Best Practise AOS

Best Practise Guide
9000/6850
Jerry Poh
23rd July 2010
Agenda
1. Preparing the switch

2. Initial Configuration
3. Minimum Information for Fault Reporting
Preparing the switch
3 | APAC Technical Support
All Rights Reserved Alcatel-Lucent 2007
Preparing the switch

Always upgrade to the latest maintenance build (for new installation).
For RMA replacement, down/up grade to the same code.
Default the configuration.
6850@Bld2.Flr5.Rm10.Rack3-> ls
rm /flash/working/boot.cfg
Listing Directory /flash:
Clear the switch log.

swlog clear
Verify for unnecessary file. No pmd and no dmp file
ls
Restart the switch.
reload working no rollback-timeout
drw
4096 Jul 29 21:26 working/
drw
4096 Jul 28 14:38 certified/
drw
4096 Jul 22 04:03 switch/
drw
4096 Jun
8 11:11 network/
-rw
64000 Jul 30 19:50 swlog1.log
-rw
64000 Jul 23 21:11 swlog2.log
-rw
350 Jul 28 14:38 boot.params
-rw
11 Jul 22 03:43 boot.slot.cfg
-rw
20 Jul 22 04:03 installed
-rw
66402 Jul 29 22:11 command.log

77131776 bytes free
Initial Configuration
Initial Configuration Change Password for admin

Passwords must have a minimum length of 8 characters.
Passwords must consist of at least 3 of the following:
(1) Lower case letters (a z)
(2) Upper case letters (A Z)
(3) Digits (0 9)
(4) Special characters ( [!"#$%&'*+,-./;<=>?@\^_`)|}~] )
There should be no duplication of passwords within the switch as well as with other
switches on the network.
Individual usernames and passwords should be used.
Passwords should be changed once a quarter and must not be re-used within one year.
user admin password MoThEr@09
Initial Configuration User Account setup

user lockout-window 5
within 5 mins
user lockout-threshold 3
3 times wrong password
user lockout-duration 99999
account lock out forever
user operator password OpErAtOr@CS1 read-only all read-write none

user manager password MaNaGeR@CS1 read-write all
-> show user

User name = operator,
User name = manager,

Password expiration
Password allow to be modified date

Account lockout
Password expiration
= None,
= None,
Password bad attempts
= 0,
= None,
= None,
Password allow to be modified date

Account lockout
= None,
Password bad attempts
= 0,
Read Only for domains
= None,
Read Only for domains
= All ,
Read/Write for domains
= All ,
Read/Write for domains
= None,
Snmp allowed
= NO
Snmp allowed
= NO
= None,
Initial Configuration Chassis Management and Monitoring

Person to contact in case of problem
Switch name, Switch location
Local timezone, Local date, Local time
Synchronize date and time (for redundant CMM)
system contact "Peter@+65-62408805"
system name "Finance@6850"
system location "6850@Bld2.Flr5.Rm10.Rack3"
system timezone zp8
-> show system

System:
system date 07/23/2009
Description:
6.3.3.277.R01 GA, August 06, 2008.,
system time 19:00:00
Object ID:
1.3.6.1.4.1.6486.800.1.1.2.1.10.1.1,
system time-and-date synchro
Up Time:
9 days 4 hours 50 minutes and 52 seconds,
Contact:
Peter@+65-62408805,
Name:
Finance@6850,
Location:
6850@Bld2.Flr5.Rm10.Rack3,
Services:
72,
Date & Time:
THU JUL 23 2009
19:00:03 (ZP8)
Initial Configuration Session Management(1)

To identify the switch
session prompt default "6850@Bld2.Flr5.Rm10.Rack3->"
-> session prompt default "6850@Bld2.Flr5.Rm10.Rack3->"

-> exit
login : admin
password :
Welcome to the Alcatel-Lucent OmniSwitch 6400
Software Version 6.3.3.277.R01 GA, August 06, 2008.
Copyright(c), 1994-2008 Alcatel-Lucent. All Rights reserved.
OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.
6850@Bld2.Flr5.Rm10.Rack3->
Initial Configuration Session Management(2)

Keep track of what was changed in the switch
command-log enable
-> show command-log

Command : rename boot.cfg boot_bkup.cfg
UserName : admin
Date
: THU JUL 23 19:59:49
Ip Addr
: console
Result
: WARNING: moving file /flash/working/boot.cfg -> /flash/working/boot_bkup.cfg
Command : cd working
UserName : admin
Date
: THU JUL 23 19:59:35
Ip Addr
: console
Result
: SUCCESS
Initial Configuration stacking

Minimize recalculation for LACP
Minimize recalculation for STP
Minimize update of ARP table
Objective is to use the old primary unit MAC address
6850@Bld2.Flr5.Rm10.Rack3-> show mac-retention status
mac-retention status enable

mac-retention dup-mac-trap enable
Admin State
: Enabled,
Trap admin state
: Enabled,
EEPROM MAC address
: 00:e0:b1:a7:63:b1,
Current MAC address : 00:e0:b1:a7:63:b1,
MAC address source
: EEPROM,
Topology Status
: Ring Not Present
Initial Configuration IP Service

Disable all IP TCP/UDP ports in the switch
no ip service all
During miniboot/uboot upgrade, we need to enable the ftp services

ip service ftp
For switch with multiple IP interfaces (router)

Single management for SNMP
Redundant CMM or stack
ip interface Loopback0 address 192.168.10.1
ip router primary-address 192.168.10.1
ip router router-id 192.168.10.1
Initial Configuration NTP

Without Authentication
ip service network-time
ntp client enable
ntp server 10.146.1.1 prefer
Create a text file name "ntp.keys with text like below.

2 [tab] M [tab] RIrop8KPPvQvYotM
# md5 key as an ASCII random string
Save it in /flash/network directory.

This file should be loaded in the NTP server as well.
ip service network-time
ntp key load
ntp key 2 trusted
ntp client enable
ntp server 10.146.1.1 key 2 prefer
Initial Configuration Switch Management (1)

Secure Web Management
SSH Management
ip service secure-http
ip service ssh
aaa authentication http local
aaa authentication ssh local
http ssl
Telnet Management
FTP Management
ip service telnet
ip service ftp
aaa authentication telnet local
aaa authentication ftp local

SNMP Version 1/2
ip service snmp
aaa authentication snmp local
user <name_read> read-only all read-write none no auth password <password string>
user <name_write> read-only none read-write all no auth password <password string>
snmp security no security
snmp authentication trap enable
snmp community map <get community name> user <name_read>
snmp community map <set community name> user <name_write>
snmp station <OmniVista ip address> <name_read> v2 enable

SNMP Version 3
ip service snmp
aaa authentication snmp local
user <name_write> read-only none read-write all password <password string> md5+des
snmp authentication trap enable
snmp station <OmniVista ip address> <name_write> v3 enable
Initial Configuration port link trap

Enable trap for uplink port
Send a trap to NMS when port goes up or down
Not send to swlog
trap s/p port link enable

6850@Bld2.Flr5.Rm10.Rack3-> show interfaces status
DETECTED
Slot/ AutoNego
Port
CONFIGURED
Speed Duplex Hybrid

(Mbps)
Type
Speed
Duplex Hybrid
(Mbps)
Mode
Trap
LinkUpDown
-----+--------+------+------+------+--------+------+------+-----1/1
Enable
1/1
Enable
1/2
Enable
1/2
Enable
1000
Auto
1000
Auto
Full
PF
Enable
Auto
PF
Enable
Full
PF
Auto
PF
Initial Configuration DHCP Relay

For L2 switch, ignore first 3 statements
Enable trust port on port link to DHCP server
In 6.4.2 onwards, option82 is not mandatory
ip service udp-relay
ip helper address 10.146.10.1
ip helper forward delay 0
ip helper dhcp-snooping enable
ip helper dhcp-snooping port s/p trust
Initial Configuration Syslog

Send switch log to external syslog server
swlog output socket 10.146.1.1
6850@Bld2.Flr5.Rm10.Rack3-> show swlog

Switch Logging is :
- INITIALIZED.
- RUNNING.
Log Device(s)
------------flash
console
socket ipaddr 10.146.1.1
Syslog FacilityID: local0(16)
Console display level is set to the level 'debug3' (9)
All Applications have their trace level set to the level 'info' (6)
Initial Configuration Spanning tree

To prevent user port to become root port
bridge 1x1 s/p restricted-role enable
To shutdown a port when it received BPDU

Port LED will still light up
qos no user-port filter user-port shutdown bpdu
6850@Bld2.Flr5.Rm10.Rack3-> show interfaces port
policy port group UserPorts s/p
Slot/
Admin
qos apply
Port
Status
Link
Violations
Status
-----+----------+---------+----------+----------
1/10
enable
down
none
""
1/11
enable
down
none
""
1/12
enable
down
none
""
1/13
enable
down
STP
""
1/14
enable
down
STP
""
1/15
enable
down
none
""
1/16
enable
down
none
""
Initial Configuration UDLD

Prevent loop due to link failure
Enable on inter-switch link only
6850@Bld2.Flr5.Rm10.Rack3-> show udld neighbor port 1/1

Neighbor Id
Device Id
Port Id
-----------------+-------------------+--------------------
Cannot work with Cisco
00:e0:b1:a6:fa:e6
00:e0:b1:a6:fa:e8
udld enable
6850@Bld2.Flr5.Rm10.Rack3-> show udld status port 1/1
udld port s/p enable

udld port s/p mode aggressive
Admin State
: enabled,
Operational State
: bidirectional
6850@Bld2.Flr5.Rm10.Rack3-> show udld statistics port 1/1

UDLD Port Statistics
Hello Packet Send
: 18,
Echo Packet Send
: 4,
Flush Packet Recvd
: 0
UDLD Neighbor Statistics

Neighbor ID
Hello Pkts Recv
Echo Pkts Recv
---------------+-----------------------+----------------------1
17
Minimum information for fault reporting
Fault Report Procedure - 1

Customer details (BP):
End-Customer Info
Reseller name
Customer name
Contact person
Contact person*
Email address
Email address*
Phone number
Phone number*
(* Optional)
Severity of problem:
S1: Network down, causing a critical impact to business operations if service is not restored quickly.
S2: Network severely degraded with a significant impact to business operations.
S3: Network impaired but most business operations continue.
S4: Question on product capabilities, system installation or configuration.

Indicate whether remote dial in is possible
One line problem description:
A short problem description to put it into the summary (one liner).
Detailed problem description:
Describe as accurately as possible the problem you are facing.
Topology information and logs for all products involved in the Issue

1. boot.cfg files
2. tech_support log files. Please refer to next slide
3. swlog1.log and swlog2.log files
4. PMD files (Post Mortem Dump) if present (crash*, *.pmd, *.dmp)
5. Captures of the following commands:
ls r
show configuration status
show command-log
6. Network drawing
Please transfer binary files like the swlog/command-log and the dump files in binary FTP mode.

For Redundant CMM or Stack
If a physical access to the console port of the secondary CMM or unit is available, please provide
the output of the following commands when logged in on that port:
show microcode loaded
show microcode working
show microcode certified
show system
show hardware info
show running-directory
ls -r
show log swlog

Chassis
rls /
rls /working
rls /certified
rcp cmm-b:swlog1.log swlog1.sec
rcp cmm-b:swlog2.log swlog2.sec
rcp cmm-b:allfiles.pmd allfiles.sec.pmd
Stacking
rls x /working
rls x /certified
rcp x:swlog1.log swlog1.x.log
rcp x:swlog2.log swlog2.x.log
rcp x:allfiles.pmd allfiles.x.pmd

Capture 3 versions at few mins interval
If RIP, PIMSM, OSPF, MROUTE, IPX, DVMRP or BGP are configured on the switch:
show tech-support layer3 rip, show tech-support layer3 pimsm
show tech-support
show tech-support
show tech-support layer2
show tech-support layer3 ospf
mv tech_support.log tech_1.log
mv tech_support_layer2.log layer2_1.log
mv tech_support_ospf.log ospf_1.log

show tech-support
Reboot
show tech-support
mv tech_support.log tech_OK.log
mv tech_support_layer2.log layer2_OK.log
mv tech_support_layer3.log layer3_OK.log
mv tech_support_ospf.log ospf_OK.log
www.alcatel-lucent.com
www.alcatel-lucent.com

Best Practise AOS

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Best Practise AOS

Uploaded by

Copyright:

Available Formats

Best Practise Guide

1. Preparing the switch

Preparing the switch

3 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Preparing the switch

Listing Directory /flash:

Clear the switch log.

4096 Jul 29 21:26 working/

4096 Jul 28 14:38 certified/

4096 Jul 22 04:03 switch/

64000 Jul 30 19:50 swlog1.log

64000 Jul 23 21:11 swlog2.log

350 Jul 28 14:38 boot.params

11 Jul 22 03:43 boot.slot.cfg

20 Jul 22 04:03 installed

66402 Jul 29 22:11 command.log

4 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

5 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Initial Configuration Change Password for admin

user admin password MoThEr@09

6 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Initial Configuration User Account setup

3 times wrong password

user lockout-duration 99999

account lock out forever

user operator password OpErAtOr@CS1 read-only all read-write none

-> show user

User name = manager,

Password allow to be modified date

Password bad attempts

Password allow to be modified date

Password bad attempts

Read Only for domains

Read Only for domains

Read/Write for domains

Read/Write for domains

7 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Initial Configuration Chassis Management and Monitoring

-> show system

system date 07/23/2009

6.3.3.277.R01 GA, August 06, 2008.,

system time 19:00:00

system time-and-date synchro

9 days 4 hours 50 minutes and 52 seconds,

Date & Time:

THU JUL 23 2009

8 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Initial Configuration Session Management(1)

session prompt default "6850@Bld2.Flr5.Rm10.Rack3->"

-> session prompt default "6850@Bld2.Flr5.Rm10.Rack3->"

9 | APAC Technical Support

All Rights Reserved Alcatel-Lucent 2007

Initial Configuration Session Management(2)

-> show command-log

: THU JUL 23 19:59:49

: WARNING: moving file /flash/working/boot.cfg -> /flash/working/boot_bkup.cfg

: THU JUL 23 19:59:35

10 | APAC Technical Support