In NETCONF over SSH mode, a third-party controller proactively sets up NETCONF sessions with switches. To achieve this, you must perform the following configurations on each switch in advance: configure a user account that the controller uses to log in to the switch through NETCONF, enable the NETCONF function, and set the IP address and port number that the switch uses to communicate with the controller.
If the live network has high security requirements for NETCONF sessions, you can configure public key authentication between the controller and switches. Public key authentication uses digital signatures to authenticate clients. Currently, switches can use the RSA or DSA public key algorithm to generate digital signatures. The controller acting as a client sends a public key authentication request containing the user name, public key, and public key algorithm to the switch acting as the server. The server checks the validity of the public key. If the public key is invalid, the server returns an authentication failure message. Otherwise, the server uses the digital signature to authenticate the client and returns an authentication success or failure message.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] protocol inbound ssh
[HUAWEI-ui-vty0-4] user privilege level 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user client001 password irreversible-cipher abcd@123
[HUAWEI-aaa] local-user client001 privilege level 15
[HUAWEI-aaa] local-user client001 service-type api
[HUAWEI-aaa] quit
[HUAWEI] netconf
[HUAWEI-netconf] source ip 192.168.10.1 port 10020 //The IP address and port number used in this command are for reference only. Set them based on the site requirements.
[HUAWEI-netconf] quit
Skip the following steps if public key authentication is not required between the controller and switches.
[HUAWEI] dsa peer-public-key dsakey001 encoding-type openssh //In this example, the DSA algorithm is used. The configuration for the RSA algorithm is similar.
[HUAWEI-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[HUAWEI-dsa-key-code] 30820109 //This example assumes that the public key generated on the controller is as follows:
[HUAWEI-dsa-key-code] 2820100
[HUAWEI-dsa-key-code] CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116
[HUAWEI-dsa-key-code] 87B79B0C 5698C582 69A9F4D0 45ED0E53 AF2EDEC1
[HUAWEI-dsa-key-code] A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7
[HUAWEI-dsa-key-code] FB0E73E7 F0212432 E898D979 8EAA491E E2B69727
[HUAWEI-dsa-key-code] 4B51A2BE CD86A144 16748D1E 4847A814 3FE50862
[HUAWEI-dsa-key-code] 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
[HUAWEI-dsa-key-code] B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B
[HUAWEI-dsa-key-code] 8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
[HUAWEI-dsa-key-code] 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A
[HUAWEI-dsa-key-code] C0A4CDB3 ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1
[HUAWEI-dsa-key-code] 530CC2F5 697C4707 90829982 4339507F F354FAF9
[HUAWEI-dsa-key-code] 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592
[HUAWEI-dsa-key-code] 71D773E2 E76E8EEB 431FB60D 60ABC20B
[HUAWEI-dsa-key-code] 203
[HUAWEI-dsa-key-code] 10001
[HUAWEI-dsa-key-code] peer-public-key end
[HUAWEI] netconf
[HUAWEI-netconf] user client001 assign dsa public-key dsakey001
[HUAWEI-netconf] quit
[HUAWEI] netconf
[HUAWEI-netconf] dsa local-key-pair create
Warning: DSA keys already exist. Continue? [Y/N]:y
Info: Creating the DSA keys.......
Info: The DSA keys has been created.
[HUAWEI-netconf] quit
[HUAWEI] display netconf dsa local-key-pair public
The DSA public key:
ssh-dss <public key body omitted> root@root
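Added example, not from the page or from Huawei: a small Python helper for the controller-side key material in the two steps above, the public key entered line by line in the public-key-code view and the key line shown by display netconf dsa local-key-pair public. It assumes the hex in the key-code view is the DER encoding of the public key, which is what the 30 82 .. 02 82 .. framing of the page's example indicates, and it handles the RSA case (the page says RSA is configured the same way); the toy modulus, the comment string and the function names are constructed.

```python
# Added example, not from the page or Huawei. Assumes the hex typed into the
# switch's public-key-code view is the DER encoding of the key (the page's
# example opens 30 82 .. 02 82 .., i.e. DER SEQUENCE/INTEGER framing).
import base64, hashlib, struct
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b
def _ssh_mpint(v):                                # RFC 4251 mpint, positive
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)
def make_openssh_line(e, n, comment="controller"):
    """OpenSSH 'ssh-rsa AAAA... comment' line from integers (wire order: e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_openssh_line(line):
    """Return (key_type, [integers in wire order]) from an OpenSSH public-key line."""
    key_type, b64 = line.split()[:2]
    blob, pos, fields = base64.b64decode(b64), 0, []
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line")
    return key_type, [int.from_bytes(x, "big") for x in fields[1:]]
def _der_len(n):                                  # DER length (short/long form)
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    b = b"\x00" + b if b[0] & 0x80 else b         # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

def rsa_key_code(line):
    """DER RSAPublicKey {n, e} as hex, five 8-digit groups per line (the page's layout)."""
    key_type, ints = parse_openssh_line(line)
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled here")
    e, n = ints                                   # wire order is e, n; DER order is n, e
    body = _der_int(n) + _der_int(e)
    hexstr = (b"\x30" + _der_len(len(body)) + body).hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return [" ".join(groups[i:i + 5]) for i in range(0, len(groups), 5)]

def fingerprint_sha256(line):
    """OpenSSH-style SHA256 fingerprint of a key line, e.g. the switch's displayed public key."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed toy key (not a real key): 256-bit modulus, public exponent 65537.
TOY_LINE = make_openssh_line(65537, int.from_bytes(b"\xc0" + b"\xab" * 31, "big"))
```

Paste the lines returned by rsa_key_code into the key-code view, and compare fingerprint_sha256 of the switch's displayed key with what the controller's SSH client reports on first connection before accepting it.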