Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.

Logging In to a Device

Logging In to a Device for the First Time

This example describes setup operations to perform after logging in to your networking device for the first time.

Applicable Products and Versions

This configuration example applies to all router series products running V8.

Networking Requirements

The first time you power on your device, you must log in to it through the console interface to perform initial setup. For example, you can configure an IP address so that Telnet login can be used subsequently.

NOTE:

After a device (such as an NE20E-S2 series device) that supports Plug-and-Play (PnP) is powered on for the first time, STelnet login is supported by default. The default IP address of the management interface (GE0/0/0 or Ethernet0/0/0) is 192.168.0.1. If the device has network access when it is first powered on, this default address is automatically changed to a new address assigned by DHCP. By default, the username is root, and the password is Changeme_123. After logging in to the device, change the password promptly.

Procedure

  1. Power on all devices and ensure that the self-check completes normally.
  2. Connect a COM interface on a PC to the console interface of a device through a console cable. Use the console cable delivered with the product, and check the interface label before plugging in the cable to confirm that you are using the correct interface.

    NOTE:
    • If the PC's operating system includes terminal emulation software (for example, HyperTerminal on Windows 2000/XP), no additional preparation is required. If it does not (for example, Windows 7), obtain third-party terminal emulation software (for example, SecureCRT from VanDyke Software). For details about how to use the third-party software, see its usage guide or online help.

    • The PC may have multiple connection ports. You must select the port connected to the console cable. Generally, COM1 is selected. If the serial port communication parameters of the device are modified, change the communication parameters on the PC to be consistent with those of the device, then reconnect the device.

  3. Start a terminal emulation program such as SecureCRT on the PC. Establish a connection and select the Serial protocol, as shown in Figure 1-40.

    Figure 1-40  New connection

  4. Set communication port parameters, as shown in Figure 1-41.

    Figure 1-41  Communication port parameters

  5. After the connection is established, enter and confirm an authentication password. The device automatically saves the password.

    An initial password is required for the first login via the console.
    Set a password and keep it safe! Otherwise you will not be able to login via the console. 
    Please configure the login password (8-16)
    Enter Password: 
    Confirm Password: 
    

    The device then displays a prompt, for example, <HUAWEI>, indicating that you are in the user view. In the user view, you can enter commands to view device information, including its running status. If you are unsure which keyword to enter, type a question mark (?) to get help.

Using STelnet (SSH) to Remotely Log In to a Device

This section describes how to securely log in to a remote device through STelnet (SSH).

Applicable Products and Versions

This configuration example applies to all router series products running V8.

Networking Requirements

An enterprise has high security requirements, requiring strict authentication and authorization on device login and CLI permissions.

Configuration Roadmap

In scenarios with high network security requirements, SSH is recommended, and AAA can be used for authentication and authorization. To prevent user information loss from causes such as hardware damage, you are advised to combine local authentication and remote server authentication. The authentication protocol can be RADIUS or HWTACACS. This example uses HWTACACS, which requires CLI authorization, encrypts all traffic, and is more secure.

Table 1-40  Data planning

| Parameter | Planned Value |
| --- | --- |
| Protocol | SSH |
| Authentication type | Password authentication |
| Authentication method | AAA |
| Authentication mode | Local authentication first and then HWTACACS authentication |
| CLI authorization mode | HWTACACS authorization first and then local authorization |

Procedure

  1. Configure a VTY user interface.

    #
    acl name ACL_VTY basic       //Create a basic ACL.
     description ACL_FOR_VTY    //Configure a description for the ACL to prevent misuse of the ACL.
     rule 10 permit vpn-instance MGT source 10.7.16.0 0.0.0.255  //Allow a user at 10.7.16.0/24 to log in to the device.
     rule 20 permit vpn-instance MGT source 10.8.34.135 0      //Allow a user at 10.8.34.135/32 to log in to the device.
     …..//Add other IP addresses that are allowed to log in as required.
    #
    user-interface vty 0 14
     acl ACL_VTY inbound          //Configure permission control on the user interface to allow only users that satisfy a specified ACL rule to access the device.
     authentication-mode aaa      //Specify the authentication mode as AAA authentication.
     idle-timeout 5 0             //Set the VTY interface to be disconnected if it is idle for more than 5 minutes 0 seconds.
     protocol inbound ssh         //Set the VTY interface to support only the SSH protocol.
    #
    

  2. Configure AAA user management.
    1. Configure HWTACACS.

      #
      hwtacacs-server template for_aaa             //Configure a HWTACACS server template.
       hwtacacs-server authentication 10.7.35.63 vpn-instance MGT  //Set the IP address of the primary HWTACACS authentication server.
       hwtacacs-server authentication 10.7.35.64 vpn-instance MGT secondary  //Set the IP address of the secondary HWTACACS authentication server.
       hwtacacs-server authorization 10.7.35.63 vpn-instance MGT       //Set the IP address of the primary HWTACACS authorization server.
       hwtacacs-server authorization 10.7.35.64 vpn-instance MGT secondary //Set the IP address of the secondary HWTACACS authorization server.
       hwtacacs-server shared-key cipher %^%#BG%G;uUm2ns<(X5@mt^%#2eIf1^Jqz#%^:,;N>D)`y4(#b%#  //Specify a shared key displayed in ciphertext.
       hwtacacs-server user-name original  //Specify the user name format of the HWTACACS server to be the same as that entered by the user.
      #
      

    2. Configure AAA.

      #
      aaa
       local-user admin password irreversible-cipher %^%#8[*1[4M;$e{}F$iU6_f*MWX"I:7a)-e}F$i1[4M;$e{ M;$e{}F$"I:7a)$i    //Create a local user admin and set the login password of the user to an irreversible ciphertext key.
       local-user admin service-type ssh               //Configure the admin user to access only in SSH mode.
       local-user admin level 3                       //Set the level of admin to level 3 (management level).
       local-user admin state block fail-times 3 interval 5  //Set admin to be locked out for 5 minutes after three consecutive failed login attempts.
      …..//Add other users that are allowed to log in as required. For details, see the preceding configuration method of the admin user.
      #
       authentication-scheme default            //Configure an AAA authentication template.
        authentication-mode local hwtacacs      //Configure an authentication mode of local authentication first and then HWTACACS authentication.
       #
       authorization-scheme default            //Configure an AAA authorization template.
        authorization-mode local hwtacacs      //Configure an authorization mode of local authorization first and then HWTACACS authorization.
        authorization-cmd 0 hwtacacs local      //Set the level-0 CLI authorization mode to HWTACACS authorization first and then local authorization. That is, if the HWTACACS server does not respond, the CLI authorization is performed locally.
        authorization-cmd 1 hwtacacs local
        authorization-cmd 3 hwtacacs local
        authorization-cmd 15 hwtacacs local
      #
       domain default_admin
        authorization-scheme default           //Apply the configured AAA authorization template.
        accounting-scheme default              //Apply the AAA accounting template named default.
        hwtacacs-server for_aaa                //Apply the configured HWTACACS server template.
      #
      

  3. Configure SSH user management.

    #
    ssh authentication-type default password   //Configure password authentication as the default authentication mode for SSH users.
    ssh user admin     //Create an SSH user named admin.
    ssh user admin authentication-type password  //Configure password authentication for the admin user.
    ssh user admin service-type stelnet          //Configure the service type for the admin user.
    … …  //Add other SSH users as required. For details, see the preceding configuration method of the admin user.
    ssh authorization-type default aaa       //Set the authorization type of SSH connections to AAA.
    #
    ssh client first-time enable      //Enable first-time authentication on the SSH client, so that the validity of the SSH server's public key is not checked when a user logs in to the SSH server for the first time. After the login, the system automatically saves the server's public key and uses it for authentication at the next login.
    #
    

  4. Enable the STelnet server function.

    #
    stelnet server enable
    #
    

  5. Verify SSH-based remote login.

    Use an SSH client such as PuTTY to log in to the device.

    1. As shown in Figure 1-42, enter 192.168.0.1, the IP address of the device's management interface (GE0/0/0 or Ethernet0/0/0), and select SSH as the login mode. (The default IP address of the management interface is automatically changed after you log in to the device through a console port. This example uses the default IP address.)

      Figure 1-42  Logging in to the device using PuTTY (1)

      NOTE:

      After a device (such as the NE20E-S2 series) that supports Plug-and-Play (PnP) is powered on for the first time, STelnet login is supported by default. The default IP address of the management interface (GE0/0/0 or Ethernet0/0/0) is 192.168.0.1. If the device has network access when it is first powered on, this default address is automatically changed to a new address assigned by DHCP. By default, the user name is root, and the password is Changeme_123. After logging in to the device, change the password promptly.

    2. Enter the user name and password.

      Figure 1-43  Logging in to the device using PuTTY (2)
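
The settings configured in steps 1 to 4 can be checked automatically against a saved configuration file. The following Python script is an added example, not part of the Huawei document: the sample configuration is constructed in this page's format, `<ciphertext>` is a placeholder, and the function names and finding texts are assumptions.

```python
import re

# Constructed sample in this page's format; <ciphertext> is a placeholder.
SAMPLE = """\
user-interface vty 0 14
 acl ACL_VTY inbound          //annotations like this one are ignored
 authentication-mode aaa
 idle-timeout 5 0
 protocol inbound ssh
#
aaa
 local-user admin password irreversible-cipher <ciphertext>
 local-user admin state block fail-times 3 interval 5
stelnet server enable
"""
VTY_CHECKS = [  # (pattern some line of each VTY view must match, finding if none does)
    (r"authentication-mode aaa", "authentication-mode is not aaa"),
    (r"protocol inbound ssh", "not restricted to SSH"),
    (r"acl \S+ inbound", "no inbound ACL"),
    (r"idle-timeout (?!0( 0)?$).+", "idle-timeout missing or disabled"),
]
USER_CHECKS = [  # {u} is replaced by each local user name found under aaa
    (r"local-user {u} password irreversible-cipher .+", "password not irreversible-cipher"),
    (r"local-user {u} state block fail-times .+", "no failed-login lockout"),
]

def sections(text):
    """Map each column-0 line (a view) to its indented child lines."""
    out, cur = {}, []
    for raw in text.splitlines():
        line = re.split(r"\s+//", raw)[0].rstrip()   # strip trailing // annotation
        if line[:1] not in ("", " ", "#"):
            cur = out.setdefault(line, [])
        elif line.strip() not in ("", "#"):
            cur.append(line.strip())
    return out

def audit(text):
    """Return findings where a config departs from the hardening shown above."""
    def missing(pattern, lines):
        return not any(re.fullmatch(pattern, l) for l in lines)
    sec, bad = sections(text), []
    for head in (h for h in sec if h.startswith("user-interface vty")):
        bad += [f"{head}: {m}" for p, m in VTY_CHECKS if missing(p, sec[head])]
    aaa = sec.get("aaa", [])
    for u in sorted({l.split()[1] for l in aaa if l.startswith("local-user ")}):
        bad += [f"local-user {u}: {m}" for p, m in USER_CHECKS
                if missing(p.format(u=re.escape(u)), aaa)]
    return bad + ([] if "stelnet server enable" in sec else ["stelnet server is not enabled"])
```

`audit(SAMPLE)` returns an empty list; a VTY view that allows protocols other than SSH, has no inbound ACL, or sets `idle-timeout 0 0` is reported, as is a local user without an irreversible-cipher password or lockout rule.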

Updated: 2019-05-16

Document ID: EDOC1000120969
