Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring Interoperation Between CE Series Switches and eSight

Applicable Products and Versions

This example applies to CE series switches running V100R001C00SPC200 or later versions.

This example applies to eSight running V300R001C00 or later versions.

Networking Requirements

eSight is a next-generation network management system (NMS) designed for enterprise agile campus networks and enterprise branch networks. It uniformly manages and intelligently associates enterprise resources, services, and users. Before using eSight, you need to perform related configurations on CE series switches and eSight so that the switches can communicate with eSight. eSight then can detect the switches, deliver configurations to the switches, and discover network links.

In Figure 3-10, eSight has reachable routes to SwitchA and SwitchB. It is required that eSight perform O&M and management on SwitchA and SwitchB.

Figure 3-10 Interoperation between CE series switches and eSight

Configuration Roadmap

eSight detects the switches using SNMP, logs in to the switches and delivers configurations to them using Telnet or STelnet (SSH), and discovers links using LLDP. For security purposes, you are advised to use SNMPv3 and STelnet. The configuration roadmap is as follows:
  1. Configure SNMPv3 on SwitchA and SwitchB.

    When configuring security levels, ensure that the security level of the trap host is not lower than that of the user, and the security level of the user is not lower than that of the user group.

    The security levels in descending order by security are as follows:
    • Privacy: authentication and encryption
    • Authentication: authentication and no encryption
    • None: no authentication and no encryption
  2. Configure STelnet on SwitchA and SwitchB.
  3. Configure LLDP on SwitchA and SwitchB.
  4. Add the switches to eSight.
  5. Configure STelnet on eSight.

Procedure

  1. Configure SNMPv3 on SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not provided here.

    1. Configure the SNMP version.

      <HUAWEI> system-view 
      [~HUAWEI] sysname SwitchA 
      [*HUAWEI] commit 
      [~SwitchA] snmp-agent sys-info version v3  //Set the SNMP version to SNMPv3, which must be the same as the SNMP version on eSight.
      [*SwitchA] commit 

    2. Configure the access rights.

      [~SwitchA] snmp-agent mib-view included myview iso  //Configure the MIB view accessible to eSight. The MIB view must contain the iso object to ensure that eSight can properly manage the switch, for example, eSight can discover the link to the switch using LLDP.
      [*SwitchA] commit

    3. Configure an SNMPv3 user group and an SNMPv3 user, and set the authentication and encryption modes.

      NOTE:

      SNMPv3 authentication modes are MD5 and SHA, and SNMPv3 encryption modes are 3DES168, AES128, AES192, AES256, and DES56. For security purposes, you are advised to set the SNMPv3 authentication mode to SHA and the SNMPv3 encryption mode to AES128, AES192, or AES256.

      [~SwitchA] snmp-agent group v3 admin privacy write-view myview notify-view myview
      [*SwitchA] snmp-agent usm-user v3 eSight-admin group admin  //Set the SNMPv3 user name to eSight-admin, which must be the same as the security name on eSight.
      [*SwitchA] snmp-agent usm-user v3 eSight-admin authentication-mode sha  //Configure the authentication mode and authentication password of the user eSight-admin, which must be the same as the authentication protocol and authentication password on eSight. 
      Please configure the authentication password (8-255)
      Enter Password:               //Enter the authentication password, which is Authe@1234 in this example.
      Confirm Password:             //Confirm the authentication password, which is Authe@1234 in this example.
      [*SwitchA] snmp-agent usm-user v3 eSight-admin privacy-mode aes128  //Configure the encryption mode and encryption password of the user eSight-admin, which must be the same as the proprietary protocol and encryption password on eSight.
      Please configure the privacy password (8-255)
      Enter Password:              //Enter the encryption password, which is Priva@1234 in this example.
      Confirm Password:            //Confirm the encryption password, which is Priva@1234 in this example.
      [*SwitchA] commit

    4. Configure a trap host.

      NOTE:

      Before configuring the switch to send traps, ensure that the information center has been enabled. If the information center is not enabled, run the info-center enable command in the system view to enable it.

      [~SwitchA] snmp-agent trap enable  //Enable the trap function for all modules. By default, the trap function is disabled for some modules.
      [*SwitchA] snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy  //Set the IP address of the trap host to the IP address of eSight, the security name to the SNMPv3 user name, and the SNMP version to SNMPv3.
      [*SwitchA] commit

  2. Configure STelnet (SSH) on SwitchA. SwitchA functions as the SSH server. The configuration of SwitchB is similar to that of SwitchA and is not provided here.
    1. Generate a local key pair on SwitchA.

      [~SwitchA] rsa local-key-pair create
      The key name will be:SwitchA_Host
      The range of public key size is (2048 ~ 2048).   
      NOTE: Key pair generation will take a short while.
      [*SwitchA] commit

    2. Create an SSH user on SwitchA.

      NOTE:

      There are eight authentication modes for SSH users: password, RSA, password-rsa, DSA, password-dsa, ECC, password-ecc, and all. The password authentication mode is used in this example.

      # Configure the VTY user interface.

      [~SwitchA] user-interface vty 0 4
      [~SwitchA-ui-vty0-4] authentication-mode aaa
      [*SwitchA-ui-vty0-4] protocol inbound ssh   //Set the protocol type supported by the VTY user interface to SSH.
      [*SwitchA-ui-vty0-4] quit

      # Create the SSH user named esight-ssh and configure the password authentication mode for the user.

      [*SwitchA] aaa
      [*SwitchA-aaa] local-user esight-ssh password irreversible-cipher Huawei@123  //Create the user named esight-ssh and configure a password for the user. The user name and password must be the same as those of the STelnet login user on eSight.
      [*SwitchA-aaa] local-user esight-ssh level 3
      [*SwitchA-aaa] local-user esight-ssh service-type ssh  //Set the access type of the user esight-ssh to SSH, which must be the same as the login protocol on eSight.
      [*SwitchA-aaa] quit
      [*SwitchA] ssh user esight-ssh authentication-type password  //Set the authentication mode of the user esight-ssh to password authentication, which must be the same as the authentication mode on eSight.
      [*SwitchA] commit

    3. Enable the STelnet service on SwitchA.

      [~SwitchA] stelnet server enable
      [*SwitchA] commit

    4. Set the service type of the SSH user esight-ssh to STelnet on SwitchA.

      [~SwitchA] ssh user esight-ssh service-type stelnet
      [*SwitchA] commit

  3. Configure LLDP on SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not provided here.

    [~SwitchA] lldp enable  //By default, LLDP is disabled on CE series switches.
    [*SwitchA] commit

  4. Add the switches to eSight.

    eSight provides three methods of adding devices:
    • Discovering devices automatically: eSight discovers devices by IP address segment.
    • Adding a single device: You can manually add a small number of devices to eSight.
    • Importing devices in a batch: You can import devices to eSight using a file.
    The following uses eSight V300R007C00 and the automatic discovery method as an example. For details about other methods of adding devices, see the appropriate eSight product documentation.
    # Create an SNMP template on eSight.
    1. Log in to eSight and choose Resource > Resource Management > Protocol Template.

    2. Choose SNMP Template > Create to access the Add Template page.

    3. Set parameters in the SNMP template, confirm the information, and click OK.
      Table 3-18 Parameters in the SNMP template

      | Parameter | Value | Remarks |
      |---|---|---|
      | Template name | SNMPv3 | - |
      | Parameter type | V3: indicates that the SNMP version on eSight is SNMPv3. | The SNMP versions configured on the CE series switches must include SNMPv3. |
      | Authentication protocol | HMAC_SHA | The authentication protocol must be the same as the authentication mode of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the authentication mode of the SNMPv3 user eSight-admin is SHA. |
      | Authentication password | Authe@1234 | The authentication password must be the same as that of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the authentication password of the SNMPv3 user eSight-admin is Authe@1234. |
      | Proprietary protocol | AES_128 | The proprietary protocol must be the same as the encryption mode of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the encryption mode of the SNMPv3 user eSight-admin is AES128. |
      | Encryption password | Priva@1234 | The encryption password must be the same as that of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the encryption password of the SNMPv3 user eSight-admin is Priva@1234. |
      | User name | eSight-admin | The user name must be the same as that of the SNMPv3 user configured on the CE series switches. |
      | Context | - | - |
      | Engine ID | - | - |
      | Port number | 161 | The port number must be the same as the SNMP port number configured on the CE series switches. By default, the SNMP port number on a CE series switch is 161. To change the SNMP port number, run the snmp-agent udp-port port-num command in the system view. |
      | Timeout period | 4 | If the network quality is not high, set a longer timeout period. |
      | Retries | 3 | - |

    # Add the switches to eSight.

    1. Choose Resource > Add Resource > Automatic Discovery.

    2. Enter required information and click Discover.

      Basic Settings: Set Start IP address, End IP address, and Add to subnet.

      Task Settings: Retain the default settings.

      SNMP Settings: Click Select SNMP Protocol Template and select the created SNMP template SNMPv3.

    3. If is displayed on the page, the switches are added successfully. Click Finish.

  5. Configure STelnet on eSight.

    # Create an STelnet template on eSight.

    1. Choose Resource > Resource Management > Protocol Template.

    2. Choose Telnet Template > Create to access the Create page.

    3. Set parameters in the Telnet template, confirm the information, and click OK.
      Table 3-19 Parameters in the Telnet template

      | Parameter | Value | Remarks |
      |---|---|---|
      | Template name | SSH | - |
      | Protocol | STelnet: indicates that eSight remotely logs in to the switches and delivers configurations to the switches using STelnet. | The STelnet login mode must be configured on the CE series switches. |
      | Port number | 22 | The port number must be the same as the STelnet port number configured on the CE series switches. By default, the STelnet port number on a CE series switch is 22. To change the STelnet port number, run the ssh [ ipv4 \| ipv6 ] server port port-number command in the system view. NOTE: The switch supports the ipv4 and ipv6 parameters in V200R005C00 and later versions. |
      | Timeout period | 20 | - |
      | Authentication | Password | The authentication mode must be the same as that of the SSH user configured on the CE series switches. In this example, the authentication mode of the SSH user configured on the CE series switches is password authentication. |
      | User name | esight-ssh | The user name must be the same as that of the SSH user configured on the CE series switches. |
      | Password | Huawei@123 | The password must be the same as that of the SSH user esight-ssh configured on the CE series switches. In this example, the password of the SSH user esight-ssh configured on the CE series switches is Huawei@123. |

    # Configure eSight to remotely log in to the switches using STelnet.

    1. Choose Resource > Resource Management > Network Device.

    2. Select the switches, and choose Set Protocol > Set Telnet Parameters to access the Set telnet parameters page.

    3. You can set Telnet parameters using either of the following methods:
      • Manually editing Telnet parameters: You can directly configure Telnet parameters. For detailed Telnet parameters, see Table 3-19.

      • Selecting Telnet parameters from an existing Telnet template: You need to configure the Telnet template in advance.

      In this example, use the second method, select the configured Telnet template SSH, and click OK.

Verifying the Configuration

# Check the link status.
  1. Choose Resource > Resource Management > Link Management.

  2. Click Discover Link, set the devices to be discovered at both ends of the link, and click Discover. After link discovery is complete, eSight discovers that a link exists between SwitchA and SwitchB, indicating that LLDP takes effect between SwitchA and SwitchB.

# Check whether eSight can log in to a switch using STelnet.
  1. Choose Resource > Resource Management > Network Device.

  2. Click the switch name SwitchA.

  3. Choose View > Basic Information to access the Device Information page. Click .

  4. When the following information is displayed, eSight has logged in to the switch using STelnet successfully.

    Stelnet Connecting 10.7.6.6 22

    <SwitchA>

Configuration Files

  • SwitchA configuration file
    • Excluding V200R002C50 and V200R003C00 versions

      # 
      sysname SwitchA  
      #
      aaa
       local-user esight-ssh password irreversible-cipher $1c$SHC5!`(,hA$QT2y#RXzh,gmqY@{&ofF+\'zXPODoFYQ<f)Um%GI$  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
       local-user esight-ssh service-type ssh
       local-user esight-ssh level 3
      #
      snmp-agent
      snmp-agent local-engineid 800007DB03749D8F4CDAD1
      #
      snmp-agent sys-info version v3
      snmp-agent group v3 admin privacy write-view myview notify-view myview
      snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy
      #
      snmp-agent mib-view included myview iso
      snmp-agent usm-user v3 eSight-admin
      snmp-agent usm-user v3 eSight-admin group admin
      snmp-agent usm-user v3 eSight-admin authentication-mode sha cipher %^%#OZm+Go>*C4;2(lWT&GM%LO6b6ok}>"-&fb=+~^W;%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
      snmp-agent usm-user v3 eSight-admin privacy-mode aes128 cipher %^%#|9u".#KR+;rlDcW1NWJW$OX@P<RK%>1$~QBSippH%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
      #
      snmp-agent trap enable
      #
      lldp enable
      #
      stelnet server enable
      ssh user esight-ssh
      ssh user esight-ssh authentication-type password
      ssh user esight-ssh service-type stelnet
      ssh authorization-type default aaa  //This command is supported in V100R005C10 and later versions.
      
      #
      user-interface vty 0 4
       authentication-mode aaa
       protocol inbound ssh
      #
      return
    • V200R002C50 and V200R003C00 versions
      # 
      sysname SwitchA  
      #
      aaa
       local-user esight-ssh password irreversible-cipher $1c$SHC5!`(,hA$QT2y#RXzh,gmqY@{&ofF+\'zXPODoFYQ<f)Um%GI$
       local-user esight-ssh service-type ssh
       local-user esight-ssh level 3
      #
      snmp-agent
      snmp-agent local-engineid 800007DB03749D8F4CDAD1
      #
      snmp-agent sys-info version v3
      snmp-agent group v3 admin privacy write-view myview notify-view myview
      snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy
      #
      snmp-agent mib-view included myview iso
      snmp-agent usm-user v3 eSight-admin
      snmp-agent usm-user v3 eSight-admin group admin
      snmp-agent usm-user v3 eSight-admin authentication-mode sha cipher %^%#OZm+Go>*C4;2(lWT&GM%LO6b6ok}>"-&fb=+~^W;%^%#
      snmp-agent usm-user v3 eSight-admin privacy-mode aes128 cipher %^%#|9u".#KR+;rlDcW1NWJW$OX@P<RK%>1$~QBSippH%^%#
      #
      snmp-agent trap enable
      #
      lldp enable
      #
      stelnet ipv4 server enable
      stelnet ipv6 server enable
      ssh user esight-ssh
      ssh user esight-ssh authentication-type password
      ssh user esight-ssh service-type stelnet
      ssh authorization-type default aaa
      #
      user-interface vty 0 4
       authentication-mode aaa
       protocol inbound ssh
      #
      return
  • SwitchB configuration file
    • Excluding V200R002C50 and V200R003C00 versions

      # 
      sysname SwitchB
      #
      aaa
       local-user esight-ssh password irreversible-cipher $1c$SHC5!`(,hA$QT2y#RXzh,gmqY@{&ofF+\'zXPODoFYQ<f)Um%GI$  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
       local-user esight-ssh service-type ssh
       local-user esight-ssh level 3
      #
      snmp-agent
      snmp-agent local-engineid 800007DB0300259E957C21
      #
      snmp-agent sys-info version v3
      snmp-agent group v3 admin privacy write-view myview notify-view myview
      snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy
      #
      snmp-agent mib-view included myview iso
      snmp-agent usm-user v3 eSight-admin
      snmp-agent usm-user v3 eSight-admin group admin
      snmp-agent usm-user v3 eSight-admin authentication-mode sha cipher %^%#*,%e*/(8\'L^V(=Z&tz57(;,&A57[O)V,S';'n#B%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
      snmp-agent usm-user v3 eSight-admin privacy-mode aes128 cipher %^%#'I5CWSmhYG)u1+#LT/pFmdhT4W(s("u_{VBdaX:Z%^%#  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
      #
      snmp-agent trap enable
      #
      lldp enable
      #
      stelnet server enable
      ssh user esight-ssh
      ssh user esight-ssh authentication-type password
      ssh user esight-ssh service-type stelnet
      ssh authorization-type default aaa  //This command is supported in V100R005C10 and later versions.
      #
      user-interface vty 0 4
       authentication-mode aaa
       protocol inbound ssh
      #
      return
    • V200R002C50 and V200R003C00 versions

      # 
      sysname SwitchB  
      #
      aaa
       local-user esight-ssh password irreversible-cipher $1c$tg$[%U4O]($v_KQQ:y9--9U(q~,b3bTXwbHVoE;>#GlHt/NN8tA$
       local-user esight-ssh service-type ssh
       local-user esight-ssh level 3
      #
      snmp-agent
      snmp-agent local-engineid 800007DB0300259E957C21
      #
      snmp-agent sys-info version v3
      snmp-agent group v3 admin privacy write-view myview notify-view myview
      snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy
      #
      snmp-agent mib-view included myview iso
      snmp-agent usm-user v3 eSight-admin
      snmp-agent usm-user v3 eSight-admin group admin
      snmp-agent usm-user v3 eSight-admin authentication-mode sha cipher %^%#*,%e*/(8\'L^V(=Z&tz57(;,&A57[O)V,S';'n#B%^%#
      snmp-agent usm-user v3 eSight-admin privacy-mode aes128 cipher %^%#'I5CWSmhYG)u1+#LT/pFmdhT4W(s("u_{VBdaX:Z%^%#
      #
      snmp-agent trap enable
      #
      lldp enable
      #
      stelnet ipv4 server enable
      stelnet ipv6 server enable
      ssh user esight-ssh
      ssh user esight-ssh authentication-type password
      ssh user esight-ssh service-type stelnet
      ssh authorization-type default aaa
      #
      user-interface vty 0 4
       authentication-mode aaa
       protocol inbound ssh
      #
      return
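
The security-level rule from the configuration roadmap (trap host not lower than user, user not lower than user group), the algorithm advice in the SNMPv3 NOTE, and the SSH-only VTY setting can be checked offline against a saved configuration file. The following Python script is an added example, not Huawei or eSight code; audit(), GOOD, WEAK and the <ciphertext> placeholder are constructed for illustration, and the parser assumes the command forms shown in the configuration files above.

```python
import re

LEVELS = {"privacy": 2, "authentication": 1}      # any other keyword counts as level 0
NAMES = ["none", "authentication", "privacy"]
WEAK_AUTH, WEAK_PRIV = {"md5"}, {"des56", "3des168"}

def audit(config):
    """Return findings for one saved CE switch configuration (plain text)."""
    findings, groups, users, traps, section = [], {}, {}, [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line                         # unindented line opens a new view
        if m := re.match(r"snmp-agent sys-info version (.+)", line):
            if set(m[1].split()) & {"v1", "v2c", "all"}:
                findings.append("SNMPv1/v2c is enabled: " + line)
        elif m := re.match(r"snmp-agent group v3 (\S+)(?: (\S+))?", line):
            groups[m[1]] = LEVELS.get(m[2], 0)
        elif m := re.match(r"snmp-agent target-host trap .*securityname (\S+) v3(?: (\S+))?", line):
            traps.append((m[1], LEVELS.get(m[2], 0)))
        elif m := re.match(r"snmp-agent usm-user v3 (\S+) (group|authentication-mode|privacy-mode) (\S+)", line):
            users.setdefault(m[1], {})[m[2]] = m[3]
        elif section.startswith("user-interface vty") and line.startswith("protocol inbound"):
            if line.split()[-1] != "ssh":
                findings.append(f"{section}: '{line}' allows non-SSH logins")
    for name, u in users.items():
        auth, priv = u.get("authentication-mode"), u.get("privacy-mode")
        if auth in WEAK_AUTH:
            findings.append(f"user {name}: authentication mode {auth}, use sha")
        if priv in WEAK_PRIV:
            findings.append(f"user {name}: encryption mode {priv}, use aes128/192/256")
        u_level = 2 if auth and priv else 1 if auth else 0
        g_level = groups.get(u.get("group"), 0)
        if u_level < g_level:
            findings.append(f"user {name}: level {NAMES[u_level]} is lower than group level {NAMES[g_level]}")
        for sec_name, t_level in traps:
            if sec_name == name and t_level < u_level:
                findings.append(f"trap host for {name}: level {NAMES[t_level]} is lower than user level {NAMES[u_level]}")
    return findings

# Constructed sample: mirrors the SwitchA file above, with placeholder ciphertext.
GOOD = """\
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view myview notify-view myview
snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy
snmp-agent usm-user v3 eSight-admin group admin
snmp-agent usm-user v3 eSight-admin authentication-mode sha cipher <ciphertext>
snmp-agent usm-user v3 eSight-admin privacy-mode aes128 cipher <ciphertext>
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""
# Constructed weak variant: the same file with five settings downgraded.
WEAK = (GOOD.replace("version v3", "version v2c v3").replace("mode sha", "mode md5")
        .replace("aes128", "des56").replace("v3 privacy", "v3 authentication")
        .replace("inbound ssh", "inbound all"))

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(cfg) or "no findings")
```

Run it against the text of a saved configuration exported from the switch; an empty list means none of the checked settings deviates from the recommendations on this page.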
Updated: 2019-10-14

Document ID: EDOC1000039339
