
Core Elements

• IP elements should be reachable via 3 methods
  o Directly via management connection
    - Management connection should be in the address allocation table
    - The management name of the device should be in DNS as well
  o Via terminal connection
  o Out of band access
• Verify that syslog servers are receiving syslogs from device
• Verify SNMP traps are being generated and received
• Verify the configuration for the element is being backed up
  o http://10.100.32.53/cgibin/viewvc.cgi/rancid/prod/configs/
• Device is addressed according to Address Allocation
  o Address_Allocation
• Device resolves in DNS
  o Perform nslookup on the device
• Telnet/SSH access to the Device
• Interface descriptions on all connected interfaces
  o physical interfaces

Interface Descriptions
Connected Device | Connected Interface | Vlan | Local Interface | Vlan | Description

  o logical interfaces

Interface Descriptions
Connected Device | Connected Interface | Vlan | Local Interface | Vlan | Description

• Gateway components
  o Core router
    - eBGP should be set up and working with standard route-maps to our upstream provider
    - OSPF should be set up using site area for the gateway and area 0 for core links
    - iBGP should be set up with the rest of the core network
    - Base level ACLs should be set up on the outside interfaces to eliminate access to except from bastion host and upstream provider
    - IPSEC tunnels should be set up between core sites and back to corporate network
    - IPSEC tunnels should be set up to the NOC
  o Firewall Module
    - Inside VRF should be set up for internal network
    - NAT rules should allow outbound to internet for internal server network
    - DMZ for R3 interface should not need NAT but should be firewalled
    - Inside VRF should include the R6 interface for the ASN
  o IPSec Module
    - IPSec tunnels should be set up between the corporate ASA and the core router
    - IPSec tunnels should be set up as part of a full mesh between the cores
    - IPSec tunnels should be set up between the NOC and Core router
• ASN Gateway
  o R6 interface should be up to all BSTs
  o R3 interface should be set up to internet DMZ
  o ASN should be communicating with regional AAA
  o ASN should be proxying DHCP for regional DHCP server
• AAA Server
  o Accessible via SSH
  o Authentication logging working properly
  o Accounting records being generated and directed to SAP
  o Extensions for our setup are being sent correctly to the ASN
  o Username + Domain authentication
  o QOS service flow information being pushed to the ASN
  o Failover to backup AAA working correctly
• DHCP Server
  o Accessible via SSH
  o Assigning correct addresses for regional data center
  o Failover to backup DHCP server
• Terminal Server
  o Cable run list complete for all terminal cables
  o Verify CRL for terminal cables matches menu on terminal server
  o Telnet access to all connected devices through terminal server
  o Menu Access to all connected devices through terminal server

WAP components
• Ethernet switch
  o Management:
    - Verify domain name is openrange.prod. Use the command show run | include domain. Verify that the IP domain name is prod.openrange.
    - Verify the version and software of the IOS software. Use the command show version | include IOS and verify that the version is 12.2(50) SE3 and software is C3560E-UNIVERSALK9-M.

    - Verify device name is right (name and naming convention). Use the command show run | include hostname
    - Verify usernames and passwords from the template. Use the command show run | beg username and verify that the following usernames are present: ghartung, marcus, orcadmin, alvarion and nocro.
    - Verify SSH configuration. Use the command show run | begin line vty and check whether the statement transport input ssh is present. SSH into the device to confirm the configs.
    - Verify that Telnet is not enabled. Use the command show run | begin line vty and make sure that no transport input telnet and login statements are included. Telnet into the device to verify this. You should not be able to do so.
    - Use two user accounts: one which is a local username (not in AAA) and one in AAA (not local). Use the AAA username to log in to the device. Verify that login is possible. Remove the connectivity between device and AAA server. Now log in to the device using the local username. Verify that login is possible.
  o Physical layer test:
    - Verify all unused ports are shut using the command show ip interface brief. Verify that the status and protocol are both down.
    - Verify that all shut ports are administratively down. Use the command show ip interface brief | exclude administratively and verify that the output contains only interfaces having Status and Protocol up.
  o Layer 2:
    - Verify that Spanning tree is configured in rapid-pvst mode. Use the command show spanning-tree summary | include mode to verify that the switch is in rapid-pvst mode.
  o Etherchannel: (only for Ceragon)
    - Verify that etherchannel/Port-channel is configured. Use the command show etherchannel summary. Also verify the status of the etherchannel (the flags should indicate that they are active/in use).
    - Verify that etherchannel protocol is PAgP. Use the command show etherchannel 1 detail | include Protocol. Verify that the protocol is PAgP. Verify this for every etherchannel configured on the device.
    - Verify that market VLAN & trunking VLAN are configured. Use the command show interface vlan MARKETVLAN | include protocol and show interface vlan TRUNKVLAN | include protocol and verify that the VLAN and line protocol are up.

    - Verify that all interfaces connecting the switch to the microwaves are trunked with 802.1q encapsulation. Also verify the VLANs allowed on these links. Use the command show interfaces trunk. Verify that all interfaces listed have encapsulation as 802.1q and status as trunking. Also verify that market VLAN and trunk VLAN are the only VLANs allowed on all trunked interfaces except 0/26. For interface 0/26 (only on layer 3), verify that only trunking VLAN is allowed.
  o Layer 3:
    - Verify that market VLAN and trunking VLAN have IP addresses as per the handout. Use the command show interface vlan MARKETVLAN | include Internet address and show interface vlan TRUNKVLAN | include Internet address to verify.
    - Verify default route is present in routing table (only for layer 2). Use the command show ip route | include 0.0.0.0 and look for an entry of a route 0.0.0.0 in the routing table. This route must have an asterisk sign indicating that it is a default route.
  o Access-lists:
    - Verify that the snmp access-list is configured on the device. Use the command show ip access-lists snmp-acl
    - Verify that the management access-list is configured on the device. Use the command show ip access-lists mgmt-acl
  o Ping tests:
    - Ping next-hop
    - Ping the core router
    - Ping the ASN
    - Ping 10.252.252.1
  o Application Layer:
    - NTP:
      - Verify NTP server IP address. Use the command show ntp association and verify that the IP address is 10.100.32.52 & 10.100.32.53. Ping the above IP addresses to verify connectivity to the IP addresses.
      - Verify NTP associate. Use the command show ntp association and verify that the IP address for the NTP server is in master mode.
      - Verify NTP status. Use the command show ntp status | include Clock and verify that the clock is synchronized.
    - SNMP:
      - Verify that SNMP is enabled. Use the command show snmp | include global | logging | enabled and verify that the status for SNMP global trap, SNMP logging and SNMP agent is enabled.

      - Verify that a loopback is assigned as the source of all traps. Use the command sh run | include trap-source and verify that the source is MARKET VLAN.
      - Verify that there is TCP/IP connectivity between the NMS server and the switch. Use the command ping a.b.c.d to verify connectivity. Ping the following IP addresses and verify connectivity: 10.5.1.31, 10.15.32.117, 192.149.228.140
      - Generate sample events to verify if the traps are set. Call the NOC to verify these notifications were received: Turn an interface up and down. Log in to the device (tty trap).
      - Verify that there are SNMP hosts set to receive any SNMP notifications. Use the command show snmp host to verify the same. Verify that the IP addresses of the hosts are: 10.5.1.31, 10.15.32.117, 192.149.228.140
  o Future Additions:
    - QOS is set up for 802.1p classification and queueing
    - Loopback0 checks
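The username, VTY transport, spanning-tree, trap-source and NTP checks above can also be run offline against a saved running-config, such as the copies Rancid keeps. The Python below is an added example, not part of the original checklist; the function names audit and vty_stanzas, the sample config and the Vlan100 trap source are assumptions made for illustration.

```python
# Expected values are the ones named in the checklist above.
REQUIRED_USERS = {"ghartung", "marcus", "orcadmin", "alvarion", "nocro"}
REQUIRED_CMDS = [
    "spanning-tree mode rapid-pvst", "snmp-server trap-source",
    "ntp server 10.100.32.52", "ntp server 10.100.32.53",
]

def vty_stanzas(cfg):
    """Return {header: [sub-commands]} for each 'line vty' stanza."""
    out, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            current = out.setdefault(line.strip(), [])
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
        elif current is not None:
            current.append(line.strip())
    return out

def audit(cfg):
    """Return the checklist items this running-config fails."""
    top = [l.split() for l in cfg.splitlines() if l.strip() and not l[0].isspace()]
    users = {t[1] for t in top if t[0] == "username" and len(t) > 1}
    fails = [f"missing username {u}" for u in sorted(REQUIRED_USERS - users)]
    for cmd in REQUIRED_CMDS:
        want = cmd.split()
        if not any(t[:len(want)] == want for t in top):
            fails.append(f"missing {cmd}")
    for header, cmds in vty_stanzas(cfg).items():
        # The checklist requires 'transport input ssh' to be present and telnet absent.
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if transport != [["ssh"]]:  # absent, or anything besides ssh alone
            fails.append(f"{header}: transport input is not ssh-only")
    return fails

# Constructed sample config (not from a real device); secrets are placeholders.
SAMPLE = """\
username ghartung secret 5 PLACEHOLDER
username marcus secret 5 PLACEHOLDER
username orcadmin secret 5 PLACEHOLDER
username alvarion secret 5 PLACEHOLDER
spanning-tree mode rapid-pvst
snmp-server trap-source Vlan100
ntp server 10.100.32.52
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""
```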

Address Allocation
Verify that the Address Allocation on the Wiki is populated with the new device

Cacti
• Verify that the device is added to Cacti
  o Log into Cacti
  o Go to the Graphs window and select the device name under their respective category.
  o Verify that you see a graph for every interface that is up and running.
  o Verify that none of the values in the graph are 'nan'

Rancid
• Verify that Rancid is updated with an entry of the new device
  o From your web browser, go to the following URL: http://wiki.openrange.local/cgibin/viewvc.cgi/rancid/prod/configs/?sortby=date
  o Rancid updates the device configs every hour. Verify that the newly added device is present on the list of devices shown.
  o Also verify that the device is not seen as a 'new router' under Last Log Entry.

DNS
Verify that the DNS is updated with the new device

Cable Run List


• Terminal server cables
• Power cables
• Fiber cables
• Cat5 cables
• With regard to cabling, going forward and when retrofitting the existing sites:
  o Open Range will require Alvarion to test all cables being deployed. The testing required can be done via purchasing certified premade cables or, if cables are being made in the field, they must be tested with a test set that can verify pin out and capacity, not just continuity.
  o We require all cables to exceed 250 MHz of capacity and be wired in a TIA-568B pin out.
  o If premade cables are to be used they must be within 6 of the cut to length required so that there is not excessive slack in the wiring

Should be in the following format

Cable Run list


Circuit Type | Cable Type | A Rack | A Device | A Port | A Connector Type | Z Rack | Z Device | Z Port | Z Connector Type

Rack Face Diagrams


Rack diagrams should be provided in a Visio format showing the as-built designs of the racks

Part Inventory
Full Inventory of all ORC deployed equipment in the format

Part Number | Part Description | Manufacturer | Quantity | Serial Number | Rack Location

Site Pictures

High Resolution Photographs showing each piece of equipment racked both front and back of the rack. Attention to detail on the location of all cabling showing cable routing for both power and data cables.

Access
Username and Password information for all devices installed for a site

Initial Username Passwords for installed devices

Device Name | Device Type | Username | Password | Access Type
core*.* | c7609 | orcadmin | r6t4w5 | root
core*.* | c7609 | noc-ro | 7k5l22a | read-only
sw*.* | c7609 | orcadmin | r6t4w5 | root
sw*.* | c7609 | noc-ro | 7k5122a | read-only
aaa*.* | t2000 | root | 4r3e5rfc | root
aaa*.* | t2000 | orcturnup | 9opDKa | user
dhcp*.* | t2000 | root | 4r3e5rfc | root
dhcp*.* | t2000 | orcturnup | 9opDKa | user
alvaristar*.* | t2000 | orcturnup | 9opDKa | user
staracs*.* | t2000 | orcturnup | 9opDKa | user
starquality*.* | t2000 | orcturnup | 9opDKa | user
mw*.* | ceragon | admin | 4r3e5rfc | root
mw*.* | ceragon | noc-ro | 9opDKa | user
