets for which it has no route.

You configure the default route in the IP-Route profile. The name of the default IP-Route profile is always Default, and its destination is always 0.0.0.0.

To configure the default route, first Read and List the default IP-Route profile, then set the Gateway-Address parameter. For example:

admin> read ip-route default
IP-ROUTE/default read
admin> list
name* = default
dest-address = 0.0.0.0/0
gateway-address = 0.0.0.0
metric =1
cost =1
preference = 100
third-party = no
ase-type = type-1
ase-tag = c0:00:00:00
private-route = no
active-route = no
admin> set gateway-address = 10.2.3.17
admin> set active-route=yes
admin> write
IP-ROUTE/default written

Configuring basic DNS information

The example in this section uses the domain name abc.com and sets the IP address of the primary Data Name Service (DNS) server on the local network. Setting this basic information enables you to access IP hosts by name instead of by IP address.

Here is an example that shows how to configure the DNS information:

admin> read ip-global
IP-GLOBAL read
admin> list
domain-name = ""
dns-primary-server = 0.0.0.0
dns-secondary-server = 0.0.0.0
netbios-primary-ns = 0.0.0.0
netbios-secondary-ns = 0.0.0.0
must-accept-address-assign = no
pool-base-address = [ 0.0.0.0 0.0.0.0 ]
[More? <ret>=next entry, <sp>=next page, <^C>=abort]
admin> set domain-name = abc.com
admin> set dns-primary-server = 10.1.2.3
admin> set dns-secondary-server = 10.24.112.57
admin> write -f

Pinging the MAX TNT from a local host

After you configure the MAX TNT for IP network access, go to an IP host on the local network and use the Ping command to verify that the unit can communicate on the network. For example:

host-1% ping 10.2.3.4

or, if the MAX TNT is integrated into your DNS system:

host-1% ping tnt01

Recommended basic security measures

When the MAX TNT is shipped from the factory, its security features are all set to defaults that enable you to configure and set up the unit without any restrictions. Before you make the MAX TNT generally accessible, you should change these default security settings to protect the configured unit from unauthorized access.

You should set these important security features before bringing the MAX TNT online:

Changing the Admin password
Securing the serial port
Assigning a Telnet password
Requiring a caller to accept a dynamic IP address
Ignoring ICMP redirects
Configuring SNMP access to the MAX TNT

For more details about security, see the MAX TNT Network Configuration Guide.

Changing the Admin password

A user who knows the password to the Admin level will be able to perform any operation on the MAX TNT, including changing the configuration. The Admin password is set to Ascend by default, and you should assign a secret password immediately.

The following example changes the Admin password:

default> auth admin
Password: Ascend

admin> read user admin
USER/admin read

admin> set password = secret

admin> write
USER/admin written

Note that the Allow-Password permission is set to No in the Admin login. While this protects the unit's passwords, it also prevents the Save command from storing passwords in a configuration file. To save passwords in a configuration file, you can either set Allow-Password to Yes in the Admin profile, or create another User profile for the purpose of backing up the unit, and set Allow-Password to Yes in that profile.

Securing the serial port

By default, when users connect to the serial port on the shelf controller, they are logged in with the Admin User profile. To secure the serial port with a username and password, proceed as follows:

Read the Serial profile:
Set the User-Profile to null:
Set Auto-Logout to Yes:
This automatically logs out the current User profile if DTR is lost on the serial port.
Write the profile:

Now users connecting to the serial port must supply a valid username and password for access to the MAX TNT through the serial port.

Assigning a Telnet password

Ascend recommends that you assign a Telnet password to prevent unauthorized Telnet sessions. The Telnet password can be up to 21 characters in length. A user who opens a Telnet session to the MAX TNT will be prompted to supply this password.

Following is an example that assigns a Telnet password:

admin> read ip-global
IP-GLOBAL read

admin> set telnet-password = SDwiw87

admin> write
IP-GLOBAL written

All users attempting to access the MAX TNT unit via Telnet are prompted for the Telnet-Password. They are allowed three tries, each with a 60-second time limit, to enter the correct password. If all three tries fail, the connection attempt times out.

Requiring acceptance of the pool address

During PPP negotiation, a caller could reject the IP address offered by the MAX TNT and present its own IP address for consideration. For security reasons, you might want to set the Must-Accept-Address-Assign parameter to ensure that the MAX TNT terminates such a call:

admin> read ip-global
IP-GLOBAL read

admin> set must-accept-address-assign = yes

admin> write
IP-GLOBAL written

If you enforce acceptance of the assigned address, the Answer-Defaults profile must enable dynamic assignment, the caller's configured profile must specify dynamic assignment, and the caller's PPP dial-in software must be configured to acquire its IP address dynamically. For more details, see MAX TNT Network Configuration Guide.

Ignoring ICMP redirects

ICMP was designed to find the most efficient IP route to a destination. ICMP redirect packets are one of the oldest route-discovery methods on the Internet. They are also one of the least secure, because it is possible to counterfeit ICMP redirects and change the way a device routes packets. The following commands configure the MAX TNT to ignore ICMP redirect packets:

admin> read ip-global
IP-GLOBAL read

admin> set ignore-icmp-redirects = yes

admin> write
IP-GLOBAL written

Configuring SNMP access to the unit

An SNMP manager must be running on a host on the local IP network, and the MAX TNT must be able to find that host, via either a static route or RIP. In addition to these restrictions, the MAX TNT has its own SNMP password security (community strings), which you should set up to protect the MAX TNT from being reconfigured from an unauthorized SNMP station.

Overview of SNMP security

The SNMP profile contains SNMP-readable information related to the unit itself and to its SNMP security. There are two levels of security:

Community strings, which must be known by a community of SNMP managers to access the box.
Address security, which excludes SNMP access unless it is initiated from a specified IP address.

Following are the parameters related to SNMP security:

SNMP
      enabled = no
      read-community = public
      read-write-community = write
      enforce-address-security = no
      read-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
      write-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
      contact = ""
      location = ""
      queue-depth = 0

Enabling SNMP in the MAX TNT

If you leave the Enabled parameter in the SNMP profile set to No (the default), SNMP utilities cannot access the MAX TNT. The following commands enable SNMP on a unit:

admin> read SNMP
SNMP read

admin> set enabled = yes

admin> write
SNMP written

Setting community strings

You can specify up to 32 characters as the Read-Write-Community string. The following example changes the default community strings:

admin> read snmp
SNMP read

admin> list
enabled = yes
read-community = ******
read-write-community = *****
enforce-address-security = no
read-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
write-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
contact = ""
location = here
queue-depth = 0

admin> set read-community = private

admin> set read-write-community = secret

admin> write
SNMP written

Setting up address security

If the Enforce-Address-Security parameter is set to No (its default value), any SNMP manager that presents the right community name will be allowed access. If it is set to Yes, the MAX TNT checks the source IP address of the SNMP manager and allows access only to those IP addresses listed in the Read-Access-Host and Write-Access-Host arrays. Each array can include up to five host addresses.

The following commands enforce address security and specifies a trusted address for both read and write access:

admin> read snmp
SNMP read

admin> list
enabled = no
read-community = public
read-write-community = write
enforce-address-security = no
read-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
write-access-hosts = [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ]
contact = ""
location = ""

admin> set enforce-address-security = yes

admin> set read-access 1 = 10.2.3.4

admin> set write-access 2 = 10.2.56.123

admin> write
SNMP written

Where to go next

If you are configuring a multishelf system, go to Chapter 4, "Installing a Multishelf System."

Otherwise, proceed to the appropriate chapters to configure your MAX TNT slot cards.

techpubs@eng.ascend.com

Copyright © 1997, Ascend Communications, Inc. All rights reserved.