NE40E-M2 V800R010C10SPC500 Configuration Guide - System Management 01

Establishing Communication Between the NMS and a Device Using NETCONF

To ensure secure and smooth communication between the network management system (NMS) and a device managed by the NMS, enable the Secure Shell (SSH) service on the server and deploy the NMS on the client. This section describes only the configuration of the server. For details about the NMS configuration, see the related NMS configuration manual.

Usage Scenario

NETCONF ensures security and extensibility. When the NMS is used to manage network devices, you can use NETCONF to ensure communication between the NMS and the devices.

As shown in Figure 17-1, the NMS is deployed on the client that functions as the SSH client. The server functions as the SSH server that receives connection requests from and establishes the connection with the SSH client. SSH is a security protocol at the application layer, enhancing the reliability of NETCONF. In this networking, NETCONF is used to manage the configuration of the SSH server.

Figure 17-1 Networking diagram for establishing communication between the NMS and a device using NETCONF

Pre-configuration Tasks

Before establishing communication between the NMS and a device using NETCONF, deploy NMS on the client.

Configuration Procedures

Figure 17-2 Flowchart for establishing communication between the NMS and a device using NETCONF

Configuring an SSH User

When Secure Shell (SSH) is used as the transport protocol of NETCONF, you must configure an SSH user with administrative rights, generate a local Rivest-Shamir-Adleman (RSA) or Elliptic Curve Cryptography (ECC) key pair on the SSH server, set the user authentication mode, and set the SSH user service type.

Context

Before configuring an SSH user, you must configure the authentication mode. Creating a local key pair is not mandatory: if no local key pair is configured, one is generated automatically. Save the configuration file so that this local key pair does not change after the system restarts.

  • Create a local RSA/Digital Signature Algorithm (DSA) or ECC key pair on the SSH server. Table 17-2 shows the differences between the RSA/DSA and ECC algorithms.

    Table 17-2 RSA and ECC algorithm differences

    RSA/DSA: An asymmetric public key encryption algorithm that improves encryption efficiency and simplifies key management. With this algorithm, the server checks whether the SSH user, the public key, and the digital signature are valid. User authentication succeeds only when all of them match those configured on the server.

    ECC: An asymmetric encryption algorithm similar to RSA/DSA. Compared with the RSA/DSA algorithm, the ECC algorithm has the following advantages:
    • Provides the same security with a shorter key length.
    • Features a shorter computing process and higher processing speed.
    • Requires less storage space.
    • Requires lower bandwidth.
  • Password authentication is performed based on AAA. Before a user logs in to the device with the password authentication mode, a local user with the same user name must be created in the AAA view.

Perform the following steps on the server (SSH server):

Procedure

  1. Run system-view

    The system view is displayed.

  2. If password authentication is configured for the SSH user, create the same SSH user in the AAA view and set the local user access type to SSH. Perform the following steps to configure the local user:
    1. Run aaa

      The AAA view is displayed.

    2. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

      A local user name and a password are configured.

      NOTE:
      • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    3. Run local-user user-name user-group manage-ug

      The local user is configured with administrative rights.

      NOTE:

      Users without administrator rights can also establish NETCONF connections with limited rights and perform NETCONF-related operations.

    4. Run local-user user-name service-type ssh

      The local user access type is set to SSH.

      You can specify an access type to allow only users configured with the specified access type to log in to the device.

    5. Run local-user user-name password expire days

      The period after which a password for a local user expires is configured.

      NOTE:

      To harden network security, administrators can run the local-user password expire command to configure the period after which a password expires.

      When the password for a local user is changed, the system resets the period.

      The local-user password expire command applies only to local users. After a password expires, reconfigure a new password for users. Otherwise, users fail to log in.

    6. Run user-password expire expire-days prompt prompt-days

      The password validity period and advance warning before the password expires are configured.

      NOTE:

      To prevent account stealing due to unchanged passwords, run the user-password expire command to set the password validity period and the period for advance warning before the password expires.

      Only a level-3 or higher-level administrator can run the user-password expire command.

      • The user-password expire command applies only to administrators. The system prompts the administrator to change the password N days before the password expires.
      • If the administrator does not change the password before it expires, the administrator is denied access to the device.

    7. Run quit

      Exit from the AAA view.

    NOTE:

    In addition to local users, server users can also log in to the NMS through NETCONF. If a server user logs in to the NMS through NETCONF, a user group or user level needs to be configured on the AAA server. For details about the configuration, see the configuration guide provided by the associated vendor.

  3. (Optional) Run either of the following commands to create a key pair:

    • If the security requirements are not high, run the rsa local-key-pair create command to create a local RSA key pair, or run the dsa local-key-pair create command to create a local DSA key pair.

      NOTE:

      To ensure high security, do not use RSA keys shorter than 2048 bits or the DSA algorithm.

    • If the security requirements are high, run the ecc local-key-pair create command to create a local ECC key pair.

  4. Select one of the SSH user authentication modes listed in Table 17-3.

    Table 17-3 Configurations of the SSH user authentication mode

    To configure password authentication
      Operation: Run the ssh user user-name authentication-type password command.
      Remarks: If a local or HWTACACS authentication server is used and only a few users need to be authenticated, use password authentication.

    To configure default password authentication
      Operation: Run the ssh authentication-type default password command.
      Remarks: If a large number of users need to be authenticated, use default password authentication, which simplifies the configuration.

    To configure RSA authentication
      1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
      2. Run the rsa peer-public-key key-name command to enter the public RSA key view.
      3. Run the public-key-code begin command to enter the public key edit view.
      4. Enter hex-data to edit the public key.
         Remarks:
         • In the public key edit view, only hexadecimal strings complying with the public key format can be entered. The key string is generated on the SSH client. For detailed operations, see the help document of the SSH client software.
         • In the public key edit view, copy the RSA public key generated on the client to the server.
      5. Run the public-key-code end command to exit the public key edit view.
      6. Run the peer-public-key end command to return to the system view.
         Remarks:
         • A public key is generated only after valid hex-data complying with the public key format is entered and the peer-public-key end command is run.
         • If you run the peer-public-key end command after the key-name specified in Step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
      7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

    To configure DSA authentication
      1. Run the ssh user user-name authentication-type dsa command to configure DSA authentication.
      2. Run the dsa peer-public-key key-name command to enter the public DSA key view.
      3. Run the public-key-code begin command to enter the public key edit view.
      4. Enter hex-data to edit the public key.
         Remarks:
         • In the public key edit view, only hexadecimal strings complying with the public key format can be entered. The key string is generated on the SSH client. For detailed operations, see the help document of the SSH client software.
         • In the public key edit view, copy the DSA public key generated on the client to the server.
      5. Run the public-key-code end command to exit the public key edit view.
      6. Run the peer-public-key end command to return to the system view.
         Remarks:
         • A public key is generated only after valid hex-data complying with the public key format is entered and the peer-public-key end command is run.
         • If you run the peer-public-key end command after the key-name specified in Step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
      7. Run the ssh user user-name assign dsa-key key-name command to assign the public key to the SSH user.

    To configure ECC authentication
      1. Run the ssh user user-name authentication-type ecc command to configure ECC authentication.
      2. Run the ecc peer-public-key key-name command to enter the public ECC key view.
      3. Run the public-key-code begin command to enter the public key edit view.
      4. Enter hex-data to edit the public key.
         Remarks:
         • In the public key edit view, only hexadecimal strings complying with the public key format can be entered. The key string is generated on the SSH client. For detailed operations, see the help document of the SSH client software.
         • In the public key edit view, copy the ECC public key generated on the client to the server.
      5. Run the public-key-code end command to exit the public key edit view.
      6. Run the peer-public-key end command to return to the system view.
         Remarks:
         • A public key is generated only after valid hex-data complying with the public key format is entered and the peer-public-key end command is run.
         • If you run the peer-public-key end command after the key-name specified in Step 2 has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view.
      7. Run the ssh user user-name assign ecc-key key-name command to assign the public key to the SSH user.

  5. (Optional) Configure the SSH server parameters. For details, see Configure the SSH server parameters.
  6. Run ssh user username service-type snetconf

    The service type of an SSH user is set to SNETCONF.

  7. (Optional) Run ssh user username sftp-directory directoryname

    The authorized directory of the SFTP service for SSH users is set.

  8. Run commit

    The configuration is committed.

Enabling NETCONF

A NETCONF connection can be established between the client and the server using the well-known port 22 only after NETCONF is enabled on the server.

Context

The device functions as an SSH server and accepts client connections on the following two ports:
  • Known port 22: When the NETCONF connection is set up using this port, the snetconf server enable command must be run on the SSH server.

  • Known port 830: Only the protocol inbound ssh port 830 command needs to be run on the SSH server, but the snetconf server enable command does not need to be run.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enable NETCONF.

    Both the snetconf server enable and protocol inbound ssh port 830 commands can enable the NETCONF function. If both commands are run, the client can use either port 22 or port 830 to set up a NETCONF connection with the server.

    • Enable the NETCONF service of SSH server on TCP port 22.

      Run snetconf [ ipv4 | ipv6 ] server enable

      The NETCONF service of SSH server on TCP port 22 is enabled.

    • Enable the NETCONF service of SSH server on port 830.

      1. Run netconf

        The NETCONF user interface view is displayed.

      2. Run protocol inbound ssh [ ipv4 | ipv6 ] port 830

        The NETCONF service of SSH server is enabled on port 830.

      3. Run quit

        Exit from the NETCONF user interface view.

    After the NETCONF service of the SSH server is disabled on TCP port 22 or 830, all clients connected to that port through NETCONF are disconnected.

  3. (Optional) Set correct NETCONF parameters to ensure secure NETCONF session connections. The default parameters are recommended.

    1. Run netconf

      The NETCONF user interface view is displayed.

    2. Run max-sessions max-sessions-count

      The maximum number of NETCONF users that the NETCONF user interface supports is set.

      To prevent unauthorized users from using NETCONF, set the maximum number of NETCONF users. After the maximum number of users that are using NETCONF is reached, subsequent users are not allowed to use NETCONF. This mechanism ensures network management security.

    3. Run idle-timeout minutes [ seconds ]

      The timeout period of an idle NETCONF connection is set.

      If no timeout period is set for an idle NETCONF connection, the idle NETCONF connection cannot be released in time for other authorized users.

  4. Run commit

    The configuration is committed.

(Optional) Configuring NETCONF Authorization

You can configure NETCONF authorization to authorize specific users to perform NETCONF operations or access NETCONF resources. NETCONF authorization ensures the device security.

Configuring HUAWEI-NACM

HUAWEI-NACM authorizes specific users to perform NETCONF operations or access NETCONF resources by binding NETCONF authorization rules to AAA task groups and user groups. NETCONF authorization ensures device security.

Context

After a NETCONF session is set up using SSH, any SSH user can manage the device over that session, which leaves the device insecure. To resolve this problem, configure NETCONF authorization so that only specific users can perform NETCONF operations or access NETCONF resources.

Procedure

  1. Configure NETCONF authorization in the task group view and add a task to the task group.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run task-group (AAA view) task-group-name

      A task group is created, and the task group view is displayed.

    4. Run netconf authorization-rule rule-name { { deny { rpc-operation rpc-oper-name | schema-path data-node-path } } | { permit { rpc-operation rpc-oper-name | schema-path data-node-path access-operation { read | write | execute }* } } } [ description description-text ]

      A NETCONF authorization rule for operations and data nodes is configured, and the task is added to the task group.

    5. Run quit

      Return to the AAA view.

  2. Add the task group to a user group.
    1. Run user-group user-group-name

      A user group is created, and the user group view is displayed.

    2. Run task-group (user group view) task-group-name

      The specific task group is added to the user group.

    3. Run quit

      Return to the AAA view.

  3. Run local-user user-name user-group user-group-name

    A local user is added to the user group.

  4. Run commit

    The configuration is committed.

Configuring NACM

To improve NETCONF device security, configure NACM to control user permissions for performing NETCONF operations and accessing NETCONF resources.

Context

NACM is an IETF-defined flexible access control method. It allows you to define NACM rules to control specific users' permissions for performing NETCONF operations and accessing NETCONF resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run netconf

    The NETCONF view is displayed.

  3. Run nacm

    The NACM view is displayed.

  4. Run nacm enable

    The NACM function is enabled.

  5. (Optional) Run read-default permit

    Users are granted the default permission to perform query operations.

  6. (Optional) Run write-default permit

    Users are granted the default permission to perform configuration operations.

  7. (Optional) Run execute-default permit

    Users are granted the default permission to execute RPC operations.

  8. Run group-name group-name

    An NACM user group is created, and the NACM user group view is displayed.

  9. Run user-name user-name

    A user is specified for the NACM user group.

  10. Run quit

    Exit the NACM user group view.

  11. Run rule-list-name rule-list-name

    An NACM rule list is created, and the NACM rule list view is displayed.

  12. Run group group-name

    The NACM user group is associated with the NACM rule list.

  13. Run rule-name rule-name action action

    A name is set for an NACM rule in the NACM rule list view.

  14. (Optional) Run description description

    A description is configured for the NACM rule.

  15. Run module-name module-name

    The name of a feature module is specified in the NACM rule.

  16. Run rule-type { rpc-name rpc-name | notification-name notification-name | path path }

    A type is specified for the NACM rule.

  17. Run access-operation { { create | read | update | delete | exec } * | * }

    Access operations are configured.

  18. Run commit

    The configuration is committed.
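The following walk-through, added here and not part of Huawei's documentation or code, models how the objects configured in steps 4 to 17 (the read/write/execute defaults, the NACM group, the rule list bound to the group, and its rules) combine into a permit or deny decision; the matching order follows RFC 8341, and every group, rule and module name in it is constructed.

```python
"""NACM decision walk-through (added example, not Huawei's own code).

Models the global defaults (read-default, write-default, execute-default),
NACM groups with member users, and ordered rule lists bound to groups.
Each rule carries a module-name, a rule-type (rpc-name, notification-name
or path) with its target, and a set of access operations. Per RFC 8341 the
first matching rule in rule-list order wins; otherwise the default applies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    module_name: str = "*"       # "*" matches any YANG module
    rule_type: str = "*"         # "rpc-name", "notification-name", "path" or "*"
    target: str = "*"            # rpc name, notification name or data path
    access_ops: Set[str] = field(default_factory=lambda: {"*"})


@dataclass
class RuleList:
    name: str
    groups: Set[str]             # NACM groups this list applies to
    rules: List[Rule]


@dataclass
class Nacm:
    enabled: bool = True
    read_default: str = "deny"
    write_default: str = "deny"
    execute_default: str = "deny"
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # group -> users
    rule_lists: List[RuleList] = field(default_factory=list)


def _rule_matches(rule: Rule, module: str, kind: str, target: str, op: str) -> bool:
    if rule.module_name not in ("*", module):
        return False
    if rule.rule_type != "*":
        if rule.rule_type != kind:
            return False
        if kind == "path":
            # a path rule covers the node itself and everything below it
            prefix = rule.target.rstrip("/") + "/"
            if rule.target != "*" and target != rule.target and not target.startswith(prefix):
                return False
        elif rule.target not in ("*", target):
            return False
    return "*" in rule.access_ops or op in rule.access_ops


def decide(nacm: Nacm, user: str, module: str, kind: str, target: str, op: str) -> str:
    """Return "permit" or "deny"; kind is rpc-name/notification-name/path,
    op is one of create, read, update, delete or exec."""
    if not nacm.enabled:
        return "permit"
    user_groups = {g for g, members in nacm.groups.items() if user in members}
    for rule_list in nacm.rule_lists:
        if not (rule_list.groups & user_groups or "*" in rule_list.groups):
            continue
        for rule in rule_list.rules:
            if _rule_matches(rule, module, kind, target, op):
                return rule.action
    # no rule matched: fall back to the defaults from steps 5 to 7
    if op == "read":
        return nacm.read_default
    if op == "exec":
        return nacm.execute_default
    return nacm.write_default


def sample_nacm() -> Nacm:
    """Constructed configuration mirroring steps 4 to 17; all names hypothetical."""
    nacm = Nacm(read_default="permit", write_default="deny", execute_default="deny")
    nacm.groups["nc-operators"] = {"client001"}
    nacm.rule_lists.append(RuleList("rl-operators", {"nc-operators"}, [
        Rule("allow-get", "permit", "ietf-netconf", "rpc-name", "get", {"exec"}),
        Rule("allow-get-config", "permit", "ietf-netconf", "rpc-name", "get-config", {"exec"}),
        Rule("lock-interfaces", "deny", "ietf-interfaces", "path", "/interfaces",
             {"create", "update", "delete"}),
    ]))
    return nacm
```

With this configuration a member of the group may read any data and run get/get-config, but every other RPC and every write falls through to the deny defaults.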

Logging In to the Server Using the NMS

After the preceding configuration is complete, you can log in to the server from the client using the NMS. This allows you to remotely configure the device.

Context

The NMS can manage devices only when the NMS has connected to corresponding NEs and can communicate with them.

Before deploying NEs, divide the network into sub-networks properly. The physical topology must reflect the actual network structure and be easy to maintain routinely.

NOTE:

If the Huawei NMS is used, creating NEs consumes specific upgrade licenses or NE resource licenses. If no NE resources or specific upgrade licenses remain, the system reports that the NE cannot be created. If this occurs, apply for NE resources or specific upgrade licenses.

For installation and maintenance of the NMS, see the relevant installation instruction and usage guidelines.

Verifying the Configuration of Communication Between the NMS and a Device Using NETCONF

After NETCONF is configured to allow the NMS to remotely manage device configurations, check detailed SSH session information (indicating that the client has logged in to the server) and the capabilities that the server supports.

Prerequisites

NETCONF has been configured to manage device configurations.

Procedure

  • Run the display ssh user-information username command on the SSH server (server) to check information about the SSH user on the NETCONF client.
  • Run the display ssh server status command on the SSH server to check its global configuration.
  • Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and the SSH client (client).
  • Run the display netconf capability command to check the capabilities that the server supports.
  • Run the display netconf authorization command to check the NETCONF authorization information.
  • Run the display netconf session command to check information about all NETCONF sessions.

Example

Run the display ssh user-information username command to view information about a specified SSH user and the service mode.

<HUAWEI> display ssh user-information client001
--------------------------------------------------------------------------------
User Name             : client001
Authentication-Type   : password
User-public-key-name  : -
User-public-key-type  : -
Sftp-directory        : -
Service-type          : snetconf
--------------------------------------------------------------------------------
Total 1, 1 printed 

If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed.

Run the display ssh server status command to view global configuration of the SSH server.

<HUAWEI> display ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Enable
SSH server keepalive                       : Disable
SFTP IPv4 server                           : Disable
SFTP IPv6 server                           : Disable
STELNET IPv4 server                        : Disable
STELNET IPv6 server                        : Disable
SNETCONF IPv4 server                       : Enable
SNETCONF IPv6 server                       : Enable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH server DES                             : Disable
SSH IPv4 server port                       : 22
SSH IPv6 server port                       : 22
SSH server source address                  : 10.1.1.1
SSH ipv6 server source address             : 0::0 
SSH ipv6 server source vpnName             : 
ACL name                                   :
ACL number                                 :
ACL6 name                                  :
ACL6 number                                :
SSH server ip-block                        : Enable
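An audit of the output above, added here as an example and not Huawei's own tooling: it parses the Field : Value lines and flags the settings a reviewer would question (SSH 1.x compatibility enabled, DES offered, no ACL bound, ip-block disabled, NETCONF unreachable on both ports). SAMPLE_STATUS is a constructed subset of the display output shown above.

```python
"""Audit of 'display ssh server status' output (added example, not Huawei's own code).

Parses the 'Field : Value' lines and flags settings that weaken the SSH
transport NETCONF rides on. SAMPLE_STATUS is a constructed subset of the
output shown in the configuration guide.
"""
import re
from typing import Dict, List

SAMPLE_STATUS = """\
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Enable
SNETCONF IPv4 server                       : Enable
SNETCONF IPv6 server                       : Enable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SSH server DES                             : Disable
SSH IPv4 server port                       : 22
ACL name                                   :
ACL number                                 :
ACL6 name                                  :
ACL6 number                                :
SSH server ip-block                        : Enable
"""

# lazy key so the first ':' is the separator even when the value holds colons (IPv6)
LINE_RE = re.compile(r"^(?P<key>.+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_status(text: str) -> Dict[str, str]:
    """Turn the display output into a field -> value map (empty string if unset)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_status(fields: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means clean."""
    findings: List[str] = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH 1.x compatibility enabled: permits downgrade to SSH-1")
    if fields.get("SSH server DES") == "Enable":
        findings.append("DES enabled: 56-bit cipher offered to clients")
    if fields.get("SSH server ip-block") != "Enable":
        findings.append("ip-block disabled: no lockout after repeated failed logins")
    if not any(fields.get(k) for k in ("ACL name", "ACL number", "ACL6 name", "ACL6 number")):
        findings.append("no ACL bound: any source address may reach the SSH/NETCONF service")
    if fields.get("SSH server key generating interval (Hours)") == "0":
        # assumption: 0 means the server key pair is never regenerated automatically
        findings.append("server key regeneration interval is 0: review key rotation policy")
    on_22 = "Enable" in (fields.get("SNETCONF IPv4 server"), fields.get("SNETCONF IPv6 server"))
    on_830 = "Enable" in (fields.get("SNETCONF IPv4 server port(830)"),
                          fields.get("SNETCONF IPv6 server port(830)"))
    if not (on_22 or on_830):
        findings.append("NETCONF over SSH is not enabled on port 22 or port 830")
    return findings
```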

Run the display ssh server session command to view sessions between the SSH server and the SSH client.

<HUAWEI> display ssh server session
--------------------------------------------------------------------------------
Session                                 : 1
Conn                                    : SFTP 0
Version                                 : 2.0
State                                   : Started
Username                                : user1
Retry                                   : 1
CTOS Cipher                             : aes128-cbc
STOC Cipher                             : aes128-cbc
CTOS Hmac                               : hmac-md5
STOC Hmac                               : hmac-md5
CTOS Compress                           : none
STOC Compress                           : none
Kex                                     : diffie-hellman-group-exchange-sha1
Public Key                              : ecc
Service Type                            : SFTP
Authentication Type                     : password
Connection Port Number                  : 22
Idle Time                               : 00:00:49
Total Packet Number                     : 90
Packet Number after Rekey               : 0
Total Data(MB)                          : 0
Data after Rekey(MB)                    : 0
Time after Session Established(Minute)  : 0
Time after Rekey(Minute)                : 1
--------------------------------------------------------------------------------

Run the display netconf capability command to view the capabilities that the server supports.

<HUAWEI> display netconf capability
--------------------------------------------------
Capability                                        
--------------------------------------------------
urn:ietf:params:netconf:base:1.0                  
urn:ietf:params:netconf:base:1.1                  
urn:ietf:params:netconf:capability:writable-running:1.0
urn:ietf:params:netconf:capability:candidate:1.0  
urn:ietf:params:netconf:capability:confirmed-commit:1.0
urn:ietf:params:netconf:capability:confirmed-commit:1.1
urn:ietf:params:netconf:capability:rollback-on-error:1.0
urn:ietf:params:netconf:capability:validate:1.0   
urn:ietf:params:netconf:capability:validate:1.1   
urn:ietf:params:netconf:capability:startup:1.0    
urn:ietf:params:netconf:capability:url:1.0?scheme=file,ftp,sftp
urn:ietf:params:netconf:capability:xpath:1.0      
urn:ietf:params:netconf:capability:notification:1.0
urn:ietf:params:netconf:capability:interleave:1.0 
urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=report-all&also-supported=report-all-tagged,trim
urn:ietf:params:netconf:capability:yang-library:1.0?revision=2016-06-21&module-set-id=1903662584
--------------------------------------------------
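The capability list above is what the server advertises in its hello message when a NETCONF session opens. The following example, added here and not Huawei's own code, shows that exchange from both sides: the server hello (a constructed message using URNs from the list above, with a constructed session-id), the client hello, base-version negotiation, and the two message framings that the negotiated version selects under RFC 6242.

```python
"""NETCONF-over-SSH session start (added example, not Huawei's own code).

Once the SSH subsystem is opened on port 22 (snetconf) or port 830, the
server sends a <hello> listing its capabilities and the client replies
with its own. The hello messages themselves always use the ']]>]]>'
end-of-message marker; the highest base version both sides advertise
then selects the framing for every later message: ']]>]]>' for base:1.0,
chunked framing for base:1.1. SERVER_HELLO is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = b"]]>]]>"

SERVER_HELLO = f"""<hello xmlns="{NS}">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=report-all&amp;also-supported=report-all-tagged,trim</capability>
  </capabilities>
  <session-id>303</session-id>
</hello>"""


def parse_hello(xml_text: str) -> Tuple[List[str], Optional[int]]:
    """Extract the capability URNs and, for a server hello, the session-id."""
    root = ET.fromstring(xml_text)
    caps = [c.text.strip() for c in root.iter(f"{{{NS}}}capability") if c.text]
    sid = root.findtext(f"{{{NS}}}session-id")
    return caps, (int(sid) if sid else None)


def client_hello(base_versions=("1.0", "1.1")) -> str:
    """Client hello: no session-id, only the base versions it speaks."""
    caps = "".join(f"<capability>urn:ietf:params:netconf:base:{v}</capability>"
                   for v in base_versions)
    return f'<hello xmlns="{NS}"><capabilities>{caps}</capabilities></hello>'


def negotiate_base(server_caps: List[str], client_caps: List[str]) -> str:
    """Pick the highest base version present in both capability lists."""
    shared = set(server_caps) & set(client_caps)
    for version in ("1.1", "1.0"):
        if f"urn:ietf:params:netconf:base:{version}" in shared:
            return version
    raise ValueError("no common NETCONF base version; session must be closed")


def frame(message: str, base: str) -> bytes:
    """Encode one message for the wire in the negotiated framing."""
    data = message.encode()
    if base == "1.0":
        return data + EOM
    return b"\n#%d\n%s\n##\n" % (len(data), data)   # one chunk is enough here


CHUNK_HEADER = re.compile(rb"\n#(\d+)\n")


def unframe(buf: bytes, base: str) -> str:
    """Decode one complete message; raises ValueError on truncated input."""
    if base == "1.0":
        body, marker, _ = buf.partition(EOM)
        if not marker:
            raise ValueError("end-of-message marker not found")
        return body.decode()
    out, pos = bytearray(), 0
    while not buf.startswith(b"\n##\n", pos):
        m = CHUNK_HEADER.match(buf, pos)
        if not m:
            raise ValueError("malformed chunk header")
        size, start = int(m.group(1)), m.end()
        chunk = buf[start:start + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos = start + size
    return out.decode()
```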

Run the display netconf authorization command to view information about the NETCONF authorization rule named rule1 in task group tg.

<HUAWEI> display netconf authorization task-group-rules tg rule-name rule1
--------------------------------------------------------------------------------
Name          : rule1
RPC operation : get
Action        : permit
Rule-type     : operationRule
Description   : permit get operation
--------------------------------------------------------------------------------

Run the display netconf session command to view information about all NETCONF sessions.

<HUAWEI> display netconf session
--------------------------------------------------------------------------------
NETCONF Session ID  : 303
Transport           : netconf-ssh
User Name           : root1234
Host Identifier     : 187.7.1.1
Login Time          : 2017-06-30 03:57:46
Input Rpc           : 0
Input Bad Rpc       : 0
Output Rpc Error    : 0
Output Notification : 0
--------------------------------------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100058392
