
CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the basic configuration supported by the device.
Example for Configuring an NMS to Communicate with a Device by SSH over a VPN

This section provides an example for configuring an NMS to communicate with a device by SSH over a VPN.

Networking Requirements

On the network shown in Figure 9-27, an NMS, Router A, and an AAA server are connected over a VPN. The NMS integrates the SSH client and SFTP server functions. The SSH client uses SSH to log in to and communicate with Router A. The SFTP server exchanges files over SFTP with Router A, which functions as an SFTP client.

Figure 9-27  Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN

NOTE:

The interfaces are bound to the same VPN instance.

Precautions

Ensure that the route between the device and NMS is reachable.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VPN instance.
  2. Bind the interfaces connecting the device to the NMS and HWTACACS server to the VPN instance.
  3. Configure a default VPN instance used by the NMS to manage the device.
  4. Configure an HWTACACS server.
  5. Configure a local AAA user and set its access mode to SSH and authentication mode to HWTACACS.
  6. Configure an SSH user and set its authentication and service modes.
  7. Configure an SNMPv3 USM user to allow the NMS to access the device.
  8. Configure an SFTP client to use SFTP for file transfer.

Procedure

  1. Configure a VPN instance.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] ip vpn-instance vrf1
    [RouterA-vpn-instance-vrf1] ipv4-family
    [RouterA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
    [RouterA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
    [RouterA-vpn-instance-vrf1-af-ipv4] quit
    [RouterA-vpn-instance-vrf1] quit

  2. Bind interfaces to the VPN instance.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet2/0/0] ip address 10.2.1.2 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
    [RouterA-GigabitEthernet3/0/0] quit

  3. Configure a default VPN instance used by the NMS to manage the device.

    [RouterA] set net-manager vpn-instance vrf1
    NOTE:

    The VPN configured using this command affects the following service modules on the device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and TACACS. To access the public network, you must set the public-net parameter.

  4. Configure an HWTACACS server.

    # Enable the HWTACACS function and configure an HWTACACS server template named ht.

    [RouterA] hwtacacs enable
    [RouterA] hwtacacs-server template ht

    # Configure an IP address and port number for the primary HWTACACS authentication and authorization server.

    [RouterA-hwtacacs-ht] hwtacacs-server authentication 10.2.1.1 49
    [RouterA-hwtacacs-ht] hwtacacs-server authorization 10.2.1.1 49

    # Configure a key for the server.

    [RouterA-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
    [RouterA-hwtacacs-ht] quit

    # Enter the AAA view.

    [RouterA] aaa

    # Configure an authentication scheme named scheme1 and set the authentication mode to HWTACACS authentication.

    [RouterA-aaa] authentication-scheme scheme1
    [RouterA-aaa-authen-scheme1] authentication-mode hwtacacs
    [RouterA-aaa-authen-scheme1] quit

    # Configure an authorization scheme named scheme2 and set the authorization mode to HWTACACS authorization.

    [RouterA-aaa] authorization-scheme scheme2
    [RouterA-aaa-author-scheme2] authorization-mode hwtacacs
    [RouterA-aaa-author-scheme2] quit

    # Configure the huawei domain. Use the scheme1 authentication scheme, scheme2 authorization scheme, and ht template in the domain.

    [RouterA-aaa] domain huawei
    [RouterA-aaa-domain-huawei] authentication-scheme scheme1
    [RouterA-aaa-domain-huawei] authorization-scheme scheme2
    [RouterA-aaa-domain-huawei] hwtacacs-server ht
    [RouterA-aaa-domain-huawei] quit

  5. Create a local AAA user named sshuser001. Set the access mode to SSH and authentication mode to HWTACACS.

    # Configure a local user named sshuser001 in the huawei domain. After the configuration is complete, the sshuser001 user uses the authentication and authorization modes in the huawei domain.

    [RouterA-aaa] local-user sshuser001@huawei password
    Please configure the password (8-128)
    Enter Password:
    Confirm Password:
    [RouterA-aaa] local-user sshuser001@huawei service-type ssh
    [RouterA-aaa] quit

  6. Configure authentication for the SSH user.

    [RouterA] ssh user sshuser001 authentication-type password

  7. Enable the STelnet server.

    [RouterA] stelnet server enable

  8. Configure an SNMPv3 USM user to allow the NMS to access the device.

    # Enable the SNMP agent function.

    [RouterA] snmp-agent

    # Set the SNMP version to SNMPv3.

    [RouterA] snmp-agent sys-info version v3

    # Configure a MIB view.

    [RouterA] snmp-agent mib-view iso include iso

    # Configure a user group and a user in the group, with both authentication and encryption (privacy) enabled.

    [RouterA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    [RouterA] snmp-agent usm-user v3 nms-admin group admin
    [RouterA] snmp-agent usm-user v3 nms-admin authentication-mode sha
    Please configure the authentication password (10-255)
    Enter Password:
    Confirm Password:
    [RouterA] snmp-agent usm-user v3 nms-admin privacy-mode aes128
    Please configure the privacy password (10-255)
    Enter Password:
    Confirm Password:

    # Configure the NMS as the target host for traps and enable the trap (alarm) function.

    [RouterA] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc
    [RouterA] snmp-agent trap enable

  9. Use the device as an SFTP client to transfer files with the NMS, which functions as an SFTP server, over the VPN.

    [RouterA] ssh client first-time enable
    [RouterA] sftp 10.1.1.1
    sftp-client> put aaa.cfg

  10. Verify the configuration.

    After completing the configuration, run the following commands to verify that it has taken effect.

    # Display the SNMP version.

    [RouterA] display snmp-agent sys-info version
       SNMP version running in the system:
               SNMPv3

    # Display information about an SNMPv3 user.

    [RouterA] display snmp-agent usm-user
       User name: nms-admin,
       Engine ID: 800007DB0300259E0370C3 active
       Group-name: admin
       Authentication mode: sha
       Privacy mode: aes128
       User state: Active

Configuration Files

  • Router A configuration file

    #
    sysname RouterA
    #
    hwtacacs enable
    #
    ip vpn-instance vrf1
     ipv4-family
      route-distinguisher 22:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    hwtacacs-server template ht
     hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
     hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1
     hwtacacs-server shared-key cipher %^%#x@ZaCImt|X79[^A&]DEYC6[>U]OD(8n&BVHvsu2R{=zVSySB'|H[;I`|ef#%^%#
    #
    aaa
     local-user sshuser001@huawei password irreversible-cipher $1c$\h[;D"`M79$GN]A=y;*4EFG%t>vIJI=rJvxWe/V%Xbd;(J+AzC+$
     local-user sshuser001@huawei service-type ssh
     #
     authentication-scheme scheme1
      authentication-mode hwtacacs
     #
     authorization-scheme scheme2
      authorization-mode hwtacacs
     #
     accounting-scheme default0
     #
     accounting-scheme default1
     #
     domain huawei
      authentication-scheme scheme1
      authorization-scheme scheme2
      hwtacacs-server ht
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.1.1.2 255.255.255.0
    interface GigabitEthernet2/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.2.1.2 255.255.255.0
    interface GigabitEthernet3/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.3.1.1 255.255.255.0
    #
    snmp-agent
    snmp-agent local-engineid 800007DB0300313D6A1FA0
    #
    snmp-agent sys-info version v3
    snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc
    #
    snmp-agent mib-view iso include iso
    snmp-agent usm-user v3 nms-admin group admin
    snmp-agent usm-user v3 nms-admin authentication-mode sha %#%##/L&Fd]S.!i*S7<\jCh2DkfkE4+:<%Wap|8zZWwPL+[a>h$wy>VJsp9(L{%B%#%#
    snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#CM-]HDuhH6VX)**J<186nf({M823f(0Z73++7(A#%,1jODj}D>_HS>W,'Ss=%#%#
    #
    stelnet server enable
    ssh user sshuser001 authentication-type password
    #
    ssh client first-time enable
    #
    return
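As an added check that is not part of the Huawei documentation, the following Python audits a Router A style configuration file for the settings this example depends on: every addressed interface bound to the VPN instance, the HWTACACS servers bound to it, every SNMPv3 USM user carrying both an authentication mode and a privacy mode, and `ssh client first-time enable` flagged because it accepts the SFTP server's host key unverified on the first connection. The sample configuration is constructed in the page's VRP style, with placeholder ciphertexts, and contains deliberate mistakes so that the findings can be seen.

```python
import re

# Constructed sample in the VRP config style of the page (ciphertexts replaced by placeholders).
# GigabitEthernet2/0/0, the authorization server line and user nms2-admin are deliberately wrong.
SAMPLE_CFG = """\
hwtacacs-server template ht
 hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
 hwtacacs-server authorization 10.2.1.1
interface GigabitEthernet1/0/0
 ip binding vpn-instance vrf1
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
#
snmp-agent usm-user v3 nms-admin authentication-mode sha %#%#PLACEHOLDER%#%#
snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#PLACEHOLDER%#%#
snmp-agent usm-user v3 nms2-admin authentication-mode sha %#%#PLACEHOLDER%#%#
ssh client first-time enable
"""

def parse_blocks(cfg):
    """Group a VRP config into (top-level command, [indented sub-commands]); '#' separators are skipped."""
    blocks = []
    for line in cfg.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())  # indented line belongs to the current view
        else:
            blocks.append((line.strip(), []))   # new top-level command or view
    return blocks

def audit(cfg, vpn="vrf1"):
    """Return findings for the management-plane settings the example configures; [] means all pass."""
    blocks, findings, users = parse_blocks(cfg), [], {}
    for head, sub in blocks:
        if head.startswith("interface ") and any(s.startswith("ip address") for s in sub) \
                and f"ip binding vpn-instance {vpn}" not in sub:   # addressed but outside the mgmt VPN
            findings.append(f"{head}: addressed but not bound to {vpn}")
        if head.startswith("hwtacacs-server template"):              # AAA servers must be reached via the VPN
            findings += [f"{head}: '{s}' has no vpn-instance" for s in sub
                         if s.startswith("hwtacacs-server auth") and "vpn-instance" not in s]
        m = re.match(r"snmp-agent usm-user v3 (\S+) (authentication-mode|privacy-mode)", head)
        if m:
            users.setdefault(m.group(1), set()).add(m.group(2))
    for u, modes in users.items():  # SNMPv3 users need both authentication and privacy (authPriv)
        findings += [f"USM user {u} has no {k}" for k in ("authentication-mode", "privacy-mode") if k not in modes]
    if any(h == "ssh client first-time enable" for h, _ in blocks):
        findings.append("ssh client first-time enable: unverified server host key accepted on first connect")
    return findings
```

Run `audit(open("routera.cfg").read())` against a saved `display current-configuration` output; an empty list means every check passed.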
Updated: 2019-05-20

Document ID: EDOC1100034225
