Configuring Interoperation Between CE Series Switches and eSight

Procedure

1. Configure SNMPv3 on SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not provided here.
   1. Configure the SNMP version.

      <HUAWEI> system-view 
      [~HUAWEI] sysname SwitchA 
      [*HUAWEI] commit 
      [~SwitchA] snmp-agent sys-info version v3  //Set the SNMP version to SNMPv3, which must be the same as the SNMP version on eSight.
      [*SwitchA] commit 

   2. Configure the access rights.

      [~SwitchA] snmp-agent mib-view included myview iso  //Configure the MIB view accessible to eSight. The MIB view must contain the iso object to ensure that eSight can properly manage the switch, for example, eSight can discover the link to the switch using LLDP.
      [*SwitchA] commit

   3. Configure an SNMPv3 user group and an SNMPv3 user, and set the authentication and encryption modes.

      SNMPv3 authentication modes are MD5 and SHA, and SNMPv3 encryption modes are 3DES168, AES128, AES192, AES256, and DES56. For security purposes, you are advised to set the SNMPv3 authentication mode to SHA and the SNMPv3 encryption mode to AES128, AES192, or AES256.

      [~SwitchA] snmp-agent group v3 admin privacy write-view myview notify-view myview
      [*SwitchA] snmp-agent usm-user v3 eSight-admin group admin  //Set the SNMPv3 user name to eSight-admin, which must be the same as the security name on eSight.
      [*SwitchA] snmp-agent usm-user v3 eSight-admin authentication-mode sha  //Configure the authentication mode and authentication password of the user eSight-admin, which must be the same as the authentication protocol and authentication password on eSight. 
      Please configure the authentication password (8-255)
      Enter Password:               //Enter the authentication password, which is Authe@1234 in this example.
      Confirm Password:             //Confirm the authentication password, which is Authe@1234 in this example.
      [*SwitchA] snmp-agent usm-user v3 eSight-admin privacy-mode aes128  //Configure the encryption mode and encryption password of the user eSight-admin, which must be the same as the proprietary protocol and encryption password on eSight.
      Please configure the privacy password (8-255)
      Enter Password:              //Enter the encryption password, which is Priva@1234 in this example.
      Confirm Password:            //Confirm the encryption password, which is Priva@1234 in this example.
      [*SwitchA] commit

   4. Configure a trap host.

      Before configuring the switch to send traps, ensure that the information center has been enabled. If the information center is not enabled, run the info-center enable command in the system view to enable it.

      [~SwitchA] snmp-agent trap enable  //Enable the trap function for all modules. By default, the trap function is disabled for some modules.
      [*SwitchA] snmp-agent target-host trap address udp-domain 10.7.60.66 params securityname eSight-admin v3 privacy  //Set the IP address of the trap host to the IP address of eSight, the security name to the SNMPv3 user name, and the SNMP version to SNMPv3.
      [*SwitchA] commit

2. Configure STelnet (SSH) on SwitchA. SwitchA functions as the SSH server. The configuration of SwitchB is similar to that of SwitchA and is not provided here.
   1. Generate a local key pair on SwitchA.

      [~SwitchA] rsa local-key-pair create
      The key name will be:SwitchA_Host
      The range of public key size is (2048 ~ 2048).   //In V200R019C10 and later versions, the key pair length can be 2048 or 3072 bits. For device security purposes, you are advised to set the key pair length to 3072 bits.
      NOTE: Key pair generation will take a short while.
      [*SwitchA] commit

   2. Create an SSH user on SwitchA.

      There are eight authentication modes for SSH users: password, RSA, password-rsa, DSA, password-dsa, ECC, password-ecc, and all. The password authentication mode is used in this example.

      # Configure the VTY user interface.

      [~SwitchA] user-interface vty 0 4
      [~SwitchA-ui-vty0-4] authentication-mode aaa
      [*SwitchA-ui-vty0-4] protocol inbound ssh   //Set the protocol type supported by the VTY user interface to SSH.
      [*SwitchA-ui-vty0-4] quit

      # Create the SSH user named esight-ssh and configure the password authentication mode for the user.

      [*SwitchA] aaa
      [*SwitchA-aaa] local-user esight-ssh password irreversible-cipher Huawei@123  //Create the user named esight-ssh and configure a password for the user. The user name and password must be the same as those of the STelnet login user on eSight.
      [*SwitchA-aaa] local-user esight-ssh level 3
      [*SwitchA-aaa] local-user esight-ssh service-type ssh  //Set the access type of the user esight-ssh to SSH, which must be the same as the login protocol on eSight.
      [*SwitchA-aaa] quit
      [*SwitchA] ssh user esight-ssh authentication-type password  //Set the authentication mode of the user esight-ssh to password authentication, which must be the same as the authentication mode on eSight.
      [*SwitchA] commit

   3. Enable the STelnet service on SwitchA.

      [~SwitchA] stelnet server enable
      [*SwitchA] commit

   4. Set the service type of the SSH user esight-ssh to STelnet on SwitchA.

      [~SwitchA] ssh user esight-ssh service-type stelnet
      [*SwitchA] commit

3. Configure LLDP on SwitchA. The configuration of SwitchB is similar to that of SwitchA and is not provided here.

   [~SwitchA] lldp enable  //By default, LLDP is disabled on CE series switches.
   [*SwitchA] commit

4. Add the switches to eSight.
   eSight provides three methods of adding devices:

   • Discovering devices automatically: eSight discovers devices by IP address segment.
   • Adding a single device: You can manually add a small number of devices to eSight.
   • Importing devices in a batch: You can import devices to eSight using a file.

   The following uses eSight V300R007C00 as an example and eSight automatically discovers devices. For details about other methods of adding devices, see the appropriate eSight product documentation.
   # Create an SNMP template on eSight.

   1. Log in to eSight and choose Resource > Resource Management > Protocol Template.

   2. Choose SNMP Template > Create to access the Add Template page.

   3. Set parameters in the SNMP template, confirm the information, and click OK.

      Table 2-18 Parameters in the SNMP template

      Parameter	Value	Remarks
      Template name	SNMPv3	-
      Parameter type	V3: indicates that the SNMP version on eSight is SNMPv3.	The SNMP versions configured on the CE series switches must include SNMPv3.
      Authentication protocol	HMAC_SHA	The authentication protocol must be the same as the authentication mode of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the authentication mode of the SNMPv3 user eSight-admin is SHA.
      Authentication password	Authe@1234	The authentication password must be the same as that of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the authentication password of the SNMPv3 user eSight-admin is Authe@1234.
      Proprietary protocol	AES_128	The proprietary protocol must be the same as the encryption mode of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the encryption mode of the SNMPv3 user eSight-admin is AES128.
      Encryption password	Priva@1234	The encryption password must be the same as that of the SNMPv3 user eSight-admin configured on the CE series switches. In this example, the encryption password of the SNMPv3 user eSight-admin is Priva@1234.
      User name	eSight-admin	The user name must be the same as that of the SNMPv3 user configured on the CE series switches.
      Context	-	-
      Engine ID	-	-
      Port number	161	The port number must be the same as the SNMP port number configured on the CE series switches. By default, the SNMP port number on a CE series switch is 161. To change the SNMP port number, run the snmp-agent udp-port port-num command in the system view.
      Timeout period	4	If the network quality is not high, set a longer timeout period.
      Retries	3	-

   # Add the switches to eSight.

   1. Choose Resource > Add Resource > Automatic Discovery.

   2. Enter required information and click Discover.

      Basic Settings: Set Start IP address, End IP address, and Add to subnet.

      Task Settings: Retain the default settings.

      SNMP Settings: Click Select SNMP Protocol Template and select the created SNMP template SNMPv3.

   3. If is displayed on the page, the switches are added successfully. Click Finish.

5. Configure STelnet on eSight.

   # Create an STelnet template on eSight.

   1. Choose Resource > Resource Management > Protocol Template.

   2. Choose Telnet Template > Create to access the Create page.

   3. Set parameters in the Telnet template, confirm the information, and click OK.

      Table 2-19 Parameters in the Telnet template

      Parameter	Value	Remarks
      Template name	SSH	-
      Protocol	STelnet: indicates that eSight remotely logs in to the switches and delivers configurations to the switches using STelnet.	The STelnet login mode must be configured on the CE series switches.
      Port number	22	The port number must be the same as the STelnet port number configured on the CE series switches. By default, the STelnet port number on a CE series switch is 22. To change the STelnet port number, run the ssh [ ipv4 | ipv6 ] server port port-number command in the system view. NOTE: The switch supports the ipv4 and ipv6 parameters in V200R005C00 and later versions.
      Timeout period	20	-
      Authentication	Password	The authentication mode must be the same as that of the SSH user configured on the CE series switches. In this example, the authentication mode of the SSH user configured on the CE series switches is password authentication.
      User name	esight-ssh	The user name must be the same as that of the SSH user configured on the CE series switches.
      Password	Huawei@123	The password must be the same as that of the SSH user esight-ssh configured on the CE series switches. In this example, the password of the SSH user esight-ssh configured on the CE series switches is Huawei@123.

   # Configure eSight to remotely log in to the switches using STelnet.

   1. Choose Resource > Resource Management > Network Device.

   2. Select the switches, and choose Set Protocol > Set Telnet Parameters to access the Set telnet parameters page.

   3. You can set Telnet parameters using either of the following methods:

      • Manually editing Telnet parameters: You can directly configure Telnet parameters. For detailed Telnet parameters, see Table 2-19.

      • Selecting Telnet parameters from an existing Telnet template: You need to configure the Telnet template in advance.

      In this example, use the second method, select the configured Telnet template SSH, and click OK.