Out of Band (OOB) Management Configuration on Huawei Routers (SSH, SNMP, NTP, AAA, Syslog)

Objective: to separate management traffic from data/customer traffic on your Huawei routers.

Preferably, data and management traffic live in two separate network domains.

Pre-requisite:
UTP cables (one per MPU management port, so that management stays reachable after an MPU switchover) are connected to a network switch that reaches the OOB management gateway.

To enter configuration mode:

system-view

To preview configuration changes before committing:

display configuration candidate

Management IP Configuration

a. Configure the VPN instance for management

ip vpn-instance <vpn instance name>
description <description>
ipv4-family

b. Set the physical IP address of the management port.

MPU:

interface <interface name>
description <description>
undo shutdown
ip binding vpn-instance <vpn instance name>
ip address <IP> <subnet mask>

Sample Output:

ip vpn-instance management
 description Management
 ipv4-family

interface GigabitEthernet0/0/0
 description OOB MPU
 undo shutdown
 ip binding vpn-instance management
 ip address 10.10.10.100 255.255.255.0

c. Configure a static default route to the management gateway

Gateway = 10.10.10.1

ip route-static vpn-instance <vpn instance name> 0.0.0.0 0.0.0.0 <OOB Gateway> description <description>

Sample Output:

ip route-static vpn-instance management 0.0.0.0 0.0.0.0 10.10.10.1 description OOB Management

**SSH Configuration**

IP address authorized to SSH in (jump host): 10.20.20.20

a. Create ACL:

acl number <number>
 description SSH-ACL
 rule 10 permit ip vpn-instance management source <SSH Jumphost IP> 0
 rule 20 deny ip vpn-instance management

b. Apply ACL

ssh server acl <number>
user-interface vty 0 4
 acl <number> inbound
 protocol inbound ssh

Sample Output:

acl number 888
 description SSH-ACL
 rule 10 permit ip vpn-instance management source 10.20.20.20 0
 rule 20 deny ip vpn-instance management
ssh server acl 888
user-interface vty 0 4
 acl 888 inbound
 protocol inbound ssh

**SNMPv2c Configuration**

SNMP Polling Server = 10.20.20.20
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
Trap Community = trapcommunity123

a. Create ACL

acl number <number>
 description SNMP Server
 rule 10 permit ip vpn-instance management source <SNMP IP>
 rule 20 deny ip vpn-instance management

b. Apply ACL

snmp-agent sys-info version all
snmp-agent
snmp-agent local-engineid <Engine ID>
snmp-agent community read <community string> acl <number>

Sample Output:

acl number 1234
 description SNMP Server
 rule 10 permit ip vpn-instance management source 10.20.20.20
 rule 20 deny ip vpn-instance management
snmp-agent sys-info version all
snmp-agent
snmp-agent local-engineid 800007DB0000ABC11D2D88
snmp-agent community read cipher %^%#*JAZgT9C0XPI~"fyw36753Mkn&ZZ]3Nh+u(n%|X%^# acl 1234

**SNMPv3 Configuration**

username: FNT
group: FNT_GROUP
Auth type: SHA
Auth Pass: ABcD123456
Priv: AES256
Priv Pass: FNT@fr33netw0rk

snmp-agent usm-user v3 <username>
snmp-agent usm-user v3 <username> group <group>
snmp-agent usm-user v3 <username> authentication-mode { md5 | sha | sha2-224 | sha2-256 | sha2-384 | sha2-512 }
snmp-agent usm-user v3 <username> privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 }

If you try to use the older (SHA1) authentication algorithm, the router accepts it but warns:

snmp-agent usm-user v3 FNT authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
Warning: The algorithm SHA1 is insecure. Using SHA2-256 or higher algorithm is recommended.

Sample Output:

snmp-agent usm-user v3 FNT
snmp-agent usm-user v3 FNT group FNT_GROUP
snmp-agent usm-user v3 FNT authentication-mode sha cipher %^%#:#Id6B%PMFW|~m`OoPNgR(p$Hb1$9d=PuQke87h7^%#
snmp-agent usm-user v3 FNT privacy-mode aes256 cipher %^%#H*E'QC$HTvB2*"tK*lHVQlP=}rHpDZn7}XApKf2%^%#
snmp-agent usm-user v3 FNT acl 1234

SNMP Traps:

snmp-agent trap enable
snmp-agent trap type base-trap
snmp-agent trap source <interface>
snmp-agent target-host trap address udp-domain <Trap Server IP> vpn-instance <vpn instance name> params securityname { communityname } <version>

Sample Output:

snmp-agent trap enable
snmp-agent trap type base-trap
snmp-agent trap source GigabitEthernet0/0/0
snmp-agent target-host trap address udp-domain 10.30.30.30 vpn-instance management params securityname cipher %^%#Kh'jV+)9@d(FNTu2cK9*2<#Y%:ABh1Q^%# v2c

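As an added example (not part of the original post and not a Huawei tool), here is a small Python audit that checks the three access controls configured above: the ACL bound to the SSH server, the ACL bound to the SNMPv2c community, and the SNMPv3 algorithm choice that the router's own SHA1 warning refers to. The sample configuration inside the script is a constructed copy of the page's ACL 888 and ACL 1234 snippets with a hypothetical ACL 3000 (too broad, no closing deny) added so the checks have something to report; cipher text is replaced by a placeholder.

```python
import re

# Constructed sample config (not from a real device): the page's ACL 888 (SSH) and
# ACL 1234 (SNMP), plus a hypothetical ACL 3000 that permits a whole /24 and has
# no closing deny. Cipher text is replaced by a placeholder.
SAMPLE_CONFIG = """\
acl number 888
 description SSH-ACL
 rule 10 permit ip vpn-instance management source 10.20.20.20 0
 rule 20 deny ip vpn-instance management
acl number 1234
 description SNMP Server
 rule 10 permit ip vpn-instance management source 10.20.20.20
 rule 20 deny ip vpn-instance management
acl number 3000
 description constructed-too-broad
 rule 10 permit ip vpn-instance management source 10.20.20.0 0.0.0.255
ssh server acl 888
user-interface vty 0 4
 acl 888 inbound
 protocol inbound ssh
snmp-agent community read cipher %^%#PLACEHOLDER%^# acl 1234
snmp-agent usm-user v3 FNT group FNT_GROUP
snmp-agent usm-user v3 FNT authentication-mode sha cipher %^%#PLACEHOLDER%^#
snmp-agent usm-user v3 FNT privacy-mode aes256 cipher %^%#PLACEHOLDER%^#
snmp-agent usm-user v3 FNT acl 3000
"""

# Algorithms the router itself warns about (SHA1) or that are legacy (MD5, DES, 3DES).
WEAK_AUTH = {"md5", "sha"}
WEAK_PRIV = {"des56", "3des168"}

# Lines that bind an ACL to the SSH server, an SNMP community or an SNMPv3 user.
ACL_BINDING = re.compile(
    r"^(?:ssh server acl|snmp-agent community \S+ .*?acl|snmp-agent usm-user v3 \S+ acl) (\d+)$")


def parse_acls(config):
    """Return {acl number: [rule line, ...]} for every 'acl number N' block."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"acl number (\d+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and line.startswith("rule "):
            acls[current].append(line)
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the ACL block
    return acls


def check_acl(number, rules, allowed_hosts):
    """Every permit must name exactly one allowed host and the ACL must end in a deny."""
    findings = []
    for rule in rules:
        if " permit " not in rule:
            continue
        m = re.search(r"source (\S+)(?: (\S+))?", rule)
        if not m:
            findings.append(f"acl {number}: permit without a source: {rule}")
            continue
        host, wildcard = m.group(1), m.group(2) or "0"  # no wildcard = single host
        if host == "any" or wildcard not in ("0", "0.0.0.0"):
            findings.append(f"acl {number}: permit is broader than one host: {rule}")
        elif host not in allowed_hosts:
            findings.append(f"acl {number}: permit for unexpected host {host}")
    if not rules or " deny " not in rules[-1]:
        findings.append(f"acl {number}: does not end with an explicit deny")
    return findings


def audit(config, allowed_hosts):
    """Audit SSH, SNMPv2c and SNMPv3 access settings; return findings (empty = clean)."""
    acls = parse_acls(config)
    findings, checked = [], set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_BINDING.match(line)
        if m:
            number = m.group(1)
            if number not in acls:
                findings.append(f"acl {number} is referenced but not defined")
            elif number not in checked:
                checked.add(number)
                findings.extend(check_acl(number, acls[number], allowed_hosts))
        elif line.startswith("snmp-agent community "):
            findings.append("SNMP community is not bound to an ACL")
        m = re.match(r"snmp-agent usm-user v3 (\S+) authentication-mode (\S+)", line)
        if m and m.group(2) in WEAK_AUTH:
            findings.append(f"usm-user {m.group(1)}: weak authentication algorithm {m.group(2)}")
        m = re.match(r"snmp-agent usm-user v3 (\S+) privacy-mode (\S+)", line)
        if m and m.group(2) in WEAK_PRIV:
            findings.append(f"usm-user {m.group(1)}: weak privacy algorithm {m.group(2)}")
    if not re.search(r"^ssh server acl \d+$", config, re.M):
        findings.append("ssh server has no ACL bound")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"10.20.20.20"}):
        print(finding)
```

To run it against a real router, save the output of `display current-configuration` to a file and pass its contents to `audit()` together with the set of jump host and NMS addresses that are supposed to be permitted; on the constructed sample it reports the SHA1 user and the two problems with ACL 3000, and nothing for ACL 888 or 1234.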
**Syslog Configuration**

Remote Syslog Server IP = 10.50.50.50

Pre-configured:
sysname <device hostname>

a. Enable the logging functionality

info-center enable

b. Configure the channel that sends logs to the remote syslog server

info-center channel 6 name <channel name>
info-center source <source> channel <channel name> trap level <level> debug level <debug level>
info-center source <source> channel <channel name> log level { notification | warning }

c. Configure the source interface of the logging

info-center loghost source <source interface>

d. Configure the remote syslog IP to send logs to

info-center loghost <syslog IP> vpn-instance <vpn instance name> channel loghost facility <localnum>

Optional:

info-center timestamp log date precision-time millisecond
info-center logbuffer channel <channel> size <value>

Sample Output:

info-center channel 6 name freenetworklog
info-center source default channel freenetworklog log level notification
info-center source default channel freenetworklog trap level error debug level informational
info-center loghost source GigabitEthernet0/0/0
info-center loghost 10.50.50.50 vpn-instance management channel loghost facility local2
info-center timestamp log date precision-time millisecond
info-center logbuffer channel freenetworklog size 1024

**NTP Configuration**

NTP Server1: 192.168.10.101
NTP Server2: 192.168.10.102

Configuration:

ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server <NTP IP#1> vpn-instance <vpn instance name>
ntp-service unicast-server <NTP IP#2> vpn-instance <vpn instance name>

The two "server disable" commands stop the router from answering NTP requests itself, so it acts purely as a client of the listed servers over the management VPN instance.

Verification:

display ntp-service status
display ntp-service sessions

Sample Output:

ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-server 192.168.10.101 vpn-instance management
ntp-service unicast-server 192.168.10.102 vpn-instance management

If authentication is enabled on your NTP server:

- Enable the NTP authentication function
- Configure the NTP authentication key
- Declare the key as reliable (trusted)
- Configure the NTP server(s) with the authentication key id

ntp-service authentication enable
ntp-service authentication-keyid <key-id> authentication-mode { md5 | hmac-sha256 } { cipher } <password>
ntp-service reliable authentication-keyid <key-id>
ntp-service unicast-server <NTP IP#1> authentication-keyid <key-id> vpn-instance <vpn instance name>
ntp-service unicast-server <NTP IP#2> authentication-keyid <key-id> vpn-instance <vpn instance name>
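The four authentication steps above only work when they agree with each other: every key must be declared reliable, and every server must reference a key that exists. As an added example (not part of the original post), the Python check below walks the NTP lines and reports any mismatch, plus the md5 option and a missing "server disable". The sample configuration is constructed from the page's snippet; key id 20 (md5) and the second server without a key id are deliberate defects, and cipher text is a placeholder.

```python
import re

# Constructed sample based on the page's NTP snippet with authentication added.
# Key 20 (md5) and the second server without a key id are deliberate defects.
SAMPLE_NTP = """\
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher %^%#PLACEHOLDER%^#
ntp-service authentication-keyid 20 authentication-mode md5 cipher %^%#PLACEHOLDER%^#
ntp-service reliable authentication-keyid 10
ntp-service unicast-server 192.168.10.101 authentication-keyid 10 vpn-instance management
ntp-service unicast-server 192.168.10.102 vpn-instance management
"""


def audit_ntp(config, mgmt_vpn="management"):
    """Cross-check the NTP client, key and server lines; return findings (empty = clean)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    keys, reliable = {}, set()  # key id -> mode; key ids declared reliable
    for line in lines:
        m = re.match(r"ntp-service authentication-keyid (\d+) authentication-mode (\S+)", line)
        if m:
            keys[m.group(1)] = m.group(2)
        m = re.match(r"ntp-service reliable authentication-keyid (\d+)$", line)
        if m:
            reliable.add(m.group(1))
    # The router should only be a client on the OOB network, never an NTP server.
    for cmd in ("ntp-service server disable", "ntp-service ipv6 server disable"):
        if cmd not in lines:
            findings.append(f"missing '{cmd}': router still answers NTP requests")
    auth_enabled = "ntp-service authentication enable" in lines
    for key, mode in keys.items():
        if mode != "hmac-sha256":
            findings.append(f"key {key}: {mode} is weak, use hmac-sha256")
        if key not in reliable:
            findings.append(f"key {key}: not declared with 'ntp-service reliable authentication-keyid'")
    servers = 0
    for line in lines:
        m = re.match(r"ntp-service unicast-server (\S+)(.*)$", line)
        if not m:
            continue
        servers += 1
        ip, rest = m.group(1), m.group(2)
        if f" vpn-instance {mgmt_vpn}" not in rest:
            findings.append(f"server {ip}: not bound to vpn-instance {mgmt_vpn}")
        k = re.search(r"authentication-keyid (\d+)", rest)
        if auth_enabled and not k:
            findings.append(f"server {ip}: authentication is enabled but no key id is set")
        elif k and k.group(1) not in keys:
            findings.append(f"server {ip}: key id {k.group(1)} is not defined")
    if servers < 2:
        findings.append("fewer than two NTP servers configured")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_NTP):
        print(finding)
```

A server without a key id while authentication is enabled simply fails to synchronise, which shows up in `display ntp-service sessions` only after the fact; running the check on the saved configuration catches it before the change is committed.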

**AAA Configuration**

10.10.10.10 – TACACS+/ACS/ISE/AAA server #1
10.10.10.11 – TACACS+/ACS/ISE/AAA server #2
20.20.20.2 – Source IP

a. Configure the TACACS server profile (template)

hwtacacs-server template <PROFILENAME>
hwtacacs-server authentication <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server authentication <TACACS IP#2> secondary
hwtacacs-server authorization <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server authorization <TACACS IP#2> secondary
hwtacacs-server accounting <TACACS IP#1> vpn-instance <vpn instance name>
hwtacacs-server accounting <TACACS IP#2> secondary
hwtacacs-server source-ip <SOURCE IP>
hwtacacs-server shared-key cipher <TACACS KEY>
hwtacacs-server user-name original

Sample Config:

hwtacacs-server template freenetworktutorials
 hwtacacs-server authentication 10.10.10.10 vpn-instance management
 hwtacacs-server authentication 10.10.10.11 secondary
 hwtacacs-server authorization 10.10.10.10 vpn-instance management
 hwtacacs-server authorization 10.10.10.11 secondary
 hwtacacs-server accounting 10.10.10.10 vpn-instance management
 hwtacacs-server accounting 10.10.10.11 secondary
 hwtacacs-server source-ip 20.20.20.2
 hwtacacs-server shared-key cipher %^%#;@A~ktB2)8`FLf~1/84h,}fnt;f>XY%^%#
 hwtacacs-server user-name original

b. Configure the AAA schemes. Set "local" as the backup authentication/authorization method in case the TACACS+ server becomes unreachable.

aaa
authentication-scheme <NAME>
authentication-mode hwtacacs local

authorization-scheme <NAME>
authorization-mode hwtacacs local
authorization-cmd <privilege level> hwtacacs local

accounting-scheme <NAME>
accounting-mode hwtacacs
accounting start-fail online

(Optional: "accounting start-fail online" allows users to stay online if the accounting-start request fails.)

Sample Config:

aaa
 authentication-scheme freenetworktutorials
  authentication-mode hwtacacs local
 authorization-scheme freenetworktutorials
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme freenetworktutorials
  accounting-mode hwtacacs

c. Configure a local user as backup authentication in case the AAA server is unreachable

aaa
local-user <USER> password irreversible-cipher <password>
local-user <USER> service-type ssh
local-user <USER> level <value>
local-user <USER> state block fail-times 3 interval 5

Optional commands:
local-user <USER> privilege level 15
local-user <USER> state block fail-times 3 interval 5

Sample Config:

aaa
 local-user freeuser password irreversible-cipher +$GKCa6WJ!N4[QH.OY6(C6GCPt#U/'HIa@AoU>;R"Z8SfNT`
 local-user freeuser service-type ssh
 local-user freeuser level 3
 local-user freeuser privilege level 15
 local-user freeuser state block fail-times 3 interval 5

d. Configure the domain that ties the AAA schemes to the TACACS server template

aaa
domain <domain name>
authentication-scheme <AAA scheme>
authorization-scheme <AAA scheme>
accounting-scheme <AAA scheme>
hwtacacs-server <TACACS template name>

Sample Config:

aaa
 domain FNT
  authentication-scheme freenetworktutorials
  authorization-scheme freenetworktutorials
  accounting-scheme freenetworktutorials
  hwtacacs-server freenetworktutorials

e. Optional AAA configuration for event (command and login) recording

aaa
recording-scheme <recording scheme>
recording-mode hwtacacs <TACACS template name>
system recording-scheme <recording scheme>
outbound recording-scheme <recording scheme>
cmd recording-scheme <recording scheme>

Sample Config:

aaa
 recording-scheme freenetworktutorials
  recording-mode hwtacacs freenetworktutorials
 system recording-scheme freenetworktutorials
 outbound recording-scheme freenetworktutorials
 cmd recording-scheme freenetworktutorials
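Steps a to d above only give you a working TACACS+ setup with a safe fallback when the names line up: the domain must reference schemes and a template that exist, the schemes must keep "local" after "hwtacacs", and the local fallback user must be lockout-protected and SSH-only. As an added example (not part of the original post), the Python check below parses the "aaa" section and reports any of those gaps. The sample configuration is constructed from the page's snippets, with a hypothetical second local user named "legacy" that has two defects; cipher text is a placeholder.

```python
import re

# Constructed sample: the page's TACACS template, AAA schemes, domain and local
# user, plus a hypothetical second local user ("legacy") with two defects.
SAMPLE_AAA = """\
hwtacacs-server template freenetworktutorials
 hwtacacs-server authentication 10.10.10.10 vpn-instance management
 hwtacacs-server authentication 10.10.10.11 secondary
 hwtacacs-server shared-key cipher %^%#PLACEHOLDER%^#
aaa
 authentication-scheme freenetworktutorials
  authentication-mode hwtacacs local
 authorization-scheme freenetworktutorials
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme freenetworktutorials
  accounting-mode hwtacacs
 local-user freeuser password irreversible-cipher PLACEHOLDER
 local-user freeuser service-type ssh
 local-user freeuser privilege level 15
 local-user freeuser state block fail-times 3 interval 5
 local-user legacy password irreversible-cipher PLACEHOLDER
 local-user legacy service-type telnet
 domain FNT
  authentication-scheme freenetworktutorials
  authorization-scheme freenetworktutorials
  accounting-scheme freenetworktutorials
  hwtacacs-server freenetworktutorials
"""


def audit_aaa(config):
    """Cross-check template, schemes, domain and local users; return findings (empty = clean)."""
    findings = []
    templates, schemes, users, domain_refs = set(), {}, {}, []
    domain = scheme = None  # which 'domain' or '*-scheme' block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"hwtacacs-server template (\S+)$", line):
            templates.add(m.group(1))
            domain = scheme = None
        elif m := re.match(r"domain (\S+)$", line):
            domain, scheme = m.group(1), None
        elif m := re.match(r"(authentication|authorization|accounting)-scheme (\S+)$", line):
            if domain:  # inside a domain this line is a reference, not a definition
                domain_refs.append((domain, m.group(1), m.group(2)))
            else:
                scheme = (m.group(1), m.group(2))
                schemes[scheme] = []
        elif domain and (m := re.match(r"hwtacacs-server (\S+)$", line)):
            domain_refs.append((domain, "hwtacacs-server", m.group(1)))
        elif scheme and (m := re.match(r"(authentication|authorization)-mode (.+)$", line)):
            schemes[scheme].append(m.group(2))
        elif m := re.match(r"local-user (\S+) (.+)$", line):
            domain = scheme = None
            users.setdefault(m.group(1), []).append(m.group(2))
    # Schemes that use TACACS must keep 'local' as the fallback method.
    for (kind, name), modes in schemes.items():
        for mode in modes:
            if "hwtacacs" in mode.split() and "local" not in mode.split():
                findings.append(f"{kind}-scheme {name}: '{mode}' has no local fallback")
    # Everything the domain references must be defined.
    for d, kind, name in domain_refs:
        if kind == "hwtacacs-server" and name not in templates:
            findings.append(f"domain {d}: hwtacacs template {name} is not defined")
        elif kind != "hwtacacs-server" and (kind, name) not in schemes:
            findings.append(f"domain {d}: {kind}-scheme {name} is not defined")
    # The fallback user must be lockout-protected and reachable only over SSH.
    for user, attrs in users.items():
        if not any(a.startswith("state block fail-times") for a in attrs):
            findings.append(f"local-user {user}: no lockout ('state block fail-times ...')")
        if any(a.startswith("service-type") and "telnet" in a.split() for a in attrs):
            findings.append(f"local-user {user}: telnet is enabled, allow only ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_AAA):
        print(finding)
```

On the constructed sample the page's own user "freeuser" passes and only the hypothetical "legacy" user is reported; the test cases also show what the check says when the "local" fallback or the TACACS template is missing.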

Note: NetFlow export traffic should not go through the management ports; its volume can cause high CPU utilization on the MPU.
