How can I pull partial configs off of a TFTP server to an MSR30-20, A6604, or A7500....

  • 1.  How can I pull partial configs off of a TFTP server to an MSR30-20, A6604, or A7500....

    Posted Jul 03, 2013 06:48 AM

    So I'm trying to manage ACLs across a large environment. As such, there are lots of comments in these ACLs to explain why they exist, what they affect, who to contact to talk about an ACL, etc.  The problem is that the switch/routers themselves do not hold this many comments. 

     

    What we want to do (and are doing with Cisco gear) is maintain large ACL lists off of a TFTP server that we then periodically load into the switch/router/etc on an as-needed basis.  For instance, let's assume the following for a short ACL file:

     

    # FILE UNDER RCS CONTROL (aclmgmt.domainname.com)
    # $Id: twilight.acl,v 1.76 2013/06/17 20:47:40 root Exp root $
    # $Source: /var/lib/tftpboot/acl/RCS/twilight.acl,v $
    #
    # remove the running ACL prior to installing the replacement
    undo acl number 2010
    # ACL 2010
    #   Author:  person-x-y-z +1.xxx.xxx.xxxx
    #   Purpose: This ACL was designed to allow a specific block of addresses to
    #            pass through this router chokepoint and onward to the firewall
    #            where they will later be NAT'd to the public space.
    #
    acl number 2010 name access-public-acl
     rule 50 permit source 172.24.192.0 0.0.3.255
     rule 50 comment Addresses allowed to communicate with the Internet
     rule 90 deny

     

    This is a rather simple example; however, the point is that we can manage the files under RCS control on a Unix box, we can put whatever comments we want in the file, and that only the executable lines are actually loaded by the router.

     

    With Cisco equipment, we use "configure net" and it pulls in this fragment (we replace "undo" with "no", etc) to the router to get our new ACL in place.

     

    We have been unable to figure this one out with COMWARE devices, nor have we seen anywhere on the web comments one way or another on how to deal with TFTP configs that are NOT the entire configuration of the file (the point of these ACLs is that we might install the same ACL list on a dozen devices. It's up to the interfaces to use or not use the ACLs, but at least they are common across the entire data center).

     

    Any suggestions? ideas? pointers?

     

    Thanks in advance!


    #ACL
    #tftp
    #netconfiguration


  • 2.  RE: How can I pull partial configs off of a TFTP server to an MSR30-20, A6604, or A7500....

    Posted Jul 22, 2013 06:57 PM

    Hi,

     

    I had been looking for this myself for a while and did not find a CLI option to get it done.

    Recently I discovered the configfile SNMP operations, and through SNMP Comware allows a TFTP to running config.

     

    This would be the setup:

    1/ Install management system with net-snmp

    Copy these files to the shared mibs folder of net-snmp:

    hh3c-oid.mib
    hh3c-common-system.mib
    hh3c-config-man.mib
    hh3c-sys-man.mib
    rfc2578.sm2
    rfc2579.sm2
    rfc2580.sm2

     

    2/ Configure devices with SNMP write (I used v2c, but v3 should work as well)

     

    3/ Configure TFTP server with config file. Sample file acl.cfg:

    undo acl number 3001
    # testing comments
    acl number 3001
     rule 0 permit tcp destination-port eq www
     rule 5 permit ip
    return

     

    4/ On the management system, run this command:

    # tell snmpset to use the MIBS folder and load all mibs. Configure snmp community and host ip as required.

     

    # config file management creates "job" rows, which must be unique. In order to be sure the new record is available, delete the record first. In this example, record 1 is deleted (this record may not exist, so just to be safe)

     

    snmpset -v 2c -M C:\usr\share\snmp\mibs -m ALL -c private 10.0.0.1 hh3cCfgOperateRowStatus.1 i destroy

     

    # create new job record, with tftp server ip and filename:

     

    snmpset -v 2c -M C:\usr\share\snmp\mibs -m ALL -c private 10.0.0.1 hh3cCfgOperateType.1 i net2Running hh3cCfgOperateProtocol.1 i tftp hh3cCfgOperateFileName.1 s acl.cfg hh3cCfgOperateServerAddress.1 a 10.0.1.100   hh3cCfgOperateRowStatus.1 i createAndGo

     

    That is it, this worked for me (download and execute to running config).

     

    To save the running to startup config (did not look up the correct MIB naming ...)

    snmpset -v 2c -c private 10.0.0.1 1.3.6.1.4.1.25506.2.4.1.2.4.1.2.1 i 1 1.3.6.1.4.1.25506.2.4.1.2.4.1.9.1 i 4

    See attached H3C doc for config file reference,

     

    Hope this helps,

    Best regards, Peter.
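
A pre-publication check for fragments like acl.cfg above, as an added example that is not part of the original posts: because the device applies whatever the TFTP file contains to the running config, the check rejects any executable line that is not an ACL command for an expected ACL number. The allowlist of command shapes, the function name `lint_fragment` and the sample inputs are assumptions made for this example.

```python
import re

# Assumed allowlist: the only command shapes an ACL fragment should contain.
UNDO = re.compile(r"^undo acl number (\d+)$")
ACL = re.compile(r"^acl number (\d+)(?: name \S+)?$")
RULE = re.compile(r"^rule \d+ (?:permit|deny|comment)\b")

def lint_fragment(text, expected_acls):
    """Return (executable_lines, problems) for one ACL fragment."""
    executable, problems = [], []
    removed, current = set(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are documentation only
        executable.append(line)
        undo, acl = UNDO.match(line), ACL.match(line)
        if undo or acl:
            number = int((undo or acl).group(1))
            if number not in expected_acls:
                problems.append(f"line {lineno}: ACL {number} is not expected here")
            if undo:
                removed.add(number)
                current = None
            else:
                if number not in removed:
                    problems.append(f"line {lineno}: ACL {number} not removed first")
                current = number
        elif RULE.match(line):
            if current is None:
                problems.append(f"line {lineno}: rule outside an acl block")
        elif line == "return":
            current = None
        else:
            problems.append(f"line {lineno}: command not allowed: {line}")
    return executable, problems

# Constructed samples: GOOD mirrors acl.cfg from the thread, BAD adds a stray command.
GOOD = """undo acl number 3001
# testing comments
acl number 3001
 rule 0 permit tcp destination-port eq www
 rule 5 permit ip
return
"""
BAD = GOOD.replace("return\n", "return\nsysname changed\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_fragment(sample, {3001})[1])
```

Running the check on the management host before the file is copied into the TFTP root keeps a rejected fragment from ever being offered to a device.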


  • 3.  RE: How can I pull partial configs off of a TFTP server to an MSR30-20, A6604, or A7500....

    Posted Mar 15, 2015 10:49 PM

    Yikes, that's way convoluted. Ok, let me get some dinner and plan on an evening of joyous SNMP work to see what I can do... *sigh*

     

     Looks like the latest MIB is MIBs_V8 built on 05-Nov-2014. I found the latest (for the MSR20-20) at https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=JF283A with of course the latest MSR30-20 at https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=JF284A

     

    Geesh, 236MB of MIBs... what's in there, the kitchen sink?



  • 4.  RE: How can I pull partial configs off of a TFTP server to an MSR30-20, A6604, or A7500....

    Posted Mar 16, 2015 03:36 PM

    Hi Mdella,

     

    On the 7500 (Comware 5), you can use the "execute" command.

     

    Upload a file "<mycmds>.bat" with the commands you want to execute (yes, it MUST have the ".bat" extension ...), and do a

    ] execute <mycmds>.bat 

     

    Regards.