
Pravail APS 2.0 Certification Training
Unit 3: Installation

Objectives

At the conclusion of this unit you should be able to:

• Log in to the Pravail APS CLI and navigate the CLI hierarchy
• Install Pravail APS following the Quick Start procedure
• Install Pravail APS using CLI commands
• Discuss which protocols and ports are supported for normal operation

Page 2 - Company Confidential


Pravail APS Installation

• CLI Overview
• Initial Quick Start
• CLI Configuration
• Nominal Operation


Connecting to the CLI

1. Serial port with null modem roll-over cable to either:
– Serial terminal server
– Computer running terminal emulation
2. VGA monitor
3. USB keyboard
4. Management (Ethernet) port via Telnet or SSH


Logon and Logoff

• At the CLI login prompt, type your user_name and password

login: admin
Password: arbor

Pravail v2.0.0
Copyright (c) 2000-2011 Arbor Networks, Inc.
All Rights Reserved.

admin@demo:/#

• To log off the CLI, type exit

admin@demo:/# exit


CLI Prompt and Modes

user_name@system_name:current_directory{> | #}

• Edit mode
– Command prompt ends with #
– Default for administrator logon
– Allows all configuration
• Disabled mode
– Command prompt ends with >
– Default for non-administrator logon
– Allows read-only access and minimal configuration
– Must switch to edit mode for most configuration
• Type edit then press ENTER to switch


CLI Hierarchy

• CLI commands are arranged in a hierarchical manner
– Similar to a file system directory structure
• Root is represented by a / (slash)
– At log on, the CLI is at root → admin@demo:/#
• To navigate the CLI, type:
– One or more commands to move down the hierarchy
– .. (two periods) to back up one level
– / (slash) to return to root

admin@demo:/# system files
admin@demo:/system/files# ..
admin@demo:/system# ..
admin@demo:/# ip
admin@demo:/ip# interfaces
admin@demo:/ip/interfaces# /
admin@demo:/#


Getting Help in the CLI

• Help is available for all commands and command arguments
– help → lists commands available within a directory

admin@demo:/# help
subcommands:
ip/        IP and network configuration
services/  System services
system/    System configuration

– ? → lists commands available within a directory or the arguments available within a command

admin@demo:/# clock set ?
[MMDDhhmm[[CC]YY][.ss]]


Getting Help in the CLI (Cont.)

– help global → lists commands available from all directories

admin@demo:/# help global

Global commands:
..           Return to previous level menu
/            Return to root level menu
clock        Show or set the system clock
config       Show or save the system configuration
edit         Enter configuration mode
help/?       Show available commands
ping         Ping a network host
ping6        Ping a network host (IPv6)
quit/exit    Exit the command shell
reload       Reload the system
shutdown     Shutdown the system
traceroute   Trace route to a network host
traceroute6  Trace route to a network host (IPv6)
users        Show user login summary


File Management
system files Command

• To view files in a directory:

/ system files directory [disk: | usb: | flash:]

• To copy a file:

/ system files copy source target

The source and target may be given in the following forms; the right-hand column shows whether a form is valid only as the source or as both source and target:

ftp://user:[email protected]:port/file_name          source
ftp://user:password@[aaaa:bbbb::]:port/file_name    source
http[s]://user:[email protected]:port/file_name      source
http[s]://[aaaa:bbbb::]:port/file_name              source
scp://[email protected]:port/file_name               source
scp://user@[aaaa:bbbb::]:port/file_name             source
[disk | flash | usb]:file_name                      both


File Management (Cont.)
system files Command

• Files may also be renamed and deleted

/ system files rename [disk: | usb:] old-name [disk: | usb:] new-name
/ system files delete [disk: | usb:] file-name


System Software

admin@demo:/# system files show
Installed packages:
ArbOS_5.1    ArbOS 5.1 system files (build BHZJ) (arch i686)
Pravail_2.0  Arbor Networks Pravail 2.0 (build BHZJ)

• System ships with software loaded on the flash drive, ready to install
– Contains embedded default Arbor certificate


Pravail APS Installation

• CLI Overview
• Initial Quick Start
• CLI Configuration
• Nominal Operation


Quick Start Card

The basics needed to get Pravail APS running


Quick Start Information

• Collect the information that applies to your appliance and document it on the following worksheet:


Back Panel Layout

• Depending on the specific model purchased, the back panel may look different than this diagram


Protection Ports


Protection Ports (Cont.)


Connecting the Pravail APS


Installing Pravail APS


Installing Pravail APS (Cont.)
Quick Installation Script


Installing Pravail APS (Cont.)

• The quick installation script can only be run once on a Pravail APS after being shipped from Arbor
• Reinstalling software will require configuring with equivalent CLI commands


Pravail APS Installation

• CLI Overview
• Initial Quick Start
• CLI Configuration
• Nominal Operation


A Typical CLI configuration show Command

#
# General system configuration
#
system name set Demo-Pravail-1
system timezone set US/Eastern
system banner set
The EBC has a demo Pravail system!
#
# IP interfaces
#
ip interfaces media 00:E0:ED:1C:20:0A speed 10000 duplex full
ip interfaces media 00:E0:ED:1C:20:0B speed 10000 duplex full
ip interfaces ifconfig 00:15:17:BD:62:64 10.2.24.34 255.255.255.0 up
ip interfaces ifconfig 00:15:17:BD:62:65 172.16.1.34 255.255.255.0 up
#
# IP loopback interfaces
#
#
# Static routes
#
ip route add default 172.16.1.3 00:15:17:BD:62:65
ip route add 10.0.0.0/8 10.2.24.1 00:15:17:BD:62:64
#
# IP access rules
#
ip access add cloudsignal all 0.0.0.0/0
ip access add https all 10.0.0.0/8
ip access add https all 172.16.1.0/24
ip access add ping all 0.0.0.0/0
ip access add ssh all 10.0.0.0/8
ip access add ssh all 172.16.1.0/24
ip access commit
#
# AAA
#
services aaa groups add system_analyst
services aaa groups key add system_analyst conf_show
services aaa groups key add system_analyst conf_write
services aaa groups key add system_analyst login_cli
services aaa groups key add system_analyst sys_file
services aaa local add admin system_admin encrypted $2a$05$DYUnUwztUuEXpIw7yd7.leNnakGlKMBemWHq3QSbRv2Zxbrwh0ZM6
services aaa max_concurrent_logins set unlimited
#
# SSH service
#
services ssh key host set disk:ssh_host.keys
services ssh start
#
# NTP
#
services ntp server set primary 10.2.0.1
services ntp start
#
# External disks
#
#
# Pravail configuration
#
services pravail start


General System Configuration
system Commands

system name set Demo-Pravail-1

• The system name is arbitrary
– Typically a DNS-style host name (e.g., demo) or fully qualified domain name (e.g., demo.arbor.net)
– Not used for inter-device communications in Cloud Signaling or elsewhere

system banner set
The EBC has a demo Pravail system!


Set System Time and Time Zone

system timezone set US/Eastern

• Time zone is one setting for the Pravail APS appliance
– All users share the same time zone
– All log timestamps are in local time → not GMT
– Clock setting should be done in local time

clock set 062210222011

• Clock format is MMDDhhmm[[CC]YY][.ss]
– Good idea to set even when plans are to use NTP
• Time zone and clock can be set only when Pravail services are not running


Configure Interface Media
ip interfaces media Command

ip interfaces media ext0 speed 10000 duplex full
ip interfaces media int0 speed 10000 duplex full
ip interfaces media mgt0 speed 100 duplex full

• Speed and duplex can be set for both management and protection interfaces
– Copper interfaces of both types are 10/100/1000
– Command behavior might change for fiber interfaces
• Speed and duplex might be set automatically during software installation for some interfaces
• Media settings are currently stored according to MAC address but can be set using the interface name


Configure Management Interfaces
ip interfaces Commands

• IP addresses on management interfaces only
– Protection interfaces are layer-2 only

admin@demo:/# ip interfaces ifconfig mgt0 10.2.24.34 255.255.255.0
admin@demo:/# ip interfaces ifconfig mgt1 172.16.1.34 255.255.255.0

• Stored configuration shows MAC addresses instead of interface names
– Intentional to avoid race conditions during startup
• You can view verbose interface configuration information

admin@demo:/# ip interfaces show mgt0
mgt0 Gigabit Ethernet, Interface is UP, mtu 1500
  Hardware: 00:15:17:BD:60:00
  Media: Ethernet autoselect
  Status: 100Mb/s Full
  Inet: 10.2.24.34 netmask 255.255.255.0 broadcast 10.2.24.255
  Inet6: fe80::215:17ff:febd:6000 prefixlen 64
  Input: 172748 pkts, 12473106 bytes, 0 errors
  Output: 9880 pkts, 9278881 bytes, 0 errors, 0 collisions
  Interrupts: 411962


Configure Management Interfaces (Cont.)
ip route Commands

• Configure routes to accessing clients and services
– Optionally specify an interface instead of the next hop address

admin@demo:/# ip route add default 10.10.16.1
admin@demo:/# ip route add 10.0.0.0/8 10.2.24.1

• You can view routing information

admin@demo:/# ip route show
Flags  Destination    Gateway     Interface
UGS    default        10.10.16.1  mgt0
U      10.0.0.0/24    10.2.24.1   mgt0
U      10.2.24.0/24   mgt0        mgt0
U      172.16.1.0/24  mgt1        mgt1
U      fe80::/64      mgt0        mgt0
U      ff00::/8       mgt0        mgt0


Control Management Access
ip access Lists

• Configure the access control list (ACL)

admin@demo:/# ip access add cloudsignal mgt0 10.2.24.0/24
admin@demo:/# ip access add https all 10.0.0.0/8
admin@demo:/# ip access add https all 172.16.1.0/24
admin@demo:/# ip access add ping all 0.0.0.0/0
admin@demo:/# ip access add ssh all 10.0.0.0/8
admin@demo:/# ip access add ssh all 172.16.1.0/24
admin@demo:/# ip access commit

– Pravail APS "cloudsignal" access enables Cloud Signaling heartbeat packets to be received on UDP port 7550 from the Cloud Signaling server


Control Management Access (Cont.)
ip access Command

• View the access control list (ACL)
– Use to verify client access to Pravail APS

admin@demo:/# ip access show
Active IP access rules:
cloudsignal mgt0 10.2.24.0/24
https all 10.0.0.0/8
https all 172.16.1.0/24
ping all 0.0.0.0/0
ssh all 10.0.0.0/8
ssh all 172.16.1.0/24
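
The listing above is what an operator reads to verify client access. As an added example that is not part of this training material or Arbor's code, the following Python parses that listing (reproduced as constructed sample input) and answers whether a given service, arrival interface and client address would be admitted, with a review check for /0 rules on sensitive services. The matching semantics (rule interface must be all or equal to the arrival interface; the client address must fall inside the rule's network) are assumed from the command syntax shown, not taken from product documentation.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, str, Network]

# Constructed sample: the "ip access show" listing from this unit.
# Each rule is: <service> <interface|all> <source cidr>
ACTIVE_RULES_OUTPUT = """\
Active IP access rules:
cloudsignal mgt0 10.2.24.0/24
https all 10.0.0.0/8
https all 172.16.1.0/24
ping all 0.0.0.0/0
ssh all 10.0.0.0/8
ssh all 172.16.1.0/24
"""


def parse_access_rules(text: str) -> List[Rule]:
    """Parse the listing into (service, interface, network) tuples, skipping the header."""
    rules: List[Rule] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # "Active IP access rules:" header or a blank line
        service, iface, cidr = parts
        rules.append((service, iface, ipaddress.ip_network(cidr, strict=False)))
    return rules


def is_permitted(rules: List[Rule], service: str, iface: str, client_ip: str) -> bool:
    """True if an active rule admits `service` arriving on `iface` from `client_ip`.

    Assumed semantics: the rule interface is 'all' or equals the arrival
    interface, and the client address lies inside the rule's network.
    """
    addr = ipaddress.ip_address(client_ip)
    for rule_service, rule_iface, net in rules:
        if rule_service != service:
            continue
        if rule_iface not in ("all", iface):
            continue
        if addr.version == net.version and addr in net:
            return True
    return False


def world_reachable(rules: List[Rule], sensitive=("https", "ssh")) -> List[str]:
    """Review helper: sensitive services that any source may reach (a /0 rule)."""
    return sorted({svc for svc, _, net in rules if svc in sensitive and net.prefixlen == 0})


if __name__ == "__main__":
    active = parse_access_rules(ACTIVE_RULES_OUTPUT)
    for svc, iface, ip in [("ssh", "mgt0", "10.2.24.50"), ("ssh", "mgt0", "192.0.2.7"),
                           ("cloudsignal", "mgt1", "10.2.24.9")]:
        verdict = "allowed" if is_permitted(active, svc, iface, ip) else "denied"
        print(f"{svc:12s} on {iface} from {ip:12s}: {verdict}")
    print("world-reachable sensitive services:", world_reachable(active))
```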


Change Administrator Password
services aaa local Command

admin@demo:/# services aaa local password admin interactive
Changing password for user admin.
New password:
Re-enter new password:
Password changed
passwd: all authentication tokens updated successfully.

• Always a good idea to change the admin password before starting Pravail APS (to avoid forgetting later)
• Adding other users is easier in the Web UI but could be done in the CLI


Secure SHell Configuration
services ssh Command

admin@demo:/# services ssh key generate
Generating new SSH host key file.......................done.
admin@demo:/# services ssh key host set default
admin@demo:/# services ssh start
admin@demo:/#

• If the services ssh key generate command is skipped
– The services ssh key host set default command will prompt to generate a key
• Default filename is ssh_host.keys


Check for an Installed Pravail License

• If you see this, you need to install a license:

admin@demo:/# system license show
No licenses are set

• If you see this, the license is already installed:

admin@demo:/# system license show
Product: Pravail
Model: PRA-APS-2108
Expires: Never
Key: P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR


Install a Pravail License

• A Pravail APS license is …
– Located on the chassis label
– Or, obtained from the ATAC
• Copy-paste the command in the ATAC message into the CLI

admin@demo:/# system license set Pravail "PRA-APS-2108" P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR

– Note: License string is all uppercase

admin@demo:/# system license show
Product: Pravail
Model: PRA-APS-2108
Expires: Never
Key: P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR


Pravail Service Commands
services pravail Command

• Initialize database
• Set language
• Set deployment mode
• Start Pravail services
• Stop Pravail services

admin@demo:/# services pravail ?
Subcommands:
database  Initialize or reinitialize the database
language  Configure the language used in the UI
mode      Switch between Pravail deployment modes
show      Show Pravail status
start     Start Pravail services
stop      Stop Pravail services


Initialize Pravail Service Database
services pravail database Command

admin@demo:/# services pravail database ?
initialize
admin@demo:/# services pravail database initialize
admin@demo:/#

(No confirmation is requested here because the database did not yet exist.)

• Database initialization is required
– Creates or resets Pravail databases
– Any existing Pravail data is erased
• Any Web UI-only configuration is erased
– Any configuration that appears in the CLI is retained
• This command removes all customer remnants from the Web UI after a trial
– CLI logs will still be there


Initialize Pravail Service Database (Cont.)
services pravail database Command

• If databases already exist from a previous deployment, Pravail will not proceed silently
– Requires two confirmations from the user
– Prints progress messages

admin@demo:/# services pravail database initialize
Databases already exist, reinitializing will destroy them.
Do you wish to proceed? [n] y
Try again: Enter one of [n|y]
Answer again to proceed [n] y

Removing old databases... done
Building all databases... done
Adding default database settings... done


Set Web UI Language
services pravail language Command

• Web UI display language is set using two-letter language codes (ISO 639-1)

admin@demo:/# services pravail language set ?
en (English)
ja (Japanese)
ko (Korean)
ru (Russian)
zh (Mandarin)
admin@demo:/# services pravail language set ru

• Language selection affects most UI text and should affect all notifications
– CLI remains in English
• Language defaults to English if not set


Set Web UI Language (Cont.)
services pravail language Command

• Language setting is shown in that language

admin@demo:/# services pravail language set ja
admin@demo:/# services pravail language show
Language:
admin@demo:/# services pravail language set ko
admin@demo:/# services pravail language show
Language: 한국어
admin@demo:/# services pravail language set ru
admin@demo:/# services pravail language show
Language: Русский
admin@demo:/# services pravail language set zh
admin@demo:/# services pravail language show
Language:


Set Web UI Language (Cont.)
services pravail language Command

• Most graphics are translated
• English remnants remain in the default configuration, the change log and branding


Set Pravail APS Deployment Mode
services pravail mode Command

admin@demo:/# services pravail mode show
Deployment mode: inline
admin@demo:/# services pravail mode set ?
inline
monitor
admin@demo:/# services pravail mode set monitor
admin@demo:/#

• Determines whether Pravail forwards any traffic
– Inline forwards, Monitor does not forward
• Can be changed on a running system
– Normally set at setup and not changed
• Setting appears as an icon at the top of the Web UI


Other CLI Commands

Things we didn't configure in the CLI but could have:

• DNS and NTP services
– Can be set in the CLI, but setting in the Web UI is easier
• AAA maximum_concurrent_logins
– Setting is only in the CLI
– Default is "unlimited"
– Can be set to any number if user load is a concern
• User Accounts


Setting Login Authentication Method
services aaa method Command

• Three methods supported
– Local (default)
– TACACS+
– RADIUS
• May specify multiple methods and the order in which methods are applied

/ services aaa method set [local | radius | tacacs]

• User authentication tries each method in the order listed until one succeeds or they all fail
– Enabling exclusive authentication stops searching when any method fails

/ services aaa method exclusive [enable | disable]

– A method is always skipped if its server does not respond or is unreachable on the network


Configuring RADIUS
services aaa radius Command

• Configure primary server and optional backup server
– Tries to connect to the primary first, then the backup if the primary cannot be reached

/ services aaa radius server set [primary | backup] ip_address [encrypted | unencrypted] secret port

– Specify the number of times to retry the connection if the first attempt fails

/ services aaa radius retries set number

• Default is 2 retries

– Specify the length of time to wait for each connection attempt

/ services aaa radius timeout set number

• Default is 2 seconds

Configuring TACACS+
services aaa tacacs Command

• Configure primary server and optional backup server
– Tries to connect to the primary server first, then the backup server if the primary cannot be reached

/ services aaa tacacs server set [primary | backup] ip_address port [encrypted | unencrypted] secret

– Specify the length of time to wait for each connection attempt

/ services aaa tacacs timeout set number

• Default is 2 seconds


User Groups

• Organize Pravail APS users by level of system access
– Authorization keys associated with a group determine the level of system access
– Users are assigned to a group through their user account
– Configuring user accounts is done in the Web UI
• Predefined (immutable) groups
– system_admin → read and write access to all pages of the Web UI and run all CLI commands
– system_none → no access to the Web UI nor the CLI
– system_user → read-only access to most Web UI pages but can edit their own user account; run limited CLI commands to view status
• Custom user groups can be defined by administrators


Default User Group

• Used in conjunction with the TACACS+ and RADIUS AAA authentication methods
– Defaults to system_user
• If the remote AAA server authenticates the user name and password but returns no Pravail APS user group, the default user group is used
• If the default user group is left as system_user, the user has access to view Pravail APS operation
• Recommended to set to system_none

/ services aaa groups default set group_name

– Valid Pravail APS users must then have a user group properly configured on the remote AAA server
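
To make the method ordering, exclusive mode and unreachable-server skip from Setting Login Authentication Method, together with the default-group fallback on this slide, concrete, here is an added Python model; it is not Pravail's code. The local and remote method behaviour, the accounts and the abridged key list for system_admin are constructed assumptions; the system_user and system_none keys follow the services aaa groups show output in this unit.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the login behaviour this unit describes; not Pravail's code.
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"
Method = Callable[[str, str], Tuple[str, Optional[str]]]  # (user, pw) -> (outcome, group)

# Authorization keys per predefined group. system_user and system_none follow the
# "services aaa groups show" output in this unit; the system_admin list is abridged.
GROUP_KEYS: Dict[str, List[str]] = {
    "system_admin": ["clock", "conf_imp", "conf_show", "conf_write", "login_cli",
                     "login_ui", "view_changelog", "view_pg"],
    "system_none": [],
    "system_user": ["conf_show", "login_cli", "login_ui", "view_pg"],
}


def authenticate(order: List[str], methods: Dict[str, Method], exclusive: bool,
                 default_group: str, user: str, password: str) -> Tuple[bool, Optional[str]]:
    """Try the methods in the order given to 'services aaa method set'.

    An unreachable server is always skipped; a reject ends the search only when
    exclusive authentication is enabled; a remote accept that carries no Pravail
    user group falls back to the configured default group.
    """
    for name in order:
        outcome, group = methods[name](user, password)
        if outcome == UNREACHABLE:
            continue
        if outcome == ACCEPT:
            return True, group or default_group
        if exclusive:  # a reject stops the search in exclusive mode
            return False, None
    return False, None


def has_key(group: Optional[str], key: str) -> bool:
    """Authorization check against the effective group of a completed login."""
    return group is not None and key in GROUP_KEYS.get(group, [])


def local_method(user: str, password: str) -> Tuple[str, Optional[str]]:
    """Constructed local account store holding the demo admin account."""
    accounts = {"admin": ("arbor", "system_admin")}
    if user in accounts and accounts[user][0] == password:
        return ACCEPT, accounts[user][1]
    return REJECT, None


def make_remote(reachable: bool, accounts: Dict[str, Tuple[str, Optional[str]]]) -> Method:
    """Constructed RADIUS/TACACS+ stand-in; group is None when the server returns none."""
    def remote(user: str, password: str) -> Tuple[str, Optional[str]]:
        if not reachable:
            return UNREACHABLE, None
        if user in accounts and accounts[user][0] == password:
            return ACCEPT, accounts[user][1]
        return REJECT, None
    return remote


if __name__ == "__main__":
    methods = {"radius": make_remote(True, {"alice": ("s3cret", None)}), "local": local_method}
    for default in ("system_user", "system_none"):
        ok, group = authenticate(["radius", "local"], methods, False, default, "alice", "s3cret")
        print(f"default={default}: alice ok={ok} group={group} "
              f"cli={has_key(group, 'login_cli')} ui={has_key(group, 'login_ui')}")
```

With the default left at system_user, a remotely authenticated user whose server returns no group can log in to the CLI and Web UI; with system_none the same login completes but carries no authorization keys.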


Custom User Groups
services aaa groups Command

• Create a new user group

/ services aaa groups add name

– Alternatively, copy an existing user group

/ services aaa groups copy existing_name new_name

• Customize the authorization keys for a user group

/ services aaa groups key [add | delete] name key

– Must be repeated per key
• User groups may also be deleted when no longer needed and not assigned to any user

/ services aaa groups delete name


Custom User Groups (Cont.)
services aaa groups Command

• To view group authorization keys:

/ services aaa groups show [name]

admin@demo:/# services aaa groups show
Group system_admin (immutable):
clock           Set the system clock
conf_imp        Import a configuration from disk
conf_show       Show running or saved configuration
conf_write      Save the running configuration or export to disk
[output omitted]
view_changelog  View System Change Log
view_pg         View Protection Groups
Group system_none (immutable):
Group system_user (immutable):
conf_show       Show running or saved configuration
login_cli       Access to the CLI environment
login_ui        Access to the Web Interface
view_pg         View Protection Groups
Default group: system_user (default)


Start Pravail Service
services pravail start Command

admin@demo:/# services pravail start
Starting Pravail services..................done.
admin@demo:/# services pravail show
Pravail state: started
admin@demo:/#


Save Pravail APS Configuration

• Configuration changes must be saved manually

admin@demo:/# config write

• If not saved, they will be lost on the next appliance reload


Pravail APS Installation

• CLI Overview
• Initial Quick Start
• CLI Configuration
• Nominal Operation


Disk Status

• View disk status
– Used space should be < 80%
– A State of Optimal and every drive Online indicate a normal RAID state and status

admin@demo:/# system disk show
Filesystem status:
Filesystem  Size/Used        Inodes/Used
boot        471M/115M (26%)  124928/60 (1%)
data        76G/1.4G (2%)    1247232/68449 (6%)
system      7.4G/846M (12%)  979200/39599 (5%)
RAID volume 0,0 status:
Controller status:
Type: Intel(R) RAID Controller SROMBSASBN
Volume status:
RAID Level: Primary-1, Secondary-0, RAID Level Qualifier-0
Size:113487MB
State: Optimal
Stripe Size: 64kB
Number Of Drives:2
Span Depth:1
Default Cache Policy: WriteThrough ReadAdaptive Direct
Current Cache Policy: WriteThrough ReadAdaptive Direct
Access Policy: Read/Write
Disk Cache Policy: Disabled
Disk  Size      Status
1:0   114473MB  Online
1:1   114473MB  Online
External disks:

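An added example (not Arbor's code) that parses the system disk show output above, reproduced as constructed sample text, and applies the checks this slide calls out: used space below 80 percent, RAID state Optimal and every drive Online. The line patterns are assumed from this one sample and would need adjusting for other controller types.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the "system disk show" output from this unit.
HEALTHY_OUTPUT = """\
Filesystem status:
Filesystem Size/Used Inodes/Used
boot 471M/115M (26%) 124928/60 (1%)
data 76G/1.4G (2%) 1247232/68449 (6%)
system 7.4G/846M (12%) 979200/39599 (5%)
RAID volume 0,0 status:
Controller status:
Type: Intel(R) RAID Controller SROMBSASBN
Volume status:
RAID Level: Primary-1, Secondary-0, RAID Level Qualifier-0
Size:113487MB
State: Optimal
Stripe Size: 64kB
Number Of Drives:2
Span Depth:1
Disk Size Status
1:0 114473MB Online
1:1 114473MB Online
External disks:
"""

# Line shapes assumed from the sample above: filesystem row, RAID state, drive row.
FS_RE = re.compile(r"^(\w+)\s+\S+/\S+\s+\((\d+)%\)\s+\S+/\S+\s+\((\d+)%\)$")
STATE_RE = re.compile(r"^State:\s*(\w+)")
DRIVE_RE = re.compile(r"^(\d+:\d+)\s+\S+\s+(\w+)$")


def parse_disk_show(text: str) -> Dict[str, Any]:
    """Extract per-filesystem usage, the RAID volume state and each drive's status."""
    parsed: Dict[str, Any] = {"filesystems": {}, "raid_state": None, "drives": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FS_RE.match(line):
            parsed["filesystems"][m.group(1)] = {"used_pct": int(m.group(2)),
                                                 "inode_pct": int(m.group(3))}
        elif m := STATE_RE.match(line):
            parsed["raid_state"] = m.group(1)
        elif m := DRIVE_RE.match(line):
            parsed["drives"][m.group(1)] = m.group(2)
    return parsed


def check_health(parsed: Dict[str, Any], max_used_pct: int = 80) -> List[str]:
    """Findings for the unit's checks: used space < 80%, RAID Optimal, drives Online."""
    findings: List[str] = []
    for name, usage in parsed["filesystems"].items():
        if usage["used_pct"] >= max_used_pct:
            findings.append(f"filesystem {name} is {usage['used_pct']}% used "
                            f"(limit {max_used_pct}%)")
    if parsed["raid_state"] != "Optimal":
        findings.append(f"RAID volume state is {parsed['raid_state']}, expected Optimal")
    for drive, status in parsed["drives"].items():
        if status != "Online":
            findings.append(f"drive {drive} is {status}, expected Online")
    return findings


if __name__ == "__main__":
    for finding in check_health(parse_disk_show(HEALTHY_OUTPUT)) or ["disk status OK"]:
        print(finding)
```
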
Welcome to Pravail

Connect to the Web UI: https://10.10.16.29/

• The ultimate test of whether the CLI configuration is OK


Protocol and Port Usage

[Diagram: Pravail APS shown in logical and physical views, with the mgt port for out-of-band management, the ext port toward the ISP and the int port toward the data center network. Protocols labelled in the diagram: DNS, FTP, HTTP, AIF (HTTPS), NTP, RADIUS, TACACS+, SMTP, Syslog, Ping, SCP, SNMP, SSH, Telnet, and Cloud Signaling (HTTPS) toward the Internet.]


Protocol and Port Usage (Cont.)

Services               Port    Protocol  Direction
Cloud Signaling        7550    UDP       Pravail APS → Cloud Signaling server
                                         Cloud Signaling server → Pravail APS
DNS                    53      UDP       Pravail APS → DNS server
FTP                    20-21   TCP       Pravail APS → FTP server
HTTP                   80 *    TCP       Pravail APS → Web server
HTTPS                  443     TCP       Pravail APS → Cloud Signaling server
                                         Pravail APS → aif.arbor.net
                                         User workstation → Pravail APS
NTP                    123     UDP       Pravail APS → NTP server
ping                   n/a     ICMP      Pravail APS ↔ target
RADIUS authentication  1812 *  UDP       Pravail APS → RADIUS server
RADIUS accounting      1813 *  UDP       Pravail APS → RADIUS server
SCP over SSH           22 *    TCP       Pravail APS → SSH host
SMTP                   25      TCP       Pravail APS → SMTP server
SNMP                   161     UDP       SNMP monitoring agent → Pravail APS
SNMP                   162     UDP       Pravail APS → SNMP trap collector
SSH                    22      TCP       Workstation → Pravail APS
Syslog                 514 *   UDP       Pravail APS → Syslog collector
TACACS+                49      TCP/UDP   Pravail APS → TACACS+ server
Telnet                 23      TCP       Workstation → Pravail APS

* Port number is configurable
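
The table above is the baseline for the management-plane traffic an appliance should produce and receive. As an added example (not part of this training material or Arbor's code), the following Python encodes that table at the default port numbers and classifies constructed firewall log lines for the demo appliance's management addresses, flagging flows outside the matrix; the log line format and the sample addresses are assumptions, and the entries marked configurable are checked at their defaults.

```python
from typing import Dict, List, Set, Tuple

# Management addresses of the demo appliance in this unit (mgt0 and mgt1).
APPLIANCE_IPS = {"10.2.24.34", "172.16.1.34"}

# Expected (protocol, port) pairs from the port-usage table, keyed by direction
# relative to the appliance. Configurable ports are listed at their defaults.
EXPECTED: Dict[str, Set[Tuple[str, int]]] = {
    "outbound": {("udp", 7550), ("udp", 53), ("tcp", 20), ("tcp", 21), ("tcp", 80),
                 ("tcp", 443), ("udp", 123), ("udp", 1812), ("udp", 1813), ("tcp", 22),
                 ("tcp", 25), ("udp", 162), ("udp", 514), ("tcp", 49), ("udp", 49)},
    "inbound": {("udp", 7550), ("tcp", 443), ("udp", 161), ("tcp", 22), ("tcp", 23)},
}

# Constructed firewall log lines (not a real product format):
# <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2011-06-22T10:22:01 udp 10.2.24.34:49152 -> 10.2.0.1:123
2011-06-22T10:22:05 tcp 10.2.24.77:51000 -> 10.2.24.34:443
2011-06-22T10:22:09 icmp 10.2.24.34:0 -> 10.2.0.1:0
2011-06-22T10:22:13 tcp 10.2.24.34:51001 -> 203.0.113.9:8443
2011-06-22T10:22:20 tcp 172.16.1.9:33000 -> 172.16.1.34:3389
2011-06-22T10:22:25 udp 10.2.24.34:514 -> 10.2.0.5:514
"""


def classify(line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one log line: expected, unexpected or unrelated."""
    _, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    if proto == "icmp":
        # ping is bidirectional in the table and ICMP carries no port
        related = bool(APPLIANCE_IPS & {src_ip, dst_ip})
        return ("expected", "icmp") if related else ("unrelated", "")
    if src_ip in APPLIANCE_IPS:
        direction = "outbound"
    elif dst_ip in APPLIANCE_IPS:
        direction = "inbound"
    else:
        return "unrelated", ""
    key = (proto, int(dst_port))
    if key in EXPECTED[direction]:
        return "expected", f"{direction} {proto}/{dst_port}"
    return "unexpected", f"{direction} {proto}/{dst_port} is not in the port-usage table"


def unexpected_flows(log_text: str) -> List[str]:
    """Log lines that fall outside the documented protocol/port matrix."""
    return [line for line in log_text.splitlines()
            if line and classify(line)[0] == "unexpected"]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        verdict, reason = classify(line)
        print(f"{verdict:10s} {line}  {reason}")
```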

