
How to configure inband management for huawei ma5616

Jul 16, 2015


Huanetwork

How to Configure Inband Management for Huawei MA5616?

This topic describes how to log in to the MA5616 in Telnet or Secure Shell (SSH) mode through an upstream port (the inband management port) of the MA5616 for inband management. SSH provides authentication, encryption, and authorization to secure network communication. When a user logs in to the Huawei SmartAX mini DSLAM MA5616 remotely over an insecure network, SSH provides security guarantees and strong authentication to protect the MA5616 against attacks such as IP address spoofing and interception of plaintext passwords. The SSH mode is recommended.

Prerequisites
You must be logged in to the system through a local serial port.
The IP address of the maintenance terminal must be properly configured.

NOTE:
In the following operations, the configurations of the MA5616 must be performed through a local serial port.
In inband management mode, use either of the following isolation mechanisms to separate the management channel from the data channel:
1. ACL: Configure a firewall through an ACL so that only specific IP addresses, such as the IP address of the NMS, can be used to log in to the MA5616.
2. VLAN: Ensure that the management VLAN is different from the service VLAN. In addition, do not add a service port to the management VLAN.

Networking - LAN
Figure 1 shows an example network for configuring inband management over a LAN.
Figure 1 Example network for configuring inband management over a LAN


Data Plan - LAN
Table 1 and Table 2 provide the data plan for configuring inband management over a LAN.

Table 1 Data plan for configuring inband management over a LAN in the telnet mode

Item | Data
Upstream port of the MA5616 | VLAN ID: 30; Port ID: 0/0/1; IP address: 10.10.20.2/24
Ethernet port of the maintenance terminal | IP address: 10.10.20.3/24

Table 2 Data plan for configuring inband management over a LAN in the SSH mode

Item | Data
Upstream port of the MA5616 | VLAN ID: 30; Port ID: 0/0/1; IP address: 10.10.20.2/24; User authentication mode: RSA public key authentication; RSA key name: key
New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4
Ethernet port of the maintenance terminal | IP address: 10.10.20.3/24

Networking - WAN
Figure 2 shows an example network for configuring inband management over a WAN.
Figure 2 Example network for configuring inband management over a WAN

Data Plan - WAN
Table 3 and Table 4 provide the data plan for configuring inband management over a WAN.

Table 3 Data plan for configuring inband management over a WAN in the telnet mode

Item | Data
Upstream port of the MA5616 | VLAN ID: 30; Port ID: 0/0/1; IP address: 10.10.20.2/24
Ethernet port of the maintenance terminal | IP address: 10.10.21.3/24
Port of the LAN switch connected to the router | IP address: 10.10.20.3/24

Table 4 Data plan for configuring inband management over a WAN in the SSH mode

Item | Data
Upstream port of the MA5616 | VLAN ID: 30; Port ID: 0/0/1; IP address: 10.10.20.2/24; User authentication mode: RSA public key authentication; RSA key name: key
New user | User name/Password: huawei/test01; Authority: Operator; Permitted reenter number: 4
Ethernet port of the maintenance terminal | IP address: 10.10.21.3/24
Router port connecting to the LAN Switch | IP address: 10.10.20.3/24

Configuration Flowchart
Figure 3 and Figure 4 show the flowchart for configuring inband management.
Figure 3 Flowchart for configuring inband management in the telnet mode
Figure 4 Flowchart for configuring inband management in the SSH mode

NOTE: The blue-shaded configuration procedures are the differences between the SSH mode and the telnet mode.

Procedure

Set up the configuration environment.
Figure 1 or Figure 2 shows how to set up the configuration environment according to the actual requirements and conditions.

Configure the IP address of the VLAN L3 interface.

Run the vlan command to create a VLAN.
    huawei(config)#vlan 30 smart

Run the port vlan command to add an upstream port to the VLAN.
    huawei(config)#port vlan 30 0/0 1

In the VLANIF mode, run the ip address command to configure the IP address and subnet mask of the VLAN L3 interface.
    huawei(config)#interface vlanif 30
    huawei(config-if-vlanif30)#ip address 10.10.20.2 255.255.255.0
    huawei(config-if-vlanif30)#quit

Add a route.
If the configuration environment is set up as shown in Figure 1, you need not add a route.
If the remote WAN management environment is set up as shown in Figure 2, run the ip route-static command to add a route to the next hop.
    huawei(config)#ip route-static 10.10.21.0 24 10.10.20.3

Save the data.
Run the save command to save the data.
    huawei(config)#save

Perform the following operations based on the login mode.

If you log in in the telnet mode, perform the following operations:

Start Telnet.
Choose Start > Run on the maintenance terminal. In the Open address bar, enter telnet 10.10.20.2 (10.10.20.2 is the IP address of the VLAN L3 interface of the MA5616), as shown in Figure 5 (considering the Windows OS as an example). Click OK, and the telnet interface is displayed.
Figure 5 Starting Telnet

Log in to the MA5616.
On the telnet interface, enter the user name and the password. By default, the super user name is root and the password is mduadmin. When the login is successful, the system displays the following information:
    >>User name:root
    >>User password:
      Huawei Integrated Access Software (MA5616).
      Copyright(C) Huawei Technologies Co., Ltd. 2002-2013. All rights reserved.

If you log in in the SSH mode, perform the following operations:

Create a user.
Run the terminal user name command to create a user.
    huawei(config)#terminal user name
      User Name(length<6,15>):huawei
      User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
      Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
      User profile name(<=15 chars)[root]:
      User's Level:
      1. Common User 2. Operator:2
      Permitted Reenter Number(0--4):4
      User's Appended Info(<=30 chars):
      Adding user succeeds
      Repeat this operation? (y/n)[n]:n

Create the local RSA key pair.
Run the rsa local-key-pair create command to create the local RSA key pair.

NOTICE: The prerequisite for the login through SSH is that the local RSA key pair must be configured and generated. Therefore, before performing other SSH configurations, make sure that the local RSA key pair is generated.
    huawei(config)#rsa local-key-pair create
    The key name will be: Host
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Input the bits in the modulus[default = 512]:
    Generating keys.....++++++++++++....................++++++++++++...............................++++++++...........++++++++

Set the SSH user authentication mode.
Run the ssh user huawei authentication-type rsa command to choose the authentication mode of the SSH user.
There are four authentication modes for SSH users, as shown in the following. In this topic, authentication mode rsa is considered as an example.
    password: authentication based on a password.
    rsa: authentication based on an RSA public key.
    all: authentication based on a password or an RSA public key. The user can log in to the device either by the password or the RSA public key.
    password-publickey: authentication based on a password and a public key. The user can log in to the device only after both the password and the RSA public key authentication.

    huawei(config)#ssh user huawei authentication-type
    { all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa

      Command:
              ssh user huawei authentication-type rsa
    %Authentication type setted, and will be in effect next time.

Generate the RSA public key.

Run the key generator.
Run the client software key generator Puttygen.exe. Figure 6 shows the interface of the key generator.
Figure 6 Interface of the key generator

Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor according to the prompt on the interface to generate the client key, as shown in Figure 7.
Figure 7 Interface of the key generator

Click Save public key and Save private key to save the public key and the private key respectively after they are generated, as shown in Figure 8.
Figure 8 Save the public key and the private key

Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step. Then, click Convert to change the client public key to the RSA public key, as shown in Figure 9.
Figure 9 Interface of converting the client public key to the RSA public key

Generate the public key for the SSH user.
Create the RSA public key. Copy the RSA public key to the server in the config-rsa-key-code command line mode.
    huawei(config)#rsa peer-public-key key
    Enter "RSA public key" view, return system view with "peer-public-key end".
    NOTE: The number of the bits of public key must be between 769 and 2048.
    huawei(config-rsa-public-key)#public-key-code begin
    Enter "RSA key code" view, return last view with "public-key-code end".
    huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
    huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
    huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
    huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
    huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
    huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
    huawei(config-rsa-key-code)#public-key-code end
    huawei(config-rsa-public-key)#peer-public-key end

Assign the public key to the SSH user.
Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
    huawei(config)#ssh user huawei assign rsa-key key

Log in to the system.

Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and assign a file for the RSA private key, as shown in Figure 10. Click Browse to display the window for selecting the file. In the window, select the file for the private key, and click OK.
Figure 10 Interface of the SSH client software

Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5616 in the Host Name (or IP address) field, as shown in Figure 11. Then, click Open to log in to the system.

NOTE: The port in Figure 11 generally uses the default number 22. You can also use the display sysman service state command to query the port and then configure it.
Figure 11 Interface for logging in to the system using the SSH client software


The user authentication mode is set to the RSA authentication mode, and the system therefore displays the prompt, as shown in Figure 12. Input the user name to log in to the system (here, the user name is huawei).
Figure 12 Interface for logging in to the system using the SSH client software

Result
After logging in to the MA5616, you can manage the MA5616.
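The key code pasted in the public-key-code view above is a DER-encoded RSA public key (a SEQUENCE of two INTEGERs: modulus and public exponent). The following is an added example, not part of the original document or of any Huawei tool: it decodes the pasted lines so the modulus size can be checked against the 769 to 2048 bit range stated in the NOTE before the key is assigned to an SSH user. The function names are hypothetical.

```python
import re

PROMPT = re.compile(r"^\S*\(config-rsa-key-code\)#")
HEX_ONLY = re.compile(r"[0-9A-Fa-f ]+")

# The key-code lines from the CLI session on this page, prompts included.
SESSION = """\
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end
"""

def read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("malformed DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:pos + length], pos + length

def parse_key_code(session_text):
    """Return (modulus_bits, public_exponent) for pasted key-code lines."""
    lines = (PROMPT.sub("", ln).strip() for ln in session_text.splitlines())
    der = bytes.fromhex("".join(ln for ln in lines if HEX_ONLY.fullmatch(ln)))
    seq, end = read_tlv(der, 0, 0x30)       # SEQUENCE { modulus, exponent }
    modulus, pos = read_tlv(seq, 0, 0x02)   # INTEGER
    exponent, pos = read_tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("unexpected bytes after the key")
    return (int.from_bytes(modulus, "big").bit_length(),
            int.from_bytes(exponent, "big"))

def in_device_range(bits, low=769, high=2048):
    """Range taken from the NOTE printed by rsa peer-public-key on this page."""
    return low <= bits <= high

if __name__ == "__main__":
    bits, exp = parse_key_code(SESSION)
    print(f"modulus: {bits} bits, exponent: {exp}, in range: {in_device_range(bits)}")
```

A ValueError from parse_key_code usually means a line was dropped or mistyped while pasting, which is worth catching before running ssh user huawei assign rsa-key key.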
