Intended Audience
This document is intended for network engineers responsible for switch management and maintenance. You should be familiar with basic Ethernet knowledge and have extensive network management experience. In addition, you should understand your network well, including the network topology and deployed network services.
Symbol Conventions
The symbols that may appear in this document are defined as follows.

Symbol | Description
---|---
DANGER | Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
WARNING | Indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury.
CAUTION | Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
NOTICE | Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE | Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Command Conventions
Convention | Description
---|---
Boldface | The keywords of a command line are in boldface.
Italic | Command arguments are in italic.
[ ] | Items (keywords or arguments) in square brackets [ ] are optional.
{ x \| y \| ... } | Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x \| y \| ... ] | Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x \| y \| ... } * | Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x \| y \| ... ] * | Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n> | The parameter before the & sign can be repeated 1 to n times.
# | The parameter before the # sign can be repeated 1 to n times.
Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.
Security Conventions
- Password setting
  - Configuring a ciphertext password is recommended. For security purposes, do not disable the password complexity check, and change the password periodically.
  - When configuring a cleartext password, do not start and end the password with %@%#, because the device then treats the password as a valid ciphertext that it can decrypt, which makes the password visible in the configuration file.
  - Multiple features cannot use the same ciphertext password. For example, the ciphertext password set for the AAA feature cannot be used for other features.
- Encryption algorithms

  Currently, the device supports the following encryption algorithms: DES, 3DES, AES, DSA, RSA, DH, ECDH, HMAC, SHA1, SHA2, and MD5. Select an encryption algorithm according to the application scenario. Use the recommended encryption algorithm; otherwise, security protection requirements may not be met.
  - Recommended symmetric encryption algorithm: AES (with a 128-bit or longer key).
  - Recommended asymmetric encryption algorithm: RSA (with a 2048-bit or longer key). Use different key pairs for encryption and signature.
  - Recommended encryption algorithm for the digital signature: RSA (with a 2048-bit or longer key).
  - Recommended encryption algorithm for key negotiation: DH (with a 3072-bit or longer key) or ECDH (with a 256-bit or longer key).
  - Recommended hash algorithm: SHA2 (256-bit or higher).
  - Recommended hash-based message authentication code (HMAC) algorithm: HMAC-SHA2.
  - The SHA1, SHA2, and MD5 encryption algorithms are irreversible, and the DES, 3DES, RSA, and AES encryption algorithms are reversible.
  - In SSH2.0, when a symmetric encryption algorithm in CBC mode is used, data may be subject to a plaintext-recovery attack, causing disclosure of encrypted data. Therefore, you are not advised to use the CBC mode for data encryption in SSH2.
  - SSL provides a handshake mechanism that allows a client and a server to establish a session, authenticate each other's identity, and negotiate the key and cipher suite. It is recommended that a cipher suite of TLS 1.2 or a later version be used during communication. In all TLS versions, when a symmetric encryption algorithm in CBC mode is used, data may be subject to a plaintext-recovery attack, causing disclosure of encrypted data. Therefore, you are not advised to use the CBC mode for data encryption in TLS.
- Personal data

  Some personal data (such as MAC or IP addresses of terminals) may be obtained or used during operation or fault locating of your purchased products, services, or features, so you have an obligation to make privacy policies and take proper measures according to the applicable laws of the country to fully protect personal data.
  - The terms mirrored port, port mirroring, flow mirroring, and mirroring in this document are mentioned only to describe the purpose of detecting faults and errors in communication transmission. They do not involve collection or processing of any personal information or communication data of users.
- Reliability design declaration

  Network planning and site design must comply with reliability design principles and provide device- and solution-level protection. Device-level protection includes planning principles of dual-network and inter-card dual-link to avoid a single point of failure or a single link failure. Solution-level protection refers to fast convergence protection mechanisms such as FRR and VRRP. If solution-level protection is used, ensure that the primary and backup paths do not share links or transmission devices. Otherwise, solution-level protection may fail to take effect.
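The encryption-algorithm recommendations above can be turned into a simple audit rule set. The following Python is an added illustration, not Huawei code and not something the switch emits: it assumes a constructed list of negotiated choices (algorithm name, key or digest length, cipher mode, protocol) and reports every entry that falls below the page's stated minimums, uses a weak algorithm, or uses CBC mode in SSH or TLS.

```python
"""Audit negotiated algorithm choices against the Security Conventions above.
Added example; input format is a constructed dictionary, not device output."""

# Minimum key (or digest) length in bits, as recommended on this page.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "DH": 3072, "ECDH": 256, "SHA2": 256}

# Algorithms the page does not recommend for new deployments.
WEAK = {"DES", "3DES", "MD5", "SHA1"}


def check_algorithm(name, key_bits=None, mode=None, protocol=None):
    """Return a list of findings; an empty list means the choice meets the guidance."""
    findings = []
    base = name.upper()
    if base in WEAK:
        findings.append(f"{name}: weak algorithm, use a recommended one")
    if base in MIN_KEY_BITS and (key_bits is None or key_bits < MIN_KEY_BITS[base]):
        findings.append(f"{name}: length {key_bits} bits is below the minimum "
                        f"of {MIN_KEY_BITS[base]} bits")
    # CBC mode is exposed to plaintext-recovery attacks in both SSH2 and TLS.
    if mode and mode.upper() == "CBC" and protocol in ("SSH", "TLS"):
        findings.append(f"{name}-CBC in {protocol}: CBC mode not advised")
    return findings


def tls_version_ok(version):
    """True when the TLS version string (e.g. '1.2') is 1.2 or later."""
    return tuple(int(x) for x in version.split(".")) >= (1, 2)


def audit(config):
    """config: list of dicts with keys name, key_bits, mode, protocol."""
    out = []
    for entry in config:
        out.extend(check_algorithm(entry["name"], entry.get("key_bits"),
                                   entry.get("mode"), entry.get("protocol")))
    return out


# Constructed sample of one device's negotiated choices (hypothetical values).
SAMPLE = [
    {"name": "AES", "key_bits": 256, "mode": "CTR", "protocol": "SSH"},   # ok
    {"name": "AES", "key_bits": 128, "mode": "CBC", "protocol": "SSH"},   # CBC
    {"name": "RSA", "key_bits": 1024},                                    # short
    {"name": "DH", "key_bits": 2048},                                     # short
    {"name": "ECDH", "key_bits": 256},                                    # ok
    {"name": "SHA2", "key_bits": 256},                                    # ok
    {"name": "MD5"},                                                      # weak
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```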
Reference Standards and Protocols
To obtain reference standards and protocols, log in to Huawei official website, search for "standard and protocol compliance list", and download the Huawei S-Series Switch Standard and Protocol Compliance List.
Feature Usage Declaration
- Due to variations in security performance between protocols, some protocols may pose security risks. You can run the display security risk command to check security risks in the system, and eliminate the risks according to the recommended solutions.
- For security purposes, you are not advised to use insecure protocols Telnet, FTP, and TFTP and weak security algorithms or weak security protocols in SSH, SNMP, IS-IS, IS-ISv6, RIP, SSL, NTP, OSPF, PKI, and Keychain. If necessary, run the install feature-software WEAKEA command to install the weak security algorithm or protocol feature package WEAKEA. By default, the device provides the weak security algorithm or protocol feature package WEAKEA. For details about how to install or uninstall the feature package, see "Upgrade Maintenance Configuration" in CLI Configuration Guide > System Management Configuration.
- After the FIPS mode is enabled, protocols and algorithms with low security cannot be used. For example, FTP, TFTP, and Telnet cannot be used. When the device connects to a gRPC client, an AD server, or an LDAP server, SSL encryption is required.
  - After the FIPS mode is enabled, the device clears all certificates, keys, and passwords except the preset certificate and private key.
  - After the FIPS mode is enabled, the weak security algorithm/protocol feature package can be installed on the device, but does not take effect. That is, the weak security algorithm/protocol still cannot be used.
- The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and SCP. FTP, TFTP, and SFTPv1 have security risks. You are advised to use SFTPv2 or SCP to transfer files.
- Telnet, STelnet V1, and STelnet V2 can be used to log in to the device. Telnet and STelnet V1 have security risks. You are advised to use STelnet V2 to log in to the device.
- SNMPv1, SNMPv2c, and SNMPv3 can be used to manage the device. SNMPv1 and SNMPv2c have security risks. You are advised to use SNMPv3 to manage the device.
- The device supports the mirroring function, which is used for network detection and fault management and may involve some communication information of individual users. Huawei does not independently collect or store user communication information. You are responsible for complying with applicable laws and regulations when enabling related functions used to collect or store user communication information. During user communication information usage and storage, proper measures must be taken to protect user communication information.
- The device supports the packet obtaining function, which is used to detect transmission faults and errors. Huawei does not independently collect or store user communication information. You are responsible for complying with applicable laws and regulations when enabling related functions used to collect or store user communication information. During user communication information collection and storage, proper measures must be taken to protect user communication information.
- The device supports the NetStream function, which is used to collect statistics about and analyze service traffic on the network and may involve obtaining personal data such as IP address and MAC address. Huawei will not collect or store users' communication information without prior user approval. Therefore, you must use this function in compliance with the local laws and regulations, and take proper security protection measures to ensure that personal data of users is fully protected. For example, technical support engineers must not use this function to obtain packets unless they have been authorized by customers. Ensure obtained packets are deleted completely and immediately after the fault is located and analyzed. Huawei will not bear any legal responsibility or liabilities for any security events (such as personal data leakage) that are not the result of Huawei's misconduct.
- The device supports the Packet Event function, which is used to quickly locate faults and analyze network delay and may involve obtaining personal data such as IP addresses and MAC addresses. Huawei does not independently collect or store user communication information. Therefore, you must use this function in compliance with the local laws and regulations, and take proper security protection measures to ensure that personal data of users is fully protected. For example, technical support engineers must not use this function to obtain packets unless they have been authorized by customers. Ensure obtained packets are deleted completely and immediately after the fault is located and analyzed. Huawei will not bear any legal responsibility or liabilities for any security events (such as personal data leakage) that are not the result of Huawei's misconduct.
- The device supports the NAC function. This function is used to authenticate users and control users' network access rights, which may involve some communication information of individual users. You are responsible for complying with applicable laws and regulations when enabling related functions used to collect or store user communication information. During user communication information usage and storage, proper measures must be taken to protect user communication information.
Updated: 2023-05-11
Document ID: EDOC1100302418