VPC-SI System Administration Guide, StarOS Release 21.20

First Published: 2020-06-30

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000 800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE About this Guide
  Conventions Used
  Related Documentation
  Contacting Customer Support

CHAPTER 1 Introduction to VPC-SI
  Product Description
  Virtualized Mobility Functions
  VM Interconnect Architecture
  Standalone Instance
  Feature Set
  Interfaces and Addressing
  Encryption
  Security
  Redundancy and Availability
  Platform Requirements
  ICSR Support
  Hypervisor Requirements
  VM Configuration
  vCPU and vRAM Options
  vNIC Options
  Hard Drive Storage
  DPDK Internal Forwarder
  Capacity, CEPS and Throughput
  Diagnostics and Monitoring
  StarOS VPC-SI Build Components
  VPC-SI Boot Parameters
  Format of the Boot Parameters File
  Network Interface Identification
  Configuring VPC-SI Boot Parameters
  Configuring VNFM Interface Options
  VPP Configuration Parameters
  Software Installation and Network Deployment

CHAPTER 2 System Operation and Configuration
  Terminology
  Contexts
  Logical Interfaces
  Management Interface
  Bindings
  Services
  AAA Servers
  Subscribers
  How the System Selects Contexts
  Context Selection for Context-level Administrative User Sessions
  Context Selection for Subscriber Sessions
  Understanding Configuration Files
  IP Address Notation
  IPv4 Dotted-Decimal Notation
  IPv6 Colon-Separated-Hexadecimal Notation
  CIDR Notation
  Alphanumeric Strings
  Character Set
  Quoted Strings

CHAPTER 3 Getting Started
  Using the StarOS CLI for Initial Configuration
  Configuring System Administrative Users
  Limiting the Number of Concurrent CLI Sessions
  Automatic Logout of CLI Sessions
  Configuring the System for Remote Access
  Configuring SSH Options
  SSH Host Keys
  Setting SSH Key Size
  Configuring SSH Key Generation Wait Time
  Specifying SSH Encryption Ciphers
  MAC Algorithm Configuration
  Generating SSH Keys
  Setting SSH Key Pair
  Authorized SSH User Access
  Authorizing SSH User Access
  SSH User Login Restrictions
  Creating an Allowed Users List
  SSH User Login Authentication
  Secure Session Logout
  Changing Default sshd Secure Session Logout Parameters
  SSH Client Login to External Servers
  Setting SSH Client Ciphers
  Setting Preferred Authentication Methods
  Generating SSH Client Key Pair
  Pushing an SSH Client Public Key to an External Server
  Enabling NETCONF
  Configuring the Management Interface with a Second IP Address
  Upgrade and Migration of Open SSH to Cisco SSH
  Feature Summary and Revision History
  Feature Changes
  VM Hardware Verification

CHAPTER 4 System Settings
  Verifying and Saving Your Interface and Port Configuration
  Configuring System Timing
  Setting the System Clock and Time Zone
  Verifying and Saving Your Clock and Time Zone Configuration
  Configuring Network Time Protocol Support
  Configuring NTP Servers with Local Sources
  Using a Load Balancer
  Verifying the NTP Configuration
  Configuring Software RSS
  DI-Network RSS Encryption
  Feature Summary and Revision History
  Feature Changes
  Command Changes
  Configuring SF Boot Configuration Pause
  Enabling CLI Timestamping
  Configuring CLI Confirmation Prompts
  Enabling Automatic Confirmation
  Requiring Confirmation for autoconfirm and configure Commands
  Requiring Confirmation for Specific Exec Mode Commands
  Configuring System Administrative Users
  User Name Character Restrictions
  Configuring Context-level Administrative Users
  Configuring Context-level Security Administrators
  Configuring Context-level Administrators
  Configuring Context-level Operators
  Configuring Context-level Inspectors
  Segregating System and LI Configurations
  Verifying Context-level Administrative User Configuration
  Configuring Local-User Administrative Users
  Verifying Local-User Configuration
  Updating Local-User Database
  Updating and Downgrading the local-user Database
  Restricting User Access to a Specified Root Directory
  Configuring an SFTP root Directory
  Associating an SFTP root Directory with a Local User
  Associating an SFTP root Directory with an Administrator
  Associating an SFTP root Directory with a Config Administrator
  Configuring TACACS+ for System Administrative Users
  Operation
  User Account Requirements
  TACACS+ User Account Requirements
  StarOS User Account Requirements
  Configuring TACACS+ AAA Services
  Configuring TACACS+ for Non-local VPN Authentication
  Verifying the TACACS+ Configuration
  IPv6 Address Support for TACACS+ Server
  Separating Authentication Methods
  Disable TACACS+ Authentication for Console
  Disable AAA-based Authentication for Console
  Disable TACACS+ Authentication at the Context Level
  Limit local-user Login on Console/vty Lines
  Limit Console Access for AAA-based Users
  Verify Configuration Changes
  Configuring a Chassis Key
  Overview
  Configuring a New Chassis Key Value
  CLI Commands
  Quick Setup Wizard
  Enabling Automatic Reset of FSC Fabric

CHAPTER 5 Config Mode Lock Mechanisms
  Overview of Config Mode Locking
  Requesting an Exclusive-Lock
  Effect of Config Lock on URL Scripts
  Saving a Configuration File
  Reload and Shutdown Commands
  show administrators Command

CHAPTER 6 Management Settings
  SNMP MIB Browser
  SNMP Support
  Configuring SNMP and Alarm Server Parameters
  Verifying SNMP Parameters
  Controlling SNMP Trap Generation

CHAPTER 7 Verifying and Saving Your Configuration
  Verifying the Configuration
  Feature Configuration
  Service Configuration
  Context Configuration
  System Configuration
  Finding Configuration Errors
  Synchronizing File Systems
  Saving the Configuration

CHAPTER 8 System Interfaces and Ports
  Contexts
  Creating Contexts
  Viewing and Verifying Contexts
  Ethernet Interfaces and Ports
  Creating an Interface
  Configuring a Port and Binding It to an Interface
  Configuring a Static Route for an Interface
  Viewing and Verifying Port Configuration
  VLANs
  Hypervisors
  VLANs and Management Ports

CHAPTER 9 System Security
  Protection of Passwords
  Secure Password Encryption
  Support for
