Objective: To separate management traffic from data/customer traffic on your Huawei routers.
Preferably, data and management sit in two separate network domains.
Prerequisite:
UTP cables from each MPU management port (one per MPU, so management survives a switchover) are connected to a network switch that reaches the OOB management gateway.
To enter configuration mode:
system-view
To preview configuration changes before committing:
display configuration candidate
**Management IP Configuration**
a. Configure the vpn instance for management
ip vpn-instance <vpn instance name>
description <description>
ipv4-family
b. Set the physical IP address of the management port.
MPU:
interface <interface name>
description <description>
undo shutdown
ip binding vpn-instance <vpn instance name>
ip address <IP> <subnet mask>
Sample Output:
ip vpn-instance management
description Management
ipv4-family
description OOB MPU
undo shutdown
ip binding vpn-instance management
ip address 10.10.10.100 255.255.255.0
c. Configure the default route towards the OOB gateway inside the management VPN instance:
ip route-static vpn-instance <vpn instance name> 0.0.0.0 0.0.0.0 <OOB Gateway> description <description>
**SSH Configuration**
acl number <number>
description SSH-ACL
rule 10 permit ip vpn-instance management source <SSH Jumphost IP>
rule 20 deny ip vpn-instance management
ssh server acl <number>
user-interface vty 0 4
acl <number> inbound
protocol inbound ssh
Sample Output:
rule 10 permit ip vpn-instance management source 10.20.20.20 0
rule 20 deny ip vpn-instance management
acl 888 inbound
**SNMPv2c Configuration**
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
acl number <number>
description SNMP Server
rule 10 permit ip vpn-instance management source <SNMP IP>
rule 20 deny ip vpn-instance management
snmp-agent sys-info version all
snmp-agent
snmp-agent local-engineid <Engine ID>
snmp-agent community read cipher <community string> acl <ACL number>
Sample Output:
description SNMP Server
rule 10 permit ip vpn-instance management source 10.20.20.20
rule 20 deny ip vpn-instance management
snmp-agent
snmp-agent local-engineid 800007DB0000ABC11D2D88
snmp-agent community read cipher %^%#*JAZgT9C0XPI~"fyw36753Mkn&ZZ]3Nh+u(n%|X%^# acl 1234
**SNMPv3 Configuration**
Username: FNT
Group: FNT_GROUP
Auth type: SHA
Auth pass: ABcD123456
Priv: AES256
Priv pass: FNT@fr33netw0rk
snmp-agent usm-user v3 <username>
snmp-agent usm-user v3 <username> group <group>
snmp-agent usm-user v3 <username> authentication-mode { md5 | sha | sha2-224 | sha2-256 | sha2-384 | sha2-512 }
snmp-agent usm-user v3 <username> privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 }
If you try to use the old authentication type, the router warns:
snmp-agent usm-user v3 FNT authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
Warning: The algorithm SHA1 is insecure. Using SHA2-256 or higher algorithm is recommended.
Sample Output:
snmp-agent usm-user v3 FNT
snmp-agent usm-user v3 FNT group FNT_GROUP
snmp-agent usm-user v3 FNT authentication-mode sha cipher %^%#:#Id6B%PMFW|~m`OoPNgR(p$Hb1$9d=PuQke87h7^%#
snmp-agent usm-user v3 FNT privacy-mode aes256 cipher %^%#H*E'QC$HTvB2*"tK*lHVQlP=}rHpDZn7}XApKf2%^%#
snmp-agent usm-user v3 FNT acl 1234
snmp-agent trap enable
snmp-agent trap type base-trap
snmp-agent trap source <interface>
snmp-agent target-host trap address udp-domain <Trap Server IP> vpn-instance <vpn instance name> params securityname { communityname } <version>
Sample Output:
snmp-agent trap source GigabitEthernet0/0/0
snmp-agent target-host trap address udp-domain 10.30.30.30 vpn-instance management params securityname cipher %^%#Kh'jV+)9@d(FNTu2cK9*2<#Y%:ABh1Q^%# v2c
**Syslog Configuration**
sysname <device hostname>
info-center enable
info-center channel 6 name <channel name>
info-center source <source> channel <channel name> trap level <level> debug level <debug level>
info-center source <source> channel <channel name> log level <notification | warning>
info-center loghost source <source interface>
info-center loghost <syslog IP> vpn-instance <vpn instance name> channel loghost facility <localnum>
info-center timestamp log date precision-time millisecond
info-center logbuffer channel <channel> size <value>
Sample Output:
info-center loghost source GigabitEthernet0/0/0
info-center loghost 10.50.50.50 vpn-instance management channel loghost facility local2
info-center logbuffer channel freenetworklog size 1024
**NTP Configuration**
NTP Server1: 192.168.10.102
Configuration:
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server <NTP IP#1> vpn-instance <vpn instance name>
ntp-service unicast-server <NTP IP#2> vpn-instance <vpn instance name>
Verification:
display ntp-service status
display ntp-service sessions
Sample Output:
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server 192.168.10.101 vpn-instance management
ntp-service unicast-server 192.168.10.102 vpn-instance management
If authentication is enabled on your NTP server:
- Enable the NTP authentication function
- Configure the NTP authentication key
- Declare the key as reliable (trusted)
- Configure the NTP server(s) with the authentication key ID
ntp-service authentication enable
ntp-service authentication-keyid <key-id> authentication-mode { md5 | hmac-sha256 } { cipher } <password>
ntp-service reliable authentication-keyid <keyid>
ntp-service unicast-server <NTP IP#1> authentication-keyid <key-id> vpn-instance <vpn instance name>
ntp-service unicast-server <NTP IP#2> authentication-keyid <key-id> vpn-instance <vpn instance name>
**AAA Configuration**
10.10.10.11 – Tacacs+/ACS/ISE/AAA server#2
20.20.20.2 – Source IP
a. Configure the TACACS+ server template (profile)
hwtacacs-server template <PROFILENAME>
hwtacacs-server authentication <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server authentication <TACACS IP#2> secondary
hwtacacs-server authorization <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server authorization <TACACS IP#2> secondary
hwtacacs-server accounting <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server accounting <TACACS IP#2> secondary
hwtacacs-server source-ip <SOURCE IP>
hwtacacs-server shared-key cipher <TACACS KEY>
hwtacacs-server user-name original
Sample Config:
hwtacacs-server template freenetworktutorials
hwtacacs-server authentication 10.10.10.10 vpn-instance management
hwtacacs-server authentication 10.10.10.11 secondary
hwtacacs-server authorization 10.10.10.10 vpn-instance management
hwtacacs-server authorization 10.10.10.11 secondary
hwtacacs-server accounting 10.10.10.10 vpn-instance management
hwtacacs-server accounting 10.10.10.11 secondary
hwtacacs-server source-ip 20.20.20.2
hwtacacs-server shared-key cipher %^%#;@A~ktB2)8`FLf~1/84h,}fnt;f>XY%^%#
hwtacacs-server user-name original
b. Configure the AAA scheme. Set "local" as the backup authentication/authorization method in case the TACACS+ server becomes unreachable
aaa
authentication-scheme <NAME>
authentication-mode hwtacacs local
authorization-scheme <NAME>
authorization-mode hwtacacs local
authorization-cmd <privilege level> hwtacacs local
accounting-scheme <NAME>
accounting-mode hwtacacs
accounting start-fail online
(Optional: the "accounting start-fail online" command allows users to stay online if accounting fails to start)
Sample Config:
aaa
authentication-scheme freenetworktutorials
authentication-mode hwtacacs local
authorization-scheme freenetworktutorials
authorization-mode hwtacacs local
authorization-cmd 0 hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme freenetworktutorials
accounting-mode hwtacacs
c. Configure a local user as backup authentication in case the AAA server is unreachable
aaa
local-user <USER> password irreversible-cipher <password>
local-user <USER> service-type ssh
local-user <USER> level <value>
local-user <USER> state block fail-times 3 interval 5
Optional commands:
local-user <USER> privilege level 15
local-user <USER> state block fail-times 3 interval 5
Sample Config:
aaa
local-user freeuser password irreversible-cipher +$GKCa6WJ!N4[QH.OY6(C6GCPt#U/'HIa@AoU>;R"Z8SfNT`
local-user freeuser service-type ssh
local-user freeuser level 3
local-user freeuser privilege level 15
local-user freeuser state block fail-times 3 interval 5
d. Configure the domain to associate the AAA scheme and tacacs server template
aaa
domain <domain name>
authentication-scheme <AAA scheme>
authorization-scheme <AAA scheme>
accounting-scheme <AAA scheme>
hwtacacs-server <AAA scheme>
Sample Config:
aaa
domain FNT
authentication-scheme freenetworktutorials
authorization-scheme freenetworktutorials
accounting-scheme freenetworktutorials
hwtacacs-server freenetworktutorials
e. Optional AAA configuration for event reporting
aaa
recording-scheme <AAA scheme>
recording-mode hwtacacs <AAA scheme>
system recording-scheme <AAA scheme>
outbound recording-scheme <AAA scheme>
cmd recording-scheme <AAA scheme>
Sample Config:
aaa
recording-scheme freenetworktutorials
recording-mode hwtacacs freenetworktutorials
system recording-scheme freenetworktutorials
outbound recording-scheme freenetworktutorials
cmd recording-scheme freenetworktutorials
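A defender-side check for the whole procedure above, as an added example that is not from the tutorial: a Python audit of a Huawei VRP configuration fragment that verifies the page's management-plane rules (management services bound to the management vpn-instance, referenced ACLs ending in a deny rule and permitting only inside that vpn-instance, no MD5/SHA-1 SNMPv3 authentication). The regexes, the `audit`/`parse_acls` names and the sample fragment are constructed for this example.

```python
"""Added example (not from the tutorial): audit a Huawei VRP fragment for this page's rules: services
bound to the management VPN instance, ACLs ending in deny and scoped to it, no MD5/SHA-1 SNMPv3."""
import re
# Constructed sample in the page's format (ciphertext replaced by a placeholder) with two
# deliberate gaps: the syslog host is outside the VRF and the SNMPv3 user still uses SHA-1.
SAMPLE_CONFIG = """
acl number 888
 description SSH-ACL
 rule 10 permit ip vpn-instance management source 10.20.20.20 0
 rule 20 deny ip vpn-instance management
ssh server acl 888
snmp-agent usm-user v3 FNT authentication-mode sha cipher %^%#PLACEHOLDER%^%#
info-center loghost 10.50.50.50 channel loghost facility local2
hwtacacs-server authentication 10.10.10.10 vpn-instance management
hwtacacs-server authentication 10.10.10.11 secondary
"""
# Primary server lines that must carry "vpn-instance <mgmt>"; TACACS "secondary" lines inherit it.
VRF_BOUND = re.compile(r"^(snmp-agent target-host|info-center loghost \d|ntp-service unicast-server"
                       r"|hwtacacs-server (authentication|authorization|accounting) \d)")
ACL_REF = re.compile(r"^(ssh server|snmp-agent) .*\bacl (\d+)$")
WEAK_V3 = re.compile(r"^snmp-agent usm-user v3 \S+ authentication-mode (md5|sha)\b")

def parse_acls(lines):
    """Map ACL number -> its rule lines; rules belong to the preceding 'acl number' header."""
    acls, current = {}, None
    for line in lines:
        if m := re.match(r"acl number (\d+)", line):
            current, acls[m.group(1)] = m.group(1), []
        elif line.startswith("rule ") and current is not None:
            acls[current].append(line)
        elif not line.startswith("description "):
            current = None  # any other command leaves the ACL view
    return acls

def audit(config, mgmt="management"):
    """Return a list of findings; an empty list means the fragment passes every check."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls, findings = parse_acls(lines), []
    for line in lines:
        if VRF_BOUND.match(line) and "secondary" not in line and f"vpn-instance {mgmt}" not in line:
            findings.append(f"not bound to vpn-instance {mgmt}: {line}")
        if m := WEAK_V3.match(line):
            findings.append(f"SNMPv3 user uses {m.group(1)}; use sha2-256 or higher: {line}")
        if m := ACL_REF.match(line):
            rules = acls.get(m.group(2), [])
            if not rules or not re.match(r"rule \d+ deny ", rules[-1]):
                findings.append(f"ACL {m.group(2)} is missing or does not end with a deny rule")
            findings += [f"ACL {m.group(2)} permits traffic outside {mgmt}: {r}"
                         for r in rules if " permit " in r and f"vpn-instance {mgmt}" not in r]
    return findings
```

Run it against the output of `display current-configuration` saved to a file to get a list of lines that fall outside the management VRF or the ACL rules described in this tutorial.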