Thursday, December 31, 2020

This post is about my first hands-on experience with the command line interface of Huawei routers, which is called VRP (Versatile Routing Platform). It is the counterpart of Cisco's IOS, Juniper's JUNOS and so on, but the syntax is a bit different from those, so I am going through some initial configuration tasks like router management to understand how it works.

I am doing this on EVE-NG and the exact image I am using is huaweiar1k-5.170, which is the image used for the AR1000v router. I think this is Huawei's equivalent of Cisco's CSR1000v, the cloud services router.

It will start booting with the message "Booting Wind River Linux", take some time while showing a lot of console messages, and finally stop at the login prompt asking for credentials.

Following are the default login credentials.
username: admin
password: Admin@huawei.com / admin@huawei.com / Admin@huawei / admin@huawei / admin

But the image I use in EVE-NG, which I got from somewhere on the internet, has different credentials, so in your lab the credentials may also be the following.
username: super
password: super

After you log in with the default credentials, the first thing you will have to do is change the password.

You will notice that the default mode is <Huawei>, which is called user view (this is like Cisco's privileged mode, Cisco#), and the config mode is [Huawei], which is called system view (this is like Cisco's config mode, Cisco(config)#). Also note that display commands can be issued in system view too.

Command help is just like in Cisco: hit ? and it lists the available commands, and there is context-sensitive help with command completion using Tab.

Show commands start with display; let's see the version info with the display version command.

Now let's see the configured interface IPs.

Let's configure an IP address on the g0/0/0 interface.

There is a helpful command in VRP which Cisco does not have: display this. It shows the configuration of the section the user is currently in. As an example, if I run it here, the configuration of interface g0/0/0 will be shown.

Let's configure a console password and set the console idle timeout to 5 minutes. idle-timeout 5 0 means 5 minutes and 0 seconds.

Let's configure a login banner.
The command is header shell information "TEXT"

Now you can see it works when you log out and log in again using the console password configured.
You can also upload a text file for the banner.

Now let's view the routing table,

And the ARP table,

100.1.1.50 is a PC I have connected to the Gi0/0/0 interface; it was learned because I pinged from it for testing.

Basic ping and trace commands look like the following.

If you want to change the hostname, the following command will do that,
sysname NAME

Finally, the save command will save the current configuration, and the following commands will view the config files,
display current-configuration
display saved-configuration

I think this is enough to get started with Huawei VRP. Also, unlike Cisco routers, there is a web GUI for this too; we can use the IP address I configured to access it.

The username for the web GUI is the same as the CLI credentials, but if you use the EVE image like me, the user super will not be able to log in to the web UI. For that you have to give that user the http service type like the following, and everything will be fine.

[Huawei]aaa
[Huawei-aaa]local-user super service-type telnet terminal http

Monday, December 28, 2020

Well, I am going to share my experience of an initial FMC + FTD lab setup. You will have to have an EVE-NG server with a lot of RAM, otherwise it won't work.

32 GB RAM For FMC
8 GB RAM per FTD

It takes a long time to come up even with the above amount of RAM, more than 30 minutes perhaps!

Also remember to get FMC and FTD in the same version.
ex:- If FMC is 6.2.0, the FTD must also be 6.2.0

I used version 6.2.0; 6.3.0 was not working for me.
For both FMC & FTD, the default credentials are as follows.

username: admin
password: Admin123

If it seems FMC or FTD has booted up but is not accepting the credentials, just give it some time and try again; it must still be booting. If it is not connecting and shows a database connection error or similar, reboot it and hit Enter when the red screen appears.

1st let's look at FMC,

After you enter the default login credentials, just enter the following command and it will go through the initial setup wizard.
sudo configure-network

As you can see, the management IP address for FMC is 10.1.3.10.
This is the IP I use to log in to FMC and also to register FTDs.

After the above is configured, you can access it through a web browser. It will go through a configuration verification page the first time you log in, where you will configure the new password.

Now it's time to register this in evaluation mode,

Go to System > Licenses > Smart Licenses and click on evaluation mode.
This gives you 90 days of full features.

Now to the FTD,

After you enter the default credentials you will be asked to accept the EULA (End User License Agreement), then it will ask you to change the default password to something new, and the wizard will come up.

You can verify the configuration with the following command after this.
>show network

Now let's try adding the FTD to FMC.

Just add the FMC address on the FTD with the following command,
>configure manager add 10.1.3.10 cisco123

cisco123 was the registration key.

Now you can verify the FMC address with the following command,
>show managers

Now at FMC GUI, 

Go to Devices > Device Management > +Add Device

You will need to create an Access Policy because the FTD must have it before it is added.

Just click on the drop-down and create a new one with the action Network Discovery, like the following.

If it is successfully added, you will see it like the following,

Notes:-

You will notice on the FTD that you cannot ping anywhere from it,

This is because there is no route to anywhere and no IP address is seen on the Management interface,

This is because you are in the ASA engine; to go to the Firepower engine enter the following command,
>expert

Now you can see the gateway given at the beginning, and you should be able to ping FMC from here. Remember this is a Linux shell.

By the way, there is a command in Converged CLISH mode to ping the FMC,
ping system 10.1.3.10

If you ever need to change the IP address of the FMC, you can do it via the following CLI command from expert mode,
sudo /usr/local/sf/bin/configure-network

Friday, December 25, 2020

Though the documentation says Panorama is supported in EVE-NG, you will notice that you cannot find a device named Panorama in the drop-down menu where you add a new node.

The real reason for this is that there is no template created for Panorama. Maybe it will be fixed in future releases, because they have even added Panorama icons to the system.

Anyhow here is the way to do it.

First of all you need a KVM image of Panorama. You will find it on the Palo Alto Customer Support Portal, of course only if you have a login.

I cannot put a link to it here because they are copyrighted content. 😒

Go to Customer Support Portal > Updates > Software Updates & Select Panorama Base Images.

I downloaded Panorama-KVM-8.1.2.qcow2

Now you will have to access EVE-NG through the CLI and a file transfer tool like WinSCP.

I used WinSCP as the software..

Because the new versions of EVE use different sets of templates for different CPU vendors (Intel or AMD), you will have to find out which one yours is.

If you don't know, run the following command on the CLI,
lsmod | grep ^kvm_

So as you can see, mine is Intel,

Now use WinSCP to navigate to the following location on EVE,
/opt/unetlab/html/templates/intel

If yours is based on AMD, the path will be /opt/unetlab/html/templates/amd

Now grab a YML script which suits Panorama best. There was this newimage.yml script, so I thought to use it for this. Just copy it from EVE to your working PC desktop and open it;

Now you will see the template content; note that I edited the underlined parameters to match Panorama.

Note:-

Icon name is the icon image file which shows in the workspace when we add this to a lab. I didn't want to upload an image for that because it was already there.
Also remember that the description is the key which will be seen in the drop-down list where you add a new device.

OK, then I renamed the file panorama.yml and uploaded it to /opt/unetlab/html/templates/intel

Then I navigated to /opt/unetlab/addons/qemu and created a folder named panorama-8.1.2

Note:-

The naming of folders is very important. I had to use a name starting with panorama- as the folder name because I named the YML file panorama.yml. If I had used something like pano.yml as the script name, I would have had to use an image folder name starting with "pano-". The rest of the folder name can be anything, like the version of the image.

Now go inside the image folder, upload the KVM image and rename it virtioa.qcow2

Now go to the EVE CLI and enter the following command to fix permissions,

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Now the drop-down will show it & you will be able to add a Panorama to a lab successfully.
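
The two rules above (pick the template directory for your CPU vendor, and make the image folder name start with the template name followed by a dash, with virtioa.qcow2 inside) are easy to get wrong and the only symptom is a node that never appears or never boots. The following shell script is an added example written for this post, not EVE-NG's own tooling or the post's original code: the two functions are mine, the paths are the ones the post uses, and the lsmod output in the demo is a constructed sample rather than output captured from a real host. It builds a throwaway directory layout so it can be run anywhere without touching an EVE-NG server.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-checks for the EVE-NG
# custom template procedure. Paths are the ones the post uses; the lsmod
# output in the demo is constructed, not captured from a real host.

# kvm_template_dir LSMOD_OUTPUT -> template directory for this CPU vendor
# (the post's rule: kvm_intel -> .../templates/intel, kvm_amd -> .../templates/amd)
kvm_template_dir() {
    case $1 in
        *kvm_intel*) printf '%s\n' /opt/unetlab/html/templates/intel ;;
        *kvm_amd*)   printf '%s\n' /opt/unetlab/html/templates/amd ;;
        *) printf 'no kvm_intel or kvm_amd module loaded\n' >&2; return 1 ;;
    esac
}

# check_image_folder TEMPLATE_DIR QEMU_DIR FOLDER -> 0 if FOLDER follows the
# naming rule from the post: the part before the first '-' must match a
# <name>.yml template in TEMPLATE_DIR, and the folder must hold virtioa.qcow2.
check_image_folder() {
    tdir=$1 qdir=$2 folder=$3
    case $folder in
        *-*) ;;
        *) printf '%s: folder name needs the "<template>-<version>" form\n' "$folder" >&2; return 1 ;;
    esac
    name=${folder%%-*}
    if [ ! -f "$tdir/$name.yml" ]; then
        printf '%s: no template %s.yml in %s\n' "$folder" "$name" "$tdir" >&2
        return 1
    fi
    if [ ! -f "$qdir/$folder/virtioa.qcow2" ]; then
        printf '%s: virtioa.qcow2 is missing in %s\n' "$folder" "$qdir/$folder" >&2
        return 1
    fi
    printf '%s -> template %s.yml\n' "$folder" "$name"
}

# Demo on a constructed layout in a temporary directory (no EVE-NG host needed).
sample_lsmod='kvm_intel             319488  0
kvm                   823296  1 kvm_intel'
printf 'template dir: %s\n' "$(kvm_template_dir "$sample_lsmod")"

work=$(mktemp -d)
mkdir -p "$work/templates/intel" "$work/qemu/panorama-8.1.2" "$work/qemu/pano-8.1.2"
: > "$work/templates/intel/panorama.yml"
: > "$work/qemu/panorama-8.1.2/virtioa.qcow2"
check_image_folder "$work/templates/intel" "$work/qemu" panorama-8.1.2          # passes
check_image_folder "$work/templates/intel" "$work/qemu" pano-8.1.2 || true      # fails: no pano.yml
rm -rf "$work"
# On a real host the last step stays the post's own command:
#   /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
```

On a real EVE-NG host you would call kvm_template_dir "$(lsmod)" and then check_image_folder with the real template directory and /opt/unetlab/addons/qemu before running fixpermissions; the prefix rule implemented here is exactly the one the note above describes, nothing more.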

The default username and password are admin/admin

Sunday, June 28, 2020

Linux is essential for networking in the future because of the rise of network automation and evolving concepts. I am writing this post as a reference for basic Linux commands and their outputs which you will come across in a Linux CLI / Bash environment.

Most people like to use an Ubuntu VM on top of VMware on their Windows PCs; I like to use the Ubuntu app from the Windows 10 App Store for my networking work.

Because of this app, both my RAM and time are saved. I just need to open it like the Windows command prompt and perform Linux tasks right away.

Switch User / Switch User to root
su <username>
su - or sudo su

You will be asked for a password when switching.

Installing a Package
apt install <package>

You can add -y at the end of the command to answer Yes to any prompt that appears during installation.

Uninstalling a Package
apt purge <package>

If you specify a wildcard name, e.g. apt purge *impacket*, it will get rid of everything matching impacket.

Go back and forth a directory
cd .. & cd <directory>

If the directory is not inside the one you are currently in, give its full path starting with '/'.

Listing items in a directory
ls

See all files in long listing format with their read/write permissions
ls -la
Things starting with a dot (.) are hidden files.

Let's analyze the permissions notation of the first row.

The letter sequence drwxr-xr-x stands for permissions.
d means a directory; for a file it will be -
After d, the next letters are grouped into three-letter groups.
In the above example, the 1st group is 'rwx', the 2nd group 'r-x' and the 3rd group 'r-x'.

Within these three-letter groups the 1st letter is always r = read, the 2nd letter is always w = write and the 3rd letter is x = executable. If the particular right is not set it will be marked as a dash -

1st group 'rwx' is for file / directory owner
2nd group 'r-x' is for group owner
3rd group 'r-x' is for all others

In the above example, group owner can read and execute but cannot write.

Note:-
When you try to execute Python scripts etc. in networking, they should have execute rights.

Changing permissions on a file or folder
chmod
chmod 777 will make the file rwx for everyone, while chmod 755 will permit read and execute access for everyone and write access only for the owner of the file.

chmod +x new.text will make the file executable for everyone
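
Reading the rwx groups by eye is fine for one file, but it helps to see the mapping from the ls -la string to the octal number chmod takes, including the setuid/setgid/sticky bits that show up as s or t in the execute position. The script below is an added example written for this post, not the post's own code: perm_to_octal, describe_perms and mode_after_chmod are my own helper names, and the permission strings fed to them are constructed samples. It also does the round trip on a real temporary file so you can confirm that chmod 755 really produces rwxr-xr-x.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the permission string
# that "ls -la" prints into the octal value chmod expects, then verify the
# decoder against a real file that we chmod ourselves.

# perm_to_octal MODE    e.g. perm_to_octal drwxr-xr-x -> 755
# Special bits are reported as a leading digit when set (-rwsr-xr-x -> 4755).
perm_to_octal() {
    # Drop the leading type character (d = directory, - = file, l = symlink).
    # Anything after the ten-character field (an ACL '+' or SELinux '.') is ignored.
    bits=$(printf '%s' "$1" | cut -c 2-10)
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do
        triplet=$(printf '%s' "$bits" | cut -c "$((i * 3 + 1))-$((i * 3 + 3))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        # lowercase s/t means execute is set together with setuid/setgid/sticky;
        # uppercase S/T means the special bit is set but execute is not
        case $triplet in ??x | ??s | ??t) n=$((n + 1)) ;; esac
        case "$i$triplet" in
            0??[sS]) special=$((special + 4)) ;;   # setuid lives in the owner group
            1??[sS]) special=$((special + 2)) ;;   # setgid lives in the group group
            2??[tT]) special=$((special + 1)) ;;   # sticky lives in the others group
        esac
        digits="$digits$n"
        i=$((i + 1))
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$digits"
    else
        printf '%s\n' "$digits"
    fi
}

# describe_perms MODE -> one line naming the type and the three rwx groups
describe_perms() {
    case $1 in
        d*) kind=directory ;;
        l*) kind=symlink ;;
        -*) kind=file ;;
        *)  kind=other ;;
    esac
    bits=$(printf '%s' "$1" | cut -c 2-10)
    printf '%s owner=%s group=%s others=%s\n' "$kind" \
        "$(printf '%s' "$bits" | cut -c 1-3)" \
        "$(printf '%s' "$bits" | cut -c 4-6)" \
        "$(printf '%s' "$bits" | cut -c 7-9)"
}

# mode_after_chmod OCTAL -> create a temp file, chmod it, read ls -l back and
# decode it, so the round trip chmod -> ls -> octal can be checked.
mode_after_chmod() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp"
    field=$(ls -ld "$tmp" | cut -d ' ' -f 1)
    rm -f "$tmp"
    perm_to_octal "$field"
}

# Constructed sample rows, like the first column of an "ls -la" listing.
for sample in drwxr-xr-x -rw-r--r-- -rwsr-xr-x drwxrwxrwt; do
    printf '%-12s %5s  %s\n' "$sample" "$(perm_to_octal "$sample")" "$(describe_perms "$sample")"
done
printf 'round trip through chmod 755: %s\n' "$(mode_after_chmod 755)"
```

The drwxrwxrwt sample is the shape /tmp normally has (1777): everyone can write, but the sticky bit stops users deleting each other's files. A setuid binary decodes to 4755, which is why that leading digit is the first thing to look at when reviewing a permissions listing.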

Create a directory
mkdir

Remove an empty directory
rmdir

Remove a non empty directory
rm -rf

Create a new text file with some text
echo "text" > new.text
View a text file's content on the CLI
cat new.text
You can view this content in a text editor like nano using the nano new.text command.

Copy a file or a folder
cp

The following command will rename the file at the destination when you copy,

Moving file or folder
mv

You can see the file is gone from the original location..

Remove a file
rm

Find a file
locate
Newly created files or folders may not be found by this command until you run the updatedb command.

View Interface Configuration
ifconfig
For wireless interfaces and configuration, we can use iwconfig

Network Troubleshooting Commands

ping <ip address>

traceroute <ip address>

arp -a

View all the ports that are open and what is connected to those ports
netstat -ano

View Routing Table
route

View command history
history

You can use grep to find a matching command in command history.
Ex:- history | grep ping

Clone a Git Repository 
git clone <github link>

Start / Stop Service
service ssh start
service ssh stop

The above commands will start and stop the ssh service.

You can view the manual / get help for any command using man <command>

Tuesday, June 23, 2020

Inter-VRF routing can be achieved by several methods. Following are 6 ways you can do it. There can be more methods, but most commonly you will see one of the following in your network.

1. Using static routes
2. Using route maps
3. Import - Export Policies plus Multi-Protocol BGP
4. Connecting two interfaces which belong to two VRFs
5. Pointing traffic to a Firewall
6. Inter VRF Tunneling

Go here to know how to do inter VRF routing using static routes.
Go here to know how to do inter VRF routing using route maps.
Go here to know how to do inter VRF routing using import export policies.

In this post I am doing it using GRE tunnels. The advantages of this method are the ease of achieving global-to-VRF connectivity even inside a single router, configuring dynamic routing between VRFs, etc.

First let's configure 2 loopbacks in the global table for underlay routing (you can use existing interfaces for this too).

interface Loopback1
 ip address 1.1.1.1 255.255.255.255

interface Loopback2
 ip address 2.2.2.2 255.255.255.255

Now let's create 2 Tunnel interfaces for overlay routing..

interface Tunnel1
 ip vrf forwarding ONE
 ip address 10.10.10.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 2.2.2.2

interface Tunnel2
 ip vrf forwarding TWO
 ip address 10.10.10.2 255.255.255.252
 tunnel source Loopback2
 tunnel destination 1.1.1.1

Now the 3 routing tables (global, ONE, TWO) look like the following..

As you can see, VRF ONE and VRF TWO each have their tunnel as a connected interface. So you can add static routes or dynamic routing as per your requirement.

In the routing tables you can see there are 2 more loopback interfaces which belong only to a specific VRF.

Loopback 100 = 100.1.1.1/24 vrf ONE
Loopback 200 = 200.1.1.1/24 vrf TWO

I added these to test the route leaking.
As an example, let's say we want to ping Loopback 200, which is in VRF TWO, from VRF ONE.

I will add a static route,

ip route vrf ONE 200.1.1.1 255.255.255.255 10.10.10.2

See, that was enough. How about pinging with Loopback 100 as the source,

Well, it fails, because there is no route for the returning traffic.
Let's fix it by adding another static route.

ip route vrf TWO 100.1.1.1 255.255.255.255 10.10.10.1

Now let's see how dynamic routing can be configured for this. Let's remove the above static routes and use OSPF to leak routes.

The following commands will enable OSPF on the interfaces,

interface Loopback100
 ip ospf 1 area 0

interface Loopback200
 ip ospf 2 area 0

or you can use the following format too.

router ospf 1 vrf ONE
 network 10.10.10.1 0.0.0.0 area 0
 network 100.1.1.1 0.0.0.0 area 0
router ospf 2 vrf TWO
 network 10.10.10.2 0.0.0.0 area 0
 network 200.1.1.1 0.0.0.0 area 0

You can see the neighbors come up and the routing tables get leaked via OSPF.