
Avaya Aura®

Out of Band Management

Out of Band Management is defined as a physical or logical separation of user and management traffic, either onto different VLANs or onto different physical interfaces of the server, for increased security of the system. Only administrators can gain access to the management interfaces, and only from a specific network; users of the system cannot gain access to them. This prevents unauthorized logins from the user network to the applications.

Only the ports and servers that are required for user functions are exposed to the user network. Management interfaces are exposed to the management network. In an Out of Band Management setup, an administrator username and password are not sufficient to gain access to the system: the login attempt must also originate from a host that can reach the Out of Band Management network.

When out of band management is enabled, Avaya Aura® applications run:

• User services on one network interface. For example, IP phone registration, user configuration, and media traffic

• Management services on another network interface. For example, administration webpages, SSH connections, and management traffic from System Manager.

The following Avaya Aura® applications support Out of Band Management starting in Release 7.0:

• Communication Manager

• Session Manager

• System Manager

• Application Enablement Services

• Avaya Breeze™ with Presence

• Appliance Virtualization Platform

• SAL

• Utility Services

• Branch Session Manager

• WebLM

Avaya Aura® Media Server and Avaya Diagnostic Server do not support the Out of Band Management feature.

Appliance Virtualization Platform Out of Band Management

Overview

When you install Appliance Virtualization Platform, the public network of virtual machines is assigned to vmnic0 or Server Ethernet port 1 of the server.

In the installation spreadsheet, if Out of Band Management is:

• Disabled: The public and management interfaces of virtual machines are assigned on the public network. Assign public and management interfaces of virtual machines on the same network.

• Enabled: The public interfaces of virtual machines are assigned to vmnic0 or Server Ethernet port 1, and the Out of Band Management interfaces are assigned to vmnic2 or Server Ethernet port 3. Assign separate network ranges to the public and management interfaces of virtual machines. The management port must be given an appropriate IP address of the public and Out of Band Management network.

Note:

All virtual machines on an Out of Band Management enabled Appliance Virtualization Platform host must support and implement Out of Band Management.

When Out of Band Management is:

• Disabled: The management port of Appliance Virtualization Platform is assigned to the public interface.

• Enabled: The management port of Appliance Virtualization Platform is assigned to the Out of Band Management network.

The vmnic1 or Server Ethernet port 2 of the server is assigned to the services port. The hypervisor is 192.168.13.6 on the services port network (VMNIC1 or eth1).

After the Utility Services OVA is deployed, use an SSH client on your computer to gain access to the Utility Services shell from the services port with the following:

• IP address: 192.11.13.5 or 192.11.13.30

• Gateway: 192.11.13.6

Common servers

When Appliance Virtualization Platform is installed, VMNIC0 is assigned to the public interface of virtual machines.

When deploying or reconfiguring Appliance Virtualization Platform, if Out of Band Management is:

• Disabled: VMNIC0 is used for both network and management traffic.

• Enabled: VMNIC2 is used for management by all the virtual machines on that hypervisor.

S8300D

When you install the connection through the media gateway using Appliance Virtualization Platform, the Ethernet ports are assigned to the public interface of the virtual machines. When you install the connection through the media gateway backplane using Appliance Virtualization Platform, the LAN port on the G4x0 Gateway is assigned to the public interface of the virtual machines.

If Out of Band Management is enabled, the Out of Band Management network is assigned to a separate VLAN on the public interface. Otherwise all virtual machine interfaces are on the same network.

The Appliance Virtualization Platform management interface is assigned to:

• The public VLAN if Out of Band Management is disabled

• The Out of Band Management VLAN if Out of Band Management is enabled

Note:

To support Out of Band Management on S8300D, you require specific versions of gateway firmware. To ensure that you are running the correct version, see the gateway documentation.

S8300E

When Appliance Virtualization Platform installs the connection through the media gateway, the Ethernet ports are assigned to the public interface of the virtual machines. When Appliance Virtualization Platform installs the connection through the media gateway backplane, the LAN port on the G4x0 Gateway is assigned to the public interface of the virtual machines.

If Out of Band Management is enabled, the Out of Band Management network is on the LAN2 interface on the S8300E faceplate.

The Appliance Virtualization Platform management interface is assigned to:

• The public VLAN if Out of Band Management is disabled

• The Out of Band Management network if Out of Band Management is enabled

Out of Band Management in Virtualized Environment

In the Virtualized Environment offer where the customer has control of the hypervisor network setup, the customer creates the desired networking and assigns the virtual Ethernet port of the applications on deployment. Public interfaces are assigned to the user network port groups and Out of Band Management ports are assigned to the management network port group.

Utility Services Out of Band Management

Out of Band Management is a physically and logically separate network connection. It connects to a customer’s private IT management network and provides for secure management and administration of Avaya products.

From Utility Services Release 7.0.1, you can activate out-of-band management even after deployment.

Utility Services Release 7.0.1 and later support a full out of band management configuration. Therefore, you can deploy Utility Services with two IP addresses and split the user and management traffic to different Ethernet interfaces on different IP networks.

When Utility Services is set for out of band management, the following services are allocated for full or Utility Services-only mode:

Application                   Interfaces for traffic
Phone firmware download       Public
Phone settings file           Public
Gateway firmware download     Public
DHCP Server                   Public
Myphone User                  Public
SSH                           Out of Band Management / Services
Myphone Admin                 Out of Band Management
CDR connection to CM          Out of Band Management
Main admin web pages          Out of Band Management / Services
Alarm source                  Out of Band Management
SAL connection (SSH, HTTP)    Out of Band Management

When Utility Services is set for out of band management, the following services are allocated for services port-only mode:

Application                   Interfaces for traffic
SSH                           Out of Band Management / Services
Alarm source                  Out of Band Management
SAL connection (SSH, HTTP)    Out of Band Management
Main admin web pages          Disabled
Phone firmware download       Disabled
Gateway firmware download     Disabled
Phone settings                Disabled
DHCP Server                   Disabled
Myphone Server                Disabled
CDR connection to CM          Disabled
Myphone admin                 Disabled

Note:

If no network is listed for a service when Out of Band Management is enabled, the service must be disabled on that interface.
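The two allocation tables above and the note that follows them describe an expected state, and the practical check is whether the running system matches it. The script below is an added example (not Avaya code): it transcribes both tables as data, maps listener addresses to the interface classes the page names, and flags any service reachable on an interface the table does not list for it. The listener records are constructed samples in an "address:port service" shape; the address-to-interface map is an assumed lab plan in which only 192.11.13.5, the services-port address from the page, is real. A wildcard bind (0.0.0.0) is treated as exposure on every interface, which is the case the note is really about.

```python
"""Audit Utility Services listeners against the Out of Band Management
allocation tables. Added example, not Avaya code."""
from typing import Dict, List, Set, Tuple

PUBLIC = "Public"
OOBM = "Out of Band Management"
SERVICES = "Services"
ALL_INTERFACES = {PUBLIC, OOBM, SERVICES}

# Full / Utility Services-only mode: service -> interfaces it may be offered on.
FULL_MODE: Dict[str, Set[str]] = {
    "Phone firmware download": {PUBLIC},
    "Phone settings file": {PUBLIC},
    "Gateway firmware download": {PUBLIC},
    "DHCP Server": {PUBLIC},
    "Myphone User": {PUBLIC},
    "SSH": {OOBM, SERVICES},
    "Myphone Admin": {OOBM},
    "CDR connection to CM": {OOBM},
    "Main admin web pages": {OOBM, SERVICES},
    "Alarm source": {OOBM},
    "SAL connection (SSH, HTTP)": {OOBM},
}

# Services port-only mode; an empty set means "Disabled" everywhere.
# Service names are normalised to the first table's spelling.
SERVICES_PORT_ONLY_MODE: Dict[str, Set[str]] = {
    "SSH": {OOBM, SERVICES},
    "Alarm source": {OOBM},
    "SAL connection (SSH, HTTP)": {OOBM},
    "Main admin web pages": set(),
    "Phone firmware download": set(),
    "Gateway firmware download": set(),
    "Phone settings file": set(),
    "DHCP Server": set(),
    "Myphone User": set(),
    "CDR connection to CM": set(),
    "Myphone Admin": set(),
}

# Assumed lab addressing plan (constructed, except 192.11.13.5 from the page).
ADDRESS_TO_INTERFACE: Dict[str, str] = {
    "10.10.0.5": PUBLIC,
    "10.20.0.5": OOBM,
    "192.11.13.5": SERVICES,
}

# Constructed listener sample, one "address:port service" record per line.
SAMPLE_LISTENERS = """\
# address:port   service
10.20.0.5:22     SSH
192.11.13.5:22   SSH
10.10.0.5:443    Main admin web pages
10.10.0.5:67     DHCP Server
10.20.0.5:443    Main admin web pages
0.0.0.0:22       SSH
"""


def interfaces_for(address: str) -> Set[str]:
    """A wildcard bind exposes the service on every interface; otherwise look it up."""
    if address in ("0.0.0.0", "::"):
        return set(ALL_INTERFACES)
    if address not in ADDRESS_TO_INTERFACE:
        raise ValueError(f"address {address} is not in the addressing plan")
    return {ADDRESS_TO_INTERFACE[address]}


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Parse the constructed listener format into (service, address, port)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, service = line.split(None, 1)
        address, port = endpoint.rsplit(":", 1)
        records.append((service.strip(), address, int(port)))
    return records


def audit(text: str, allocation: Dict[str, Set[str]]) -> List[str]:
    """One finding per (service, interface) pair the allocation does not permit.

    Following the page's note, a service with no listed network for an
    interface must be disabled there, so an unknown service is allowed nowhere."""
    findings = []
    for service, address, port in parse_listeners(text):
        allowed = allocation.get(service, set())
        for iface in sorted(interfaces_for(address)):
            if iface not in allowed:
                findings.append(
                    f"{service} is reachable on {iface} via {address}:{port}; disable it there"
                )
    return findings


if __name__ == "__main__":
    for name, mode in (("full", FULL_MODE), ("services port-only", SERVICES_PORT_ONLY_MODE)):
        print(f"--- {name} mode ---")
        for finding in audit(SAMPLE_LISTENERS, mode):
            print(finding)
```

In full mode the sample yields two findings: the admin web pages bound on the public address, and SSH bound on 0.0.0.0, which silently adds a public listener that the table does not permit. In services port-only mode the same sample yields four, because the admin web pages and DHCP are meant to be disabled outright.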

System Manager Out of Band Management

Out of Band Management in System Manager

System Manager provides the following network interfaces:

• The regular eth0 interface that was present in releases earlier than System Manager Release 7.0 is called the Management interface or Out of Band Management interface. Its IP address is called the Management IP address. The Management interface is mandatory for configuration.

The following are examples of System Manager Management network traffic:

- Database replication with Session Manager

- Element management. For example, Session Manager, Communication Manager, and Avaya Breeze™.

- User management

- Solution deployment, upgrades, and software patch install

• If Out of Band Management is enabled, the public interface is configured with the Public IP address.

The following are examples of System Manager nonmanagement or public network traffic:

- End-user self-provisioning

- Client devices getting certificates through SCEP

- Tenant Management

Out of Band Management configuration persists across System Manager upgrades, updates, and restarts.

For configuring Out of Band Management in System Manager, System Manager must be installed on an Appliance Virtualization Platform host that is configured with Out of Band Management. Out of Band Management is enabled during the deployment of Appliance Virtualization Platform.

Out of Band Management in a Geographic Redundancy setup

When you configure Geographic Redundancy, provide Management network details only. Validation fails if you configure Geographic Redundancy with Public network details. In a Geographic Redundancy setup, you do not have to disable or enable Out of Band Management on both the primary and secondary System Manager virtual machines: you can enable Out of Band Management on the primary System Manager virtual machine and disable it on the secondary System Manager virtual machine, and vice versa.

Restoring System Manager backup

While restoring a backup on a System Manager whose Out of Band Management network details differ from those in the backup, the restore operation fails at the validation phase.

Tenant Management on Out of Band Management-enabled System Manager

By default, the Multi Tenancy feature is disabled on System Manager when Out of Band Management is enabled. You must enable Multi Tenancy on an Out of Band Management-enabled System Manager for the Tenant Management administrator to manage tenant users.

Configuring Out of Band Management on System Manager

About this task

If you do not configure Out of Band Management during the deployment of the System Manager OVA from Solution Deployment Manager on an Avaya-provided server, you can use the configureOOBM command to configure Out of Band Management anytime after the deployment.

Before you begin

• Enable Out of Band Management on Appliance Virtualization Platform.

• Install System Manager on the Appliance Virtualization Platform host on which Out of Band Management is installed.

• Ensure that the IP address or hostname of the Public network and of the Management network are different. If both are in the same network, the Out of Band Management configuration might not function as expected.

• Log in to System Manager by using an SSH client utility.

When you enable the Out of Band Management configuration, you might lose the SSH connection because the system performs a network restart. You can log in to System Manager from the Console of the VMware vSphere Client that is configured to connect to the Appliance Virtualization Platform host server.

Procedure

1. To enable Out of Band Management, type configureOOBM -EnableOOBM.

The system enables Out of Band Management on the System Manager virtual machine. With EnableOOBM, the system configures the additional Ethernet interface, updates network configuration, and sets the firewall rules.

2. To disable Out of Band Management, type configureOOBM -DisableOOBM.

The system disables Out of Band Management on the System Manager virtual machine. With DisableOOBM, the system disables the additional Ethernet interface that you configured earlier and sets the firewall rules to default.

3. To add the IP address and subnet ranges in the Management IP range, type configureOOBM -AddIPtoManagementIPRange.

You can now gain access to System Manager from the network.

Configuring Out of Band Management on System Manager in the

Geographic Redundancy setup

About this task

Note:

You cannot enable Out of Band Management on secondary System Manager server when Out of Band Management on primary System Manager server is disabled.

Before you begin

Identify one of the following:

• Enable Out of Band Management on both the primary and secondary System Manager servers.

• Enable Out of Band Management on the primary System Manager server and not on the secondary System Manager server.

• Disable Out of Band Management on the secondary System Manager server.

• Disable Out of Band Management on both the primary and secondary System Manager servers.

Procedure

1. To enable Out of Band Management on both the primary and secondary System Manager servers, perform the following:

a. Disable Geographic Redundancy replication on the primary System Manager server.

b. Convert the primary System Manager server to a standalone System Manager server and activate the secondary System Manager server.

d. Reconfigure Geographic Redundancy on the secondary System Manager server.

e. Enable Geographic Redundancy replication on the primary System Manager server.

2. To enable Out of Band Management on the primary System Manager server and not on the secondary System Manager server, perform the following:

a. Disable Geographic Redundancy replication on the primary System Manager server.

b. Convert the primary System Manager server to a standalone System Manager server.

c. Enable Out of Band Management on the primary System Manager server.

d. After Out of Band Management on the primary System Manager server is enabled, reconfigure Geographic Redundancy on the secondary System Manager server.

e. Enable Geographic Redundancy replication on the primary System Manager server.

3. To disable Out of Band Management on the secondary server, perform the following:

a. Disable Geographic Redundancy replication on the primary System Manager server.

b. Convert the primary System Manager server to a standalone System Manager server.

c. Activate the secondary System Manager server and disable Out of Band Management.

d. Reconfigure the primary System Manager server from the web console of the secondary System Manager server.

e. Enable Geographic Redundancy replication on the primary System Manager server.

4. To disable Out of Band Management on both servers, perform the following:

a. Disable Geographic Redundancy replication on the primary System Manager server.

b. Convert the primary System Manager server to a standalone System Manager server and disable Out of Band Management.

c. Activate the secondary System Manager server and disable Out of Band Management.

d. Reconfigure Geographic Redundancy on the secondary System Manager server with the old primary System Manager server, which is now standalone.

e. Enable Geographic Redundancy replication on the primary System Manager server.

Communication Manager Out of Band Management

With the Out of Band Management feature, you can set up a dedicated network connection to securely manage Communication Manager. The network connection can be physical or virtual.

Detailed description of Out of Band Management

Communication Manager has a virtual NIC for a dedicated Ethernet connection for management functions. You can use the System Management Interface (SMI) to manage the Avaya products using this dedicated Ethernet connection. The dedicated network connection administration persists after a Communication Manager upgrade.

With the dedicated network connection, you can create separate channels for the user functions and the management functions. You can use the dedicated network connection for the management functions to manage the system, perform IA scans, and update the firmware. You can also use the network connection for other network services such as system logging, backup, NTP, and WebLM licensing. For the user functions, you can set up more specific user access controls. You can also have more specific auditing processes to detect insider threats.

Out of Band Management management administration

To configure the Out of Band Management of management data on Communication Manager, you must do the following:

• Depending on your Communication Manager configuration, assign an IP address and a subnetwork mask to the eth1 or eth2 Ethernet connection.

• Select Out of Band Management as the functional assignment.

• Enable Out of Band Management of management data.

• Add a static route between the Out of Band Management interface and the enterprise network.

Screens for administering Out-of-Band management

Screen name: Network Configuration
Purpose: Configure the IP address and the subnetwork mask to administer the Ethernet connection.
Fields: IPv4 Address; Mask; Functional Assignment; Restrict Management traffic to Out-of-Band interface is currently; Status

Screen name: Routes
Purpose: Create a static route between the Out-of-Band management interface and the enterprise network to route all management function data through the Out-of-Band management interface.
Fields: IP Address; Mask / Prefix; Gateway; Interface

Administering the Out of Band Management of management data

Procedure

3. In the navigation pane, click Server Configuration > Network Configuration.

4. Configure the following eth1 fields:

• IPv4 Address: The IP address of the Ethernet connection

• Mask: The subnetwork mask of the IP address

• Functional Assignment: Out-of-Band Management

If the Communication Manager instance is a duplex configuration, configure the eth2 fields.

5. Verify that you can gain access to Communication Manager using the Out-of-Band Ethernet interface.

Important:

You must be able to gain access to Communication Manager using the Out of Band Management Ethernet interface before you perform the next step.

6. Add a static route between the Out of Band Management interface and the enterprise network.

You must ensure that you add a static route between the Out of Band Management interface and the enterprise network to restrict access. For more information, see “Add a static route between the Out of Band Management interface and the enterprise network”.

7. From the Restrict Management traffic to Out-of-Band interface is currently drop-down list, select enabled.

Note:

Once Restrict Management traffic to Out-of-Band interface is set to enabled, the system restricts traffic on ports 80, 443, 22, 2222, 5022, 23, 5023, 161, and 162 to the management interface only.

Port restriction

When the Restrict Management traffic to Out-of-Band field is set to enabled, the system restricts traffic on the following ports:

Port   Use
22     ssh
23     telnet
80     http
161    snmp
162    snmp trap
443    https
2222   high priority ssh
5022   sat over ssh
5023   sat over telnet
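The port table is the whole of the rule: once the restriction is enabled, those ports are accepted only on the management interface, and any client that reached them over the public interface loses access. The Important note above the step says to confirm management-side access first; the complementary check is to find out who would be cut off. The script below is an added example, not Avaya's implementation: it models the rule from the table and replays constructed connection records through it. Interface names follow the page (eth0 public, eth1 management, eth2 on a duplex configuration); the log format and addresses are constructed.

```python
"""Preview of Communication Manager's 'Restrict Management traffic to
Out-of-Band interface' setting. Added example, not Avaya's implementation."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Port table from the page.
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 162: "snmp trap",
    443: "https", 2222: "high priority ssh", 5022: "sat over ssh",
    5023: "sat over telnet",
}
MANAGEMENT_INTERFACES = {"eth1", "eth2"}  # eth2 only in a duplex configuration


def evaluate(iface: str, dport: int, restrict_enabled: bool) -> str:
    """Decide 'accept' or 'drop' for a new connection to dport arriving on iface."""
    if restrict_enabled and dport in MANAGEMENT_PORTS and iface not in MANAGEMENT_INTERFACES:
        return "drop"  # management port reached over a non-management interface
    return "accept"  # user traffic, or management traffic on the management interface


class Conn(NamedTuple):
    iface: str
    src: str
    dport: int


# Constructed log format, as a firewall might record accepted sessions today.
LOG_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")

SAMPLE_LOG = """\
2024-01-01T10:00:00Z iface=eth0 src=10.10.0.50 dport=5060 proto=udp
2024-01-01T10:00:01Z iface=eth0 src=10.10.0.51 dport=443 proto=tcp
2024-01-01T10:00:02Z iface=eth1 src=10.20.0.9 dport=22 proto=tcp
2024-01-01T10:00:03Z iface=eth0 src=10.10.0.52 dport=5022 proto=tcp
2024-01-01T10:00:04Z iface=eth0 src=10.10.0.53 dport=1719 proto=udp
"""


def parse_log(text: str) -> List[Conn]:
    """Extract (iface, src, dport) from each well-formed line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(Conn(m["iface"], m["src"], int(m["dport"])))
    return records


def preview_enable(text: str) -> List[Tuple[str, int, str]]:
    """Sessions in the log that would be dropped once the restriction is enabled."""
    cut_off = []
    for conn in parse_log(text):
        if evaluate(conn.iface, conn.dport, restrict_enabled=True) == "drop":
            cut_off.append((conn.src, conn.dport, MANAGEMENT_PORTS[conn.dport]))
    return cut_off


if __name__ == "__main__":
    for src, port, use in preview_enable(SAMPLE_LOG):
        print(f"{src} -> port {port} ({use}) would be dropped on the public interface")
```

Run against the sample, the preview lists the two public-side sessions to 443 (https) and 5022 (sat over ssh); SIP and H.323 RAS traffic on 5060 and 1719 is untouched, and the SSH session already on eth1 keeps working.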

Adding a static route between the Out-of-Band management interface and the enterprise network

About this task

Create a static route between the Out-of-Band management interface and the enterprise network to route all management functions data through the Out-of-Band management interface.

Procedure

1. Log in to Communication Manager SMI.

2. Click Administration > Server (Maintenance).

3. In the navigation pane, click Server Configuration > Static Routes.

4. Configure the following fields:

• IP Address: Enter the enterprise network IP address.

• Mask / Prefix: Enter the subnetwork mask of the network IP address.

• Gateway: Enter the gateway address.

• Interface: Select eth1. If the Communication Manager instance is a duplex configuration, select eth2.

5. Click Add Route.

5. Click Add Route.
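Two conditions in this document are easy to get wrong on paper before anything is typed into a screen: the System Manager precondition that the Public and Management networks must be different, and the Communication Manager requirement that management traffic leave through a static route on the management interface. The script below is an added example, not Avaya tooling: it takes the values you would enter on the Network Configuration and Static Routes screens and checks them with the standard ipaddress module before the change is made. Interface names follow the page (eth0 public, eth1 management, eth2 on a duplex configuration); all addresses are constructed lab values.

```python
"""Pre-change checks for an Out of Band Management addressing plan.
Added example, not Avaya tooling."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Interface:
    name: str
    address: str  # IPv4 Address and Mask from Network Configuration, as "a.b.c.d/prefix"


@dataclass
class StaticRoute:
    destination: str  # IP Address and Mask / Prefix from the Static Routes screen
    gateway: str
    interface: str


def check_plan(public: Interface, management: Interface, routes: List[StaticRoute]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems: List[str] = []
    pub = ipaddress.ip_interface(public.address)
    mgmt = ipaddress.ip_interface(management.address)

    # Condition 1: user and management traffic on separate, non-overlapping networks.
    if pub.network.overlaps(mgmt.network):
        problems.append(f"public {pub.network} and management {mgmt.network} overlap")

    # Condition 2: a usable static route for management traffic.
    if not any(r.interface == management.name for r in routes):
        problems.append(
            f"no static route on {management.name}; add one before restricting management traffic"
        )
    for r in routes:
        dest = ipaddress.ip_network(r.destination, strict=False)
        gw = ipaddress.ip_address(r.gateway)
        if r.interface == management.name:
            if gw not in mgmt.network:
                problems.append(f"route {dest}: gateway {gw} is not on {mgmt.network}")
            if dest.overlaps(pub.network):
                problems.append(f"route {dest} on {management.name} overlaps the public network {pub.network}")
        elif r.interface == public.name:
            if gw not in pub.network:
                problems.append(f"route {dest}: gateway {gw} is not on {pub.network}")
        else:
            problems.append(f"route {dest}: unknown interface {r.interface}")
    return problems


# Constructed lab plan that should pass.
GOOD_PUBLIC = Interface("eth0", "10.10.0.5/24")
GOOD_MANAGEMENT = Interface("eth1", "10.20.0.5/24")
GOOD_ROUTES = [StaticRoute("10.30.0.0/16", "10.20.0.1", "eth1")]

# Constructed plan with the mistake the page warns about: management on the public network.
BAD_MANAGEMENT = Interface("eth1", "10.10.0.6/24")

if __name__ == "__main__":
    print("good plan:", check_plan(GOOD_PUBLIC, GOOD_MANAGEMENT, GOOD_ROUTES) or "ok")
    print("bad plan:", check_plan(GOOD_PUBLIC, BAD_MANAGEMENT, GOOD_ROUTES))
```

The bad plan produces two findings from one mistake: the networks overlap, and the route's gateway 10.20.0.1 is no longer on the management subnet, which is exactly the state in which enabling the port restriction would cut off administrative access.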

Session Manager Out of Band Management ports

Component: Security Module (secmod)
Interface: eth1 (public IP)
Description: The interface that manages SIP and HTTP traffic to and from the WebSphere Application Server (WAS). Security Module is the front end of Session Manager, running Linux operating system 6.5 with Avaya proprietary applications providing SIP protection, TLS termination, and firewall.

Component: WebSphere (WAS)
Interface: eth0 (public IP)
Description: A converged JSR289 container that processes SIP messages received from SIP entities or endpoints.

Component: Management Agent (MGMT)
Interface: eth0 (public IP)
Description: A management console that is used to listen on port 8643 for an HTTPS connection to add,
