By Default
– No access security enabled.
– SNMPv1/SNMPv2c is enabled using read and write community strings of public and private.
– For added security, a source IP manager control list can be added. This list can contain anywhere from 1 to 50 source IPv4 and/or IPv6 addresses, up to 50 each, that are allowed access to the switch. This control list in turn can be applied to any access method including SNMP, SSH, Telnet, and/or WEB.
– On the ERS 2500, ERS 4500, or ERS 5000 series switch, serial port and telnet/web access is allowed without any password protection.
– Password security is not enabled on the standard image, but it is on the secure image.
– ICMP enabled
Here is a basic list of CLI show commands
show vlan
show audit log telnet
show ip route
show ipmgr
show running-config
show license all
show cli password
show cli password type
show tacacs
show ssh session
show ssh global
show snmp-server
show snmp-server view
clear license all
Change VLAN assignment
Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# vlan members remove 100 1/23
Avaya_ERS5530(config)# vlan members add 100 1/24
Avaya_ERS5530(config)# vlan ports 2/23 pvid 55
Save configuration
Avaya_ERS5530# copy config nvram
conf t
interface vlan 3
ip add 172.30.0.2 netmask 255.255.255.0
ip routing
exit
Enable SSH(D)
Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# ssh secure
Enable secure mode will cut off all remote access. Telnet, snmp
and web will be disabled. Are you sure (y/n) ? y
Avaya_ERS5530(config)# ssh secure force
* If SSH is required, the secure version of the software must be installed on the switch. For each switch model, there is a secure image and standard software image available. All switches ship with the standard agent image installed.
Enable Password Security
This hashes your password and enforces password complexity.
Avaya_ERS5530(config)# password security
Avaya_ERS5530(config)# no password security
Enable local telnet authentication
Avaya_ERS5530(config)# cli password telnet local
or
Avaya_ERS5530(config)# cli password switch telnet local
or
Avaya_ERS5530(config)# cli password stack telnet local
Avaya_ERS5530(config)# show cli password type
* The default user names can be changed using the following CLI command:
Avaya_ERS5530(config)# username
Enable RADIUS telnet authentication
Avaya_ERS5530(config)# radius reachability use-icmp ; to allow ICMP to RADIUS srv.
Avaya_ERS5530(config)# radius reachability use-radius ; to send regular request.
Avaya_ERS5530(config)# radius-server host 192.168.1.1 key ipBalance
Avaya_ERS5530(config)# radius accounting enable
Avaya_ERS5530(config)# cli password telnet radius
If the switch is used in a stack, enter the following:
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# radius-server password fallback ; If RADIUS is not available use local user/pwd
Avaya_ERS5530(config)# radius use-management-ip
Enable TACACS authentication
Add TACACS+ server, enable TACACS+, and enable TACACS+ accounting
Avaya_ERS5530(config)# tacacs server host 192.168.1.2 key
Enter key: *****
Confirm key: *****
Avaya_ERS5530(config)# tacacs authorization enable
Avaya_ERS5530(config)# tacacs accounting enable
Avaya_ERS5530(config)# tacacs authorization level all
Enable CLI password using TACACS+
Avaya_ERS5530(config)# cli password switch telnet tacacs
% Warning: SNMP/WEB/Console will be disabled
Avaya_ERS5530 level-15># cli password serial tacacs
% Warning: SNMP/WEB will be disabled
Create user
Only two users can be created each for the switch and the stack (RO and RW level).
Avaya_ERS5530(config)# username admin stack rw
Enter password: *********
Confirm password: *********
Avaya_ERS5530(config)# username tech stack ro
Enter password: *********
Confirm password: *********
To delete users, overwrite them with the default values:
Avaya_ERS5530(config)# username ro user switch ro
Avaya_ERS5530(config)# username rw secure switch rw
Avaya_ERS5530(config)# username ro user stack ro
Avaya_ERS5530(config)# username rw secure stack rw
Create a prompt to login
Only two users can be created each for the switch and the stack (RO and RW level).
Avaya_ERS5530(config)# cli password telnet local <– using local user account
Avaya_ERS5530(config)# cli password telnet radius <– using radius
Avaya_ERS5530(config)# cli password telnet tacacs <– using tacacs
Avaya_ERS5530(config)# cli password telnet none <– disable
Avaya_ERS5530(config)# cli password stack telnet local
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# cli password stack telnet tacacs
Avaya_ERS5530(config)# cli password stack telnet none
* Don't forget the fallback command when you set up RADIUS or TACACS.
Enable WEB authentication
Avaya_ERS5530(config)# web-server enable / disable
Avaya_ERS5530(config)# cli password
Configure a management IP
Layer 2 method ; Mgt VLAN is 100 using a standalone switch
Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# vlan create 100 name mgmt type port 1
Avaya_ERS5530(config)# vlan mgmt 100
Avaya_ERS5530(config)# ip address switch 10.10.10.1 netmask 255.255.255.0 default-gateway
Layer 3 method ; Mgt VLAN is 100
Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# vlan create 100 name mgmt type port 1
Avaya_ERS5530(config)# vlan mgmt 100
Avaya_ERS5530(config)# interface vlan 100
Avaya_ERS5530(config-if)# ip address 10.10.10.1 255.255.255.0
Avaya_ERS5530(config-if)# exit
Avaya_ERS5530(config)# ip routing
Avaya_ERS5530(config)# ip route
Configure IP manager
Avaya_ERS5530(config)# ipmgr telnet
Avaya_ERS5530(config)# ipmgr source-ip 1 192.168.1.1 mask 255.255.255.255
Avaya_ERS5530(config)# ipmgr source-ip 2 192.168.2.0 mask 255.255.255.0
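The IP manager list above, worked through as an added example (not part of the original page and not Avaya code): it parses `ipmgr source-ip` lines, reports which entry admits a given management station, and lists entries wide enough to deserve review. The function names, the 256-address threshold and the treatment of an address with host bits outside its mask as an error are assumptions of this sketch.

```python
import ipaddress

# Constructed input: the two entries from the commands above, prompts included.
IPMGR_LINES = """\
Avaya_ERS5530(config)# ipmgr source-ip 1 192.168.1.1 mask 255.255.255.255
Avaya_ERS5530(config)# ipmgr source-ip 2 192.168.2.0 mask 255.255.255.0
"""

def parse_ipmgr(text):
    """Return {entry_number: IPv4Network} for each 'ipmgr source-ip' line."""
    entries = {}
    for line in text.splitlines():
        words = line.split()
        if "source-ip" not in words:
            continue
        i = words.index("source-ip")
        num, addr, kw, mask = words[i + 1 : i + 5]
        if kw != "mask":
            raise ValueError(f"unexpected syntax: {line!r}")
        # strict=True raises ValueError when the address has bits set outside
        # the mask (192.168.2.5 mask 255.255.255.0), which usually is a typo.
        entries[int(num)] = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    return entries

def allowed_by(entries, client):
    """Return the number of the first entry covering client, or None."""
    ip = ipaddress.ip_address(client)
    for num in sorted(entries):
        if ip in entries[num]:
            return num
    return None

def broad_entries(entries, max_hosts=256):
    """Entry numbers that admit more than max_hosts source addresses."""
    return [n for n, net in sorted(entries.items())
            if net.num_addresses > max_hosts]

if __name__ == "__main__":
    table = parse_ipmgr(IPMGR_LINES)
    for station in ("192.168.1.1", "192.168.1.2", "192.168.2.77"):
        print(station, "->", allowed_by(table, station))
```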
Enable SNMP
Avaya_ERS5530(config)# snmp-server enable/disable
Avaya_ERS5530(config)# snmp-server community
Avaya_ERS5530(config)# snmp-server community
Avaya_ERS5530(config)# snmp-server name switch-007
Avaya_ERS5530(config)# snmp-server contact
Avaya_ERS5530(config)# default snmp-server location
Avaya_ERS5530(config)# default snmp-server contact
Avaya_ERS5530(config)# default snmp-server name
SNMPv1
Avaya_ERS5530(config)# snmp-server host
SNMPv2
Avaya_ERS5530(config)# snmp-server host
SNMPv3
Avaya_ERS5530(config)# snmp-server host
SNMPv3 example
Avaya_ERS5530(config)# snmp-server enable
Add SNMPv3 authPriv read-only user
Avaya_ERS5530(config)# snmp-server user userro md5 readonly 3des despasswdro read-view snmpv1Objs
If password security is enabled:
Avaya_ERS5530(config)# snmp-server user userro md5 3des read-view snmpv1Objs
Enter MD5 pass-phrase: ******** (readonly)
Confirm MD5 pass-phrase: ******** (readonly)
Enter 3Des pass-phrase: *********** (despasswdro)
Confirm 3Des pass-phrase: *********** (despasswdro)
Add SNMPv3 authPriv read-write user
Avaya_ERS5530(config)# snmp-server user userrw md5 readwrite 3des despasswdrw write-view snmpv1Objs read-view snmpv1Objs
If password security is enabled:
Avaya_ERS5530(config)# snmp-server user userrw md5 3des read-view snmpv1Objs write-view snmpv1Objs
Enter MD5 pass-phrase: ********* (readwrite)
Confirm MD5 pass-phrase: ********* (readwrite)
Enter 3Des pass-phrase: *********** (despasswdrw)
Confirm 3Des pass-phrase: *********** (despasswdrw)
To restore the SNMP host table to its default value (clearing the table), enter the following command:
Avaya_ERS5530(config)# default snmp-server host
To disable SNMPv1 and SNMPv2
Avaya_ERS5530(config)# no snmp-server community rw
Avaya_ERS5530(config)# no snmp-server community ro
Enable Syslog
Avaya_ERS5530(config)# logging remote address 192.168.1.3
Avaya_ERS5530(config)# logging remote level informational
Avaya_ERS5530(config)# logging remote enable
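A check of a command list against the weak defaults listed under "By Default" at the top of this page, as an added example (not the original page's or Avaya's code). It assumes the input is the commands as written on this page, with or without the prompt, that a later command overrides an earlier one, and it does not tell switch and stack settings apart; the function name and finding texts are made up for illustration.

```python
import re

# Constructed input: commands in the form this page uses, not switch output.
HARDENED = """\
password security
cli password telnet local
ipmgr telnet
ipmgr source-ip 1 192.168.1.1 mask 255.255.255.255
no snmp-server community rw
no snmp-server community ro
logging remote address 192.168.1.3
logging remote enable
"""

def audit(config):
    """Return the default-state weaknesses the command list leaves in place."""
    telnet_auth = "none"         # default: telnet allowed without a password
    pw_security = False          # default on the standard image
    communities = {"ro", "rw"}   # default public / private strings
    ipmgr_telnet, sources, syslog = False, 0, False
    for raw in config.splitlines():
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())  # drop prompt
        m = re.fullmatch(r"cli password (?:(?:switch|stack) )?telnet (\w+)", line)
        if m:
            telnet_auth = m.group(1)          # the last command wins
        elif line in ("password security", "no password security"):
            pw_security = not line.startswith("no ")
        elif re.fullmatch(r"no snmp-server community (ro|rw)", line):
            communities.discard(line.split()[-1])
        elif line == "ipmgr telnet":
            ipmgr_telnet = True
        elif line.startswith("ipmgr source-ip "):
            sources += 1
        elif line == "logging remote enable":
            syslog = True
    findings = []
    if telnet_auth == "none":
        findings.append("telnet: no authentication")
    if not pw_security:
        findings.append("password security: off")
    findings += [f"snmp: default {c} community present" for c in sorted(communities)]
    if not (ipmgr_telnet and sources):
        findings.append("ipmgr: telnet not restricted by source IP")
    if not syslog:
        findings.append("syslog: remote logging off")
    return findings

if __name__ == "__main__":
    print(audit(HARDENED) or "no findings")
```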