Lenovo Network Application Guide for Lenovo Cloud Network Operating System 10.1 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD, and the Warranty Information document that comes with the product. First Edition (June 2016) © Copyright Lenovo 2016 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both. Contents Preface . 17 Who Should Use This Guide . .18 Application Guide Overview . .19 Additional References . .22 Typographic Conventions . .23 Part 1: Getting Started . 25 Chapter 1. Switch Administration . 27 Administration Interfaces . .28 Industry Standard Command Line Interface . .28 Establishing a Connection . .29 Using the Switch Management Interface . .29 Using the Switch Ethernet Ports . .30 Using Telnet . .31 Using Secure Shell. .32 Using SSH with Password Authentication . .32 Using SSH with Public Key Authentication . .33 Using Simple Network Management Protocol. .34 DHCP IP Address Services. .35 DHCP Client Configuration . .35 DHCPv4 Hostname Configuration (Option 12) . .36 DHCPv4 Syslog Server (Option 7) . .36 DHCPv4 NTP Server (Option 42) . .37 DHCPv4 Vendor Class Identifier (Option 60) . .37 DHCP Relay Agent . .38 DHCPv4 Option 82 . .39 Switch Login Levels. .40 Ping . .42 Ping Configurable Parameters . .43 Test Interruption . .43 Ping Count . .43 Ping Packet Interval . .43 Ping Packet Size . .44 Ping Source . .44 Ping DF-Bit . .44 Ping Timeout . .45 Ping VRF . .45 Ping Interactive Mode . .46 Traceroute . .47 Traceroute Configurable Parameters. .48 Test Interruption . .48 Traceroute Source . .48 Traceroute VRF . .48 Traceroute Interactive Mode . .49 © Copyright Lenovo 2016 3 Network Time Protocol . 50 NTP Synchronization Retry . 50 NTP Client and Peer . 51 NTP Authentication Field Encryption Key . 52 NTP Polling Intervals . 52 NTP Preference . 53 Dynamic and Static NTP Servers . 53 NTP Authentication. 53 NTP Authentication Configuration Example . 54 System Logging . 55 Syslog Outputs . 56 Syslog Severity Levels . 57 Syslog Time Stamping . 58 Syslog Rate Limit . 58 Syslog Servers . 59 Idle Disconnect. .60 Python Scripting . 61 REST API Programming. 62 Chapter 2. System License Keys . 63 Obtaining License Keys . 64 Installing License Keys . 65 Uninstalling License Keys . 66 Transferring License Keys . 67 ONIE License Key . 68 Chapter 3. Switch Software Management . 69 Installing New Software to Your Switch . 70 Installing System Images from a Remote Server . 70 Installing System Images from a USB Device . 72 Installing U-boot from a Remote Server . 73 Installing U-boot from a USB Device . 74 Selecting a Software Image to Run . 75 Reloading the Switch . 76 Copying Configuration Files . 77 Copy Configuration Files via a Remote Server . 77 Copy Configuration Files to a USB Device . 77 The Boot Management Menu . 78 Boot Recovery Mode . 79 Recover from a Failed Image Upgrade using TFTP . 80 Recovering from a Failed Image Upgrade using XModem Download . 82 Physical Presence . 84 ONIE submenu . 85 4 G8272 Application Guide for CNOS 10.1 ONIE . .86 Installing ONIE from a Remote Server . .86 Installing ONIE from a USB Device . .87 Booting in ONIE Mode. .88 Booting in ONIE Install Mode . .88 Booting in ONIE Uninstall Mode . .89 Booting in ONIE Update Mode . .89 Booting in ONIE Rescue Mode . .89 Part 2: Securing the Switch . 91 Chapter 4. Securing Administration . 93 Secure Shell and Secure Copy . .94 SSH Encryption and Authentication . .95 Generating RSA/DSA Host Key for SSH Access . .95 SSH Integration with TACACS+ Authentication . .95 Configuring SSH on the Switch . .96 Using SSH Client Commands . .97 To Log In to the Switch. .97 Using Secure Copy . .98 Copying a File Using SCP. .98 Copying Startup Configuration Using SCP . .98 Copying Running Configuration Using SCP . .98 Copying Technical Support Using SCP . .98 End User Access Control. .99 Considerations for Configuring End User Accounts . .99 Strong Passwords . .99 User Access Control . 100 Setting up Users . 100 Defining a User’s Access Level . 101 Deleting a User . 101 The Default User . 102 Administrator Password Recovery. 102 Chapter 5. Authentication & Authorization Protocols . .105 TACACS+ Authentication . 106 How TACACS+ Authentication Works. 106 TACACS+ Authentication Features in Cloud NOS . 107 Authorization . 107 Accounting . 107 Configuring TACACS+ Authentication on the Switch . 108 Authentication, Authorization and Accounting . 109 AAA Groups . 110 Group Lists . 110 Configuring AAA Groups . 111 Authentication . 112 Configuring AAA Authentication . 112 Authorization . 114 Configuring AAA Authorization . 114 Accounting. 115 Configuring AAA Accounting. 115 © Copyright Lenovo 2016 : Contents 5 Chapter 6. Access Control Lists. 117 Supported ACL Types . 118 Summary of Packet Classifiers . 119 Summary of ACL Actions . 121 Configuring Port ACLs (PACLs) . 122 Configuring Router ACLs (RACLs) . 123 Configuring.