Friday, December 27 2024

how to display electronic labels

display elabel [ backplane | slot-id ]

This command displays the electronic labels of the installed boards. If you do not specify slot-id, you will see information about all the boards. The output of this command includes, among others:

  • type of boards and PIC cards
  • bar code
  • English description
  • BOM
  • vendor’s name.


Huawei basic user environment

As you already know, you can assign a different privilege level to each user configured on a Huawei device. You can read how to configure a local user and how to access a Huawei device in one of my previous posts.

user privilege level

Today I want to focus on the privilege level of a local user. Each year, lots of accidents in IP networks are caused by inexperienced employees. We can decrease the number of such accidents by setting a privilege level for local users who log into network devices. Setting a lower privilege level for such employees increases the network’s safety. For more experienced engineers, we can either configure a higher privilege level or set a super password to let them perform advanced operations.

Let’s assume that we have created a local user with the lowest priority:

#
local-user labnario password cipher &EU15O"Q3/;Q=^Q`MAF4<1!!
 local-user labnario service-type telnet
 local-user labnario level 0
#

After you log in as user “labnario” and type a question mark, you can see all commands available at level 0:

<CX600>?
User view commands:
  cluster        Run cluster command
  display        Display LPUF-10 work-mode
  hwtacacs-user  HWTACACS user
  language-mode  Specify the language environment
  local-user     Local user
  ping           Ping function
  quit           Exit from current command view
  return         Exit to user view
  save           Save file
  super          Privilege current user a specified priority level
  telnet         Establish a Telnet connection
  trace          Trace route (switch) to host on Data Link Layer
  tracert        Trace route to host

As this is the lowest privilege level, we cannot even display the current configuration or interface statistics:

<CX600>display current-configuration
             ^
Error: Unrecognized command found at '^' position.

<CX600>display interface GigabitEthernet7/0/0
             ^
Error: Unrecognized command found at '^' position.

command privilege level

But we can assign additional commands to this level in advance, as needed:

#
command-privilege level 0 view shell display current-configuration
command-privilege level 0 view system display current-configuration
command-privilege level 0 view shell display interface GigabitEthernet7/0/0
#

Now it is possible to display current-configuration and statistics of GE7/0/0:

<CX600>display ?
  current-configuration     Current configuration
  interface                 Status and configuration information for the
                            interface

super password and switching user levels

Let’s come back to the super password. What we want to do is set the super password, in advance, for privilege level 15:

[CX600]super password level 15 cipher &EU15O"Q3/;Q=^Q`MAF4<1!!

Now, if you are logged in as a level 0 user, you can switch to level 15. If you want a reminder of how levels are arranged on Huawei devices, you can read huawei cli introduction.

<CX600>super 15
Password:
Now user privilege is 15 level, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Now you have full rights to configure and manage this device.
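The three settings above (a level 0 user, commands lowered to level 0, and a super password for level 15) can be reviewed together in a saved configuration. The following is an added example, not code from the original post: it flags them in a config text. The sample is constructed from the lines shown above with the cipher strings replaced by a placeholder, and the rule names and the list of sensitive commands are assumptions.

```python
import re

# Constructed sample: this post's config lines in one text, cipher strings replaced by a placeholder.
SAMPLE_CONFIG = """\
#
local-user labnario password cipher <cipher-text>
 local-user labnario service-type telnet
 local-user labnario level 0
#
command-privilege level 0 view shell display current-configuration
command-privilege level 0 view system display current-configuration
command-privilege level 0 view shell display interface GigabitEthernet7/0/0
#
super password level 15 cipher <cipher-text>
"""

SENSITIVE = ("display current-configuration",)  # assumption: the auditor's own list

USER_RE = re.compile(r"local-user (\S+) (level|service-type) (.+)")
CMD_RE = re.compile(r"command-privilege level (\d+) view (\S+) (.+)")
SUPER_RE = re.compile(r"super password level (\d+)\b")


def audit(config, low_max=1):
    """Return (rule, subject, detail) findings; rule names are hypothetical."""
    users, findings, super_levels = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := USER_RE.fullmatch(line):
            users.setdefault(m[1], {})[m[2]] = m[3]
        elif m := CMD_RE.fullmatch(line):
            level, view, cmd = int(m[1]), m[2], m[3]
            if level <= low_max and cmd.startswith(SENSITIVE):
                findings.append(("sensitive-command-lowered", f"level {level}", f"{view}: {cmd}"))
        elif m := SUPER_RE.match(line):
            super_levels.append(int(m[1]))
    for name, attrs in sorted(users.items()):
        level = int(attrs.get("level", "0"))  # assumption: no level line means level 0
        if "telnet" in attrs.get("service-type", "").split():
            findings.append(("cleartext-login", name, "service-type telnet"))
        for target in super_levels:
            if level < target:  # the user can switch up with the shared super password
                findings.append(("super-escalation", name, f"level {level} -> {target}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

The display interface line is not reported because it is not in the sensitive list; display current-configuration is, since its output contains the cipher lines of every local user.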

locking user terminal

Remember to lock your current user terminal interface if you are away from your desk. This prevents unauthorized users from operating the device through the current terminal interface:

<CX600>lock
Enter Password:
Confirm Password:

Info: The terminal is locked.

Enter Password:
<CX600>


from Huawei CLI – header …

header { login | shell }

login – the header text is displayed when you try to log into a device

shell – the header text is displayed after you have successfully logged into a device

Example of configuring header login by using plain text:
[labnario]header login information %
The banner text supports 220 characters max, including the start and
the end character.If you want to enter more than this, use banner file
instead.Input banner text, and quit with the character '%':
welcome to labnario network lab!!!%

Remember that the start and end characters must be the same. In this case % has been used. The interactive input starts after you type % and press Enter, and closes automatically when you write your header text and type % again.

Now, if you log into the device by telnet or ssh, you will see the following prompt:

welcome to labnario network lab!!!

Login authentication

Username:

You will achieve the same result when you use the following command:

[labnario]header login file header.txt

The only thing you have to remember is to create the header.txt file and place it in the memory of the device (flash or CFcard). I described how to upload files by FTP in the following post.


Huawei certification

Is it worth passing Huawei certification exams?

Maybe some of you will say “yes, it is”.

Maybe some of you will be sceptical.

For those who want to know more about Huawei certification, here is a link to the official Huawei website.

For those who want to read more news about Huawei certification I can recommend an interview by IT Certification Master.

What is your opinion about Huawei certification? Have you had any experience with Huawei certification track?

You are invited to express your opinion. Any comments are appreciated.

It is certainly worth talking about 🙂


mirroring on Huawei AR19/29/49 routers

If you want to look into packets sent or received by a router, and there is no way to display them with a command, the simplest and fastest way is to use mirroring. Unfortunately, in the case of AR routers, you have to go on-site to connect a packet analyser (for example Wireshark). Unlike NE routers, AR routers do not support remote mirroring.

There are two types of mirroring on AR routers:

  • port mirroring

Port mirroring copies all packets from the mirroring port to another port, which is called the monitor port. The monitor port is the port to which the monitoring device is connected. AR routers support local port mirroring in the inbound and outbound directions.

  • traffic mirroring

Traffic mirroring copies packets selected by a QoS policy and sends them to a specific interface for analysis. Traffic mirroring is supported on AR29 and AR49 routers.

Example of port mirroring configuration (system-view):

Create a local mirroring group:

[labnario] mirroring-group 1 local

Configure mirroring port (source port):

[labnario] mirroring-group 1 mirroring-port ethernet 1/2 inbound

Finally configure monitor port for local mirroring group:

[labnario] mirroring-group 1 monitor-port ethernet 1/1

Connect a packet analyser to ethernet 1/1 and capture packets.

You can also configure port mirroring in interface view. The result is the same.

Example of traffic mirroring configuration:

Let’s assume that we have a host, with IP 10.255.1.10, connected to interface ethernet 1/2 of AR29 router. What we want to do is to monitor all packets being received from this host. As monitor port we will use interface ethernet 1/3.

Create ACL to permit all packets from source IP address 10.255.1.10:

[labnario] acl number 2100
[labnario-acl-basic-2100] rule permit source 10.255.1.10 0

Configure a traffic classifier that matches ACL 2100:

[labnario] traffic classifier mirroring
[labnario-classifier-mirroring] if-match acl 2100

Configure a traffic behavior that mirrors traffic to interface ethernet 1/3:

[labnario] traffic behavior mirroring
[labnario-behavior-mirroring] mirror-to interface ethernet 1/3

Bind the traffic classifier to the traffic behavior to create a QoS policy, and apply this policy to ethernet 1/2 in the inbound direction:

[labnario] qos policy mirroring
[labnario-qospolicy-mirroring] classifier mirroring behavior mirroring
[labnario-qospolicy-mirroring] quit
[labnario] interface ethernet 1/2
[labnario-Ethernet1/2] qos apply policy mirroring inbound

Connect a packet analyser to ethernet 1/3 and capture packets.
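A mirror session copies traffic to a physical port, so it is worth listing every session a configuration contains and removing those left behind after troubleshooting. The following is an added example, not code from the original post: it follows both configurations above (the mirroring group, and the ACL, classifier, behavior, policy and interface chain) and reports the source, direction, monitor port and match for each. The sample text is constructed from the commands above without prompts, and the one-command-per-line layout with indented sub-view lines is an assumption.

```python
import re

# Constructed sample: this post's commands without prompts; sub-view lines indented (assumed layout).
SAMPLE = """\
mirroring-group 1 local
mirroring-group 1 mirroring-port ethernet 1/2 inbound
mirroring-group 1 monitor-port ethernet 1/1
acl number 2100
 rule permit source 10.255.1.10 0
traffic classifier mirroring
 if-match acl 2100
traffic behavior mirroring
 mirror-to interface ethernet 1/3
qos policy mirroring
 classifier mirroring behavior mirroring
interface ethernet 1/2
 qos apply policy mirroring inbound
"""


def mirror_sessions(config):
    """Return (kind, source, direction, monitor_port, match) for each mirror found."""
    groups, classifiers, behaviors, policies, applied = {}, {}, {}, {}, []
    view = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            view = line  # an unindented line opens a new view
        if m := re.fullmatch(r"mirroring-group (\d+) mirroring-port (.+) (inbound|outbound)", line):
            groups.setdefault(m[1], {})["src"] = (m[2], m[3])
        elif m := re.fullmatch(r"mirroring-group (\d+) monitor-port (.+)", line):
            groups.setdefault(m[1], {})["dst"] = m[2]
        elif m := re.fullmatch(r"if-match (acl \d+)", line):
            classifiers[view.removeprefix("traffic classifier ")] = m[1]
        elif m := re.fullmatch(r"mirror-to interface (.+)", line):
            behaviors[view.removeprefix("traffic behavior ")] = m[1]
        elif m := re.fullmatch(r"classifier (\S+) behavior (\S+)", line):
            policies.setdefault(view.removeprefix("qos policy "), []).append((m[1], m[2]))
        elif m := re.fullmatch(r"qos apply policy (\S+) (inbound|outbound)", line):
            applied.append((view.removeprefix("interface "), m[1], m[2]))
    # A group with no monitor port is reported with monitor_port None (incomplete session).
    out = [("port", *g.get("src", (None, None)), g.get("dst"), "all packets")
           for _, g in sorted(groups.items())]
    for iface, policy, direction in applied:
        for cls, beh in policies.get(policy, []):
            if beh in behaviors:  # skip behaviors that do not mirror
                out.append(("traffic", iface, direction, behaviors[beh], classifiers.get(cls)))
    return out
```

Calling mirror_sessions(SAMPLE) returns one port session (ethernet 1/2 inbound to ethernet 1/1) and one traffic session (ethernet 1/2 inbound to ethernet 1/3, matching acl 2100).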
