Friday, December 27 2024

bootrom update on Huawei S5300 switch

Some time ago I had a case with a damaged file system on a Huawei S5300 switch. It had been caused by a power failure at one site. The switch was not able to decompress the VRP software and rebooted itself all the time.

BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
(Ver107, Jan 18 2011, 22:52:53)

Press Ctrl+B to enter BOOTROM menu... 1
Auto-booting...
Update Epld file ............................ None
Decompressing VRP software ..................

BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
(Ver107, Jan 18 2011, 22:52:53)

Press Ctrl+B to enter BOOTROM menu... 1
Auto-booting...
Update Epld file ............................ None
Decompressing VRP software ..................

To reactivate this switch we decided to upload a new software file to the flash of the switch. There was not enough space to do it, so formatting the flash was necessary.

Press Ctrl+B to enter BOOTROM menu...
password: 
          BOOTROM  MENU
    1. Boot with default mode
    2. Enter serial submenu
    3. Enter startup submenu
    4. Enter ethernet submenu
    5. Enter filesystem submenu
    6. Modify BOOTROM password
    7. Reboot

Enter your choice(1-7): 5

         FILESYSTEM SUBMENU

    1. Erase Flash            
    2. Format flash           
    3. Delete file from Flash 
    4. Rename file from Flash 
    5. Display Flash files    
    6. Update EPLD file       
    7. Update FansCard File   
    8. Return to main menu    

Enter your choice(1-8): 5
No. File Size(bytes)     Created Date       File Name
=================================================================                    
6:  14139156 bytes   Apr 26 2013 00:20:11   s5300ei-v200r001c00spc300.cc        
7:  384384   bytes   Oct 01 2008 00:12:05   bootrom009.bin                      
8:  15355    bytes   Oct 28 2013 12:36:13   vrpcfg.cfg                                        
11:  11113860 bytes   Apr 24 2013 14:37:10   s5300ei-v100r005c01spc100.cc        
12:  58044    bytes   Apr 26 2013 00:13:51   s5300ei-v200r001sph006.pat                   
Total: 30008KB(Free: 4240KB)

 FILESYSTEM SUBMENU

    1. Erase Flash            
    2. Format flash           
    3. Delete file from Flash 
    4. Rename file from Flash 
    5. Display Flash files    
    6. Update EPLD file       
    7. Update FansCard File   
    8. Return to main menu    

Enter your choice(1-8): 2

Note: Format flash will damage Flash file system.
      Format flash? Yes or No(Y/N): y

Formatting Flash, please waiting several minutes ............................................................................................................................................................. done

Let’s look at the free space on the flash memory:

FILESYSTEM SUBMENU

    1. Erase Flash            
    2. Format flash           
    3. Delete file from Flash 
    4. Rename file from Flash 
    5. Display Flash files    
    6. Update EPLD file       
    7. Update FansCard File   
    8. Return to main menu    

Enter your choice(1-8): 5
No. File Size(bytes)     Created Date       File Name
=================================================================
Total: 30008KB(Free: 30000KB)

The memory has been freed.

Gladly, we started loading the new VRP file to the flash by FTP. How to upload a new file to the S5300 is described in the article “console password recovery Huawei S5300”.

And then we encountered the second problem. We were not able to upload this file due to a lack of free space on the flash memory, even though it had been formatted. To solve this problem we decided to update the bootrom. Below is the whole procedure for doing this:

BOOTROM  MENU

    1. Boot with default mode
    2. Enter serial submenu
    3. Enter startup submenu
    4. Enter ethernet submenu
    5. Enter filesystem submenu
    6. Modify BOOTROM password
    7. Reboot

Enter your choice(1-7): 4

          ETHERNET  SUBMENU

    1. Download file to SDRAM through ethernet interface and reboot the system
    2. Download file to Flash through ethernet interface
    3. Modify ethernet interface boot parameter
    4. Return to main menu

Be sure to select 3 to modify boot parameter before downloading!

Enter your choice(1-4): 3

          BOOTLINE  SUBMENU

    1. Set TFTP protocol parameters
    2. Set FTP protocol parameters
    3. Return to ethernet menu

Enter your choice(1-3): 2
'.' = clear field;  '-' = go to previous field;  ^D = quit
Load File name      : SV100R002C02B152_for_5300.cc S5300EI-bootrom.bin
Switch IP address   : 192.168.130.53 
Server IP address   : 192.168.130.137 
FTP User Name       : a huawei
FTP User Password   : a huawei

Starting to write BOOTLINE into flash ... done

           BOOTLINE  SUBMENU

    1. Set TFTP protocol parameters
    2. Set FTP protocol parameters
    3. Return to ethernet menu

Enter your choice(1-3): 3

          ETHERNET  SUBMENU

    1. Download file to SDRAM through ethernet interface and reboot the system
    2. Download file to Flash through ethernet interface
    3. Modify ethernet interface boot parameter
    4. Return to main menu

Be sure to select 3 to modify boot parameter before downloading!
Enter your choice(1-4): 1
boot device          : mottsec
unit number          : 0 
processor number     : 0 
host name            : host
file name            : S5300EI-bootrom.bin
inet on ethernet (e) : 192.168.130.53
host inet (h)        : 192.168.130.137
user (u)             : huawei
ftp password (pw)    : huawei
flags (f)            : 0x0 

Attached TCP/IP interface to mottsec0.
Warning: no netmask specified.
Attaching network interface lo0... done.
Loading... 
Read file to sdram .Done
Warning: Don't Power-off or Reset the Device!!!
Update bootrom system ... done !

           ETHERNET  SUBMENU

    1. Download file to SDRAM through ethernet interface and reboot the system
    2. Download file to Flash through ethernet interface
    3. Modify ethernet interface boot parameter
    4. Return to main menu

Enter your choice(1-4): 4

          BOOTROM  MENU

    1. Boot with default mode
    2. Enter serial submenu
    3. Enter startup submenu
    4. Enter ethernet submenu
    5. Enter filesystem submenu
    6. Modify BOOTROM password
    7. Reboot

Enter your choice(1-7): 7
Reboot...

The bootrom has been updated.

After the update you can see that the command for updating the bootrom has also been changed. It looks more intuitive now:

BOOTROM  MENU

    1. Boot with default mode
    2. Enter serial submenu
    3. Enter startup submenu
    4. Enter ethernet submenu
    5. Enter filesystem submenu
    6. Modify BOOTROM password
    7. Clear password for console user 
    8. Reboot

Enter your choice(1-8): 4

          ETHERNET  SUBMENU

    1. Update BOOTROM system
    2. Download file to Flash through ethernet interface
    3. Upload Configuration file to Ftp through ethernet interface
    4. Modify ethernet interface boot parameter
    5. Return to main menu

Be sure to select 4 to modify boot parameter before downloading!
Enter your choice(1-5):

After the bootrom update there was no problem uploading the new VRP software file to the switch’s flash memory.

source interfaces for management communication

As you know, when configuring management services on Huawei devices, you can add a source interface or IP address for transmitting packets. This is an optional configuration. Below you can find the configuration syntax for source interfaces in management communication. If you find that anything else should be added to this list, just let me know.

Info-center source:

[labnario]info-center loghost source ?
  Aux              AUX interface
  Eth-Trunk        Ethernet Trunk interface
  GigabitEthernet  GigabitEthernet interface
  LoopBack         LoopBack interface
  NULL             NULL interface
  Pos              POS interface

Radius server source:

[labnario-radius-test]radius-server source interface ?
  Eth-Trunk        Ethernet Trunk interface
  GigabitEthernet  GigabitEthernet interface
  LoopBack         LoopBack interface
  Pos              POS interface

HWtacacs server source:

[labnario-hwtacacs-test]hwtacacs-server source-ip ?
  X.X.X.X  IP address

FTP server source:

[labnario]ftp server-source ?
  -a  Set the FTP server source address
  -i  Set a source interface of an FTP server

FTP client source:

[labnario]ftp client-source ?
  -a  Set the FTP client source
  -i  Set loopback for FTP client source interface

TFTP client source:

[labnario]tftp client-source ?
  -a  Set TFTP client's source address
  -i  Configure the source interface of a TFTP client

Telnet server source:

[labnario]telnet server-source -i ?
  Loopback  Interface type

Telnet client source:

[labnario]telnet client-source ?
  -a  Set TELNET client's source address
  -i  Configure the source interface of a TELNET client

SSH server source:

[labnario]ssh server-source -i ?
  Loopback  Interface type

SNMP source:

[labnario]snmp-agent trap source ?
  Atm-Trunk         ATM Trunk interface
  Aux               AUX interface
  Cpos-Trunk        CPOS Trunk interface
  Eth-Trunk         Ethernet Trunk interface
  GigabitEthernet   GigabitEthernet interface
  Global-Mp-Group   Global-Mp-group interface
  Ima-group         ATM IMA interface
  Ip-Trunk          IP Trunk interface
  Logic-Channel     Logic tunnel interface
  LoopBack          LoopBack interface
  MTunnel           MTunnel interface
  Mp-group          Mp-group interface
  Pos               POS interface
  Ring-if           RPR logic interface
  Tunnel            Tunnel interface
  Virtual-Ethernet  Virtual ethernet interface
  Virtual-Template  Virtual template interface
  Vlanif            Vlan interface

NTP source:

[labnario]ntp-service source-interface ?
  Aux              AUX interface
  Eth-Trunk        Ethernet Trunk interface
  GigabitEthernet  GigabitEthernet interface
  LoopBack         LoopBack interface
  NULL             NULL interface
  Pos              POS interface


from Huawei CLI – upgrade rollback …

As I am in the process of upgrading Huawei ATN950B routers, I decided to describe a very useful command, supported by carrier-class routers like the NE40E, CX600 and ATN950B: “upgrade rollback enable rollback-timer time”.

When you are doing an upgrade, there is always a small risk that something goes wrong and you will lose the router, I mean it will fall out of management. To minimize this risk, you can use the command in question.

Let’s look at the upgrade procedure:

<labnario>startup system-software v200r002c00spc300.cc
Info: Succeeded in setting the software for booting system.
<labnario>startup system-software v200r002c00spc300.cc slave-board
Info: Succeeded in setting the software for booting system.

<labnario>startup patch v200r002sph008.pat
Info: Succeeded in setting main board resource file for system.
<labnario>startup patch v200r002sph008.pat slave-board
Info: Succeeded in setting slave board resource file for system.

<labnario>display startup
MainBoard:
  Configured startup system software:        cfcard:/v200r001c02spc300.cc
  Startup system software:                   cfcard:/v200r001c02spc300.cc
  Next startup system software:              cfcard:/v200r002c00spc300.cc
  Startup saved-configuration file:          cfcard:/vrpcfg.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     cfcard:/v200r001sph005.pat
  Next startup patch package:                cfcard:/v200r002sph008.pat
SlaveBoard:
  Configured startup system software:        cfcard:/v200r001c02spc300.cc
  Startup system software:                   cfcard:/v200r001c02spc300.cc
  Next startup system software:              cfcard:/v200r002c00spc300.cc
  Startup saved-configuration file:          cfcard:/vrpcfg.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     cfcard:/v200r001sph005.pat
  Next startup patch package:                cfcard:/v200r002sph008.pat
<labnario>check startup next
Main board:
Check startup software.......ok
Check configuration file.....ok
Check PAF....................ok
Check License................ok
Check Patch..................ok
PAF is fitted with startup software
License is fitted with startup software
Patch is fitted with startup software
Slave board:
Check startup software.......ok
Check configuration file.....ok
Check PAF....................ok
Check License................ok
Check Patch..................ok
PAF is fitted with startup software
License is fitted with startup software
Patch is fitted with startup software
Startup software in slave board is fitted with main board.

<labnario>upgrade rollback enable rollback-timer 30
Info:The state of upgrade rollback is enable. Limit time is 30 minutes.
If no User cancels the function, the main MPU will restart by the bootfile cfcard:/v200r001c02spc300.cc.The slave MPU will restart by the bootfile cfcard:/v200r001c02spc300.cc.

<labnario>display upgrade rollback
Info:The state of upgrade rollback is enable. Limit time is 30 minutes.
If no User cancels the function, the main MPU will restart by the bootfile cfcard:/v200r001c02spc300.cc.The slave MPU will restart by the bootfile cfcard:/v200r001c02spc300.cc.

<labnario>reboot

By default, the version rollback function is disabled. During the upgrade, before restarting the ATN 950B, you can run the upgrade rollback enable command to specify the period from the time when the system software is restarted to the time when the ATN 950B performs the rollback. If, during the specified period, you neither telnet to the ATN 950B nor run the undo upgrade rollback command from a PC connected to the ATN 950B through the serial port, the ATN 950B will perform the rollback.

After the upgrade rollback enable command has been run to enable the version rollback function for the ATN 950B, you can disable the function after telnetting to the ATN 950B:

<labnario>display upgrade rollback
Info:The state of upgrade rollback is disable.

As you can see, version rollback was automatically disabled after you entered the router by telnet.

If you log in to ATN 950B through a serial port, you need to run the undo upgrade rollback command to disable the function. Otherwise, the router will perform the rollback.

<labnario>undo upgrade rollback
Info:The state of upgrade rollback is disable.
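
The pre-reboot state shown above can also be checked by a script before `reboot` is issued. This is an added example, not part of the original post: the function names are hypothetical, the sample text is constructed from the outputs above, and it assumes the two command outputs have already been captured as strings.

```python
import re

# Constructed sample, shortened from the 'display startup' output in the post.
STARTUP = """\
MainBoard:
  Startup system software:                   cfcard:/v200r001c02spc300.cc
  Next startup system software:              cfcard:/v200r002c00spc300.cc
  Startup patch package:                     cfcard:/v200r001sph005.pat
  Next startup patch package:                cfcard:/v200r002sph008.pat
SlaveBoard:
  Startup system software:                   cfcard:/v200r001c02spc300.cc
  Next startup system software:              cfcard:/v200r002c00spc300.cc
  Startup patch package:                     cfcard:/v200r001sph005.pat
  Next startup patch package:                cfcard:/v200r002sph008.pat
"""
ROLLBACK = "Info:The state of upgrade rollback is enable. Limit time is 30 minutes."

def parse_startup(text):
    """Return {board: {field: value}} from 'display startup' output."""
    boards, board = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and re.fullmatch(r"\S+:", line.strip()):
            board = boards.setdefault(line.strip()[:-1], {})   # e.g. "MainBoard"
        elif board is not None and ":" in line:
            key, value = line.split(":", 1)    # the value itself contains "cfcard:/"
            board[key.strip()] = value.strip()
    return boards

def precheck(startup_text, rollback_text):
    """Return reasons not to reboot yet; an empty list means the checks passed."""
    boards = parse_startup(startup_text)
    if not boards:
        return ["no board sections found in 'display startup' output"]
    problems = []
    for field in ("Next startup system software", "Next startup patch package"):
        values = {name: b.get(field) for name, b in boards.items()}
        if len(set(values.values())) != 1:
            problems.append(f"{field} differs between boards: {values}")
    for name, b in boards.items():
        if b.get("Next startup system software") == b.get("Startup system software"):
            problems.append(f"{name}: next startup software equals running software")
    m = re.search(r"rollback is (\w+)", rollback_text)
    if not m or m.group(1) != "enable":
        problems.append("upgrade rollback is not enabled")
    return problems

if __name__ == "__main__":
    print(precheck(STARTUP, ROLLBACK) or "safe to reboot")
```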


HWTACACS configuration on Huawei device

Let’s look at a typical configuration of an HWTACACS server on a Huawei device:

#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa 
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin  
  authentication-scheme hwtacacs 
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa

What do we have to do to configure HWTACACS AAA?
  • Configure an HWTACACS server template.
  • Configure authentication, authorization, and accounting schemes.
  • Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to the domain.

To ensure redundancy we can configure a secondary HWTACACS server:

#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.11.1 secondary
 hwtacacs-server authorization 172.16.11.1 secondary
 hwtacacs-server accounting 172.16.11.1 secondary

In such a case, if the primary server is not available, the secondary server is used.

Let’s look at the AAA schemes. As you can see, there are backups for authentication and authorization. If HWTACACS authentication fails, local authentication is used. We have the same situation for HWTACACS authorization.

But what happens if accounting fails?

It is not possible to configure a backup for accounting. We have 3 options: HWTACACS, local or RADIUS. But only one of them can be selected.

Let’s assume that you use accounting like in the configuration above. After an accounting scheme is applied, if a user goes online, the device sends an accounting-start packet to an accounting server. When the network is working properly, the accounting server responds to the accounting-start packet. If a fault occurs in the network, the device may not receive the response packet from the accounting server. As a result, accounting fails. Finally, when you try to log in as the local user labnario, you are immediately disconnected with the message:

The connection was closed by the remote host.

Of course, there is a way out of this situation: the “accounting start-fail online” command.

The final backup configuration of AAA should look like:

# 
aaa 
 authentication-scheme hwtacacs 
  authentication-mode hwtacacs local 
 authorization-scheme hwtacacs 
  authorization-mode hwtacacs local 
 accounting-scheme hwtacacs 
  accounting-mode hwtacacs 
  accounting start-fail online
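
The lockout conditions described above can be checked offline against a saved configuration. This is an added example, not part of the original post: the function names are hypothetical, the sample is constructed from the configuration above, and it assumes the one-space-per-level indentation shown in the post.

```python
import re

# Constructed sample: the AAA section from the post, before start-fail is added.
SAMPLE = """\
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
"""

def parse_schemes(config):
    """Return {(kind, name): [option lines]} for scheme blocks defined under 'aaa'."""
    schemes, current, in_aaa = {}, None, False
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                      # top-level keyword or '#' separator
            in_aaa, current = (text == "aaa"), None
        elif in_aaa and indent == 1:         # scheme definition, or domain/local-user
            m = re.match(r"(authentication|authorization|accounting)-scheme (\S+)$", text)
            current = schemes.setdefault((m.group(1), m.group(2)), []) if m else None
        elif in_aaa and current is not None:  # option line inside a scheme block
            current.append(text)
    return schemes

def audit(config):
    """List lockout risks: no local fallback, or HWTACACS accounting without start-fail online."""
    findings = []
    for (kind, name), opts in sorted(parse_schemes(config).items()):
        mode = next((o.split()[1:] for o in opts if o.startswith(kind + "-mode ")), [])
        if kind in ("authentication", "authorization"):
            if "hwtacacs" in mode and "local" not in mode:
                findings.append(f"{kind}-scheme {name}: no local fallback")
        elif "hwtacacs" in mode and "accounting start-fail online" not in opts:
            findings.append(f"accounting-scheme {name}: start-fail online not set")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With start-fail online set, a session proceeds even though no accounting-start record was acknowledged, so reachability of the accounting server is worth monitoring separately.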


Huawei eNSP – news

A new version of the Huawei network simulation platform has been released. The new eNSP supports the AC6605 POE feature. Besides that, a few bugs have been fixed, among others the (often reported) firewall crash when running on Win8 and Win8.1.
