CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

These documents describe the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Establishing Communication Between the NMS and a Device Using NETCONF

To ensure proper communication between the network management system (NMS) and the managed devices, enable the Secure Shell (SSH) service on the NETCONF agent and deploy the NMS on the NETCONF manager.

Configuring an SSH User

Context

NETCONF requires SSH as its transport layer protocol. Before using NETCONF to manage network devices, configure SSH.

Procedure

  • Set SSH server parameters.

    Table 14-13 Setting SSH server parameters

    Enter the system view.
      Command: system-view

    Generate a local key pair.
      Command, method 1: Run the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command to generate a local RSA, DSA, or ECC key pair.
      Command, method 2:
        1. Run the rsa key-pair label label-name [ modulus modulus-bits ], dsa key-pair label label-name [ modulus modulus-bits ], or ecc key-pair label label-name [ modulus modulus-bits ] command to generate an RSA, DSA, or ECC key pair with a specific label name.
        2. Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-host-key } label-name command to assign the generated RSA host key, RSA server key, DSA host key, or ECC host key to the SSH server.
      Description:
        NOTE: The device can generate a maximum of 20 key pairs in method 2. You can use different key pairs in different periods to improve communication security. The maximum number of key pairs the device can generate is specified by the rsa key-pair maximum, dsa key-pair maximum, and ecc key-pair maximum commands.
        In method 1: After the key pair is generated, you can run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local RSA, DSA, or ECC key pair.
        In method 2: After the key pair is generated, you can run the display rsa key-pair [ brief | label label-name ], display dsa key-pair [ brief | label label-name ], or display ecc key-pair [ brief | label label-name ] command to view the RSA, DSA, or ECC key pair with a specific label.
        NOTE: A longer key pair provides higher security. The key pair of the maximum length is recommended.

    (Optional) Configure the listening port number.
      Command: ssh server port port-number
      Description: By default, the listening port number is 22. If a new port number is configured, the SSH server disconnects from all SSH clients and uses the new port number to listen for connection requests. Attackers who do not know the new port number cannot access the listening port of the SSH server.

    (Optional) Configure the interval for updating the key pair of the server.
      Command: ssh server rekey-interval hours
      Description: By default, the interval is 0, which means that the key pair is never updated. When the specified interval elapses, the key pair of the SSH server is updated, which improves server security.

    (Optional) Configure the SSH authentication timeout duration.
      Command: ssh server timeout seconds
      Description: By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the number of SSH authentication retries.
      Command: ssh server authentication-retries times
      Description: By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with earlier SSH versions.
      Command: ssh server compatible-ssh1x enable
      Description: By default, compatibility with earlier versions is disabled. To prevent clients from accessing the device using SSH1.3 to SSH1.99, run the undo ssh server compatible-ssh1x enable command to disable compatibility with SSH1.X.

    (Optional) Configure an ACL.
      Command: ssh [ ipv6 ] server acl { acl-number | acl-name }
      Description: By default, no ACL is configured for the SSH server. The ACL determines which clients can log in to the current device through SSH.

    (Optional) Enable the keepalive function on the SSH server.
      Command: undo ssh server keepalive disable
      Description: By default, the keepalive function is enabled on the SSH server. When it is enabled, the server responds to keepalive packets received from the SSH client. If it is disabled, the server disconnects from the SSH client when there is no data exchange, and the resulting reconnections waste server resources.

    (Optional) Configure the source IP address of the SSH server.
      Command: ssh server-source -i loopback interface-number
      Description: By default, the source interface of an SSH server is not specified.
      NOTE: Before specifying the source interface of the SSH server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface has not been created, this command cannot be executed correctly.

    Submit the configuration.
      Command: commit

    NOTE:
    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs ranges from 512 bits to 2048 bits. The default length is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 512, 1024, or 2048 bits. The default length is 2048 bits.

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa authentication mode combines the password and RSA authentication modes.
    • The password-dsa authentication mode combines the password and DSA authentication modes.
    • The password-ecc authentication mode combines the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users need only be authenticated by DSA, ECC, password, or RSA.
    Table 14-14 Configuring SSH user information

    Enter the system view.
      Command: system-view

    Create SSH users.
      Command: ssh user user-name

    Configure the authentication mode for SSH users.
      Command: ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa | password-dsa | ecc | password-ecc }
      Description: If SSH users are not created using the ssh user command, run the ssh authentication-type default password command directly to configure password authentication as the default mode for users. This simplifies the configuration when a large number of users exist, because you need to configure only AAA users.

    Set the service type to snetconf or all for SSH users.
      Command: ssh user username service-type { snetconf | all }
      Description: By default, the service type of SSH users is empty.
      NOTE:
      • To establish a NETCONF connection using the well-known port 22, the SSH user must have the service type set to snetconf.
      • To establish a NETCONF connection using the well-known port 830, the SSH user does not need the service type set to snetconf. The user can run the protocol inbound ssh port 830 command in the NETCONF view.

    Submit the configuration.
      Command: commit

    NOTE:
    • The password authentication mode is implemented based on AAA. To log in to the device in the password-dsa, password-ecc, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and the client need to generate the RSA, DSA, or ECC key, and each end must save and configure the public key of the peer end locally.
    Perform one of the following configurations according to the authentication mode you select:
    • To configure password authentication for the SSH user, see Table 14-15.
    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 14-16.
    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. See Table 14-15 and Table 14-16.

    Table 14-15 Configuring password, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Enter the system view.
      Command: system-view

    Enter the AAA view.
      Command: aaa

    Configure the local user name and password.
      Command: local-user user-name password irreversible-cipher irreversible-cipher-password

    Configure the service type for the local user.
      Command: local-user user-name service-type ssh

    Configure the level for the local user.
      Command: local-user user-name level level

    Return to the system view.
      Command: quit

    Commit the configuration.
      Command: commit

    NOTE: The level of the local user must be set to 3 or higher to ensure that the connection can be established.

    Table 14-16 Configuring DSA, ECC, RSA, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Enter the system view.
      Command: system-view

    Enter the RSA, DSA, or ECC public key view.
      Command: rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
      or: dsa peer-public-key key-name encoding-type { der | openssh | pem }
      or: ecc peer-public-key key-name

    Enter the public key editing view.
      Command: public-key-code begin

    Edit the public key.
      Command: hex-data
      Description:
      • The public key must be a hexadecimal character string in the public key encoding format, generated by client software that supports SSH. For detailed operations, see the help of the SSH client software.
      • You must enter the RSA, DSA, or ECC public key on the device that works as the SSH server.

    Exit the public key editing view.
      Command: public-key-code end
      Description:
      • If no hex-data public key code has been entered, no public key is generated when you run this command.
      • If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and returns directly to the system view when you run this command.

    Return to the system view from the public key view.
      Command: peer-public-key end

    Assign an RSA, DSA, or ECC public key to an SSH user.
      Command: ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

    Commit the configuration.
      Command: commit
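The following is an added worked example, not from the original guide, that strings the commands of Tables 14-13 to 14-16 together for one NETCONF manager account using password-ecc authentication. The key label, user name, ACL number, NMS subnet, password and public-key placeholders are assumptions; the ACL creation commands are standard VRP syntax not listed in the tables above, and lines beginning with # are editorial comments rather than device commands.

```text
# Lines starting with "#" are editorial comments, not configuration; indentation shows the view nesting.
# Assumed values: key label nms-ecc, SSH user nms-admin, basic ACL 2001, NMS subnet 10.1.1.0/24.
system-view
# Method 2: generate an ECC host key of the maximum length (521 bits) and assign it to the SSH server.
ecc key-pair label nms-ecc modulus 521
ssh server assign ecc-host-key nms-ecc
# Keep SSH1.x compatibility off (the default) and bound the authentication attempt window.
undo ssh server compatible-ssh1x enable
ssh server authentication-retries 3
ssh server timeout 60
# Rotate the server key pair daily instead of never (the default of 0).
ssh server rekey-interval 24
# Restrict SSH logins to the NMS subnet (ACL creation is standard VRP syntax, assumed here).
acl 2001
 rule permit source 10.1.1.0 0.0.0.255
 quit
ssh server acl 2001
# SSH user for the NETCONF manager: password plus ECC key, NETCONF subsystem only.
ssh user nms-admin
ssh user nms-admin authentication-type password-ecc
ssh user nms-admin service-type snetconf
# Matching AAA user (Table 14-15); level 3 or higher is required for the connection to succeed.
aaa
 local-user nms-admin password irreversible-cipher <password-placeholder>
 local-user nms-admin service-type ssh
 local-user nms-admin level 3
 quit
# Import the manager's ECC public key and bind it to the SSH user (Table 14-16).
ecc peer-public-key nms-admin-key
 public-key-code begin
  <hex-data: public key exported by the SSH client; placeholder>
 public-key-code end
peer-public-key end
ssh user nms-admin assign ecc-key nms-admin-key
commit
```

After the commit, display ssh server status and display ssh user-information nms-admin confirm that the ACL, retry limit and service type took effect before the NMS is pointed at the device.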

Enabling NETCONF

Context

A NETCONF connection can be established between the NETCONF manager and the NETCONF agent using the well-known port 22 only after NETCONF is enabled on the NETCONF agent.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    snetconf server enable

    NETCONF service is enabled.

    By default, NETCONF is disabled on the device.

  3. Run:

    commit

    The configuration is committed.

Follow-up Procedure

Set correct NETCONF parameters to ensure secure NETCONF session connections.

  1. Run:

    netconf

    The NETCONF user interface view is displayed.

  2. Perform one or more operations in Table 14-17 to set the desired NETCONF parameters.

    Table 14-17 Server parameters

    Maximum number of NETCONF users that the NETCONF user interface supports
      Operation: max-sessions
      Description: The default maximum number of NETCONF users is 5. To prevent unauthorized users from logging in to the device using NETCONF, set the maximum number of NETCONF users. After the maximum number is reached, subsequent users are not allowed to log in to the device. This mechanism ensures network management security.

    Timeout period of an idle NETCONF connection
      Operation: idle-timeout (NETCONF user interface view)
      Description: The default timeout period is 10 minutes. If no timeout period is set for an idle NETCONF connection, the idle connection cannot be released in time for use by other authorized users.

  3. Run:

    commit

    The configuration is committed.

(Optional) Configuring NETCONF Authorization

Context

After a NETCONF session is set up using Secure Shell (SSH), any SSH user can manage the device through that session, which leaves the device insecure. To resolve this problem, configure NETCONF authorization so that only specific users are authorized to perform NETCONF operations or access NETCONF resources.

Procedure

  1. Configure NETCONF authorization in the task group view and add a task to the task group.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      task-group task-group-name

      A task group is created, and the task group view is displayed.

    4. Run:

      netconf authorization-rule rule-name { { deny { rpc-operation rpc-oper-name | schema-path data-node-path } } | { permit { rpc-operation rpc-oper-name | schema-path data-node-path access-operation { read | write | execute }* } } } [ description description-text ]

      A NETCONF authorization rule for operations and data nodes is configured, and the task is added to the task group.

      By default, no NETCONF authorization rule is configured.

    5. Run:

      quit

      The AAA view is displayed again.

  2. Add the task group to a user group.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      user-group user-group-name

      A user group is created, and the user group view is displayed.

    4. Run:

      task-group task-group-name

      The specific task group is added to the user group.

    5. Run:

      quit

      The AAA view is displayed again.

  3. Run:

    local-user user-name user-group user-group-name

    A local user is added to the user group.

  4. Run:

    commit

    The configuration is committed.
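The following added example, not from the original guide, combines the Enabling NETCONF procedure, the Table 14-17 parameters and the authorization procedure above for an existing AAA local user nms-admin, then runs the check commands from the Checking the Configuration section. The group and rule names, session limit, idle timeout value and unit syntax, the RPC operation names and the schema path placeholder are assumptions, and lines beginning with # are editorial comments rather than device commands; the guide does not state the order in which deny and permit rules are evaluated, so the resulting rules must be verified on the device.

```text
# Lines starting with "#" are editorial comments, not configuration; indentation shows the view nesting.
system-view
# Enable the NETCONF agent (disabled by default) and also accept NETCONF on the dedicated port 830.
snetconf server enable
netconf
 protocol inbound ssh port 830
 # Cap concurrent NETCONF sessions below the default of 5 and release idle ones after 5 minutes
 # (assumed values and assumed idle-timeout unit syntax).
 max-sessions 3
 idle-timeout 5
 quit
# Authorization: a read-only task group for the NMS user. Rule names, RPC operation names
# (standard NETCONF operations) and the schema path placeholder are assumptions.
aaa
 task-group nms-readonly
  netconf authorization-rule no-edit deny rpc-operation edit-config description no-config-changes
  netconf authorization-rule no-copy deny rpc-operation copy-config
  netconf authorization-rule no-delete deny rpc-operation delete-config
  netconf authorization-rule read-all permit schema-path <data-node-path> access-operation read
  quit
 user-group nms-operators
  task-group nms-readonly
  quit
 local-user nms-admin user-group nms-operators
 quit
commit
# Verify the agent, the user and the rules that actually apply.
display ssh server status
display ssh user-information nms-admin
display netconf capability
display netconf authorization task-group-rules nms-readonly
display netconf authorization user-group-rules nms-operators
```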

Logging in to the NETCONF Agent Using the NMS

Context

The NMS can manage devices only when the NMS has connected to corresponding NEs and can communicate with them.

Before deploying NEs, divide the network into sub-networks properly. The physical topology must show the actual network structure and be easy to maintain routinely.

For installation and maintenance of the NMS, see the relevant installation instruction and usage guidelines.

Checking the Configuration

Background

After NETCONF is configured to allow the NMS to remotely manage configuration of devices, you can view detailed SSH session information (indicating that the NETCONF manager has logged in to the NETCONF agent), and the capabilities that the NETCONF agent supports.

Procedure

  • Run the display ssh user-information [ username ] command on the SSH server (NETCONF agent) to check information about the SSH user on the NETCONF client.
  • Run the display ssh server status command on the SSH server to check its global configuration.
  • Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and the SSH client (NETCONF manager).
  • Run the display netconf capability command to view the capabilities that the NETCONF agent supports.
  • Run the display netconf authorization { task-group-rules task-group-name | user-group-rules user-group-name } [ rule-name rule-name ] command to check the NETCONF authorization information.
  • Run the display netconf authorization statistics command to check the NETCONF authorization statistics.
Updated: 2019-08-09

Document ID: EDOC1000041694
