Huawei MA5616?
This topic describes how to log in to the MA5616 in Telnet or Secure Shell (SSH)
mode through an upstream port (inband management port) of the MA5616 for inband
management. SSH provides authentication, encryption, and authorization to secure
network communication. When a user logs in to the Huawei SmartAX mini DSLAM
MA5616 remotely over an insecure network, SSH provides strong authentication and
protects the MA5616 against attacks such as IP address spoofing and interception
of plain-text passwords. The SSH mode is recommended.
Prerequisites
You must be logged in to the system through a local serial port.
The IP address of the maintenance terminal must be properly configured.
NOTE:
In the following operations, the configurations of the MA5616 must be performed
through a local serial port.
In inband management mode, use either of the following isolation mechanisms to
separate the management channel from the data channel:
1. ACL: Configure the firewall through an ACL so that only specific IP addresses,
such as the IP address of the NMS, can be used to log in to the MA5616.
2. VLAN: Ensure that the management VLAN is different from the service
VLAN. In addition, do not add a service port to the management VLAN.
Networking - LAN
Figure 1 shows an example network for configuring inband management over a
LAN.
Figure 1 Example network for configuring inband management over a LAN
Item: Upstream port of the MA5616
Data:
VLAN ID: 30
Port ID: 0/0/1
IP address: 10.10.20.2/24

Item: Upstream port of the MA5616
Data:
VLAN ID: 30
Port ID: 0/0/1
IP address: 10.10.20.2/24
Item: New user
Data:
User authentication mode: RSA public key authentication
RSA key name: key
User name/Password: huawei/test01
Authority: Operator
Permitted reenter number: 4
Networking - WAN
Figure 2 shows an example network for configuring inband management over a
WAN.
Figure 2 Example network for configuring inband management over a WAN
Item
Data
VLAN ID: 30
Port ID: 0/0/1
IP address: 10.10.20.2/24
IP address: 10.10.21.3/24
IP address: 10.10.20.3/24
Table 4 Data plan for configuring inband management over a WAN in the SSH mode
Item
Data
VLAN ID: 30
Port ID: 0/0/1
IP address: 10.10.20.2/24
User authentication mode: RSA public key authentication
RSA key name: key
New user
User name/Password: huawei/test01
Table 3 Data plan for configuring inband management over a WAN in the telnet mode
Item
Data
VLAN ID: 30
Port ID: 0/0/1
IP address: 10.10.20.2/24
IP address: 10.10.21.3/24
Authority: Operator
Permitted reenter number: 4
IP address: 10.10.21.3/24
IP address: 10.10.20.3/24
Configuration Flowchart
Figure 3 and Figure 4 show the flowchart for configuring inband management.
Figure 3 Flowchart for configuring inband management in the telnet mode
NOTE:
The blue-shaded configuration procedures are the ones that differ between the SSH
mode and the Telnet mode.
Procedure
Set up the configuration environment.
Set up the configuration environment as shown in Figure 1 or Figure 2, according to
the actual requirements and conditions.
>>User password:
Run the ssh user huawei authentication-type rsa command to choose the
authentication mode of the SSH user.
There are four authentication modes for SSH users, as listed below. This topic uses
the rsa authentication mode as an example.
password: authentication based on a password.
rsa: authentication based on an RSA public key.
all: authentication based on a password or an RSA public key. The user can log in
to the device with either the password or the RSA public key.
password-publickey: authentication based on a password and a public key. The
user can log in to the device only after passing both the password authentication
and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.
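The following is an added example, not part of the original guide or of Huawei's software: a small audit that reads saved configuration or session text, finds each ssh user ... authentication-type command, and reports which users can still log in with a password alone under the four modes listed above. The sample text and the user names other than huawei are constructed for illustration.

```python
import re

# Modes from the list above, split by whether a password alone is enough to log in.
PASSWORD_ALONE = {"password", "all"}
KEY_REQUIRED = {"rsa", "password-publickey"}

# Matches the command with or without a leading CLI prompt such as "huawei(config)#".
SSH_USER_RE = re.compile(
    r"^(?:\S+#)?\s*ssh user (\S+) authentication-type (\S+)\s*$"
)


def audit_ssh_users(config_text):
    """Return {user: (mode, verdict)}; the last setting seen for a user wins."""
    result = {}
    for line in config_text.splitlines():
        m = SSH_USER_RE.match(line.strip())
        if not m:
            # Skips unrelated lines and the interactive prompt that has no mode yet.
            continue
        user, mode = m.group(1), m.group(2).lower()
        if mode in KEY_REQUIRED:
            verdict = "ok: RSA key required"
        elif mode in PASSWORD_ALONE:
            verdict = "weak: password alone is accepted"
        else:
            verdict = "unknown mode"
        result[user] = (mode, verdict)
    return result


# Constructed sample input; only the user "huawei" comes from the page.
SAMPLE = """\
huawei(config)#ssh user huawei authentication-type rsa
ssh user nms01 authentication-type all
ssh user backup authentication-type password
ssh user audit authentication-type password-publickey
"""

if __name__ == "__main__":
    for user, (mode, verdict) in audit_ssh_users(SAMPLE).items():
        print(f"{user:8} {mode:20} {verdict}")
```
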
Generate the RSA public key.
Run the key generator.
Run the client software key generator Puttygen.exe. Figure 6 shows the interface of
the key generator.
Figure 6 Interface of the key generator
Click Save public key and Save private key to save the public key and the private key
respectively after they are generated, as shown in Figure 8.
Figure 8 Save the public key and the private key
The user authentication mode is set to the RSA authentication mode, and the system
therefore displays the prompt, as shown in Figure 12. Input the user name to log in to
the system (here, the user name is huawei).
Figure 12 Interface for logging in to the system using the SSH client software
Result