Example for Configuring a Management VLAN to Implement Remote Management

Networking Requirements

In Figure 1, users need to securely log in to the Switch for remote management. There is no idle management interface on the Switch.

Figure 1 Configuring a management VLAN to implement remote management

Configuration Roadmap

A management interface or VLANIF interface of a management VLAN can be used to log in to the device for remote management. The device has no idle management interface, so the management VLAN is used. STelnet is used to ensure login security. The configuration roadmap is as follows:

  1. Configure a management VLAN on the Switch and add an interface to the management VLAN.

  2. Configure a VLANIF interface and assign an IP address to it on the Switch.

  3. Enable STelnet on the Switch and configure an SSH user.

  4. Log in to the Switch using STelnet from a user PC.

  • The user PC needs to be configured with software for logging in to the SSH server, key pair generation software, and public key conversion software.
  • To ensure device security, change the password frequently.

Procedure

  1. Configure a management VLAN and add an interface to the management VLAN.

    # Create VLAN 10 on the Switch, configure VLAN 10 as the management VLAN, and add GE0/0/1 to VLAN 10 in tagged mode.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan 10
    [Switch-vlan10] management-vlan
    [Switch-vlan10] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet0/0/1] quit

  2. Configure a VLANIF interface and assign an IP address to the VLANIF interface.

    # Create VLANIF 10 on the Switch and assign it the IP address 10.10.10.2/24.

    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.10.10.2 24
    [Switch-Vlanif10] quit
    

  3. Enable the STelnet service and create an SSH user.

    1. Generate a local key pair on the Switch.

      [Switch] rsa local-key-pair create
      The key name will be: Switch_Host
      The range of public key size is (2048 ~ 2048).
      NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
      Input the bits in the modulus[default = 2048]:     //Press Enter.
      Generating keys...
      ...................+++++
      ........................++
      ....++++
      ...........++
    2. Create an SSH user.

      # Configure the VTY user interface on the Switch.

      [Switch] user-interface vty 0 14
      [Switch-ui-vty0-14] authentication-mode aaa
      [Switch-ui-vty0-14] protocol inbound ssh
      [Switch-ui-vty0-14] quit

      # Create an SSH user named client001 on the Switch and configure password authentication.

      [Switch] aaa
      [Switch-aaa] local-user client001 password irreversible-cipher Huawei@123
      [Switch-aaa] local-user client001 privilege level 3
      [Switch-aaa] local-user client001 service-type ssh
      [Switch-aaa] quit
      [Switch] ssh user client001 authentication-type password
    3. Enable the STelnet service.

      # Enable the STelnet service on the Switch.

      [Switch] stelnet server enable

      # Configure the STelnet service for SSH user client001.

      [Switch] ssh user client001 service-type stelnet

    The PC connects to the Switch through the intermediate device. The intermediate device must transparently transmit packets from management VLAN 10 and have a route from 10.1.1.1/24 to 10.10.10.2/24.

  4. Verify the configuration.

    After the configuration is complete, the user can log in to the Switch from the PC using password authentication.

    # Run the PuTTY software on the user PC. The dialog box shown in Figure 2 is displayed. Enter 10.10.10.2 (IP address of the Switch) and select SSH.

    Figure 2 Configuring a management VLAN to implement remote management

    # Click Open. On the login page that the Switch displays, enter the user name and password, and press Enter.

    login as: client001
    SSH server: User Authentication
    Using keyboard-interactive authentication.
    Password:
    
    Info: The max number of VTY users is 10, and the number
          of current VTY users on line is 1.
          The current login time is 2014-02-25 05:45:41+00:00.
    <Switch>

    The user can successfully log in to the Switch for remote management.

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 10
#
vlan 10
 management-vlan
#
aaa
 local-user client001 password irreversible-cipher $1a$EqZEVTq=/@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$$
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
interface Vlanif10
 ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
# 
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
# 
user-interface vty 0 14
 authentication-mode aaa
#
return
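
The following Python sketch is an added example, not part of the original page or of any Huawei tooling. It audits a saved configuration file for the management-plane settings configured above: a management VLAN with an addressed VLANIF interface, STelnet enabled, and VTY lines that use AAA. The names `parse` and `audit` are hypothetical, and treating an explicit `protocol inbound` value other than `ssh` as a finding is an assumption of this example.

```python
import re

# Constructed sample, trimmed from this page's Switch configuration file.
SAMPLE = """\
vlan 10
 management-vlan
#
interface Vlanif10
 ip address 10.10.10.2 255.255.255.0
#
stelnet server enable
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound ssh
"""

def parse(text):
    """Map each top-level line to the indented lines configured under it."""
    views, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            views[current].append(line.strip())
        elif line.strip() not in ("", "#"):   # "#" only separates sections
            current = line.strip()
            views[current] = []
    return views

def audit(text):
    """Return findings where a config departs from this page's setup."""
    v, out = parse(text), []
    mgmt = [h.split()[1] for h, b in v.items()
            if re.fullmatch(r"vlan \d+", h) and "management-vlan" in b]
    if not mgmt:
        out.append("no management VLAN")
    for vid in mgmt:
        if not any(l.startswith("ip address ") for l in v.get(f"interface Vlanif{vid}", [])):
            out.append(f"Vlanif{vid} has no IP address")
    if "stelnet server enable" not in v:
        out.append("STelnet server not enabled")
    for h, b in v.items():
        if h.startswith("user-interface vty") and "authentication-mode aaa" not in b:
            out.append(f"{h}: authentication-mode is not aaa")
        # Assumption: only an explicit non-SSH setting is flagged, since the
        # configuration file on this page omits the protocol inbound line.
        if h.startswith("user-interface vty") and any(
                l.startswith("protocol inbound ") and l != "protocol inbound ssh" for l in b):
            out.append(f"{h}: inbound protocol is not SSH-only")
    return out
```

Calling `audit(SAMPLE)` returns an empty list; each departure from the setup above adds one finding string.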
Copyright © Huawei Technologies Co., Ltd.