

Nortel Networks Passport 8600 Config Management & Security Hints



Some helpful advice from our Nortel account SE on how to wrangle and secure an 8600:


Clearing configuration:

On a dual Fabric/CPU 8600 you would perform the following commands.  Assumes direct connection as IP addressing will be cleared:

Defaulting the Standby CPU:

  • Log in to Primary CPU (on console port select "enter" and log in as RWA level authority).
  • telnet to Standby CPU - "telnet 127.0.0.6" (last digit corresponds to slot number of Standby CPU)
  • config bootconfig flags factorydefaults true (activates boot from factory default option)
  • save bootconfig (saves change just made for re-boot)
  • boot (this will reboot the Standby CPU with no effect on Primary - will return you to the Primary CPU prompt)
  • telnet 127.0.0.6 (from Master, telnet back to the standby)
  • save config (saves blank config to config.cfg file)
  • config bootconfig flags factorydefaults false (shuts off boot from factory default option)
  • save bootconfig (saves boot options - reverts to booting from config.cfg)

Defaulting the Primary CPU after Standby is defaulted:

  • Log in to Primary CPU (on console port select "enter" and log in as RWA level authority).
  • copy 127.0.0.6 /flash/config.cfg  (This copies the default config file from the standby flash to the active flash)
  • boot

Shortcut:
 
Keep a copy of a factory default config.cfg file, re-named default.cfg, on TFTP server or accessible 8600
TFTP default.cfg from server to standby and Primary - rename files to config.cfg during copy process and reboot both CPUs.

Example: copy 47.140.52.134:default.cfg /flash/config.cfg

****Helpful hint****:

You can view the contents of a configuration file using the "more" command from the 8600 console - this will help keep things straight if you are unsure of which file is which.  If you capture your screen, you will have a flat text file of your configuration.

Example: more /flash/config.cfg

CLI commands to change the console/Telnet password:

The following commands change the console/Telnet login name and the password
for each different login access level:

config cli password ro <username> [<password>]
config cli password rw <username> [<password>]
config cli password l1 <username> [<password>]
config cli password l2 <username> [<password>]
config cli password l3 <username> [<password>]
config cli password rwa <username> [<password>]

Example - to change read/write/all password:

config cli password rwa ron 190xyz

To display information about the access levels for login and password, type:
show cli password

For each access level, the default login and passwords are as follows:

Passport_8100:5# show cli password

ACCESS  LOGIN   PASSWORD
rwa     rwa     rwa
rw      rw      rw
l2      l2      l2
l1      l1      l1
ro      ro      ro

Device Manager commands to change the console/Telnet password:

Note:  On a default 8600, fill in Read and Write community string on DM fields as "secret" for authority to set these access levels - otherwise the fields will be blank and change access denied.

  • From the Device Manager menu bar, choose Edit > Security.   The Security dialog box opens with the Access Policy tab displayed.
  • Click the CLI tab.
  • Fill in the appropriate choices, click Apply, then Close.


SNMP from CLI:

config sys set snmp commands

The config sys set snmp commands allow you to configure the SNMP settings for your switch.
The config sys set snmp commands include the following options:

config sys set snmp  followed by:

info Displays the current SNMP settings

community <ro|rw|l1|l2|l3|rwa> <commstr> Sets the SNMP community string for the selected community:
* ro is read-only.
* rw is read/write.
* l1 is layer 1 read/write.
* l2 is layer 2 read/write.
* l3 is layer 3 (and layer 2) read/write.
* rwa is read/write/all.
* commstr is the input community string.

DEFAULT COMMUNITY STRINGS
ro - public
rw - private
l1 - private
l2 - private
l3 - private
rwa - secret

del-trap-recv <ipaddr> Deletes the SNMP trap receiver. ipaddr is the IP address of the trap receiver.

trap-recv <ipaddr> <v1|v2c> <commstr> Sets an SNMP trap receiver.
* ipaddr is the IP address of the trap receiver.
* v1|v2c is the SNMP version; select version 1 or version 2c.
* commstr is the input community string from 1 to 1024 characters.

Saving Configurations from CLI:

To synchronize, execute save config and save config standby in succession.  Re-execute commands with pcmcia in path if desired.

save config - saves running configuration to /flash/config.cfg

save config file /pcmcia/config.cfg - saves running configuration to pcmcia with a filename of config.cfg

save config standby /flash/config.cfg   - saves running configuration to /flash/config.cfg on standby CPU.

save config standby /pcmcia/config.cfg - saves running configuration to standby CPU pcmcia with a filename of config.cfg.

Options: you can save bootconfig information in the same manner - "save bootconfig"


Let me know if there are any other questions.

Regards,

Ron
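
A way to check a captured console session against the factory defaults listed above, as an added example that is not part of Ron's note or any Nortel tooling: it parses the "show cli password" output format shown on this page and compares community strings with the page's default list. The function names, the sample capture and the communities dictionary (strings recorded by hand, since the page does not show the output of "config sys set snmp info") are assumptions.

```python
# Factory-default community strings, as listed on this page.
DEFAULT_COMMUNITIES = {"ro": "public", "rw": "private", "l1": "private",
                       "l2": "private", "l3": "private", "rwa": "secret"}
LEVELS = set(DEFAULT_COMMUNITIES)

def parse_cli_passwords(capture):
    """Return {level: (login, password)} from captured 'show cli password' text."""
    rows = {}
    for line in capture.splitlines():
        fields = line.split()
        # Data rows have three columns and start with an access level; this
        # skips the prompt line, the column header and blank lines.
        if len(fields) == 3 and fields[0].lower() in LEVELS:
            rows[fields[0].lower()] = (fields[1], fields[2])
    return rows

def audit(capture, communities):
    """Return findings for values still at the defaults shown on this page."""
    findings = []
    for level, (login, password) in sorted(parse_cli_passwords(capture).items()):
        if login == level:
            findings.append(f"cli {level}: default login name")
        if password == level:
            findings.append(f"cli {level}: default password")
    factory = set(DEFAULT_COMMUNITIES.values())
    for level, commstr in sorted(communities.items()):
        if commstr in factory:
            findings.append(f"snmp {level}: factory community string")
    return findings

# Constructed sample: the page's default table with only rwa changed, using the
# page's own "config cli password rwa ron 190xyz" example.
SAMPLE_CAPTURE = """\
Passport_8100:5# show cli password

ACCESS  LOGIN PASSWORD
rwa     ron     190xyz
rw      rw      rw
l2      l2      l2
l1      l1      l1
ro      ro      ro
"""
# Constructed sample: community strings as the auditor recorded them.
SAMPLE_COMMUNITIES = {"ro": "public", "rw": "private", "rwa": "example-rwa-string"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE, SAMPLE_COMMUNITIES):
        print(finding)
```

On the constructed sample only the rwa level comes back clean; every other access level and both the ro and rw community strings are reported.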







Hartford Public Schools Information Technology Department | Updated 4-26-02