Friday, September 22, 2017

Summary on the RADIUS Authentication Implemented on Huawei OLT

Some FAQs in the implementation of RADIUS authentication:

Q: By default, the username reported for RADIUS authentication includes the domain name. You can run the undo radius-server user-name domain-included command to exclude it. After this configuration, does the domain name still need to be included in the username for logging in to the device?
A: Yes. The domain name must be included in the username for logging in to the device, regardless of whether the undo radius-server user-name domain-included command has been run to exclude the domain name from the username used for RADIUS authentication.

Q: Two domains exist on the MA5600T after RADIUS authentication is configured: a default domain, and a huawei domain authenticated by RADIUS. If the default domain is deleted, does the domain name need to be included in the username for login?
A: Huawei MA5600T (V800R006C02): Regardless of whether the user uses the default username or a configured username, the domain name must be included in the username for logging in. MA5600T (V800R007 and later versions): The username can be configured by running the terminal user authentication-mode AAA domain-name command. After the configuration, the system automatically adds a domain name to the username when the user logs in to the RADIUS server for authentication.

Q: Can the username of RADIUS authentication be displayed by running the display terminal user command?
A: The display terminal user command is used to query users without domain names.

Q: Why is the user authority for RADIUS authentication limited, with no support for config mode?
A: The user with a domain name has limited authority on the RADIUS server; the priority must be set to 2 on the RADIUS server for the user to enter config mode.

Q: Does the Huawei OLT support a configuration in which a local account can be used only when the user logs in through a serial port, and cannot be used when the user logs in remotely?
A: The MA5600T of version V800R006C02 does not support it. V800R007 and later versions of the MA5600T support this configuration for some accounts (excluding the root and admin accounts): run the terminal user authentication-mode AAA domain-name command to set the authentication mode of the terminal user to AAA. In this case:
  • The system can add .@huawei to a username that has no domain name.
  • The AAA account can be used to log in remotely, and the account can pass the authentication. If a local account is used to log in remotely, the account cannot pass the authentication. However, the root and admin accounts can pass the authentication for remote login; other local accounts cannot.

Wednesday, September 20, 2017

How to Log In to Huawei S2300 S3300 Switch System for the First Time?

Example for Performing Basic Configuration on the Device at First Login

Networking Requirements
After logging in to the device through the console port, set the user level to 15 for Telnet users on VTY interfaces 0 through 4, and set the authentication mode to AAA authentication.

Networking diagram for configuring the device through the console port
Configuration Roadmap
1. Log in to the device through the console port. The HyperTerminal of Windows XP can be used as the terminal emulation software on the PC.
2. Configure the device.

Procedure
Step 1 Log in to the device from PC1 through the console port. For details, see Logging In Through the Console Port.
Step 2 Configure the device.
# Set the system date, time, and time zone.
<Quidway> clock timezone BJ add 08:00:00
<Quidway> clock datetime 20:10:0 2012-07-26
# Set the device name and IP address of the management interface.
<Quidway> system-view
[Quidway] sysname Server
[Server] vlan 10
[Server-vlan10] quit
[Server] interface ethernet 0/0/1
[Server-Ethernet0/0/1] port hybrid pvid vlan 10
[Server-Ethernet0/0/1] port hybrid untagged vlan 10
[Server-Ethernet0/0/1] quit
[Server] interface vlanif 10
[Server-Vlanif10] ip address 10.137.217.177 24
[Server-Vlanif10] quit
# Set the user level and authentication mode for Telnet users.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
[Server] aaa
[Server-aaa] local-user huawei password cipher huawei2012
[Server-aaa] local-user huawei privilege level 15
[Server-aaa] local-user huawei service-type telnet
[Server-aaa] quit
Step 3 Verify the configuration.
After completing the configuration, you can log in to the device (for example, an S3328TP-PWR-EI) through Telnet on PC2.
Access the command line interface of Windows XP and log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177
Press Enter. On the displayed login page, enter the user name and password. If the authentication succeeds, the command line interface for the user view is displayed. (The following information is only for reference.)
Login authentication
Username:huawei
Password:
Info: The max number of VTY users is 15, and the number
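
An added example (not part of the original post or of Huawei's documentation): a small Python check that reads the VTY and AAA commands from Step 2 as a CLI transcript and reports the settings a reviewer would question before the device goes on a network: level 15 on the VTY lines and on the account, Telnet as the service type, and a password that contains the username. The audit function and its rule names are assumptions made for this example.

```python
import re

# Step 2 of the post (VTY/AAA part), copied as typed at the device prompts.
SESSION = """\
# Set the user level and authentication mode for Telnet users.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
[Server] aaa
[Server-aaa] local-user huawei password cipher huawei2012
[Server-aaa] local-user huawei privilege level 15
[Server-aaa] local-user huawei service-type telnet
[Server-aaa] quit
"""

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # <Quidway> or [Server-aaa]
TOP_LEVEL = 15  # highest VRP user level


def audit(session):
    """Return sorted (rule, subject) findings for a VRP CLI transcript."""
    findings = set()
    vty = None  # VTY range currently being configured, e.g. "0 4"
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if not cmd or cmd.startswith("#"):  # blank line or comment line
            continue
        if m := re.fullmatch(r"user-interface vty (\d+(?: \d+)?)", cmd):
            vty = m.group(1)
        elif cmd in ("quit", "return"):
            vty = None
        elif vty and (m := re.fullmatch(r"user privilege level (\d+)", cmd)):
            if int(m.group(1)) == TOP_LEVEL:
                findings.add(("vty-level-15", f"vty {vty}"))
        elif vty and (m := re.fullmatch(r"authentication-mode (\S+)", cmd)):
            if m.group(1) != "aaa":  # password/none: no per-user accounts
                findings.add(("vty-no-aaa", f"vty {vty}"))
        elif m := re.fullmatch(r"local-user (\S+) (.+)", cmd):
            user, rest = m.group(1), m.group(2).split()
            if rest[:2] == ["privilege", "level"] and rest[2:] == [str(TOP_LEVEL)]:
                findings.add(("user-level-15", user))
            elif rest[0] == "service-type" and "telnet" in rest[1:]:
                findings.add(("telnet-cleartext", user))  # Telnet is unencrypted
            elif rest[:2] == ["password", "cipher"] and len(rest) == 3:
                # Only meaningful for typed transcripts, where the value is
                # still the plaintext the operator entered.
                if user.lower() in rest[2].lower():
                    findings.add(("password-contains-username", user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit(SESSION):
        print(f"{rule:28} {subject}")
```
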


Huawei GPON Service board GPBH

The GPBH is an 8-port GPON interface board for the Huawei MA5600T, MA5603T, and MA5608T. It works with the optical network terminal (ONT) to provide GPON access service.

Working principle of the GPBH board 
The basic working principle of the GPBH board is as follows:
  • The control module loads the board software, controls the running of the board, and manages the board.
  • The switching module aggregates the signals from eight GPON ports.
  • The interface module converts between GPON signals and Ethernet packets.
  • The power module supplies power to other functional modules of the board.
  • The clock module provides the working clock for other functional modules of the board.


Monday, September 18, 2017

What is the System Architecture of Huawei OTN OSN8800?


The OptiX OSN 8800 system uses the L0 + L1 + L2 architecture. Ethernet/MPLS-TP switching is implemented on Layer 2, ODUk/VC switching on Layer 1, and wavelength switching on Layer 0.

System architecture of the OptiX OSN 8800 (MS-OTN) 
System architecture of the OptiX OSN 8800 (OCS)

Functions of modules are as follows:
  • Optical-layer boards are classified into optical multiplexer and demultiplexer boards, optical add/drop multiplexing (OADM) boards, optical amplifier (OA) boards, optical supervisory channel (OSC) boards, optical spectrum analysis boards, optical variable attenuator boards, and optical power and dispersion equalization boards. These boards are intended to process optical-layer services, for example, to cross-connect wavelengths at the optical layer.
  • Electrical-layer boards such as OTU, tributary, and line boards like 40G TN54NS3 are used to process electrical-layer signals, and perform conversion between optical and electrical signals. The OptiX OSN 8800 uses a tributary-line-separate architecture, and a centralized cross-connect unit to flexibly groom electrical-layer signals at different granularities.
  • For OptiX OSN 8800, a universal line board is used to process electrical-layer signals and perform conversion between optical and electrical signals. In addition, a universal line board can work with a centralized cross-connect board to achieve hybrid transmission and fine-grained grooming of OTN, SDH, and packet services.
  • For OptiX OSN 8800, EoO, EoW, Ethernet over SDH (EoS), and packet boards have L2 processing capabilities. They can add, strip, and exchange MPLS or VLAN tags, learn MAC addresses, and forward packets. Only packet boards can add, strip, or exchange MPLS tags.
  • As the control center of the entire system, the system control and communication (TN52SCC) board cooperates with the network management system (NMS) to manage boards in the system and to implement inter-subrack communication.
  • The clock board provides system clock signals and frame header signals to each service board, and synchronizes the local system time with the upstream system time, achieving clock and time synchronization.
  • The power supply and fan systems with a redundancy protection design ensure highly-reliable equipment operation.
  • The auxiliary interface board provides functional ports such as clock/time input/output ports, management serial port, alarm output and cascading ports, and alarm input/output ports.
  • Inter-board communication and service cross-connections, clock synchronization, and power supplies are implemented using the backplane buses. Backplane buses include control and communication buses, clock buses, and power buses.


FTTH Networking and Configuration Scenarios

Typical FTTH networking diagram 



Bridging ONT + HGW Network Scenario

The HGW integrating an IAD provides Internet, voice over Internet Protocol (VoIP), and Internet Protocol television (IPTV) services to users.

Services are implemented on the HGW, and the bridging ONT works with the OLT to provide Layer 2 channels.

Bridging+Voice ONT Network Scenario
The ONT integrating an integrated access device (IAD) provides Internet, VoIP, and IPTV services to users.
The bridging+voice ONT provides Layer 2 data and voice services. This scenario provides transparent transmission channels and requires simple service configuration, so this scenario applies to Layer 2 networking.
  • For data services, a PC directly performs dial-up. Then, the upper-layer broadband remote access server (BRAS) device authenticates the PC and grants it access. The PC can also access the Internet using the Dynamic Host Configuration Protocol (DHCP) or a static IP address.
  • The ONT with a built-in voice module encapsulates voice service packets, and the OLT transmits them to the upstream next generation network (NGN) or IP multimedia subsystem (IMS).

Gateway ONT Network Scenario
Huawei ONT integrating an IAD provides Internet, VoIP, and IPTV services to users.
The HGW ONT facilitates interconnection of home devices by providing Layer 3 services, such as Point-to-Point Protocol over Ethernet (PPPoE)/DHCP dial-up, network address translation (NAT), and Internet Group Management Protocol (IGMP) snooping. This scenario provides fine-grained management channels and service control, and applies to Layer 3 networking.

FTTH Deployment Schemes

FTTH service application includes the deployment process and service provisioning process. The FTTH deployment process includes OLT deployment (configuration) and configuration of basic data. No deployment, however, is required on the ONT and the ONT is plug and play once services are provisioned.
FTTH deployment schemes

Scheme
  • On the NMS: Profiles can be issued in batches.
  • Using commands on the OLT: Configuration scripts containing commands can be imported to the OLT.
  • Using the OSS: This method is recommended and it can implement automatic service provisioning, and eliminate problems caused by manual service provisioning, such as large workload, low efficiency, and difficult management.
  • Using OSS+ITMS: This method is recommended if the multiple private nodes are customized for carriers. Using a TR069 server, new gateways and value-added voice services can be simply added.
    • Layer 2 configuration data is issued on the NMS or OLT MA5603T or MA5600T.
    • Other configuration data such as voice, Layer 3, and Wi-Fi data is issued using the ITMS.
  • On the NMS: It applies to the scenario when no OSS is available and services need to be provisioned manually on the NMS.
  • On the ONT web page: When it is not feasible to provision services on the OSS or NMS, you can log in to the ONT web page and configure or modify parameters to provision services.
Parameter
  • DBA profile
  • Line profile
  • Service profile
  • IP traffic profile
  • Service level profile
  • Global OLT configurations (rather than FTTH user configurations) such as multicast VLAN, multicast mode, and policy of forwarding unknown packets
  • FTTH user service VLAN configurations including adding VLANs, setting the attributes of VLANs, and adding upstream ports for VLANs
ONT service provisioning parameters are classified into common parameters and customized parameters:
  • Customized parameters are usually issued by the upper-layer system during service provisioning.
  • Common parameters are usually configured at delivery or during data pre-configuration.

Sunday, September 17, 2017

Huawei S2700 Series Enterprise Switches

Product Overview

Huawei S2700 series enterprise switches (S2700 for short), including S2710, S2720, S2750, and S2751 series, are next-generation energy-saving intelligent 100M Ethernet switches developed by Huawei. The S2700 utilizes cutting-edge switching technologies and Huawei Versatile Routing Platform (VRP) software to meet the demand for multi-service provisioning and access on Ethernet networks. It is easy to install and maintain. With its flexible network deployment, comprehensive security and quality of service (QoS) policies, and energy-saving technologies, the S2700 helps enterprise customers build next-generation IT networks.

The S2700 is a box device that is 1 U (44.45 mm or 1.75 in.) high. It is available in a standard version (SI) or an enhanced version (EI).

Product Appearance

The S2700-9TP-EI-DC is taken as an example below.


• 8 Ethernet 10/100 ports, 1 dual-purpose 10/100/1000 or SFP
• AC and DC power supply for the EI version; AC power supply for the SI version
• Forwarding performance: 2.7 Mpps

Product Features and Highlights

Easy Operation
• The S2700 supports Huawei Easy Operation function. Thanks to this function, the S2700 implements easy installation, configuration, monitoring, and troubleshooting, greatly reduces initial installation and configuration costs, improves upgrade efficiency and lowers engineering costs. It provides a Web network management system (NMS) with a user-friendly graphical user interface (GUI) to implement alarm management and visual configuration, facilitating operation and maintenance. In addition, it supports faulty device replacement without configuration.

• The S2700 offers a new application-specific integrated circuit (ASIC) switching technique and a fan-free design. This design reduces mechanical faults and protects the device against damage caused by condensed water and dust.

Flexible service control
• The S2700-EI supports various ACLs. ACL rules can be applied to VLANs to flexibly control ports and schedule VLAN resources.

PoE function Switch
• The S2700 PWR series support improved Power over Ethernet (PoE) solutions and you can determine whether a PoE port provides power and the time a PoE port provides power. The S2700 PWR can use PoE power supplies with different power levels to provide the PoE function. Powered devices (PDs) such as IP Phones, WLAN APs, and Bluetooth APs can be connected to the S2700 PWR through network cables. The S2700 PWR provides -48V DC power for the PDs.

• In its role as power sourcing equipment (PSE), the S2700 PWR complies with IEEE 802.3af and 802.3at (PoE+), and can work with PDs that are incompatible with 802.3af or 802.3at (PoE+). Each port provides a maximum of 30 W of power, complying with IEEE 802.3at. The PoE+ function increases the maximum power available on each port and implements intelligent power management for high-power consumption applications. This process facilitates the ease of PD use. PoE ports are still able to work while in power-saving mode.

Tuesday, September 12, 2017

Do you know Huawei small-size DSLAM MA5616 and the Highlights? (1)

Huawei DSLAM SmartAX MA5616 Multi-service Access Module (MA5616 for short) is a 2-U high and 19-inch wide board-inserted device. It provides four service slots for flexible board configurations.
The MA5616 applies in fiber to the building (FTTB) and fiber to the curb (FTTC) scenarios. It can also function as a mini-digital subscriber line access multiplexer (DSLAM) or multiservice access node (MSAN). The MA5616 can be installed in corridors or cabinets (indoor or outdoor).
Each MA5616 provides user-to-network interfaces (UNIs), such as ADSL2+, VDSL2, SHDSL, POTS, FE, P2P, ISDN, or combo ports, and two network-to-network interfaces (NNIs) that support autonegotiation among GPON, EPON

Product Display

The following figure shows the appearance of the MA5616 equipped with a CCUE control board and PAIC power board.


CCUE control board



Hardware Structure

Commissioning serial port/Environment monitoring port

For the CON port: supports local and remote maintenance, which allows users to configure the MA5616 using software, such as HyperTerminal, through CLI. The default baud rate is 9600 bit/s.
For the ESC port: connects to an environment monitoring unit (EMU), which sends monitored environment parameters to the MA5616.

Uplink optical port

Supports auto-negotiation among GPON, EPON, and GE. Provides GPON, EPON, and GE upstream transmission or GE cascading. When this uplink optical port is used as a GE port, it is an alternative to the GE electrical (RJ45) port.

Maintenance network port
A 100M Base-T commissioning network port, which is a front-access-cabled FE port and supports 100 Mbit/s full-duplex in auto-negotiation mode.

Clock port
Outputs 2 MHz clock pulse signals.

Environment parameter monitoring port
Can be connected to a sensor to monitor environment parameters.

GE electrical port
Supports 1000 Mbit/s full-duplex upstream transmission or cascading in auto-negotiation mode. It is an alternative to the uplink optical (SFP) port.