
Thursday, December 31, 2020

This post is about my first hands-on experience with the command-line interface of Huawei routers, which is called VRP (Versatile Routing Platform). It is the counterpart of Cisco's IOS or Juniper's JUNOS, but the syntax is a bit different from those, so I am going through some initial configuration, such as router management, to understand how it works.

I am doing this on EVE-NG, and the exact image I am using is huaweiar1k-5.170, which is the image used by the AR1000v router. I think this is Huawei's equivalent of Cisco's CSR1000v, the cloud services router.

It starts booting with the message "Booting Wind River Linux", takes some time printing a lot of console messages, and finally stops at the login prompt asking for credentials.

The default login credentials are the following (which password applies depends on the image version):
username: admin
password: Admin@huawei.com / admin@huawei.com / Admin@huawei / admin@huawei / admin

But the image I use in EVE-NG, which I got from somewhere on the internet, has different credentials, so your lab image may well use the following too:
username: super
password: super

After you log in with the default credentials, the first thing you will be asked to do is change the password.

You will notice that the default mode is <Huawei>, which is called user view (the equivalent of Cisco's privileged mode, Cisco#), and the configuration mode is [Huawei], which is called system view (the equivalent of Cisco's config mode, Cisco(config)#). You move from user view to system view with the system-view command, and back with quit or return. Also note that display commands can be issued from system view too.

Command help works just as in Cisco: hit ? to list the available commands, and there is context-sensitive help with Tab completion.

Show commands start with display; let's see the version info with the display version command.

Now let's see the configured interface IPs with display ip interface brief.

Let's configure an IP address on the g0/0/0 interface.

There is a helpful command in VRP which Cisco IOS does not have: display this. It shows the configuration of the section you are currently in. For example, if I run it here, under interface g0/0/0, only that interface's configuration is shown.

Let's configure a console password and set the console idle timeout to 5 minutes. idle-timeout 5 0 means 5 minutes and 0 seconds.

Let's configure a login banner.
The command is header shell information "TEXT". Note that a shell header is displayed after a successful login; if you want the text shown before the login prompt (for example a legal notice), use header login instead.
Now you can see it works when you log out and log in again using the console password configured.
You can also load the banner from a text file instead, with header shell file FILENAME.

Now let's view the routing table with display ip routing-table,

And the ARP table with display arp,

100.1.1.50 is a PC I have connected to the Gi0/0/0 interface; its entry was learned because I pinged the router from it for testing.

Basic ping and tracert (VRP's name for traceroute) commands look like the following.

If you want to change the hostname, the following command does it:
sysname NAME

Finally, the save command writes the current configuration to the startup configuration file, and the following commands show the running and the saved configuration respectively:
display current-configuration
display saved-configuration

I think this is enough to get started with Huawei VRP. Also, unlike Cisco routers, there is a web GUI too; we can use the IP address I configured to access it.

The Web GUI uses the same credentials as the CLI, but if you use the EVE image like me, the user super will not be able to log in to the Web UI. For that you have to add the http service type to that user as follows, and everything will work:

[Huawei]aaa
[Huawei-aaa]local-user super service-type telnet terminal http

Keep in mind that telnet and plain http are cleartext protocols, so the password above crosses the wire unprotected. That is fine on an isolated lab network, but on anything else give the user the ssh service type instead, enable the SSH server (stelnet server enable) and use HTTPS for the web UI.
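The following is an added example put together for this page, not one of the screenshots from the original post: it is the whole management setup discussed above as one VRP session. The hostname R1, the address 100.1.1.1/24 on GigabitEthernet0/0/0, the console password and the banner text are assumed values; the display this output is what VRP prints for that interface at that point.

```text
<Huawei> system-view
[Huawei] sysname R1
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip address 100.1.1.1 255.255.255.0
[R1-GigabitEthernet0/0/0] undo shutdown
[R1-GigabitEthernet0/0/0] display this
#
interface GigabitEthernet0/0/0
 ip address 100.1.1.1 255.255.255.0
#
return
[R1-GigabitEthernet0/0/0] quit
[R1] user-interface console 0
[R1-ui-console0] authentication-mode password
[R1-ui-console0] set authentication password cipher Lab@Console1
[R1-ui-console0] idle-timeout 5 0
[R1-ui-console0] quit
[R1] header shell information "Authorized access only - R1 lab router"
[R1] aaa
[R1-aaa] local-user super service-type telnet terminal http
[R1-aaa] quit
[R1] display ip routing-table
[R1] display arp
[R1] return
<R1> ping 100.1.1.50
<R1> tracert 100.1.1.50
<R1> save
The current configuration will be written to the device. Are you sure to continue?[Y/N]:y
<R1> display saved-configuration
```

On recent VRP versions set authentication password cipher does not take the password on the command line but prompts for it interactively; either way the password is stored encrypted in the configuration. Everything before save lives only in the running configuration, so if you reboot the lab before saving you start again from the old startup configuration.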

Monday, December 28, 2020

Here I am going to share my experience of the initial FMC + FTD lab setup. You need an EVE-NG server with a lot of RAM, otherwise it won't work:


32 GB RAM For FMC
8 GB RAM per FTD

It takes a long time to come up even with that amount of RAM, perhaps more than 30 minutes!

Also remember to keep FMC and FTD on the same version (FMC must be at least as new as the FTDs it manages).
ex:- If FMC is 6.2.0, the FTD should also be 6.2.0


I used version 6.2.0; 6.3.0 was not working for me.
For both FMC and FTD, the default credentials are as follows:

username: admin
password: Admin123

If FMC or FTD seems to have booted but keeps rejecting the credentials, give it some more time and try again; it is probably still booting. If it is not coming up and shows a database connection error or similar, reboot it and hit Enter when the red screen appears.

First, let's look at FMC.

After you log in with the default credentials, enter the following command and you will go through the initial network setup wizard:
sudo configure-network

As you can see, the management IP address of FMC is 10.1.3.10.
This is the IP I use to log in to FMC and also to register the FTDs.

After that is configured, you can access FMC through a web browser. The first time you log in it goes through a configuration verification page, where you set the new password.

Now it's time to register it in evaluation mode.

Go to System > Licenses > Smart Licenses and click on evaluation mode.
This gives you 90 days of full features.

Now to the FTD.

After you enter the default credentials you will be asked to accept the EULA (End User License Agreement), then to change the default password, and then the setup wizard comes up.

Afterwards you can verify the configuration with the following command:
>show network

Now let's add the FTD to FMC.

Point the FTD at the FMC with the following command:
>configure manager add 10.1.3.10 cisco123

cisco123 is the registration key. It is an arbitrary string of your choosing, but the same string must be entered as the registration key in the FMC Add Device dialog, otherwise registration fails.

Now you can verify the configured FMC address with the following command:
>show managers

Now in the FMC GUI,

go to Devices > Device Management > +Add Device and enter the FTD's management IP, a display name and the registration key you used above.

You will also need to select an Access Control Policy, because an FTD must have one assigned when it is added.

Just click on the drop-down and create a new one with the default action Network Discovery, like the following.

If it is added successfully, you will see it like the following:

Notes:-

You will notice that you cannot ping anywhere from the FTD CLI:

This is because there is no route anywhere and no IP address is shown on the Management interface:

This is because you are looking at the ASA (LINA) engine, which does not own the management address. To go to the Firepower side, enter the following command:
>expert

Now you can see the gateway given at the beginning, and you should be able to ping the FMC from here. Remember that this is a Linux shell.

By the way, there is also a command in the Converged CLISH (the > prompt) that pings over the management interface, so you can check reachability of the FMC without dropping to expert mode:
ping system 10.1.3.10

If you ever need to change the IP address of the FMC, you can do it with the following command from expert mode:
sudo /usr/local/sf/bin/configure-network



Friday, December 25, 2020

Though the documentation says Panorama is supported in EVE-NG, you will notice that you cannot find a device called Panorama in the drop-down menu when you try to add a new node.


The real reason is that there is no template created for Panorama. Maybe it will be fixed in future releases, because they have even added Panorama icons to the system.

Anyhow here is the way to do it.

First of all you need a KVM image of Panorama. You will find it on the Palo Alto Customer Support Portal, if you have a login.

I cannot put a link to it here because they are copyrighted content. 😒

Go to Customer Support Portal > Updates > Software Updates & Select Panorama Base Images.

I downloaded Panorama-KVM-8.1.2.qcow2


Now you will have to access EVE-NG through the CLI and a file transfer tool like WinSCP.

I used WinSCP as the software..

Because the newer versions of EVE use different sets of templates for different CPU vendors (Intel or AMD), you will have to find out which one yours is.

If you don't know, run the following command on the CLI:
lsmod | grep ^kvm_

As you can see, mine is Intel.

Now use WinSCP to navigate to the following location on EVE:
/opt/unetlab/html/templates/intel

If yours is AMD-based, the path is /opt/unetlab/html/templates/amd

Now grab a YML template that suits Panorama best. There was this newimage.yml, so I decided to use it. Just copy it from EVE to your desktop and open it:

Now you will see something like the above; note that I have edited the underlined parameters to match Panorama.

Note:-

The icon name is the icon image file shown in the workspace when you add this node to a lab. I didn't need to upload an image for that because it was already there.
Also remember that the description is the text shown in the drop-down list where you add a new device.

Then I renamed the file panorama.yml and uploaded it to /opt/unetlab/html/templates/intel

Then I navigated to /opt/unetlab/addons/qemu and created a folder named panorama-8.1.2

Note:-

The naming of this folder is very important: I had to use a name starting with panorama- because I named the YML file panorama.yml. If I had used something like pano.yml as the template name, I would have to use an image folder name starting with "pano-". The rest of the folder name can be anything, such as the version of the image.

Now go inside the image folder, upload the KVM image and rename it virtioa.qcow2

Now go to the EVE CLI and run the following command to fix permissions:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Now the drop-down shows it and you can add a Panorama to a lab successfully.

The default username and password are admin/admin; change them on first login.
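As an added example for this page (not part of EVE-NG and not the template from the post), here is the procedure above as a script for the EVE-NG host shell, with the CPU-vendor detection, the template derivation and the folder-name rule turned into functions that can be checked before anything is copied into /opt/unetlab. It assumes the stock newimage.yml contains description:, name: and icon: lines, that an icon file named panorama.png exists in the EVE icon folder (the post says Panorama icons ship with recent EVE; check the exact file name), and 8.1.2 as the image version.

```bash
#!/bin/bash
# Added example for this page: wraps the manual Panorama-template steps
# into checked shell functions. Not part of EVE-NG. Paths follow the post;
# the keys rewritten by make_template (description/name/icon) are assumed
# to exist in the stock newimage.yml, and panorama.png is an assumed icon.
set -u

EVE_TEMPLATES=/opt/unetlab/html/templates   # has an intel/ or amd/ subfolder
EVE_QEMU=/opt/unetlab/addons/qemu           # one folder per image

# Print "intel" or "amd" from lsmod output read on stdin, the same check
# as `lsmod | grep ^kvm_` in the post. Returns 1 if no KVM module is loaded.
kvm_vendor() {
    local mods
    mods=$(grep -E '^kvm_(intel|amd)' || true)
    case "$mods" in
        kvm_intel*) echo intel ;;
        kvm_amd*)   echo amd ;;
        *) echo "no kvm_intel/kvm_amd module loaded; is this a KVM host?" >&2; return 1 ;;
    esac
}

# Derive the Panorama template from the stock newimage.yml: copy it and
# rewrite only the lines the post edits.  $1=source yml  $2=destination yml
# $3=text shown in the add-node drop-down (the description key).
make_template() {
    local src=$1 dst=$2 desc=$3
    [ -f "$src" ] || { echo "missing template $src" >&2; return 1; }
    sed -e "s|^description:.*|description: $desc|" \
        -e "s|^name:.*|name: Panorama|" \
        -e "s|^icon:.*|icon: panorama.png|" "$src" > "$dst"
}

# EVE matches image folders to templates by name prefix: template foo.yml
# needs an image folder foo-<anything>.  $1=template path  $2=folder name.
folder_matches_template() {
    local tmpl=$1 folder=$2
    local base=${tmpl##*/}      # strip directories
    base=${base%.yml}           # strip the extension
    case "$folder" in
        "$base"-?*) return 0 ;;
        *) echo "folder '$folder' must start with '$base-'" >&2; return 1 ;;
    esac
}

# The full procedure from the post.  $1 = path to the downloaded qcow2.
install_panorama() {
    local qcow=$1 vendor folder=panorama-8.1.2
    [ -f "$qcow" ] || { echo "missing image $qcow" >&2; return 1; }
    vendor=$(lsmod | kvm_vendor) || return 1
    make_template "$EVE_TEMPLATES/$vendor/newimage.yml" \
                  "$EVE_TEMPLATES/$vendor/panorama.yml" "Palo Alto Panorama" || return 1
    folder_matches_template panorama.yml "$folder" || return 1
    mkdir -p "$EVE_QEMU/$folder"
    cp "$qcow" "$EVE_QEMU/$folder/virtioa.qcow2"
    /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
}

# Only act when asked explicitly:
#   ./panorama-template.sh install /root/Panorama-KVM-8.1.2.qcow2
if [ "${1:-}" = install ]; then
    install_panorama "${2:?path to the Panorama qcow2 is required}"
fi
```

Copying and editing the stock template with sed, rather than writing a new one from scratch, keeps every other key (CPU, RAM, NIC and QEMU options) exactly as the EVE release that ships newimage.yml expects them; only the three values the post changes are touched. The folder check runs before anything is copied, so a mismatch between the template name and the image folder is caught in the shell instead of as a silently missing node in the drop-down.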