Monday, December 30, 2013

Configuring Negotiated Parameters of the RADIUS Server

A RADIUS server and the ME60 must use the same RADIUS parameters and message format to communicate.

Run:
system-view
The system view is displayed.
Run:
radius-server group group-name
The RADIUS server group view is displayed.
Run:
radius-server type { standard | plus10 | plus11 }
The protocol version of the RADIUS server is configured.
Run:
radius-server shared-key key-string [ authentication | accounting ] ip-address [ vpn-instance instance-name ] port-number [ weight weight ]
The key of the RADIUS server is configured.
Run:
radius-server user-name { domain-included | original }
The format of the user name contained in the RADIUS packets is configured.
Run:
radius-server traffic-unit { byte | gbyte | kbyte | mbyte }
The traffic unit of the RADIUS packets is configured.
Run:
radius-server timeout timeout-value or radius-server retransmit retry-times
The retransmission parameters of the RADIUS packets are set.
Run:
radius-attribute agent-circuit-id format { cn | tr-101 }
The ID format of the circuit through which RADIUS packets are transmitted to the upstream device is set.
Run:
radius-server calling-station-id include delimiter { domain delimiter delimiter | mac delimiter delimiter | interface delimiter delimiter | sysname delimiter delimiter | option82 delimiter delimiter }* option82

The method of constructing the No. 31 RADIUS public attribute is set.

Configuration Example of HWTACACS Authentication

The MA5600/MA5600T allows the management user of the device to log in to the system using HWTACACS authentication.

Configure the authentication scheme.
Configure an authentication scheme named login-auth (users are authenticated through HWTACACS).

huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth
huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit
Configure the HWTACACS protocol.
Create an HWTACACS server template named ma56t-login with HWTACACS server 10.10.66.66 as the primary authentication server, and HWTACACS server 10.10.66.67 as the secondary authentication server.

huawei(config)#hwtacacs-server template ma56t-login
  Create a new HWTACACS-server template
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit
Create a domain named isp1.
 NOTE:
A domain is a group of users of the same type.
In the user name format userid@domain-name (for example, huawei20041028@huawei.net), "userid" indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
  Info: Create a new domain 
Use the authentication scheme login-auth.
You can use an authentication scheme in a domain only after the authentication scheme is created.

huawei(config-aaa-domain-isp1)#authentication-scheme login-auth
Bind the HWTACACS server template ma56t-login to the user.
You can use an HWTACACS server template in a domain only after the HWTACACS server template is created.

huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login

huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth
huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit
huawei(config-aaa)#quit
huawei(config)#hwtacacs-server template ma56t-login
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp1
huawei(config-aaa-domain-isp1)#authentication-scheme login-auth
huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login
huawei(config-aaa-domain-isp1)#quit
huawei(config-aaa)#quit

Thursday, December 26, 2013

Configuring a GPON ONT Alarm Profile

The MA5680T/MA5683T supports up to 50 alarm profiles.
huawei(config)#gpon alarm-profile add profile-id 5                              
{ <cr>|profile-name<K> }:                                                      
                                                                               
  Command:                                                                      
          gpon alarm-profile add profile-id 5                                  
  Press 'Q' or 'q' to quit input                                               
>  GEM port loss of packets threshold (0~100)[0]:                       10
>  GEM port misinserted packets threshold (0~100)[0]:                   30
>  GEM port impaired blocks threshold (0~100)[0]:                              
>  Ethernet FCS errors threshold (0~100)[0]:                                   
>  Ethernet excessive collision count threshold (0~100)[0]:                    
>  Ethernet late collision count threshold (0~100)[0]:                         
>  Too long Ethernet frames threshold (0~100)[0]:                              
>  Ethernet buffer (Rx) overflows threshold (0~100)[0]:                        
>  Ethernet buffer (Tx) overflows threshold (0~100)[0]:                        
>  Ethernet single collision frame count threshold (0~100)[0]:                 
>  Ethernet multiple collisions frame count threshold (0~100)[0]:              
>  Ethernet SQE count threshold (0~100)[0]:                                    
>  Ethernet deferred transmission count threshold (0~100)[0]:                  
>  Ethernet internal MAC Tx errors threshold (0~100)[0]:                        
>  Ethernet carrier sense errors threshold (0~100)[0]:                         
>  Ethernet alignment errors threshold (0~100)[0]:                             
>  Ethernet internal MAC Rx errors threshold (0~100)[0]:                       
>  PPPOE filtered frames threshold (0~100)[0]:                                 
>  MAC bridge port discarded frames due to delay threshold (0~100)[0]:         
>  MAC bridge port MTU exceeded discard frames threshold (0~100)[0]:           
>  MAC bridge port received incorrect frames threshold (0~100)[0]:             
>  CES general error time threshold(0~100)[0]:                                 
>  CES severely time threshold(0~100)[0]:                                      
>  CES bursty time threshold(0~100)[0]:                                        
>  CES controlled slip threshold(0~100)[0]:                                    
>  CES unavailable time threshold(0~100)[0]:                                   
>  Drop events threshold(0~100)[0]:                                             
>  Undersize packets threshold(0~100)[0]:                                      
>  Fragments threshold(0~100)[0]:                                              
>  Jabbers threshold(0~100)[0]:                                                 
>  Failed signal of ONT threshold(Format:1e-x, x: 3~8)[3]:                     
>  Degraded signal of ONT threshold(Format:1e-x, x: 4~9)[4]:                   
>  FEC uncorrectable code words threshold(0~1101600000)[0]:
>  FEC correctable code words threshold(0~1101600000)[0]:
>  Upstream PQ discarded byte alarm threshold(0~65535)[0]:6
>  Downstream PQ discarded byte alarm threshold(0~65535)[0]:6
>  XGEM key errors threshold(0~100)[0]:
>  XGEM HEC error count threshold(0~100)[0]:

  Adding an alarm profile succeeded                                            
  Profile ID  : 5                                                              
  Profile name: alarm-profile_5            

huawei(config)#display gpon alarm-profile profile-id 5          
  --------------------------------------------------------------               
  Profile ID  : 5                                                              
  Profile name: alarm-profile_5                                                 
  --------------------------------------------------------------               
  GEM port loss of packets threshold:                        10                
  GEM port misinserted packets threshold:                    30                
  GEM port impaired blocks threshold:                        0                 
  Ethernet FCS errors threshold:                             0                 
  Ethernet excessive collision count threshold:              0                 
  Ethernet late collision count threshold:                   0                 
  Too long Ethernet frames threshold:                        0                 
  Ethernet buffer (Rx) overflows threshold:                  0                 
  Ethernet buffer (Tx) overflows threshold:                  0                 
  Ethernet single collision frame count threshold:           0                 
  Ethernet multiple collisions frame count threshold:        0                 
  Ethernet SQE count threshold:                              0                 
  Ethernet deferred transmission count threshold:            0                 
  Ethernet internal MAC Tx errors threshold:                 0                 
  Ethernet carrier sense errors threshold:                   0                 
  Ethernet alignment errors threshold:                       0                 
  Ethernet internal MAC Rx errors threshold:                 0                 
  PPPOE filtered frames threshold:                           0                  
  MAC bridge port discarded frames due to delay threshold:   0                 
  MAC bridge port MTU exceeded discard frames threshold:     0                 
  MAC bridge port received incorrect frames threshold:       0                  
  CES general error time threshold:                          0                 
  CES severely time threshold:                               0                 
  CES bursty time threshold:                                 0                 
  CES controlled slip time threshold:                        0                 
  CES unavailable time threshold:                            0                 
  Drop events threshold:                                     0                 
  Undersize packets threshold:                               0                 
  Fragments threshold:                                       0                 
  Jabbers threshold:                                         0                 
  Failed signal of ONU threshold (Format:1e-x):              3                 
  Degraded signal of ONU threshold (Format:1e-x):            4                 
  FEC uncorrectable code words threshold:                    0
  FEC correctable code words threshold:                      0
  Upstream PQ discarded byte alarm threshold:                6
  Downstream PQ discarded byte alarm threshold:              6
  XGEM key errors threshold:                                 0                 
  XGEM HEC error count threshold:                            0
  --------------------------------------------------------------               
  Binding Times:                                             0                 

  --------------------------------------------------------------    

Wednesday, December 25, 2013

Configuring MA5600T-1

Configure the IP address of the inband NMS interface.
Create the NMS VLAN.
huawei(config)#vlan 10 standard
Add the upstream port.
huawei(config)#port vlan 10 0/19 0-1
  It will take several minutes, and console may be timeout, please use command 
idle-timeout to set time limit                                                 
  Are you sure to add standard port(s)? (y/n)[n]:y
Enter the NMS VLAN interface mode.
huawei(config)#interface vlanif 10
Configure the IP address of the NMS interface.
huawei(config-if-vlanif10)#ip address 10.10.1.2 255.255.255.0
Add the route.
Configure the route destined to the NMS (Trap destination address).
huawei(config)#ip route-static 2.2.2.2 255.255.255.255 10.10.1.1 preference 1
huawei(config)#ip route-static 2.2.2.3 255.255.255.255 10.10.1.1 preference 1
Configure the route destined to the time server.
huawei(config)#ip route-static 4.4.4.4 255.255.255.255 10.10.1.1 preference 1
huawei(config)#ip route-static 4.4.4.5 255.255.255.255 10.10.1.1 preference 1
Configure the route destined to the log host.
huawei(config)#ip route-static 3.3.3.3 255.255.255.255 10.10.1.1 preference 1
huawei(config)#ip route-static 3.3.4.3 255.255.255.255 10.10.1.1 preference 1
Add the ACL rule.
huawei(config)#acl 3050
huawei(config-acl-adv-3050)#rule permit ip source any destination any
huawei(config-acl-adv-3050)#rule deny ip source any destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 2.2.2.2 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 2.2.2.3 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 4.4.4.4 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 4.4.4.5 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 3.3.3.3 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 3.3.4.3 0.0.0.0 destination 10.10.1.2 0.0.0.0
huawei(config-acl-adv-3050)#quit
huawei(config)#packet-filter inbound ip-group 3050 port 0/19/0
huawei(config)#packet-filter inbound ip-group 3050 port 0/19/1
Configure SNMP.
Set the community name and access authority.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
Set the SysContact.
huawei(config)#snmp-agent sys-info contact HW-075512345678
Set the SysLocation.
huawei(config)#snmp-agent sys-info location Shenzhen China
Set the SNMP version.
The SNMP version must be the same as that of the NMS. In this example, the SNMP version is set as SNMP V2C.
huawei(config)#snmp-agent sys-info version v2c
Enable the trap sending.
huawei(config)#snmp-agent trap enable standard
Set trap destination address.
huawei(config)#snmp-agent target-host trap-hostname huawei address 2.2.2.2 trap-paramsname abc
huawei(config)#snmp-agent target-host trap-hostname huawei123 address 2.2.2.3 trap-paramsname 123
Set trap source address.
huawei(config)#snmp-agent trap source vlanif 10

Monday, December 23, 2013

Configuring a Voice VLAN in Manual Mode

Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6
# Configure the link type and default VLAN of the interface.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 6
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 6
[Quidway-Ethernet0/0/1] quit
Step 2 Configure the voice VLAN on the Switch.
# Configure the voice VLAN on the interface.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] voice-vlan 2 enable
# Set the voice VLAN mode to manual and add the interface to the voice VLAN.
[Quidway-Ethernet0/0/1] voice-vlan mode manual
[Quidway-Ethernet0/0/1] port hybrid tagged vlan 2
[Quidway-Ethernet0/0/1] quit
# Set the OUI of the voice VLAN.
[Quidway] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] voice-vlan security enable
Step 3 Verify the configuration.
Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Quidway> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check voice VLAN mode, security mode, and voice VLAN aging time.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN aging time : 1440(minutes)
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port            Add-Mode  Security-Mode  Legacy
-----------------------------------------------------------
Ethernet0/0/1   Manual    Security       Disable

Commissioning the Interconnection with the NMS

Configure the IP address of the maintenance Ethernet port. The IP address of the local maintenance Ethernet port (outband network management port) of the MA5600T/MA5603T/MA5608T is 10.50.1.10/24.
 NOTE:
By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-meth0)#quit
Add a route for the outband network management. Use the static route. The destination IP address is 10.10.1.0/24 (the network segment to which the U2000 belongs), and the gateway IP address is 10.50.1.1/24 (the IP address of the gateway of the MA5600T/MA5603T/MA5608T).
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Set the SNMP parameters.
Configure the community name and the access authority.
The read community name is public, and the write community name is private.

 NOTE:
The configurations of the read community name and the write community name must be the same as the configurations on the U2000.
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
(Optional) Set the ID and the contact information of the administrator.
The contact information of the administrator is HW-075528780808.

huawei(config)#snmp-agent sys-info contact HW-075528780808
(Optional) Set the location of the device.
The location of the device is Shenzhen_China.

huawei(config)#snmp-agent sys-info location Shenzhen_China
Set the SNMP version.
When SNMP V1 is used:
huawei(config)#snmp-agent sys-info version v1
When SNMP V2 is used:
huawei(config)#snmp-agent sys-info version v2c
 NOTE:
The SNMP version must be the same as the SNMP version set on the U2000.
Enable the function of sending traps. On the MA5600T/MA5603T/MA5608T, enable the function of sending traps to the U2000.
huawei(config)#snmp-agent trap enable standard
Configure the IP address of the destination host for the traps.
When SNMP V1 is used, the host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of the U2000), the trap parameter name is ABC, SNMP version is V1, and the parameter security name is private (the parameter security name is the SNMP community name).
huawei(config)#snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname ABC v1 securityname private
When SNMP V2 is used, the host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of the U2000), the trap parameter name is ABC, SNMP version is V2, and the parameter security name is private (the parameter security name is the SNMP community name).
huawei(config)#snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname ABC v2c securityname private
Set the IP address of the maintenance Ethernet port as the source IP address for sending traps. Set the SNMP packets to be forwarded from the maintenance Ethernet port of the MA5600T/MA5603T/MA5683T. That is, the source address of the traps is meth 0.
huawei(config)#snmp-agent trap source meth 0
Save the data.

huawei(config)#save
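
A review check for a saved copy of the SNMP commands above (and those in the "Configuring MA5600T-1" example), added here as an example and not taken from the original page or from Huawei. It flags the community names public/private and the community-based versions v1/v2c, which carry the community string in cleartext. The function names, rule IDs and sample text are constructed for illustration, and a line without a prompt is assumed to be the wrapped tail of the previous command.

```python
import re

# Constructed sample: commands as shown on this page, including the wrapped
# continuation lines of the target-host commands.
SAMPLE_CONFIG = """\
huawei(config)#snmp-agent community read public
huawei(config)#snmp-agent community write private
huawei(config)#snmp-agent sys-info version v2c
huawei(config)#snmp-agent trap enable standard
huawei(config)#snmp-agent target-host trap-hostname huawei address 10.10.1.10
 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname ABC
 v2c securityname private
huawei(config)#snmp-agent trap source meth 0
"""

WELL_KNOWN = {"public", "private"}  # community names used in the page's examples
PROMPT = re.compile(r"^\s*[\w.-]+\([^)]*\)#\s*")  # e.g. "huawei(config)#"


def join_commands(text):
    """Return (line_no, command) pairs. A line without a prompt is treated as
    the wrapped tail of the previous command (assumption of this example)."""
    cmds = []
    for no, raw in enumerate(text.splitlines(), 1):
        if PROMPT.match(raw):
            cmds.append([no, PROMPT.sub("", raw).strip()])
        elif raw.strip() and cmds:
            cmds[-1][1] += " " + raw.strip()
    return [(no, " ".join(cmd.split())) for no, cmd in cmds]


# (rule id, command pattern, predicate deciding whether the match is weak)
RULES = [
    ("well-known-community",
     re.compile(r"^snmp-agent community (read|write) (\S+)$"),
     lambda m: m.group(2).lower() in WELL_KNOWN),
    ("community-based-version",
     re.compile(r"^snmp-agent sys-info version (\S+)$"),
     lambda m: m.group(1).lower() in {"v1", "v2c"}),
    ("well-known-trap-securityname",
     re.compile(r"^snmp-agent target-host trap-paramsname \S+ (v1|v2c) "
                r"securityname (\S+)$"),
     lambda m: m.group(2).lower() in WELL_KNOWN),
]


def audit(text):
    """Return (line_no, rule_id, command) for every weak SNMP setting found."""
    findings = []
    for no, cmd in join_commands(text):
        for rule_id, pattern, is_weak in RULES:
            m = pattern.match(cmd)
            if m and is_weak(m):
                findings.append((no, rule_id, cmd))
    return findings


if __name__ == "__main__":
    for no, rule_id, cmd in audit(SAMPLE_CONFIG):
        print(f"line {no}: {rule_id}: {cmd}")
```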

Thursday, December 19, 2013

Configuring ARP Detection

The MA5600T/MA5680T/MA5608T is dual-homed to BRAS 1 and BRAS 2. The working links are Link1 and Link2, and the protection link is Link3. If Link1 is faulty and Link2 is normal, the MA5600T/MA5603T/MA5608T can switch services to Link3 by using ARP detection even though the upstream port on the MA5600T/MA5603T/MA5608T is functioning properly. This ensures uninterrupted service transmission.

To configure ARP detection in such a network scenario, do as follows:

//Configure the VLAN and Layer 3 interface IP address used for ARP detection of the local device.
huawei(config)#vlan 20 smart
huawei(config)#port vlan 20 0/19 0
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 1.1.1.2 24
huawei(config-if-vlanif20)#ip address 2.2.2.2 24 sub
huawei(config-if-vlanif20)#quit
//Configure ARP detection for the working port.
huawei(config)#arp-detect arp_test1 bind peer-ip 1.1.1.1 vlan 20 port 0/19/0
huawei(config-arp-detect-arp_test1)#detect-multiplier 3
huawei(config-arp-detect-arp_test1)#min-tx-interval 2
huawei(config-arp-detect-arp_test1)#detect enable
huawei(config-arp-detect-arp_test1)#quit
//Configure ARP detection for the protection port.
huawei(config)#arp-detect arp_test2 bind peer-ip 2.2.2.1 vlan 20 port 0/19/1
huawei(config-arp-detect-arp_test2)#detect-multiplier 3
huawei(config-arp-detect-arp_test2)#min-tx-interval 2
huawei(config-arp-detect-arp_test2)#detect enable
huawei(config-arp-detect-arp_test2)#quit
//Query configurations of the working port.
huawei(config)#display arp-detect arp_test1                                   
 ---------------------------------------------------------------------------   
  Name       : arp_test1                          Admin State : Enable        
  Peerip     : 1.1.1.1                             Interval    : 2(s)          
  Vlan       : 20                                  Multiplier  : 3             
  F/S/P      : 0/19/0                              State       : Down           
 --------------------------------------------------------------------------- 
//Query configurations of the protection port.
huawei(config)#display arp-detect arp_test2
 ---------------------------------------------------------------------------   
  Name       : arp_test2                          Admin State : Enable        
  Peerip     : 2.2.2.1                             Interval    : 2(s)          
  Vlan       : 20                                  Multiplier  : 3             
  F/S/P      : 0/19/1                              State       : Down          
 ---------------------------------------------------------------------------