Saturday, November 18 2017

configuring SNMPv3 on Huawei devices

The SNMPv1 and SNMPv2c security model uses community-based pseudo-authentication: a password (called a community string) is sent in clear text between the network management station and the managed devices. Both SNMPv1 and v2c are subject to packet sniffing because they do not implement encryption. Security has been the biggest weakness of SNMP from the beginning. More about SNMPv2c concepts, operation and configuration can be found in “SNMPv2c configuration on Huawei devices“.

What if we want SNMP to be used over a public network?

SNMPv3 can be implemented. It provides important security features that are not available in SNMPv1 or v2c:

  • Confidentiality – encryption of packets to prevent snooping by an unauthorized source
  • Integrity – to ensure that a packet has not been tampered with in transit, with optional packet replay protection
  • Authentication – to verify that a packet comes from a valid source.

Read More »

bootrom update on Huawei S5300 switch

Some time ago I had a case with a damaged file system on a Huawei S5300 switch. It had been caused by a power failure at one site. The switch was not able to decompress the VRP software and kept rebooting itself.

BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
(Ver107, Jan 18 2011, 22:52:53)

Press Ctrl+B to enter BOOTROM menu... 1
Auto-booting...
Update Epld file ............................ None
Decompressing VRP software ..................

BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
(Ver107, Jan 18 2011, 22:52:53)

Press Ctrl+B to enter BOOTROM menu... 1
Auto-booting...
Update Epld file ............................ None
Decompressing VRP software ..................

Read More »

source interfaces for management communication

As you know, when configuring management services on Huawei devices you can specify a source interface or IP address for the packets the device sends. This is an optional configuration. Below you can find the configuration syntax for source interfaces in management communication. If you think anything else should be added to this list, just let me know.

Info-center source:
[labnario]info-center loghost source ?
  Aux              AUX interface
  Eth-Trunk        Ethernet Trunk interface
  GigabitEthernet  GigabitEthernet interface
  LoopBack         LoopBack interface
  NULL             NULL interface
  Pos              POS interface
Radius server source:
[labnario-radius-test]radius-server source interface ?
  Eth-Trunk        Ethernet Trunk interface
  GigabitEthernet  GigabitEthernet interface
  LoopBack         LoopBack interface
  Pos              POS interface

Read More »

from Huawei CLI – upgrade rollback …

As I am in the process of upgrading Huawei ATN950B routers, I decided to describe a very useful command, supported by carrier-class routers like NE40E, CX600 and ATN950B: “upgrade rollback enable rollback-timer time”.

When you are doing an upgrade, there is always a small risk that something goes wrong and you lose the router, meaning it falls out of management. To minimize that risk, you can use the command in question.

Let’s look at the upgrade procedure:

<labnario>startup system-software v200r002c00spc300.cc
Info: Succeeded in setting the software for booting system.
<labnario>startup system-software v200r002c00spc300.cc slave-board
Info: Succeeded in setting the software for booting system.

<labnario>startup patch v200r002sph008.pat
Info: Succeeded in setting main board resource file for system.
<labnario>startup patch v200r002sph008.pat slave-board
Info: Succeeded in setting slave board resource file for system.

Read More »

HWTACACS configuration on Huawei device

Let’s look at a typical configuration of an HWTACACS server on a Huawei device:

#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa 
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin  
  authentication-scheme hwtacacs 
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa
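The following audit script, an added example that is not labnario’s or Huawei’s code, ties together the SNMPv3 section above and the HWTACACS configuration just shown. It parses a VRP configuration into its “#”-delimited stanzas and flags the weaknesses the page describes: SNMPv1/v2c communities (or SNMPv3 groups without privacy), users allowed to log in over clear-text telnet or ftp, a VTY without “protocol inbound ssh”, and an HWTACACS template missing its shared key or source-ip (the source-address point from the “source interfaces” section). The two sample configurations embedded in it are constructed; their SNMPv3 and VTY commands follow S-series VRP syntax of that era and are assumptions, as is the default that a VTY without “protocol inbound ssh” also accepts telnet.

```python
"""Audit a Huawei VRP configuration for the management-plane weaknesses this page
discusses (SNMPv1/v2c communities, SNMPv3 groups without privacy, clear-text
management services, HWTACACS templates without shared key or source-ip).
Added example, not labnario's or Huawei's code; samples are constructed and
follow S-series VRP syntax of that era, which is an assumption."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)
# Constructed sample: SNMPv2c with a well-known community, telnet/ftp allowed, VTY open to any protocol.
WEAK_CONFIG = """\
#
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read public
#
aaa
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa
#
"""

# Constructed sample: SNMPv3 authPriv (SHA + AES128), HWTACACS with shared key, source-ip and
# local fallback, SSH only. <cipher-text> stands for the device-encrypted secret.
HARDENED_CONFIG = """\
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent mib-view included labnario-view iso
snmp-agent group v3 labnario-group privacy read-view labnario-view write-view labnario-view
snmp-agent usm-user v3 labnario-user labnario-group authentication-mode sha cipher <cipher-text> privacy-mode aes128 cipher <cipher-text>
#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher <cipher-text>
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 local-user labnario service-type ssh terminal
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

SNMP_VERSION = re.compile(r"^snmp-agent sys-info version\s+(.+)$")
SNMP_COMMUNITY = re.compile(r"^snmp-agent community\s+(read|write)\b")
SNMP_V3_GROUP = re.compile(r"^snmp-agent group v3\s+(\S+)(?:\s+(authentication|privacy))?")
SERVICE_TYPE = re.compile(r"^local-user\s+(\S+)\s+service-type\s+(.+)$")
AUTH_MODE = re.compile(r"^authentication-mode\s+(.+)$")
CLEAR_TEXT_SERVICES = {"telnet", "ftp"}

def stanzas(config: str) -> List[Tuple[str, List[str]]]:
    # Split into (header, body) per '#'-delimited stanza; indentation is dropped.
    out: List[Tuple[str, List[str]]] = []
    block: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                out.append((block[0], block[1:]))
            block = []
        elif line:
            block.append(line)
    if block:
        out.append((block[0], block[1:]))
    return out

def audit(config: str) -> List[Finding]:
    """Return (severity, message) findings; only 'info' entries means the config is clean."""
    findings: List[Finding] = []
    for header, body in stanzas(config):
        for line in [header] + body:
            m = SNMP_VERSION.match(line)
            if m and (weak := set(m.group(1).split()) & {"v1", "v2c", "all"}):
                findings.append(("high", "SNMP %s enabled: community string travels in clear text" % " ".join(sorted(weak))))
            if SNMP_COMMUNITY.match(line):
                findings.append(("high", "SNMPv1/v2c community configured: " + line))
            m = SNMP_V3_GROUP.match(line)
            if m and m.group(2) != "privacy":  # no keyword means noAuthNoPriv
                findings.append(("high", "SNMPv3 group %s is %s: no encryption" % (m.group(1), m.group(2) or "noAuthNoPriv")))
            m = SERVICE_TYPE.match(line)
            if m and (clear := set(m.group(2).split()) & CLEAR_TEXT_SERVICES):
                findings.append(("medium", "user %s may log in over clear-text %s" % (m.group(1), " ".join(sorted(clear)))))
        if header.startswith("user-interface vty") and not any(b.startswith("protocol inbound ssh") for b in body):
            # Assumption: without 'protocol inbound ssh' the VTY also accepts telnet (older VRP default).
            findings.append(("medium", header + ": 'protocol inbound ssh' missing, telnet may be accepted"))
        if header.startswith("hwtacacs-server template"):
            if not any(b.startswith("hwtacacs-server shared-key") for b in body):
                findings.append(("high", header + ": no shared-key configured"))
            if not any(b.startswith("hwtacacs-server source-ip") for b in body):
                findings.append(("low", header + ": no source-ip, requests leave via whichever interface routes to the server"))
        if header == "aaa":
            for b in body:
                m = AUTH_MODE.match(b)
                if m and {"hwtacacs", "local"} <= set(m.group(1).split()):
                    findings.append(("info", "authentication falls back to local users when the HWTACACS server is unreachable"))
    return findings
```

Run audit() on the output of “display current-configuration” saved to a file; the weak sample yields two high and two medium findings, the hardened one only the informational note that “authentication-mode hwtacacs local” keeps local accounts as a fallback, which is intended (it is what lets you in when the HWTACACS server is unreachable) but worth knowing about.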

Read More »