5.8. Configuring the BOF with the CLI

This section describes how to configure boot options file (BOF) parameters with the CLI.

5.9. BOF Configuration Overview

The 7705 SAR routers do not contain a boot EEPROM. The boot loader code is loaded from the boot.ldr file. The BOF file performs the following tasks:

  1. Sets up the CSM Management port (speed, duplex, auto)
  2. Assigns the IP address for the CSM Management port
  3. Creates static routes for the CSM Management port
  4. Sets the console port speed
  5. Configures the Domain Name System (DNS) name and DNS servers
  6. Configures the primary, secondary, and tertiary configuration source
  7. Configures the primary, secondary, and tertiary image source
  8. Configures operational parameters
    Note:

    The CSM Management port is referred to as the CPM Management port in the CLI to align with the CLI syntax used with other SR products.

5.10. Basic BOF Configuration

The BOF contains the parameters that specify the location of the image file that the router will try to boot from and the location of the configuration file.

The most basic BOF configuration should have the following:

  1. primary address
  2. primary image location
  3. primary configuration location

The following example shows a basic BOF configuration.

A:ALU-1# show bof
===============================================================================
BOF (Memory)
===============================================================================
    primary-image    ftp://*:*@xxx.xxx.xxx.xx/home/csahwreg17/images/both.tim
    primary-config   ftp://*:*@xxx.xxx.xxx.xx/home/csahwreg17/images/dut-a.cfg
    address          xxx.xxx.xxx.xx/24 active
    address          xxx.xxx.xxx.xx/24 standby
    primary-dns      xxx.xxx.xxx.xx
    dns-domain       labs.ca.alcatel-lucent.com
    static-route     xxx.xxx.0.0/16 next-hop xxx.xxx.xxx.x
    autonegotiate
    duplex           full
    speed            100
    wait             3
    persist          off  
    FIPS-140-2         
    console-speed    115200
===============================================================================
A:ALU-1#

5.11. Configuring BOF Parameters

Use the CLI syntax displayed below to configure BOF parameters:

CLI Syntax:
bof
    address ip-prefix/ip-prefix-length [active | standby]
    auto-discover
    autonegotiate
    console-speed baud-rate
    dns-domain dns-name
    duplex {full | half}
    encrypt {on | off}
    encryption-key key
    fips-140-2
    password password
    persist {on | off}
    primary-config file-url
    primary-dns ip-address
    primary-image file-url
    save [cflash-id]
    secondary-config file-url
    secondary-dns ip-address
    secondary-image file-url
    speed speed
    static-route ip-prefix/ip-prefix-length next-hop ip-address
    tertiary-config file-url
    tertiary-dns ip-address
    tertiary-image file-url
    wait seconds

The following example displays BOF command usage:

Example:
ALU-1# bof
ALU-1>bof# address 10.10.10.103/8 active
ALU-1>bof# dns-domain ca.alcatel.com
ALU-1>bof# duplex full
ALU-1>bof# encrypt on
ALU-1>bof# encryption-key hashed
ALU-1>bof# fips-140-2
ALU-1>bof# password hashed
ALU-1>bof# persist on
ALU-1>bof# wait 3
ALU-1>bof# primary-image cf3:\TIMOS.5.0.R0
ALU-1>bof# primary-config cf3:\test123.cfg
ALU-1>bof# primary-dns 10.10.10.103
ALU-1>bof# save cf3:
A:ALU-1# show bof
===============================================================================
BOF (Memory)
===============================================================================
    primary-image    ftp://*:*@192.168.192.64/cephwreg10/images/both.tim
    primary-config   ftp://*:*@192.168.192.64/cephwreg10/images/dut-a.cfg
    encryption-key   *
    password         *
    address          xxx.xxx.xxx.xx/24 active
    primary-dns      138.120.252.55
    secondary-dns    138.120.252.48
    tertiary-dns     138.120.252.49
    dns-domain       labs.ca.alcatel-lucent.com
    static-route     135.121.0.0/16 next-hop 192.168.192.63
    static-route     138.120.0.0/16 next-hop 192.168.192.63
    static-route     152.148.0.0/16 next-hop 192.168.192.63
    autonegotiate
    duplex           full
    speed            100
    wait             4
    persist          off  
    no fips-140-2         
    console-speed    115200
    encrypt          on
===============================================================================
A:ALU-1#

5.12. Configuring BOF Encryption

Use the following CLI syntax to enable encryption of the BOF (bof.cfg) using the AES256 cipher algorithm.

CLI Syntax:
bof
    encrypt on

After the BOF is encrypted, it can still be modified using the BOF interactive menu. Access to the BOF interactive menu is controlled using a password.

Use the following syntax to set the interactive menu password.

CLI Syntax:
bof
    password password [hash | hash2]

The password can be in one of the following formats:

  1. a plaintext string between 8 and 32 characters; the plaintext string cannot contain embedded nulls or end with “hash” or “hash2”
  2. a hashed string between 1 and 64 characters; the selected hashing scheme can be hash or hash2
    Note:

    The hash2 encryption scheme is node-specific and the password cannot be transferred between nodes.

After the password is set, editing of the BOF during a boot process is allowed only if the password is entered correctly (the boot process can be interrupted in order to make BOF changes). If the password is not entered correctly within 30 s, the node reboots whether the BOF is encrypted or not. This adds an additional layer of security that ensures that the BOF is not exposed to any unauthorized user. After the system is booted, changes can be made to the BOF without entering the password.

Note:

After BOF encryption is configured, use the bof save command to save the encrypted file.

5.13. Configuring Configuration File Encryption

Use the following syntax to set the configuration file encryption key using the AES256 cipher algorithm. This key is used for all configuration files (primary, secondary, and tertiary).

CLI Syntax:
bof
    encryption-key key [hash | hash2]

The encryption key can be in one of the following formats:

  1. a plaintext string between 8 and 32 characters; the plaintext string cannot contain embedded nulls or end with “hash” or “hash2”
  2. a hashed string between 1 and 64 characters; the selected hashing scheme can be hash or hash2
Note:

  1. The hash2 encryption scheme is node-specific and the key cannot be transferred between nodes.
  2. After creating the encryption key, use the admin save command to save the encrypted configuration file.
  3. If the admin rollback save command is used, the rollback files are also encrypted.
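
The following check is an added example, not part of the product documentation: it parses `show bof` output in the layout shown in sections 5.10 and 5.11 and reports which of the protections from sections 5.12 and 5.13 are absent, plus any image or configuration source fetched over FTP. The function names and the sample output are constructed for illustration, and treating a missing `encrypt`, `password`, or `encryption-key` line as "not configured" is an assumption about how the node prints the BOF.

```python
import re

# Constructed sample in the `show bof` layout of sections 5.10/5.11 (documentation-range address).
SAMPLE = """\
A:ALU-1# show bof
===============================================================================
BOF (Memory)
===============================================================================
    primary-image    ftp://*:*@192.0.2.10/images/both.tim
    primary-config   cf3:\\test123.cfg
    password         *
    no fips-140-2
===============================================================================
A:ALU-1#
"""

def parse_show_bof(text):
    """Return {parameter: [values]}; repeated parameters keep every value."""
    bof = {}
    for line in text.splitlines():
        words = line.split()
        # Skip blanks, rulers, the "BOF (Memory)" title and CLI prompts.
        if not words or words[0].startswith(("=", "BOF")) or "#" in words[0]:
            continue
        if words[0] == "no" and len(words) > 1:  # e.g. "no fips-140-2"
            key, value = words[1], "off"
        else:  # a bare flag such as "autonegotiate" is recorded as "on"
            key, value = words[0], " ".join(words[1:]) or "on"
        bof.setdefault(key.lower(), []).append(value)
    return bof

def audit_bof(bof):
    """Findings for the protections described in sections 5.12 and 5.13."""
    findings = []
    if bof.get("encrypt", ["off"])[-1] != "on":
        findings.append("encrypt is not on: bof.cfg is stored unencrypted")
    if "password" not in bof:
        findings.append("no password: boot-time BOF edits are not password-gated")
    if "encryption-key" not in bof:
        findings.append("no encryption-key: configuration files are not encrypted")
    for key, values in bof.items():
        if re.fullmatch(r"(primary|secondary|tertiary)-(image|config)", key):
            findings += [f"{key} uses FTP: no transport encryption"
                         for url in values if url.lower().startswith("ftp://")]
    return findings

if __name__ == "__main__":
    for finding in audit_bof(parse_show_bof(SAMPLE)):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports the missing `encrypt on`, the missing `encryption-key`, and the FTP image source; the `password` line suppresses the boot-menu finding.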

5.14. Service Management Tasks

This section describes system administration commands.

5.14.1. System Administration Commands

Use the following administrative commands to perform management tasks.

CLI Syntax:
admin
    display-config
    reboot [active | standby | upgrade] [now]
    save [file-url] [detail] [index]

5.14.1.1. Viewing the Current Configuration

Use the following CLI command to display the current configuration. The detail option displays all default values. The index option displays only the persistent indexes.

CLI Syntax:
admin display-config [detail | index]

The following displays an example of a configuration file:

A:ALU-1# admin display-config
# TiMOS-B-0.0.R3 both/hops NOKIA SAR 7705 
# Copyright (c) 2018 Nokia. 
# All rights reserved. All use subject to applicable license agreements.
# Built on Wed Jan 17 01:05:13 EST 2016 by csabuild in /re8.0/I297/panos/main
 
# Generated THU JAN 18 21:21:21 2018 UTC
 
exit all
configure
#--------------------------------------------------
echo "System Configuration"
#--------------------------------------------------
    system
        name "ALU-1"
exit
        login-control
            idle-timeout disable
            pre-login-message "CSAxxx - 7705" name
        exit
        time
            sntp
                server-address 192.0.2.37 preferred
                server-address 192.0.2.200
                no shutdown
            exit
            zone EST
        exit
        thresholds
            rmon
            exit
        exit
    exit
#--------------------------------------------------
echo "System Security Configuration"
#--------------------------------------------------
    system
        security 
            telnet-server
            ftp-server
            snmp
    exit
...exit all
 
# Finished THU JAN 17 21:57:11 2016 UTC
A:ALU-1# 

5.14.1.2. Modifying or Deleting BOF Parameters

You can modify or delete BOF parameters. The no form of these commands removes the parameter from configuration. The changes remain in effect only during the current power cycle unless a save command is executed. Changes are lost if the system is powered down or the router is rebooted without saving.

Caution:

All BOF parameters can be configured, modified, or deleted locally through a console session or remotely using Telnet or SSH. However, when modifying or deleting the BOF address, the following behaviors must be considered.

  1. If you have a dual IPv4/IPv6 BOF address configuration and you are running a Telnet IPv6 session or an SSH session, changing or deleting the active IPv4 address will not affect the session.
  2. If you have a dual IPv4/IPv6 BOF address configuration and you are running a Telnet IPv4 session or an SSH session, changing or deleting the active IPv6 address will not affect the session.
  3. If you have a dual IPv4/IPv6 BOF address configuration and you change or delete the active IP address that is the same version as the session (for example, you delete the active IPv4 address while running a Telnet IPv4 session), the session will hang once the change executes, and CLI access will be lost. You can either close the session (if possible) or wait until it times out. You must start a new session, using the new or existing active BOF address, to regain CLI access.
  4. If there is only one active BOF address on the port (that is, not the dual IPv4/IPv6 configuration), and it is deleted through a Telnet or SSH session, the session will hang and CLI access will be lost. You must use a directly connected console session to create a new BOF address. It is strongly recommended that you do not delete a single active BOF address through Telnet or SSH.

Use the following CLI syntax to remove BOF configuration parameters:

CLI Syntax:
bof#
    no address ip-prefix/ip-prefix-length [active | standby]
    no autonegotiate
    no console-speed
    no dns-domain
    encrypt off
    no encryption-key
    no password
    no primary-config
    no primary-dns
    no primary-image
    no secondary-config
    no secondary-dns
    no secondary-image
    no static-route ip-prefix/ip-prefix-length next-hop ip-address
    no tertiary-config
    no tertiary-dns
    no tertiary-image

CLI Syntax:
bof
    save [cflash-id]
Example:
ALU-1# bof
ALU-1>bof# save cf3:
ALU-1>bof#

5.14.1.3. Saving a Configuration

If you modify a configuration file, the changes remain in effect only during the current power cycle unless a save command is executed. Changes are lost if the system is powered down or the router is rebooted without saving.

  1. Specify the file URL location to save the running configuration. If a destination is not specified, the files are saved to the location where the files were found for that boot sequence. The same configuration can be saved with different filenames to the same location or to different locations.
  2. The detail option adds the default parameters to the saved configuration.
  3. The index option forces a save of the index file.

Use either of the following CLI syntaxes to save a configuration:

CLI Syntax:
bof
    save [cflash-id]
Example:
ALU-1# bof
ALU-1>bof# save cf3:
ALU-1>bof#
CLI Syntax:
admin save [file-url] [detail] [index]
Example:
ALU-1# admin save cf3:\test123.cfg
Saving config.# Saved to cf3:\test123.cfg
... complete
ALU-1#
Note:

  1. If the persist option is enabled and the admin save file-url command is executed with an FTP path used as the file-url parameter, two FTP sessions simultaneously open to the FTP server. The FTP server must be configured to allow multiple sessions from the same login; otherwise, the configuration and index files will not be saved correctly.
  2. If BOF encryption is on, the contents of the BOF will be encrypted and unreadable when saved.

5.14.1.4. Saving a Configuration to a Different Filename

Save the current configuration with a unique filename to have additional backup copies and to edit parameters with a text editor. You can save your current configuration to an ASCII file.

Use either of the following CLI syntaxes to save a configuration to a different location:

CLI Syntax:
bof
    save [cflash-id]
Example:
ALU-1# bof
ALU-1>bof# save cf3:
ALU-1>bof#

or

CLI Syntax:
admin save [file-url] [detail] [index]
Example:
ALU-1>admin save cf3:\testABC.cfg
Saving config.# Saved to cf3:\testABC.cfg
... complete
ALU-1#

5.14.1.5. Rebooting

When an admin>reboot command is issued, routers with redundant CSMs are rebooted. Changes are lost unless the configuration is saved. Use the admin>save file-url command to save the current configuration. If no command line options are specified, the user is prompted to confirm the reboot operation.

Use the following CLI syntax to reboot:

CLI Syntax:
admin
    reboot [active | standby] [now]
Example:
ALU-1>admin# reboot
A:DutA>admin# reboot
Are you sure you want to reboot (y/n)? y
Resetting...OK
Nokia 7705 Boot ROM. Copyright 2016
Nokia.
All rights reserved. All use is subject to applicable
license agreements.
....