How To Configure Inband Management For Huawei MA5616?
This topic describes how to log in to the MA5616 through an upstream port
(the inband management port) using Telnet or Secure Shell (SSH) for inband
management. SSH provides authentication, encryption, and authorization to
secure network communication. When a user logs in to the Huawei SmartAX mini
DSLAM MA5616 remotely over an insecure network, SSH provides security
guarantees and strong authentication that protect the MA5616 against attacks
such as IP address spoofing and interception of plaintext passwords. SSH mode
is recommended.
Prerequisites
You must be logged in to the system through a local serial port.
The IP address of the maintenance terminal must be properly configured.
NOTE:
In the following operations, the configurations of the MA5616 must be performed
through a local serial port.
In inband management mode, use either of the following isolation mechanisms to
separate the management channel from the data channel:
1. ACL: Configure a firewall using an ACL so that only specific IP addresses,
such as the IP address of the NMS, can be used to log in to the MA5616.
2. VLAN: Ensure that the management VLAN is different from the service
VLAN. In addition, do not add a service port to the management VLAN.
Networking - LAN
Figure 1 shows an example network for configuring inband management over a
LAN.
Figure 1 Example network for configuring inband management over a LAN
Data Plan - LAN
Table 1 and Table 2 provide the data plan for configuring inband management over a
LAN.
Table 1 Data plan for configuring inband management over a LAN in the telnet mode
Item Data
Table 2 Data plan for configuring inband management over a LAN in the SSH mode
Item Data
Networking - WAN
Figure 2 shows an example network for configuring inband management over a
WAN.
Figure 2 Example network for configuring inband management over a WAN
Item Data
Table 4 Data plan for configuring inband management over a WAN in the SSH mode
Item Data
Table 3 Data plan for configuring inband management over a WAN in the telnet mode
Item Data
Authority: Operator
Permitted reenter number: 4
Configuration Flowchart
Figure 3 and Figure 4 show the flowchart for configuring inband management.
Figure 3 Flowchart for configuring inband management in the telnet mode
NOTE:
The blue-shaded configuration procedures are the differences between the SSH
mode and the Telnet mode.
Procedure
Set up the configuration environment.
Figure 1 or Figure 2 shows how to set up the configuration environment according to
the actual requirements and conditions.
Configure the IP address of the VLAN L3 interface.
Run the vlan command to create a VLAN.
huawei(config)#vlan 30 smart
Run the port vlan command to add an upstream port to the VLAN.
huawei(config)#port vlan 30 0/0 1
In the VLANIF mode, run the ip address command to configure the IP address
and subnet mask of the VLAN L3 interface.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.10.20.2 255.255.255.0
huawei(config-if-vlanif30)#quit
Add a route.
If the configuration environment is set up as shown in Figure 1, you need not add
a route.
If the remote WAN management environment is set up as shown in Figure 2, run
the ip route-static command to add a route to the next hop.
huawei(config)#ip route-static 10.10.21.0 24 10.10.20.3
Save the data.
Run the save command to save the data.
huawei(config)#save
NOTICE:
The prerequisite for the login through SSH is that the local RSA key pair must be
configured and generated. Therefore, before performing other SSH configurations,
make sure that the local RSA key pair is generated.
huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..++++++++++++
....................++++++++++++
...............................++++++++
...........++++++++
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.
Generate the RSA public key.
Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the
cursor according to the prompt on the interface to generate the client key, as shown
in Figure 7.
Figure 7 Interface of the key generator
Click Save public key and Save private key to save the public key and the private key
respectively after they are generated, as shown in Figure 8.
Figure 8 Save the public key and the private key
Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding
step. Then, click Convert to change the client public key to the RSA public key, as
shown in Figure 9.
Figure 9 Interface of converting the client public key to the RSA public key
Generate the public key for the SSH user.
Create the RSA public key. Copy the RSA public key to the server in the
config-rsa-key-code command line mode.
huawei(config)#rsa peer-public-key key
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C
3F8A3085 51EDB5C7
huawei(config-rsa-key-code)#public-key-code end
huawei(config-rsa-public-key)#peer-public-key end
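The device states that a peer public key must be between 769 and 2048 bits, so the key saved from the key generator can be checked before it is converted and pasted. The following Python sketch is an added example, not part of the original document or of any Huawei tool; it assumes the public key was saved in the standard SSH2 public key file format (RFC 4716) or the OpenSSH one-line form, and the sample key it builds is constructed and is not a usable RSA key.

```python
import base64

MIN_BITS, MAX_BITS = 769, 2048  # range the MA5616 prints (taken from the page)

def _field(blob, off):
    """Read one RFC 4253 length-prefixed field; return (bytes, next_offset)."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def extract_blob(text):
    """Decode the key blob from an RFC 4716 file or an OpenSSH one-line key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return base64.b64decode(lines[0].split()[1], validate=True)
    body, cont = [], False
    for ln in lines[1:]:
        if ln.startswith("---- END"):
            break
        is_header = cont or ":" in ln      # "Tag: value", may continue with "\"
        cont = is_header and ln.endswith("\\")
        if not is_header:
            body.append(ln)
    return base64.b64decode("".join(body), validate=True)

def rsa_modulus_bits(text):
    """Return the RSA modulus size in bits of an SSH-2 public key file."""
    blob = extract_blob(text)
    algo, off = _field(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("not an SSH-2 RSA key: %r" % algo)
    _exponent, off = _field(blob, off)
    modulus, _ = _field(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def accepted_by_device(text):
    return MIN_BITS <= rsa_modulus_bits(text) <= MAX_BITS

def constructed_key(bits):
    """Constructed sample: well-formed file, modulus is NOT a usable RSA key."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
        return len(raw).to_bytes(4, "big") + raw
    blob = b"\x00\x00\x00\x07ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    b64 = base64.b64encode(blob).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "constructed-sample"\n'
            + rows + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Call `accepted_by_device()` with the text of the saved public key file; a 4096-bit key, for example, falls outside the stated range and should be regenerated at a supported size.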
Log in to the system.
Choose Session from the navigation tree, and then input the IP address of
the MA5616 in the Host Name (or IP address) field, as shown in Figure 11. Then,
click Open to log in to the system.
NOTE:
The port shown in Figure 11 generally uses the default number 22. You can also
run the display sysman service state command to query the port and then
configure it.
Figure 11 Interface for logging in to the system using the SSH client software
The user authentication mode is set to the RSA authentication mode, and the system
therefore displays the prompt, as shown in Figure 12. Input the user name to log in to
the system (here, the user name is huawei).
Figure 12 Interface for logging in to the system using the SSH client software
Result
After logging in to the MA5616, you can manage the MA5616.
For more information about technical support, you can consult our engineers at
the following e-mail address:
support@huanetwork.com