HP Comware

 

Executive summary of this article: Following is an example for a base configuration of the router. 

 

Specials: It sets up a management IP address inside a separate VRF. The advantage is that the management is independent from other router configuration, e.g. a dynamic routing protocol will not override the static default route which could prevent management access. 

Further the example uses only one interface (one VM NIC), which is connected to a trunk containing all VLANs (e.g. ESX network with VLAN 4095 assigned). This way a new VLAN doesn't require an additional NIC, but can be setup as a sub-interface on the single NIC.

 

Prerequisites: This article assumes you already have a VSR installed with factory default configuration. Info how to install a VSR on ESXi you can find in this article.

 

Configuration tasks:

Startup the VSR, open the console window, and in the console window do some basic IP settings and enable ssh access

Assign a routername

sysname vsr01

Create a management VPN instance (route-distinguisher value basically doesn’t matter, we’re not going to use this one further. Further details on the route-distinguisher e.g. see URL http://packetlife.net/blog/2013/jun/10/route-distinguishers-and-route-targets/)

ip vpn-instance mgmt
route-distinguisher <e.g. 65000:999>

Create a subinterface for management, assign it to the mgmt VPN and assign it an IP address. Example uses VLAN 999 as the management VLAN and 10.99.9.0/24 as the management subnet

interface GigabitEthernet1/0.999
description mgmt interface
ip binding vpn-instance mgmt
 vlan-type dot1q vid 999
 ip address 10.99.9.11 24

Create a static default route in the management VRF, assuming default gateway 10.99.9.1

 ip route-static vpn-instance mgmt 0.0.0.0 0 10.99.9.1 description mgmt-route

Create a local user with admin permissions

local-user admin class manage
 password simple <password>
 service-type ssh telnet
 authorization-attribute user-role network-admin

Set authentication mode

line class vty
authentication-mode scheme

Create keys for ssh; suggesting to create with 2048 bits.

public-key local create rsa
public-key local create dsa

Enable the ssh server

 ssh server enable

 

If all done correct, and you've a valid routing path to the mgmt interface, from now on you should be able to connect to the system via ssh and use cut&paste of commands.

 

Optional/Recommended: Set an ACL to limit ssh access to specific source, e.g. 10.99.0.0/16, and assign to ssh server

acl number 2001
 description ACL to control VTY Access
 rule 0 permit vpn-instance mgmt source 10.99.0.0 0.0.255.255
 rule 98 deny vpn-instance mgmt counting
 rule 99 deny counting
ssh server acl 2001
 

Optional/recommended for troubleshooting reasons: Allow router to respond to ping & traceroute

 ip redirects enable
 ip unreachables enable
 ip ttl-expires enable

 

Optional: Increase auto-logout time and remember more commands in command history

line class vty
 idle-timeout 120 0
 history-command max-size 256

 

Optional: Set ntp to use server reachable via mgmt interface

ntp-service enable
ntp-service unicast-server 10.99.9.1 vpn-instance mgmt.

 

Optional: Set a syslog server reachable via mgmt interface

info-center loghost vpn-instance mgmt 10.99.9.1

 

Optional: Set some login header, ...

header shell %
 ________________________________________________________________
 
    Device name:    vsr01.at.my.domain
    Model:          HP VSR1000
    Location:       Germany, ESX server xyz
    Purpose:        VSR testrouter
 ________________________________________________________________
 
    This is a private system.
    Authorization is required to use this system.
    Use by unauthorized persons is prohibited.
%

 

Optional: Set timezone and daylight saving

 clock timezone Germany add 01:00:00
 clock summer-time Germany 02:00:00 March last Sunday 03:00:00 October last Sunday 01:00:00
 clock protocol ntp

Optional: Disable copyright info on login

 undo copyright-info enable

 

Optional/recommended: Save the configuration

save force

 

Comments   

0 #2 Jackie 2017-02-18 19:36
It's difficult to find experienced people about this topic, but you seem
like you know what you're talking about! Thanks

My web site ... Jackie: http://blogs.stockinvestorplace.com/?p=437>Optionsxo
Quote
0 #1 شرکت فنی مهندسی 2017-02-11 16:05
Nice post. I was checking constantly this blog and I'm impressed!
Extremely helpful info specifically the last part :) I care for such
info a lot. I was looking for this particular information for a very long time.
Thank you and best of luck.
Quote

Add comment


Security code
Refresh