eSight V300R009C00 Operation Guide 10

Typical Configuration Examples

This section provides configuration examples for typical application scenarios to help users complete operations in their own environments.

Example for Configuring Automatic Device Discovery Using SNMPv2c

This example illustrates how to configure SNMPv2c to enable eSight to automatically discover devices on a network. S9700 V200R003C00 is used as an example to describe the configuration on a device managed by eSight.

Applicable Products and Versions

eSight V200R005C00 or later versions

NOTE:

For configurations on other devices, see the configuration manuals of the devices.

Networking Requirements

An enterprise administrator wants to use eSight to manage devices of the enterprise.

  • The enterprise recently replanned its network, and the number of devices on the entire network has increased to about 1000. Logging in to each device to configure and manage it is labor-intensive. The administrator needs a network management system (NMS) to uniformly manage all the devices on the network.
  • Devices on the enterprise network belong to the R&D Dept and the Finance Dept, and devices in the R&D Dept are divided into two service groups. The R&D Dept has 800 devices and the Finance Dept has 200 devices. The administrator wants to manage the devices by group, view the device status in different departments, and batch configure services for devices in the same service group during maintenance.
Figure 12-5 Networking of automatic device discovery
Requirement Analysis
  • Enabling automatic device discovery: A large number of security devices and network devices need to be deployed on the network. The automatic device discovery function provided by eSight reduces the administrator's workload, improves operation efficiency, and reduces misoperations.
  • Selecting the SNMPv2c protocol: A majority of the security devices and network devices use SNMPv2c. SNMPv2c has higher security than SNMPv1, and is simpler and easier to configure than SNMPv3. SNMPv2c still sends community names in cleartext and provides no authentication or encryption; SNMPv3 provides both.
  • Enabling the subnet function in topology monitoring: The subnet function in topology monitoring enables eSight to monitor devices by area according to the subnet on which the devices are located. The administrator can divide the enterprise network into multiple subnets by department to implement differentiated management.
  • Enabling the grouping function: During routine maintenance, the administrator needs to batch configure devices that provide similar services. The grouping function enables eSight to automatically add devices to different groups after grouping rules are set. The administrator can batch perform authentication and alarm filtering operations for devices in the same group.
Data Plan

Item: SNMP parameters

Data:

  • Template name: SNMP_v2c
  • Version: SNMPv2c
  • Read community: Public123
  • Write community: Private123
  • NE port: 161
  • Timeout interval(s): 3
  • Resending times: 3

Description: Use read and write community names with high complexity that meet the complexity requirements of the devices to ensure security. Because complexity requirements differ between devices, the highest complexity is recommended, for example, a combination of upper-case letters, lower-case letters, and digits.

Item: IP address

Data: Different network segment IP addresses are allocated based on the service group.

  • R&D Dept A
    • Service group 1: 192.168.11.0-192.168.11.255
    • Service group 2: 192.168.12.0-192.168.12.255
  • R&D Dept B
    • Service group 3: 192.168.31.0-192.168.31.255
    • Service group 4: 192.168.32.0-192.168.32.255
  • Finance Dept: 192.168.51.0-192.168.51.255

Description: IP addresses are allocated based on the service group and department. Devices in a service group can only use IP addresses in a specified network segment, so that subnets can be divided and devices can be grouped based on IP addresses.

Item: Subnet

Data: The network is divided into three subnets, each with an assigned IP address range.

  • subnet_rda (R&D Dept A): 192.168.11.0-192.168.12.255
  • subnet_rdb (R&D Dept B): 192.168.31.0-192.168.32.255
  • subnet_finance (Finance Dept): 192.168.51.0-192.168.51.255

Description: One subnet on eSight can contain up to 500 devices. It is recommended that the R&D Dept with 800 devices be divided into two subnets, and the Finance Dept into one subnet.

Item: Grouping rule

Data: Devices are divided into five groups based on the service type and department.

  • group_rda1 (R&D Dept A, service group 1): 192.168.11.0-192.168.11.255
  • group_rda2 (R&D Dept A, service group 2): 192.168.12.0-192.168.12.255
  • group_rdb3 (R&D Dept B, service group 1): 192.168.31.0-192.168.31.255
  • group_rdb4 (R&D Dept B, service group 2): 192.168.32.0-192.168.32.255
  • group_finance (Finance Dept): 192.168.51.0-192.168.51.255

Description: The start and end IP addresses are specified in grouping rules. After eSight discovers the devices, they are automatically added to different groups.

Configuration Roadmap
  1. Configure SNMP parameters on the devices.
  2. Create subnets on eSight.
  3. Set grouping rules on eSight.
  4. Create an SNMP template on eSight.
  5. Enable eSight to discover devices using SNMP.
Prerequisites

IP addresses have been configured for devices on the network according to Data Plan, and the devices can successfully communicate with eSight.

NOTE:

This example provides the configurations on Huawei S9700 V200R003C00. For configurations on other devices, see the related product manual.

Procedure
  1. Configure SNMP parameters on the devices.

    <SwitchA> system-view
    [SwitchA] snmp-agent   //Start the SNMP Agent service.
    [SwitchA] snmp-agent sys-info version v2c   //Set the SNMP protocol version to v2c.
    [SwitchA] snmp-agent mib-view included View_ALL iso   //Create the MIB view parameter View_ALL.
    [SwitchA] snmp-agent community read cipher Public123 mib-view View_ALL   //Set the read community name and MIB view permission.
    [SwitchA] snmp-agent community write cipher Private123 mib-view View_ALL   //Set the write community name and MIB view permission.
    [SwitchA] snmp-agent trap source MEth0/0/1   //Set the trap source interface to the interface used for adding the device on eSight.
    [SwitchA] snmp-agent trap enable   //Enable the trap upload alarm function.
    [SwitchA] snmp-agent target-host trap address udp-domain 192.168.10.10 params securityname Public123 v2c private-netmanager ext-vb
    //192.168.10.10 is the IP address of eSight. securityname is the same as the read community.
    //private-netmanager specifies Huawei NMS as the destination host for receiving trap messages. This parameter needs to be configured when Huawei NMS is used. Alarms sent to the NMS can carry more information, including the alarm type, alarm sending sequence, and alarm sending time.
    //ext-vb specifies that alarms sent to the destination host carry extended binding variables. If alarm nodes defined by the public MIB are extended for Huawei data communication devices, the ext-vb parameter specifies whether the alarm sent to the NMS carries the extended binding variables. If the Huawei NMS tool is used, it is recommended that the ext-vb parameter be used so that the alarm can carry more information. If a third-party NMS tool is used, it is recommended that ext-vb not be used to ensure that the third-party NMS tool can normally receive alarms sent by Huawei data communication devices.

  2. Create subnets.

    1. Choose Resource > Common > Resources Group > Subnet from the main menu.

    2. Click Create.

    3. In the dialog box that is displayed, enter the subnet name and description, and click OK.

      Repeat the steps to create the other two subnets.

  3. Set grouping rules.

    1. Choose Resource > Common > Resources Group > Group Management from the main menu.

    2. In the navigation tree, choose Device Group and click next to User Defined Groups.
    3. In the Information dialog box, set the group name and description.
    4. Expand Add Members by Condition to set grouping rules.
      1. Select satisfy all conditions.
      2. Set the rule to IP Address start with "192.168.11.0".
      3. Click next to the rule. A line is displayed under the rule. Set the other rule to IP Address end with "192.168.11.255".
    5. Click Confirm. The first grouping rule is set. Repeat the steps to set other grouping rules according to Data Plan.

  4. Create an SNMP template on eSight.

    1. Choose Resource > Common > Add Resource > Protocol Template > SNMP Template from the main menu.

    2. Click Create, set parameters in the SNMP template according to Data Plan and click OK.

  5. Use the automatic device discovery function to add devices to eSight.

    1. Choose Resource > Common > Add Resource > Automatic Discovery from the main menu.

    2. Specify start and end IP addresses of network segments and add them to subnets.

      Click Add, specify start and end IP addresses of the network segment and add it to the corresponding subnet.

    3. Select Select template and select the template SNMP_v2c created in the preceding step from the template list.
    4. Select Auto add to NMS and click Start Discovery.
    5. After automatic device discovery is complete, check whether all the devices matching parameters in the template are added to eSight. Click Complete.

  6. Adjust the topology layout.

    1. Choose Topology > Topology Management from the main menu.
    2. On the Physical topology page, adjust the device locations.
    3. Click to save the new locations of the devices in the topology.

Verification
  1. Check devices on subnets.
    1. Choose Topology > Topology Management from the main menu.

    2. Double-click the icon of subnet_finance in the topology to display the subnet topology. Check whether all the devices in the finance Dept are added to the subnet. If so, the operations are correct. Perform similar steps to check the other two subnets. If devices are not added to the corresponding subnet, check the IP address segments of the subnets.
  2. Check grouping of devices.
    1. Choose Resource > Common > Resources Group > Group Management from the main menu.

    2. Choose Device Group > User Defined Groups > group_rda1. Check whether all the devices in the service group 1 of R&D Dept A are added to the group. If so, the operations are correct. Perform similar steps to check the other four groups. If devices are not added to the corresponding group, check whether the devices are added to eSight and whether grouping rules are correctly set.
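
The Data Plan's complexity rule for community names can be checked against the step 1 commands before they are pushed to about 1000 devices. The following is an added example, not Huawei's code: the function names and finding codes are hypothetical, and the input is the page's own commands treated as a planned change script.

```python
import re

# Constructed input: the S9700 community commands from step 1 as they would sit
# in a change script, before the device stores the names in cipher form.
PLANNED_COMMANDS = """\
[SwitchA] snmp-agent sys-info version v2c
[SwitchA] snmp-agent mib-view included View_ALL iso
[SwitchA] snmp-agent community read cipher Public123 mib-view View_ALL
[SwitchA] snmp-agent community write cipher Private123 mib-view View_ALL
"""

DEFAULT_WORDS = ("public", "private")  # conventional default community names


def clean(line):
    """Strip a leading device prompt and any trailing // comment."""
    line = line.split("//")[0].strip()
    return re.sub(r"^[\[<][^\]>]*[\]>]\s*", "", line)


def meets_complexity(name):
    """Data Plan rule: upper-case letters, lower-case letters, and digits."""
    return all(re.search(p, name) for p in (r"[A-Z]", r"[a-z]", r"[0-9]"))


def audit_community_commands(text):
    """Return (code, detail) findings for the SNMPv1/v2c community commands."""
    findings, communities = [], {}
    for raw in text.splitlines():
        tok = clean(raw).split()
        if tok[:3] == ["snmp-agent", "sys-info", "version"]:
            clear = [v for v in tok[3:] if v in ("v1", "v2c")]
            if clear:
                findings.append(("CLEARTEXT_VERSION",
                                 f"{'/'.join(clear)} sends community names unencrypted"))
        elif (tok[:2] == ["snmp-agent", "community"] and len(tok) > 4
              and tok[2] in ("read", "write") and tok[3] == "cipher"):
            communities[tok[2]] = tok[4]
    # Findings name the access type only, so the community itself is never logged.
    for access, name in communities.items():
        if not meets_complexity(name):
            findings.append(("WEAK_COMPLEXITY", f"{access} community lacks upper/lower/digit mix"))
        if any(word in name.lower() for word in DEFAULT_WORDS):
            findings.append(("DEFAULT_DERIVED", f"{access} community is built on a default name"))
    if len(communities) == 2 and communities["read"] == communities["write"]:
        findings.append(("SAME_READ_WRITE", "read and write communities are identical"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_community_commands(PLANNED_COMMANDS):
        print(f"{code}: {detail}")
```

The example values pass the upper/lower/digit rule yet are still reported as built on the default names, which is why the Data Plan asks for the highest complexity the devices accept.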

Example for Using SNMPv3 to Import Network Devices in a Batch

This example illustrates how to use SNMPv3 to import various types of network devices to eSight.

Applicable Products and Versions

eSight V200R005C00 or later versions

Networking Requirements

An enterprise has constructed a campus network and wants to use eSight to manage all network devices on the campus network.

The enterprise has the following requirements:

  • The enterprise administrator uses the SNMPv3 protocol with high security to manage network devices.
  • Because the device types on the campus network are diversified and their authentication protocols and passwords are different, automatic discovery would require the enterprise administrator to perform discovery tasks multiple times. The enterprise administrator therefore wants to use the batch import function to add various network devices to eSight in a batch.
Figure 12-6 Enterprise campus network
Data Plan

| Layer 1 Subnet | IP Address | Name | Protocol Type | Protocol Version | Port | Security Name | Authentication Protocol | Authentication Password | Privacy Protocol | Privacy Password |
|---|---|---|---|---|---|---|---|---|---|---|
| Subnet_A | 192.168.3.105 | AR1 | SNMP | V3 | 161 | SNMPv3user | HMAC_SHA | Changeme_123 | AES_128 | Changeme@123 |
| Subnet_A | 192.168.3.101 | S1 | SNMP | V3 | 161 | SNMPv3user | HMAC_SHA | Changeme_234 | AES_128 | Changeme@234 |
| Subnet_A | 192.168.3.102 | S2 | SNMP | V3 | 161 | SNMPv3user | HMAC_SHA | Changeme_235 | AES_128 | Changeme@235 |
| Subnet_A | 192.168.3.103 | S3 | SNMP | V3 | 161 | SNMPv3user | HMAC_SHA | Changeme_236 | AES_128 | Changeme@236 |
| Subnet_A | 192.168.3.104 | S4 | SNMP | V3 | 161 | SNMPv3user | HMAC_SHA | Changeme_237 | AES_128 | Changeme@237 |

Prerequisites

You have obtained the operation rights for Access Resource and Modify Topology.

Procedure
  1. Set SNMP parameters on the network devices.

    The following uses Huawei AR2200 V200R007C00SPC900 as an example to describe the configuration. For other device models, see the configuration manual. The configuration commands vary depending on the model and version of network devices.

    <AR1> system-view
    [AR1] snmp-agent 
    [AR1] snmp-agent sys-info version v3
    [AR1] snmp-agent mib-view View_ALL include iso   
    //Set View_ALL to specify the MIB view. To ensure that eSight can manage devices normally (for example, finding device links through the LLDP protocol), the MIB view must contain the iso node.
    [AR1] snmp-agent group v3 snmpv3group privacy  write-view View_ALL notify-view View_ALL  
    //snmpv3group is the set user group. The write view name and notification view name are specified as View_ALL. By default, the write view has the read permission. Therefore, you do not need to set the read-view. The notification view is used to limit the MIB node of the device for sending alarms to eSight. 
    [AR1] snmp-agent usm-user v3 snmpv3user group snmpv3group   
    //snmpv3user is the configured user name, which is consistent with the security name of eSight. The security level of a user cannot be lower than the security level of the user group to which the user belongs. Otherwise, the user cannot perform communication normally. For example, if the security level of the user group snmpv3group is privacy, the security level of the user snmpv3user must be authentication and encryption. 
    [AR1] snmp-agent usm-user v3 snmpv3user authentication-mode sha  
    Please configure the authentication password (8-255)
    Enter Password:
    Confirm Password:
    //Set the user authentication protocol and password, which must be consistent with the authentication protocol and password configured on eSight. You need to enter the password twice.
    [AR1] snmp-agent usm-user v3 snmpv3user privacy-mode aes128   
    Please configure the privacy password (8-255)
    Enter Password:
    Confirm Password:
    //Set the user encryption protocol and password, which must be consistent with the privacy protocol and password configured on eSight. You need to enter the password twice.
    [AR1] snmp-agent target-host trap-paramsname snmpv3user v3 securityname snmpv3user privacy private-netmanager binding-private-value
    //Configure parameters for devices to send trap messages. Both trap-paramsname and securityname are set to snmpv3user. You can modify them based on the site requirements. private-netmanager specifies Huawei NMS as the destination host for receiving trap messages. This parameter needs to be configured when Huawei NMS is used. Alarms sent to the NMS can carry more information, including the alarm type, alarm sending sequence, and alarm sending time. binding-private-value specifies the alarm sent to the destination host to carry extended binding variables. If alarm nodes defined by the public MIB are extended for Huawei data communication devices, the binding-private-value parameter can specify whether the alarm sent to the NMS carries the extended binding variables. If the Huawei NMS tool is used, it is recommended that the binding-private-value parameter be used so that the alarm can carry more information. If a third-party NMS tool is used, it is recommended that binding-private-value not be used to ensure that the third-party NMS tool can normally receive alarms sent by Huawei data communication devices.
    [AR1] snmp-agent target-host trap-hostname eSightServer address 192.168.3.100 trap-paramsname snmpv3user
    //Set the alarm reporting host. In the information, eSightServer is the name of the eSight server and 192.168.3.100 is the IP address of the eSight server. The eSight server name is used to identify the eSight server and can be customized based on the site requirements. 
    [AR1] snmp-agent trap enable  //Enable the trap alarm function.

  2. Choose Resource > Common > Add Resource > Import Resource from the main menu.

  3. Click next to Download Template to download the Excel file to a local device.
  4. Open the template, fill in device information, and save the template.
  5. On the Import Device page, click next to Upload Resource File and select the saved Excel file.
  6. Click to upload a file.

    Device information and device check results are displayed on the right of the page. If Result is empty, device check succeeds.

  7. Select a device and click Create.

    eSight starts to import the devices.

    • If the device is created successfully, the Result column is The resource is created successfully.
    • If the device cannot be created, the reason for the failure is displayed in the Result column. You can attempt to solve the problem and import devices again based on the failure reason. If the fault persists, contact the technical support personnel.

  8. Import network devices in a batch and adjust their locations in the topology.

    1. Choose Topology > Topology Management from the main menu.
    2. Adjust locations of the network devices in the topology based on the campus networking.
      • Adjust locations of subnets or devices in the physical view: In the physical view, click a subnet or device to be adjusted and drag the subnet or device to the specified location.
      • Perform the following operations to change the subnet to which a device belongs:
    3. Select the device in the topology tree or the physical view.
    4. Click on the toolbar in the topology.
    5. In the topology navigation tree or physical view, select the target subnet. In the physical view, double-click the target subnet to open it, and click . In the topology tree or the physical view, you can find that the device has been moved to the target subnet.

Verification

After devices are successfully added to eSight, you can view network devices that are imported in a batch on the Equipment Resources page and view subnet and location information of the devices on the Topology Management page.
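
The SNMPv3 commands in step 1 refer to each other by name (user to group, trap parameters to user, trap host to trap parameters), and a user's security level must not be lower than its group's. The following added example, which is not Huawei's code, cross-checks those references in a command list before it is applied; the function names, finding codes, the user "auditor" and the sample itself are hypothetical and constructed for illustration.

```python
import re

# Constructed sample built from the AR commands in step 1: one trap-paramsname
# reference is mistyped, and a hypothetical second user "auditor" has no
# privacy-mode line.
SAMPLE_CONFIG = """\
snmp-agent sys-info version v3
snmp-agent group v3 snmpv3group privacy write-view View_ALL notify-view View_ALL
snmp-agent usm-user v3 snmpv3user group snmpv3group
snmp-agent usm-user v3 snmpv3user authentication-mode sha
snmp-agent usm-user v3 snmpv3user privacy-mode aes128
snmp-agent usm-user v3 auditor group snmpv3group
snmp-agent usm-user v3 auditor authentication-mode sha
snmp-agent target-host trap-paramsname snmpv3user v3 securityname snmpv3user privacy
snmp-agent target-host trap-hostname eSightServer address 192.168.3.100 trap-paramsname smnpv3user
"""


def tokens(line):
    """Drop a leading device prompt and trailing // comment, then split."""
    line = re.sub(r"^[\[<][^\]>]*[\]>]\s*", "", line.split("//")[0].strip())
    return line.split()


def after(tok, keyword):
    """Return the token that follows keyword, or None if it is missing."""
    i = tok.index(keyword) if keyword in tok else -1
    return tok[i + 1] if 0 <= i < len(tok) - 1 else None


def check_snmpv3_consistency(config_text):
    """Cross-check group, user and trap target references; return findings."""
    groups, users, params, hosts = {}, {}, {}, []
    for raw in config_text.splitlines():
        tok = tokens(raw)
        if tok[:3] == ["snmp-agent", "group", "v3"] and len(tok) > 3:
            known = len(tok) > 4 and tok[4] in ("privacy", "authentication")
            groups[tok[3]] = tok[4] if known else "none"
        elif tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) > 5:
            user = users.setdefault(tok[3], {"group": None, "auth": False, "priv": False})
            if tok[4] == "group":
                user["group"] = tok[5]
            elif tok[4] == "authentication-mode":
                user["auth"] = True
            elif tok[4] == "privacy-mode":
                user["priv"] = True
        elif tok[:3] == ["snmp-agent", "target-host", "trap-paramsname"] and len(tok) > 3:
            params[tok[3]] = after(tok[4:], "securityname")
        elif tok[:3] == ["snmp-agent", "target-host", "trap-hostname"] and len(tok) > 3:
            hosts.append((tok[3], after(tok[4:], "trap-paramsname")))
    findings = []
    for name, u in users.items():
        level = groups.get(u["group"])
        if level is None:
            findings.append(("UNDEFINED_GROUP", name))
        elif (level == "privacy" and not (u["auth"] and u["priv"])) or \
             (level == "authentication" and not u["auth"]):
            findings.append(("LEVEL_MISMATCH", name))   # user level below group level
    findings += [("UNDEFINED_USER", p) for p, sec in params.items() if sec not in users]
    findings += [("UNDEFINED_PARAMS", h) for h, p in hosts if p not in params]
    return findings


if __name__ == "__main__":
    for code, subject in check_snmpv3_consistency(SAMPLE_CONFIG):
        print(code, subject)
```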

Example for Using eSight to Discover Links Between Devices from Different Vendors

This example illustrates how to use eSight to discover links between devices from different vendors, such as Huawei, Cisco, and H3C, after they are added to eSight.

Prerequisites

Devices from multiple vendors, such as Huawei, Cisco, and H3C, have been added to eSight, and Telnet parameters on eSight are the same as those on the devices.

Applicable Products and Versions

eSight V200R005C00 or later versions

Networking Requirements

Network devices on a company's network are from Huawei, Cisco, and H3C. The company wants to monitor the devices and the status of links among the devices in the topology view.

Figure 12-7 Networking on the user side

Configuration Roadmap
  1. Log in to Cisco devices and enable CDP to discover links between them.
  2. Deliver the LLDP configuration from eSight to Huawei devices to discover links between them.
  3. Manually create links for devices from different vendors.
Procedure
  1. Enable CDP on Cisco devices to discover links between them.

    1. Run the cdp run command to enable CDP globally.
    2. Run the cdp enable command to enable CDP on an interface.

  2. Discover links between Huawei devices on eSight.

    1. Choose Resource > Network > Equipment > Link Management from the main menu.

    2. Click Discover Link.

    3. In the search area in the left pane, select devices in Root, select Deliver commands, and click Discover.

    4. After the link discovery operation is complete, click Delivery result to view the link discovery result.

  3. Create links between devices from two vendors.

    1. Choose Topology > Topology Management from the main menu.

    2. Right-click the blank area in the topology and choose Add > Create Link.
      NOTE:

      You can also choose Resource > Network > Equipment > Link Management from the main menu and click Creating Link to create the specified link.

    3. Click HUAWEI Device1 and Cisco Device4. The Creating Link page is displayed.
    4. On the Creating Link page, set Linkname and Category to *** and Layer 2 Link, and set Source Port Name and Destination Port Name to the ports on the two ends of the link.

    5. Click OK. A link is created. Right-click in the blank area in the topology view and choose Refresh. The direct link between the two devices is displayed in the topology view.
    6. Repeat steps 2 to 5 to create the other three links.

Verification

After link discovery operations are complete, the links displayed in the topology view are the same as those on the actual network.

Updated: 2019-08-10

Document ID: EDOC1100011877
