
ATN 910 Multi-service Access Equipment V200R001C01

Configuration Guide - Basic Configurations


Issue: 03
Date: 2012-03-19

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 03 (2012-03-19)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

ATN 910 Multi-service Access Equipment Configuration Guide - Basic Configurations

About This Document



Related Version
The following table lists the product version related to this document.

Product Name: ATN 910
Version: V200R001C01

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the VRP Overview, Establishment of the Configuration Environment, CLI Overview, Basic Configuration, User Management, File System, Management of Configuration Files, FTP, TFTP, Telnet and SSH, Upgrade and Maintenance features supported by the ATN 910 device.

This document is intended for:
- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer

Symbol Conventions
Symbol: Description

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.

Command Conventions
Convention: Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

GUI Conventions
Convention: Description

Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.


Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 03 (2012-03-19)


Known bugs are fixed.

Changes in Issue 02 (2012-01-06)


Known bugs are fixed.

Changes in Issue 01 (2011-10-28)


This document is the first release of the V200R001C01 version.


Contents

About This Document

1 Establishment of the Configuration Environment
1.1 Introduction to Establishment of the Configuration Environment
1.1.1 Login Through the Console
1.1.2 Login Through Telnet
1.2 Logging In to the Device Through the Console Port
1.2.1 Establishing the Configuration Task
1.2.2 Establishing the Physical Connection
1.2.3 Configuring Terminals
1.2.4 Logging In to the Device
1.3 Logging In to Device Through Telnet
1.3.1 Establishing the Configuration Task
1.3.2 Establishing the Physical Connection
1.3.3 Configuring Login User Parameters
1.3.4 Logging In from the Telnet Client
1.4 Configuration Examples
1.4.1 Example for Logging In Through the Console Port
1.4.2 Example for Logging In Through Telnet

2 CLI Overview
2.1 CLI Introduction
2.1.1 Command Line Interface
2.1.2 Command Levels
2.1.3 Command Line Views
2.2 Online Help
2.2.1 Full Help
2.2.2 Partial Help
2.2.3 Error Messages of the Command Line Interface
2.3 Features of Command Line Interface
2.3.1 Editing
2.3.2 Displaying
2.3.3 Regular Expressions
2.3.4 History Commands
2.3.5 Batch Command Execution
2.4 Shortcut Keys
2.4.1 Classifying Shortcut Keys
2.4.2 Defining Shortcut Keys
2.4.3 Use of Shortcut Keys
2.5 Configuration Examples
2.5.1 Example for Running Commands in Batches
2.5.2 Example for Using Tab
2.5.3 Example for Using Shortcut Keys
2.5.4 Copying Commands Using Shortcut Keys

3 Basic Configuration
3.1 Basic Configuration Introduction
3.2 Configuring the Basic System Environment
3.2.1 Establishing the Configuration Task
3.2.2 Switching the Language Mode
3.2.3 Configuring the Equipment Name
3.2.4 Setting the System Clock
3.2.5 Configuring a Header
3.2.6 Configuring Command Levels
3.2.7 Configuring the Undo Command to Match in the Previous View Automatically
3.3 Configuring Basic User Environment
3.3.1 Establishing the Configuration Task
3.3.2 Configuring the Password for Switching User Levels
3.3.3 Switching User Levels
3.3.4 Locking User Interfaces
3.4 Displaying System Status Messages
3.4.1 Displaying System Configuration
3.4.2 Displaying System Status
3.4.3 Collecting System Diagnostic Information

4 User Management
4.1 User Management Introduction
4.1.1 User Interface View
4.1.2 User Management
4.2 Configuring Console User Interface
4.2.1 Establishing the Configuration Task
4.2.2 Configuring Console Interface Attributes
4.2.3 Setting Console Terminal Attributes
4.2.4 Configuring User Priority
4.2.5 Configuring User Authentication
4.2.6 Checking the Configuration
4.3 Configuring VTY User Interface
4.3.1 Establishing the Configuration Task
4.3.2 Configuring Maximum VTY User Interfaces
4.3.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls
4.3.4 Configuring VTY Terminal Attributes
4.3.5 Configuring User Authentication
4.3.6 Checking the Configuration
4.4 Managing User Interfaces
4.4.1 Establishing the Configuration Task
4.4.2 Sending Messages to Other User Interfaces
4.4.3 Clearing Online User
4.4.4 Checking the Configuration
4.5 Configuring User Authentication
4.5.1 Establishing the Configuration Task
4.5.2 Configuring Authentication Mode
4.5.3 Configuring Authentication Password
4.5.4 Setting Username and Password for AAA Local Authentication
4.5.5 Configuring Non-Authentication
4.5.6 Configuring User Priority
4.5.7 Checking the Configuration
4.6 Configuring Exclusive Configuration Access
4.6.1 (Optional) Viewing the Current Locked Configuration Set
4.6.2 Enabling Exclusive Configuration Access
4.6.3 (Optional) Setting the Unlocking Time
4.7 Configuring Local User Management
4.7.1 Establishing the Configuration Task
4.7.2 Creating a Local User Account
4.7.3 Configuring the Type of the Service That the Local User Accesses
4.7.4 Configuring the Local User Authority of Accessing the FTP Directory
4.7.5 Configuring Local User Status
4.7.6 Configuring the Local User Level
4.7.7 Setting the Maximum Number of Access Users with the Same User Name
4.7.8 Configuring a ATN equipment to Cut off Idle Access Users
4.7.9 Local Users Changing the Passwords
4.7.10 Checking the Configuration
4.8 Configuring an NM User to Log in to a Device in VTY Mode
4.8.1 Establishing the Configuration Task
4.8.2 Configuring an NM User
4.8.3 Configuring the Authentication Mode of an NM User
4.8.4 Switching to Machine-to-Machine Mode
4.8.5 Checking the Configuration
4.9 Configuration Examples
4.9.1 Example for Configuring Logging In to the ATN Through Password
4.9.2 Example for Logging In to the Device Through AAA
4.9.3 Example for Configuring an NMS User to Manage Devices in Machine-to-machine Mode

5 File System
5.1 File System Introduction
5.1.1 File System
5.1.2 File System Supported by the ATN 910
5.1.3 File
5.1.4 Directory
5.2 Managing Storage Devices
5.2.1 Establishing the Configuration Task
5.2.2 Restoring Storage Devices with File System Troubles
5.2.3 Formatting Storage Devices
5.3 Managing the Directory
5.3.1 Establishing the Configuration Task
5.3.2 Viewing the Current Directory
5.3.3 Switching a Directory
5.3.4 Displaying a Directory or File
5.3.5 Creating a Directory
5.3.6 Deleting a Directory
5.4 Managing Files
5.4.1 Establishing the Configuration Task
5.4.2 Displaying Contents of Files
5.4.3 Copying Files
5.4.4 Moving Files
5.4.5 Renaming Files
5.4.6 Compressing Files
5.4.7 Deleting Files
5.4.8 Deleting Files in the Recycle Bin
5.4.9 Undeleting Files
5.4.10 Running Files in Batch
5.4.11 Configuring Prompt Modes
5.5 Example for Managing Files

6 Management of Configuration Files
6.1 Management of Configuration Files Introduction
6.1.1 Configuration Files
6.1.2 Configuration Files and Current Configurations
6.2 Managing Configuration Files
6.2.1 Establishing the Configuration Task
6.2.2 Configuring System Software for a ATN equipment to Load for the Next Startup
6.2.3 Configuring the Configuration File for ATN to Load for the Next Startup
6.2.4 Saving Configuration Files
6.2.5 Clearing a Configuration File
6.2.6 Comparing Configuration Files
6.2.7 Checking the Configuration

7 FTP and TFTP
7.1 FTP and TFTP Introduction
7.1.1 FTP
7.1.2 TFTP
7.2 Configuring the ATN to be the FTP Server
7.2.1 Establishing the Configuration Task
7.2.2 (Optional) Specifying a Port Number for the FTP Server
7.2.3 Enabling the FTP Server
7.2.4 Configuring the Source IP Address of the FTP Server
7.2.5 (Optional) Configuring the Timeout Period
7.2.6 Configuring the Local Username and the Password
7.2.7 Configuring the Service Type and Authorization Information
7.2.8 Checking the Configuration
7.3 Configuring FTP ACL
7.3.1 Establishing the Configuration Task
7.3.2 Enabling the FTP Server
7.3.3 Configuring a Basic ACL
7.3.4 Configuring the Basic FTP ACL
7.3.5 Checking the Configuration
7.4 Configuring the ATN to Be the FTP Client
7.4.1 Establishing the Configuration Task
7.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
7.4.3 Logging In to the FTP Server
7.4.4 Configuring Data Type and Transmission Mode for the File
7.4.5 (Optional) Viewing Online Help of the FTP Command
7.4.6 Uploading or Downloading Files
7.4.7 Managing Directories
7.4.8 Managing Files
7.4.9 (Optional) Changing Login Users
7.4.10 Disconnecting from the FTP Server
7.4.11 Checking the Configuration
7.5 Configuring the ATN to Be the TFTP Client
7.5.1 Establishing the Configuration Task
7.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
7.5.3 Downloading Files Through TFTP
7.5.4 Uploading Files Through TFTP
7.6 Limiting the Access to the TFTP Server
7.6.1 Establishing the Configuration Task
7.6.2 Configuring the Basic ACL
7.6.3 Configuring the Basic TFTP ACL
7.7 Configuration Examples

ATN 910 Multi - service Access Equipment Configuration Guide - Basic Configurations

Contents

7.7.1 Example for Configuring FTP...............................................................................................................114 7.7.2 Example for Configuring the FTP Client..............................................................................................116 7.7.3 Example for Configuring TFTP............................................................................................................117

8 Telnet and SSH
8.1 Telnet and SSH Introduction
8.1.1 Overview of User Login
8.1.2 Telnet Terminal Services
8.1.3 SSH Terminal Services
8.2 Configuring Telnet Terminal Services
8.2.1 Establishing the Configuration Task
8.2.2 Enabling the Telnet Service
8.2.3 (Optional) Configuring a Source IP Address for a Telnet Client
8.2.4 Establishing a Telnet Connection
8.2.5 (Optional) Configuring a Telnet Server Port Number
8.2.6 (Optional) Scheduled Telnet Disconnection
8.2.7 Checking the Configuration
8.3 Configuring SSH Users
8.3.1 Establishing the Configuration Task
8.3.2 Creating SSH User
8.3.3 Configuring SSH for the VTY User Interface
8.3.4 Generating a Local RSA Key Pair
8.3.5 Configuring the Authentication Mode for SSH Users
8.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users
8.3.7 (Optional) Authorizing SSH Users Through the Command Line
8.3.8 Configuring the Service Type of SSH Users
8.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users
8.3.10 Checking the Configuration
8.4 Configuring the SSH Server Function
8.4.1 Establishing the Configuration Task
8.4.2 Enabling the STelnet Service
8.4.3 Enabling the SFTP Service
8.4.4 (Optional) Enabling the Earlier Version-Compatible Function
8.4.5 (Optional) Configuring the Number of the Port Monitored by the SSH Server
8.4.6 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server
8.4.7 Checking the Configuration
8.5 Configuring the STelnet Client Function
8.5.1 Establishing the Configuration Task
8.5.2 Enabling the First-Time Authentication on the SSH Client
8.5.3 (Optional) Assigning an RSA Public Key to the SSH Server
8.5.4 Enabling the STelnet Client
8.5.5 Checking the Configuration
8.6 Configuring the SFTP Client Function
8.6.1 Establishing the Configuration Task
8.6.2 (Optional) Configuring a Source IP Address for an SFTP Client
8.6.3 Configuring the First-Time Authentication on the SSH Client
8.6.4 (Optional) Assigning an RSA Public Key to the SSH Server
8.6.5 Enabling the SFTP Client
8.6.6 (Optional) Managing the Directory
8.6.7 (Optional) Managing the File
8.6.8 (Optional) Displaying the SFTP Client Command Help
8.6.9 Checking the Configuration
8.7 Configuration Examples
8.7.1 Example for Configuring Telnet Services

9 Device Maintenance
9.1 Introduction of Device Maintenance
9.1.1 Overview of Device Maintenance
9.1.2 Maintenance Features Supported by the ATN 910
9.2 Monitoring the Device Status
9.2.1 Displaying the System Version Information
9.2.2 Displaying Basic Information About the Router
9.2.3 Displaying the Electronic Label
9.2.4 Displaying the Threshold of the Memory Usage
9.2.5 Displaying the Threshold of CPU Usage
9.2.6 Displaying Alarm Information
9.2.7 Displaying the Board Temperature
9.2.8 Displaying the Board Voltage
9.2.9 Displaying the Power Supply Status
9.2.10 Displaying the Sequence Number of the MPU
9.3 Board Maintenance
9.3.1 Resetting a Board

10 Patch Management
10.1 Introduction of Patch Management
10.1.1 Overview of Patch Management
10.1.2 Patches Supported by the ATN 910
10.2 Checking the Running of Patch in the System
10.2.1 Establishing the Configuration Task
10.2.2 Checking the Running of Patch in the System
10.2.3 (Optional) Deleting a Patch
10.3 Loading a Patch
10.3.1 Establishing the Configuration Task
10.3.2 Loading a Patch
10.3.3 Checking the Configuration
10.4 Installing a Patch
10.4.1 Establishing the Configuration Task
10.4.2 Loading a Patch
10.4.3 Activating a Patch
10.4.4 Running a Patch
10.4.5 Checking the Configuration
10.5 (Optional) Unactivating the activating of Patch
10.5.1 Establishing the Configuration Task
10.5.2 Deactivating a Patch
10.5.3 Checking the Configuration
10.6 Configuration Examples of the Patch Management
10.6.1 Example for Installing a Patch

A Acronyms and Abbreviations


1 Establishment of the Configuration Environment


About This Chapter


Before configuring the ATN equipment, you need to establish the configuration environment.

1.1 Introduction to Establishment of the Configuration Environment
You can log in to the ATN equipment through the console port or Telnet.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to the ATN equipment through the console port to establish the configuration environment.

1.3 Logging In to Device Through Telnet
This section describes how to connect a terminal to the ATN equipment through Telnet to establish the configuration environment.

1.4 Configuration Examples
This section provides examples for configuring users to log in to the ATN equipment through the console port or Telnet together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


1.1 Introduction to Establishment of the Configuration Environment


You can log in to the ATN equipment through the console port or Telnet.

1.1.1 Login Through the Console


When the ATN equipment is powered on for the first time or needs to be configured locally, you can log in to it through the console port. In the following cases, the ATN equipment can be configured only through the console port:
- The ATN equipment is powered on for the first time.
- The user cannot log in through Telnet.

1.1.2 Login Through Telnet


If you know the IP address of the ATN equipment, you can log in to it through Telnet to perform local or remote configuration. You need to pre-configure the IP addresses of interfaces, the user account, the authentication mode, and the incoming and outgoing call restriction through the console port on the ATN equipment. Also ensure that the terminal and the ATN equipment are directly connected or reachable through intermediate devices. The destination ATN equipment authenticates the user based on the configured parameters in one of three modes:
- Password authentication: the login user must enter the correct password.
- AAA local authentication: the login user must enter the correct username and password.
- None authentication: the login user need not enter a username or password.

If the login succeeds, a command line prompt such as <HUAWEI> appears on the Telnet client interface. Enter a command to check the running status of the ATN equipment or to configure the ATN equipment. Enter "?" for help.
NOTE

Do not modify the IP address of the ATN equipment while you are configuring it through Telnet, because the modification may terminate the Telnet connection. If you do modify it, set up the connection again using the new IP address.

1.2 Logging In to the Device Through the Console Port


This section describes how to connect a terminal to the ATN equipment through the console port to establish the configuration environment.


1.2.1 Establishing the Configuration Task


Before configuring login to the ATN equipment through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain any data required for the configuration. This will help you complete the configuration task quickly and correctly.

Applicable Environment
If you log in to the ATN equipment for the first time or perform the local configuration, you need to log in to the ATN equipment through the console port.
NOTE

If you cannot use Telnet to log in to the ATN equipment, you need to log in to the ATN equipment through the console port.

Pre-configuration Tasks
Before configuring login to the ATN equipment through the console port, complete the following tasks:
- Preparing the PC/terminal (including serial port and RS-232 cables)
- Installing terminal emulation program on the PC (such as Windows XP HyperTerminal)

Data Preparation
To log in to the ATN equipment through the console port, you need the following data.
NOTE

If the AAA authentication mode is configured for users to log in to the ATN equipment through the console port, the correct username and password must be entered for a successful login.

No.  Data
1    Terminal communication parameters: baud rate, data bit, parity, stop bit, flow-control mode
     (Optional) Username and password to be entered for a successful login in AAA authentication mode

1.2.2 Establishing the Physical Connection


This part describes how to physically connect a terminal to the ATN equipment before logging in to the ATN equipment through the console port.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Connect the COM port on the PC and the console port on the ATN equipment by a cable.
Step 2 Power on all devices to perform a self-check.
----End

1.2.3 Configuring Terminals


This part describes how to configure the terminal before login to the ATN equipment through the console port.

Context
Do as follows on the PC:

Procedure
Step 1 Run the terminal emulation program on the PC, setting the communication parameters as follows:
- Baud rate: 38400 bps
- Data bit: 8
- Stop bit: 1
- Parity: none
- Flow control: none
----End

1.2.4 Logging In to the Device


This part describes how to log in to the ATN equipment through the console port.

Context
Do as follows on the PC:

Procedure
Step 1 Press Enter until a command line prompt such as <HUAWEI> appears. Now the user view is displayed for you to configure the ATN equipment.
NOTE

If the AAA or Password authentication mode is configured for users to log in to the ATN equipment through the console interface, the correct user name and password must be entered for a successful login.

----End

1.3 Logging In to Device Through Telnet


This section describes how to connect a terminal to the ATN equipment through Telnet to establish the configuration environment.

1.3.1 Establishing the Configuration Task


Before configuring login to the ATN equipment through Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
If you know the IP address of the ATN equipment, you can log in to the ATN equipment through Telnet for local or remote configuration.

Pre-configuration Tasks
Before configuring the ATN equipment through Telnet, complete the following tasks:
- Powering on devices and performing a self-check
- Preparing the PC (including the serial port and Ethernet crossover/direct cable)

Data Preparation
To log in to the ATN equipment through Telnet, you need the following data.

No.  Data
1    IP address of the PC
2    IP address of the Ethernet interface on the ATN equipment
3    User information accessed through Telnet: user name, password, authentication mode

1.3.2 Establishing the Physical Connection


This part describes how to physically connect a terminal to the ATN equipment before logging in to the ATN equipment through Telnet.

Prerequisites
Establishing the Physical Connection are complete.

Procedure
Step 1 Connect the ATN equipment and the PC directly or connect the ATN equipment and the PC to the network through cables.
----End

1.3.3 Configuring Login User Parameters


This part describes how to configure user parameters for login to the ATN equipment through Telnet.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Configure the authentication mode of login users.
Step 2 Configure the authority limitation of login users.
----End

Follow-up Procedure
For details, refer to Chapter 5 "User Management".

1.3.4 Logging In from the Telnet Client


This part describes how to log in to the ATN equipment through Telnet.

Context
Do as follows on the PC:

Procedure
Step 1 Run the Telnet program on the PC that functions as a client, and enter the IP address of the interface on the destination ATN equipment that provides the Telnet service.
Step 2 Enter the user name and password in the login window. After authentication, a command line prompt such as <HUAWEI> appears. You have now entered the configuration environment in the user view.
----End

1.4 Configuration Examples


This section provides examples for configuring users to log in to the ATN equipment through the console port or Telnet together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


1.4.1 Example for Logging In Through the Console Port


In this example, you can configure the PC so as to log in to the ATN equipment through the console port.

Networking Requirements
Initialize the configuration of the ATN equipment when the ATN equipment is powered on for the first time.

Figure 1-1 Networking diagram of logging in through the console port (diagram labels: PC, ATN)

Configuration Roadmap
The configuration roadmap is as follows:
1. Connect the PC and the ATN equipment through the console port.
2. Configure the login on the PC end.
3. Log in to the ATN equipment.

Data Preparation
To complete the configuration, you need the terminal communication parameters (including baud rate, data bit, parity, stop bit, and flow control).

Procedure
Step 1 Connect the serial port of the PC (or terminal) to the console port of the ATN equipment through a standard RS-232 cable. The local configuration environment is established.
Step 2 Run the terminal emulation program on the PC. Set the baud rate to 38400 bps, the data bit to 8, and the stop bit to 1. Specify no parity and no flow control, as shown in Figure 1-2 to Figure 1-4.


Figure 1-2 New connection

Figure 1-3 Setting the port


Figure 1-4 Setting the port communication parameters

Step 3 Power on the ATN equipment. It performs a self-check and the system performs automatic configuration. When the self-check ends, press Enter as prompted until a command line prompt such as <HUAWEI> appears. Enter a command to check the running status of the ATN equipment or to configure the ATN equipment. Enter "?" for help. For details, refer to the following chapters.
----End

1.4.2 Example for Logging In Through Telnet


In this example, you can configure user parameters so as to log in to the ATN equipment from the PC or other terminals through Telnet.

Networking Requirements
You can log in to the ATN equipment on other network segments through the PC or other terminals to perform remote maintenance.


Figure 1-5 Establishing the configuration environment through WAN (diagram labels: WAN, PC, ATN, Target ATN)

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish the physical connection.
2. Configure user login parameters.
3. Log in to the ATN equipment from the client side.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the PC
- IP address of the Ethernet interface on the ATN equipment
- User information accessed through Telnet (including the user name, password, and authentication mode)

Procedure
Step 1 Connect the PC and the ATN equipment to the network.
Step 2 Configure login user parameters on the target ATN equipment.

# Configure the login address.
<HUAWEI> system-view
[HUAWEI] interface ethernet 0/0/0
[HUAWEI-Ethernet0/0/0] undo shutdown
[HUAWEI-Ethernet0/0/0] ip address 202.38.160.92 255.255.0.0
[HUAWEI-Ethernet0/0/0] quit

# Configure the login authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa

Step 3 Configure the client login. Run the Telnet program on the PC, as shown in Figure 1-6.

Figure 1-6 Running the Telnet program on the PC

Click OK. Enter the user name and password in the login window. After authentication, a command line prompt such as <HUAWEI> appears. You have now entered the configuration environment in the user view.
----End
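The following Python check is an added example, not part of the Huawei guide: it reads command text in the style of Step 2 above and reports VTY ranges that use the none or password authentication modes described in 1.1.2, and local users whose service type is Telnet, which sends the user name and password unencrypted. The session text is constructed; the `vty 5 14` range, the `backup` user, the `ssh` service type and the `authentication-mode none` spelling are assumptions not shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Session text in the style of the guide's Telnet example. The "vty 5 14"
# range, the "backup" user, the "ssh" service type and the
# "authentication-mode none" spelling are constructed for this example.
SAMPLE_SESSION = """\
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] local-user backup password cipher example
[HUAWEI-aaa] local-user backup service-type ssh
[HUAWEI-aaa] quit
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] quit
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode none
"""

# Leading CLI prompt such as <HUAWEI> or [HUAWEI-aaa]; bare commands also parse.
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
# Commands that leave or change the current view.
VIEW_CHANGE = {"aaa", "interface", "user-interface", "quit", "return", "system-view"}


@dataclass
class LocalUser:
    name: str
    services: set = field(default_factory=set)
    level: Optional[int] = None      # None when no level command was seen


@dataclass
class VtyRange:
    first: int
    last: int
    auth: Optional[str] = None       # aaa, password, none, or None if never set


def parse_session(text):
    """Collect local users and VTY ranges from prompt-prefixed or bare commands."""
    users, vtys, current = {}, [], None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words or words[0].startswith("#"):
            continue                  # blank line or "# ..." description line
        if words[0] in VIEW_CHANGE:
            current = None            # no longer inside a VTY view
        if words[:2] == ["user-interface", "vty"] and len(words) >= 3 \
                and all(w.isdigit() for w in words[2:4]):
            first = int(words[2])
            last = int(words[3]) if len(words) > 3 else first
            current = VtyRange(first, last)
            vtys.append(current)
        elif words[0] == "authentication-mode" and current is not None and len(words) > 1:
            current.auth = words[1]
        elif words[0] == "local-user" and len(words) >= 4:
            user = users.setdefault(words[1], LocalUser(words[1]))
            if words[2] == "service-type":
                user.services.update(words[3:])
            elif words[2] == "level" and words[3].isdigit():
                user.level = int(words[3])
    return users, vtys


def audit(text):
    """Return (severity, subject, message) findings for remote-login settings."""
    users, vtys = parse_session(text)
    findings = []
    for v in vtys:
        subject = f"vty {v.first}-{v.last}"
        if v.auth == "none":
            findings.append(("high", subject, "login requires no username or password"))
        elif v.auth == "password":
            findings.append(("medium", subject, "shared password, no per-user identity"))
        elif v.auth is None:
            findings.append(("info", subject,
                             "no authentication-mode in this text; check the device default"))
    for u in users.values():
        if "telnet" in u.services:
            level = "unset" if u.level is None else u.level
            findings.append(("medium", f"local-user {u.name}",
                             f"Telnet login allowed (level {level}); "
                             "credentials cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_SESSION):
        print(f"{severity:6} {subject}: {message}")
```

The same functions accept a saved configuration file without prompts, since the prompt prefix is optional.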


2 CLI Overview

About This Chapter


Users operate devices, that is, configure the device and perform routine maintenance, by entering command lines.

2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

2.3 Features of Command Line Interface
You can edit command lines, display command lines, use the regular expression for command lines, and invoke historical commands.

2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration Examples
This section provides several examples for using command lines.


2.1 CLI Introduction


The command line interface (CLI) is the common tool for running commands.

2.1.1 Command Line Interface


You can configure and manage an ATN equipment by using the CLI commands. When a prompt appears, you enter the command line interface (CLI) and interact with the ATN equipment through the CLI. The system provides a series of configuration commands. You can configure and manage the ATN equipment by entering commands on the CLI.

The characteristics of the CLI are as follows:
- Local or remote configuration through AUX port.
- Local configuration through console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- A user interface view for specific configuration management.
- Hierarchical command protection for users of different levels, that is, running the commands of the corresponding level.
- None authentication, password authentication and Authentication, Authorization and Accounting (AAA) to prevent the unauthorized user from accessing the ATN equipment.
- Entering "?" for online help at any time.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
- Abundant debugging information to help in diagnosing the network.
- The telnet command for directly logging in to and managing other ATN equipment.
- FTP service for file uploading and downloading.
- Running a history command, like DosKey.
- A command line interpreter provides intelligent command resolution methods such as key word fuzzy match and context conjunction. These methods make it easy for users to enter their commands.

NOTE

- The system supports the command with up to 512 characters. The command can be incomplete.
- The system saves the incomplete command to the configuration files in the complete form; therefore, the command may have more than 512 characters. When the system is restarted, however, the incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete command.

2.1.2 Command Levels


The system adopts a hierarchical protection mode that has 16 command levels. The default command levels are as follows:

- Level 0 - Visit level: Commands of this level include commands of network diagnosis tool (such as ping and tracert) and commands that start from the local device and visit external device (such as Telnet client side).
- Level 1 - Monitoring level: Commands of this level, including the display commands, are used for system maintenance and fault diagnosis.
- Level 2 - Configuration level: Commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands.
- Level 3 - Management level: Commands of this level are commands that influence the basic operation of the system and provide support to the service. They include file system commands, FTP commands, TFTP commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and debugging commands that are used for fault diagnosis.

CAUTION
Not all display commands are of the monitoring level. For example, the display current-configuration and display saved-configuration commands are of the management level. For the level of a command, see the ATN 910 Command Reference.

To implement efficient management, you can increase the command levels to 0-15. For the increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring Command Levels in the ATN 910 Configuration Guide - Basic Configurations.
NOTE

- The default command level may be higher than the command level defined according to the command rules in application.
- Login users have the same 16 levels as the command levels. The login users can use only the command of the levels that are equal to or lower than their own levels. For details of login user levels, refer to Chapter 5 "User Login."
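The level rule above can be checked against a saved configuration. The following Python sketch is an added example, not code from the guide or from Huawei: it parses the local-user and user-interface command forms used in this guide's Telnet example and reports management-level accounts that are reachable over Telnet (which carries credentials in cleartext) and VTY interfaces set to none authentication. The sample configuration, the "monitor" user, the vty 5 14 range, the indentation of section bodies and all function names are assumptions made for illustration.

```python
import re

MANAGEMENT_LEVEL = 3  # "Level 3 - Management level" in section 2.1.2

# Constructed sample. Only the "huawei" user lines, "vty 0 4" and
# "authentication-mode aaa" follow the guide's own Telnet example.
SAMPLE_CONFIG = """\
aaa
 local-user huawei password cipher hello
 local-user huawei service-type telnet
 local-user huawei level 3
 local-user monitor password cipher example-only
 local-user monitor service-type ssh
 local-user monitor level 1
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 5 14
 authentication-mode none
"""


def can_run(user_level, command_level):
    """A login user may run commands whose level is equal to or lower than its own."""
    return user_level >= command_level


def parse_config(text):
    """Collect local users (level, service types) and VTY authentication modes."""
    users, vtys, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            current = None  # an unindented line starts a new section (assumed layout)
        m = re.fullmatch(r"local-user (\S+) (level|service-type) (.+)", line)
        if m:
            user = users.setdefault(m.group(1), {"level": None, "services": set()})
            if m.group(2) == "level":
                user["level"] = int(m.group(3))
            else:
                user["services"].update(m.group(3).split())
            continue
        m = re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line)
        if m:
            first, last = m.group(1), m.group(2) or m.group(1)
            current = {"range": f"{first}-{last}", "auth": None}
            vtys.append(current)
            continue
        m = re.fullmatch(r"authentication-mode (\S+)", line)
        if m and current is not None:
            current["auth"] = m.group(1)
    return users, vtys


def audit(text):
    """Return (finding, subject) tuples for the two conditions described above."""
    users, vtys = parse_config(text)
    findings = []
    for name, user in sorted(users.items()):
        level = user["level"]
        if ("telnet" in user["services"] and level is not None
                and can_run(level, MANAGEMENT_LEVEL)):
            findings.append(("management-level-user-over-telnet", name))
    for vty in vtys:
        if vty["auth"] == "none":
            findings.append(("vty-without-authentication", vty["range"]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
    # display current-configuration is a management-level command (see CAUTION),
    # so a monitoring-level (1) user cannot run it.
    print("level 1 can run a level 3 command:", can_run(1, 3))
```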

Searching Commands Based on Command Levels


You can search for all commands of a specific level simultaneously. The procedure is as follows:

1. Open the command reference (.chm) file.
2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.

Figure 2-1 Entering the search window

3. Enter a desired command level in the "Type in the word(s) to search for" textbox and click "List Topics". All commands of the specified level will be displayed as shown in Figure 2-2.

Figure 2-2 Searching commands based on a specific level

2.1.3 Command Line Views


The command line interface has different command views. All the commands are registered in one or more command views. You can run a command only when you enter the corresponding command view.

# Establish connection with the ATN equipment. If the ATN equipment adopts the default configuration, you can enter the user view with the prompt of <HUAWEI>.
<HUAWEI>

# Type system-view, and you can enter the system view.
<HUAWEI> system-view
[HUAWEI]

# Type aaa in the system view, and you can enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]
NOTE

The prompt <HUAWEI> indicates the default ATN equipment name. The prompt <> indicates the user view and the prompt [] indicates other views.

Some commands that are implemented in the system view can also be implemented in the other views; however, the functions that can be implemented are command view-specific. For example, the mpls command (for enabling MPLS) can be run in the system view to enable the MPLS capability globally. Although it can also be run in the interface view, the MPLS capability is enabled only on the interface.

2.2 Online Help


When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

Context
The command line of ATN 910 provides three types of online help:
- Full help
- Partial help
- Error Messages of the Command Line Interface

2.2.1 Full Help


When you enter a command line, you can view the description of keywords or parameters in the command line through the Full Help.

Context
You can obtain the full help of the command line in the following ways.

Procedure
- Enter "?" in any command line view to display all the commands and their simple descriptions.
  <HUAWEI> ?

- Enter a command and "?" separated by a space. If the key word is at this position, all key words and their simple descriptions are displayed. For example:
  <HUAWEI> language-mode ?
    Chinese  Chinese environment
    English  English environment

  Chinese and English are keywords; Chinese environment and English environment describe the keywords respectively.

- Enter a command and "?" separated by a space, and if a parameter is at this position, the related parameter names and parameter descriptions are displayed. For example:
  [HUAWEI] ftp timeout ?
    INTEGER<1-35791>  The value of FTP timeout, the default value is 30 minutes
  [HUAWEI] ftp timeout 35 ?
    <cr>

  In the preceding display, INTEGER<1-35791> describes the parameter value; The value of FTP timeout, the default value is 30 minutes is a simple description of the parameter usage; <cr> indicates that no parameter is at this position. The command is repeated in the next command line. You can press Enter to run the command.

----End
2.2.2 Partial Help


When you enter a command line, you can obtain prompts on the keywords or parameters at the beginning of the string through the Partial Help.

Context
You can obtain the partial help of the command line in the following ways.

Procedure
- Enter a character string with a "?" closely following it to display all commands that begin with this character string.
  <HUAWEI> d?
    debugging  dir  delete  display

- Enter a command and a character string with "?" closely following it to display all the key words that begin with this character string.
  <HUAWEI> display b?
    bfd  bootrom  bulk-stat  bgp  buffer

- Enter the first several letters of a key word in the command and then press Tab to display the complete key word on the condition that the letters uniquely identify the key word. Otherwise, if you continue to press Tab, different key words are displayed. You can select the needed key word.

----End

2.2.3 Error Messages of the Command Line Interface


If an entered command passes the syntax check, the system executes it. Otherwise, the system prompts an error message.

All the commands entered by the user are run correctly, if the grammar check has been passed. Otherwise, error messages are reported to the user. See Table 2-1 for the common error messages.

Table 2-1 Common error messages of the command line

Error message           Cause of the error
Unrecognized command    The command cannot be found
                        The key word cannot be found
Wrong parameter         Parameter type error
                        The parameter value exceeds the limit
Incomplete command      Incomplete command entered
Too many parameters     Too many parameters entered
Ambiguous command       Indefinite parameters entered

2.3 Features of Command Line Interface


You can edit command lines, display command lines, use the regular expression for command lines, and invoke historical commands.

2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using certain keys.

The command line supports multi-line edition. The maximum length of each command is 512 characters. Keys for editing that are often used are shown in Table 2-2.

Table 2-2 Keys for editing

Key: Common key
  Function: Inserts a character in the current position of the cursor if the editing buffer is not full and the cursor moves to the right. Otherwise, an alarm is generated.

Key: Backspace
  Function: Deletes the character on the left of the cursor that moves to the left. When the cursor reaches the head of the command, an alarm is generated.

Key: Left cursor key or Ctrl_B
  Function: Moves the cursor to the left by the space of a character. When the cursor reaches the head of the command, an alarm is generated.

Key: Right cursor key or Ctrl_F
  Function: Moves the cursor to the right by the space of a character. When the cursor reaches the end of the command, an alarm is generated.

Key: Tab
  Function: Press Tab after typing the incomplete key word and the system runs the partial help:
  - If the matching key word is unique, the system replaces the typed one with the complete key word and displays it in a new line with the cursor a space behind.
  - If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching key word one by one. In this case, the cursor closely follows the end of the word and you can type a space to enter the next word.
  - If a wrong key word is entered, press Tab and the word is displayed in a new line.

2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as required.

You can control the display of information on CLI as follows:
- Display prompt and help information in both Chinese and English.
- When the information displayed exceeds a full screen, it provides the pause function. In this case, the user has three choices as shown in Table 2-3.

Table 2-3 Keys for displaying

Key       Function
Ctrl_C    Stops the display and running of the command.
Space     Continues to display the information on the next screen.
Enter     Continues to display the information on the next line.

2.3.3 Regular Expressions


The regular expression is a mode matching tool. You can construct the matching mode based on certain rules, and then match the mode with the target object.

The regular expression is an expression that describes a set of strings. It consists of common characters (such as letters from "a" to "z") and particular characters (also named metacharacters). The regular expression is a template according to which you can search for the required string.

A regular expression can provide the following functions:
- Searching for and obtaining a sub-string that matches a rule in the string.
- Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular Expression


The regular expression consists of common characters and particular characters.

- Common characters
  Common characters are used to match themselves in a string, including all upper-case and lower-case letters, digits, punctuations, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the symbol "@" in "xxx@xxx.com".

- Particular characters
  Particular characters are used together with common characters to match the complex or particular string combination. Table 2-4 describes particular characters and their syntax.

Table 2-4 Description of particular characters

Particular character: \
  Syntax: Defines an escape character, which is used to mark the next character (common or particular) as the common character.
  Example: \* matches "*".

Particular character: ^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".

Particular character: $
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".

Particular character: *
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".

Particular character: +
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

Particular character: ?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".

Particular character: .
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

Particular character: ()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
  Example: 100(200)+ matches "100200" and "100200200".

Particular character: x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".

Particular character: [xyz]
  Syntax: Matches any single character in the regular expression.
  Example: [123] matches the character 2 in "255".

Particular character: [^xyz]
  Syntax: Matches any character that is not contained within the brackets.
  Example: [^123] matches any character except for "1", "2", and "3".

Particular character: [a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.

Particular character: [^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.

Particular character: _
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", and right parenthesis ")". Matches the starting position of the input string. Matches the ending position of the input string. Matches a space.
  Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

- Degeneration of particular characters
  Certain particular characters, when being placed at the following positions in the regular expression, degenerate to common characters:
  - The particular characters following "\" are transferred to match the particular characters themselves.
  - The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  - The particular character "^" placed at any position except for the start of the regular expression. For example, abc^ matches "abc^".
  - The particular character "$" placed at any position except for the end of the regular expression. For example, 12$2 matches "12$2".
  - The right bracket such as ")" or "]" being not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE

Unless otherwise specified, degeneration rules are applicable when preceding regular expressions serve as subexpressions within parentheses.

- Combination of common and particular characters
  In actual application, a regular expression combines multiple common and particular characters to match certain strings.

Specifying a Filtering Mode in Command

CAUTION
The ATN 910 uses a regular expression to implement the filtering function of the pipe character. A display command supports the pipe character only when there is excessive output information. When the output information is queried according to the filtering conditions, the first line of the command output starts with the information containing the regular expression.

The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:
- | begin regular-expression: displays the information that begins with the line that matches regular expression.
- | exclude regular-expression: displays the information that excludes the lines that match regular expression.
- | include regular-expression: displays the information that includes the lines that match regular expression.
NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode when Information is Displayed


When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More ----".
- /regular-expression: displays the information that begins with the line that matches regular expression.
- -regular-expression: displays the information that excludes lines that match regular expression.
- +regular-expression: displays the information that includes lines that match regular expression.
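The following Python sketch is an added example, not code from the guide or from the device software. It translates a regular expression written with the rules of Table 2-4 and the degeneration rules into a Python pattern, then applies the begin, exclude, include and count filters to constructed output lines, which is useful for reproducing a device-side filter when reviewing collected command output offline. Per-line matching, the function names and the sample lines are assumptions.

```python
import re

# "_" matches , { } ( ) a space, or the start or end of the input string (Table 2-4).
UNDERSCORE = r"(?:^|$|[,{}() ])"

# Constructed sample lines, modelled on the routing table shown in section 2.5.3.
SAMPLE_OUTPUT = [
    "Routing Tables: Public",
    "Destination/Mask    Proto   Pre  Cost  Flags NextHop        Interface",
    "51.51.51.9/32       Direct  0    0     D     127.0.0.1      InLoopBack0",
    "100.2.0.0/16        Direct  0    0     D     100.2.150.51   Ethernet0/0/0",
    "100.2.150.51/32     Direct  0    0     D     127.0.0.1      InLoopBack0",
    "127.0.0.0/8         Direct  0    0     D     127.0.0.1      InLoopBack0",
]


def vrp_to_python(pattern):
    """Translate a Table 2-4 expression, applying the degeneration rules."""
    out, depth, in_class, prev_open = [], 0, False, False
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        at_start = i == 0 or prev_open  # start of expression or subexpression
        at_end = i == n - 1 or (depth > 0 and pattern[i + 1] == ")")
        prev_open = False
        if ch == "\\":  # the next character becomes a common character
            out.append(re.escape(pattern[i + 1] if i + 1 < n else "\\"))
            i += 2
            continue
        if in_class:  # inside [...] characters are copied unchanged
            out.append(ch)
            in_class = ch != "]"
        elif ch == "[":
            out.append(ch)
            in_class = True
        elif ch == "(":
            out.append(ch)
            depth += 1
            prev_open = True
        elif ch == ")":
            if depth:
                depth -= 1
                out.append(ch)
            else:
                out.append(r"\)")  # unpaired right bracket is a common character
        elif ch in "*+?" and at_start:
            out.append(re.escape(ch))  # leading quantifier degenerates
        elif ch == "^":
            out.append("^" if at_start else r"\^")
        elif ch == "$":
            out.append("$" if at_end else r"\$")
        elif ch == "_":
            out.append(UNDERSCORE)
        else:
            out.append(ch if ch in ".|*+?" else re.escape(ch))
        i += 1
    return "".join(out)


def vrp_match(pattern, text):
    """True if the expression matches anywhere in text."""
    return re.search(vrp_to_python(pattern), text) is not None


def vrp_filter(lines, mode, pattern):
    """Emulate | begin, | exclude and | include on a list of output lines."""
    if not 1 <= len(pattern) <= 255:
        raise ValueError("regular-expression must be 1 to 255 characters")
    rx = re.compile(vrp_to_python(pattern))
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError("mode must be begin, include or exclude")


def vrp_count(lines, mode, pattern):
    """Emulate adding | count to a filter."""
    return len(vrp_filter(lines, mode, pattern))


if __name__ == "__main__":
    for line in vrp_filter(SAMPLE_OUTPUT, "include", "_127.0.0.1_"):
        print(line)
```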

2.3.4 History Commands


The command line interface provides a function similar to DosKey, which can automatically save historical commands. You can invoke the historical commands saved on the command line interface at any time and run them again.

By default, the system saves 10 history commands at most for each user. The operations are as shown in Table 2-5.

Table 2-5 Access the history commands

Action: Display the history commands.
  Key or Command: display history-command
  Result: Display the history commands entered by users.

Action: Access the last history command.
  Key or Command: Up cursor key or Ctrl_P
  Result: Display the last history command if there is an earlier history command. Otherwise, a bell is generated.

Action: Access the next history command.
  Key or Command: Down cursor key or Ctrl_N
  Result: Display the next history command if there is a later history command. Otherwise, the command is cleared and a bell is generated.

NOTE

On the HyperTerminal of Windows 9X, cursor key is invalid as the HyperTerminals of Windows 9X define the keys differently. In this case, you can replace the cursor key with Ctrl_P.

When you use the history commands, note the following:
- The saved history commands are the same as those entered by users. For example, if the user enters an incomplete command, the saved command also is incomplete.
- If the user runs the same command several times, the earliest command is saved. If the command is entered in different forms, they are considered as different commands. For example, if the display ip routing-table command is run several times, only one history command is saved. If the disp ip routing command and the display ip routing-table command are run, two history commands are saved.

2.3.5 Batch Command Execution


By running pre-defined command lines in batches, you can simplify the operation of entering common commands and improve efficiency.

Context
Log in to the ATN equipment from the client and do as follows:

Procedure
Step 1 Run the batch-cmd edit command to edit commands to be run in batches.

The batch-cmd edit command can be used by only one user at a time. The maximum length of a command (including the incomplete command) to be entered is 512 characters. When editing commands, press Enter to complete the editing of each command.
NOTE

After running the batch-cmd edit command to successfully edit the commands to be executed in batches, the system deletes the original commands to be run in batches. The commands that are already edited are saved in memory and are deleted for ever when the system is restarted.

Step 2 After all commands are edited, press the shortcut keys Ctrl+Z to exit the editing state and return to the user view.

Step 3 Run the batch-cmd execute command to execute commands in batches.

The batch-cmd execute command can be used by only one user at a time. The sequence of running commands is the same as the sequence of editing commands.

----End

2.4 Shortcut Keys


Using the system or user-defined shortcut keys makes it easier to enter commands.

2.4.1 Classifying Shortcut Keys


There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut keys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:
- User-oriented and user-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can correlate these shortcut keys with any commands. When the shortcut keys are pressed, the system automatically runs the corresponding command. For details of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.
- System-defined shortcut keys: These shortcut keys with fixed functions are defined by the system. Table 2-6 lists the system-defined shortcut keys.
NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.

Table 2-6 System-defined shortcut keys

Key            Function
CTRL_A         The cursor moves to the beginning of the current line.
CTRL_B         The cursor moves to the left by the space of a character.
CTRL_C         Terminates the running function.
CTRL_D         Deletes the character where the cursor lies.
CTRL_E         The cursor moves to the end of the current line.
CTRL_F         The cursor moves to the right by the space of a character.
CTRL_H         Deletes one character on the left of the cursor.
CTRL_K         Stops the creation of the outbound connection.
CTRL_N         Displays the next command in the history command buffer.
CTRL_P         Displays the previous command in the history command buffer.
CTRL_R         Repeats the display of the information of the current line.
CTRL_T         Terminates the outbound connection.
CTRL_V         Pastes the contents on the clipboard.
CTRL_W         Deletes a character string or character on the left of the cursor.
CTRL_X         Deletes all the characters on the left of the cursor.
CTRL_Y         Deletes all the characters on the right of the cursor.
CTRL_Z         Returns to the user view.
CTRL_]         Terminates the inbound or redirection connections.
ESC_B          The cursor moves to the left by the space of a word.
ESC_D          Deletes a word on the right of the cursor.
ESC_F          The cursor moves to the right to the end of next word.
ESC_N          The cursor moves downward to the next line.
ESC_P          The cursor moves upward to the previous line.
ESC_SHIFT_<    Sets the position of the cursor to the beginning of the content to be pasted into the clipboard.
ESC_SHIFT_>    Sets the position of the cursor to the end of the content to be pasted into the clipboard.

2.4.2 Defining Shortcut Keys


Only management-level users have the rights to define shortcut keys.
NOTE

When defining the shortcut keys, use double quotation marks to define the command if this command contains several commands words, that is, if spaces exist in the command.

Configure as follows in the system view.

Action                  Command
Define shortcut keys    hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands respectively:
- CTRL_G: display current-configuration
- CTRL_L: display ip routing-table
- CTRL_O: undo debugging all

The default commands of the other shortcut keys are null.

2.4.3 Use of Shortcut Keys


You can use the shortcut key at any position that allows a command to be entered. The system executes an entered shortcut key and displays the corresponding command on the screen in the same way as you enter a complete command.
- If you have typed part of a command and have not pressed Enter, you can press the shortcut keys to clear the entered command and display the full corresponding command. This operation has the same effect as that of deleting all commands and then re-entering the complete command.
- The shortcut keys are run as commands, and the command syntax is recorded in the command buffer and log for fault location and querying.
NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the ATN equipment, the input shortcut keys are captured by the terminal program and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action                                 Command
Check the usage of shortcut keys.      display hotkey

2.5 Configuration Examples


This section provides several examples for using command lines.

2.5.1 Example for Running Commands in Batches


This part provides an example for running commands in batches. In this example, by editing the commands to be run in batches, you can configure the system to automatically run the commands in batches.

Context
During the preventive maintenance inspection (PMI), you can run commands in batches. That is, enter all PMI commands once and then send all the command output information to the PMI tool, which can improve the PMI efficiency. Log in to the ATN equipment and do as follows:

Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>

Step 2 Run the commands in batches.


<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:44                             pass            no
  Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
  Configured startup system software:        NULL
  Startup system software:
  Next startup system software:              NULL
  Startup saved-configuration file:          flash:/vrpcfg.zip
  Next startup saved-configuration file:     flash:/vrpcfg.zip
  Startup paf file:                          NULL
  Next startup paf file:                     NULL
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL
<HUAWEI>batch-cmd execute command: display clock
2009-11-23 14:27:20-08:00
Monday
Time Zone(China Standard Time) : UTC-08:00
<HUAWEI>batch-cmd execute finished.

----End

2.5.2 Example for Using Tab


You can obtain prompts on keywords or check whether the entered keywords are correct by pressing Tab.

Context
Tab can be used in three ways as shown in the following example.

- The matching key word is unique after the incomplete key word is typed.

  1. Type the incomplete key word.
     [HUAWEI] info-

  2. Press Tab. The system replaces the typed one with the complete key word and displays it in a new line with the cursor leaving a space behind.
     [HUAWEI] info-center

- There are several matches or no match after the incomplete key word is typed.

  info-center can be followed by three key words.
  [HUAWEI] info-center log?
    logbuffer  logfile  loghost

  1. Type the incomplete key word.
     [HUAWEI] info-center l

  2. Press Tab.
     [HUAWEI] info-center log

     The system displays the prefix first. The prefix in this example is "log". Continue to press Tab. The cursor is closely following the end of the word.
     [HUAWEI] info-center loghost
     [HUAWEI] info-center logbuffer
     [HUAWEI] info-center logfile

     Stop pressing Tab after the key word logfile that you need is displayed.

  3. Type a space to enter the next word "channel".
     [HUAWEI] info-center logfile channel

- A wrong key word is typed.

  1. Type a wrong key word "loglog".
     [HUAWEI] info-center loglog

  2. Press Tab.
     [HUAWEI] info-center loglog

     The incorrect input "loglog" is displayed in a new line.

2.5.3 Example for Using Shortcut Keys


If the login ATN equipment is defined with shortcut keys, the shortcut keys can be used by any user regardless of the user level.

Context
Do as follows on the login ATN equipment:

Procedure
Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.
<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display ip routing-table"

Step 2 Press Ctrl+U when the prompt [HUAWEI] appears.


[HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask      Proto   Pre  Cost  Flags  NextHop        Interface

51.51.51.9/32         Direct  0    0     D      127.0.0.1      InLoopBack0
100.2.0.0/16          Direct  0    0     D      100.2.150.51   Ethernet0/0/0
100.2.150.51/32       Direct  0    0     D      127.0.0.1      InLoopBack0
100.2.255.255/32      Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.0/8           Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32          Direct  0    0     D      127.0.0.1      InLoopBack0
127.255.255.255/32    Direct  0    0     D      127.0.0.1      InLoopBack0
255.255.255.255/32    Direct  0    0     D      127.0.0.1      InLoopBack0
---------------------------------------------------------------------

----End

2.5.4 Copying Commands Using Shortcut Keys


You can copy commands by using shortcut keys in any view.

Context
Do as follows on the ATN equipment that you log in to:

Procedure
Step 1 Move the cursor to the beginning of the command and press ESC_Shift_<. Move the cursor to the end and press ESC_Shift_>.
<HUAWEI> display ip routing-table


Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD----------------
display ip routing-table

Step 3 Enter the command in any view, and press Ctrl_V to paste the contents of clipboard.
<HUAWEI> display ip routing-table

----End


3 Basic Configuration

About This Chapter

This chapter describes how to configure the basic system environment and the basic user environment.

3.1 Basic Configuration Introduction
This section describes the meaning and scope of the basic configuration.

3.2 Configuring the Basic System Environment
This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

3.3 Configuring Basic User Environment
This section describes the configuration of the basic user environment for user level switching.

3.4 Displaying System Status Messages
This section describes the display commands that are used for displaying basic system configurations.


3.1 Basic Configuration Introduction


This section describes the meaning and scope of the basic configuration.

Before configuring services, users often need to perform basic configurations for actual operation and maintenance. The ATN 910 provides configurations of two kinds of basic environments:
- Basic system environment: includes the language mode, host name, system name, system time, header text, and command level for actual environment.
- Basic user environment: includes password for changing levels and the terminal lock.

3.2 Configuring the Basic System Environment


This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

3.2.1 Establishing the Configuration Task


Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring the services, you need to configure the basic system environments to meet the requirements of the actual environments. By default, the ATN 910 supports commands of Level 0 to Level 3, namely, visit level, monitoring level, configuration level, and management level. If the user needs to define more levels, or refine management privileges on the device, the user can extend the range of command line level from the range of Level 0 to Level 3 to the range of Level 0 to Level 15.

Pre-configuration Tasks
Before configuring basic system environment, complete the following task:
- Powering on the ATN equipment

Data Preparation
To configure basic system environment, you need the following data.

No.  Data
1    Language mode
2    System time
3    Host name
4    Login information
5    Command level

3.2.2 Switching the Language Mode


You can switch between the Chinese mode and the English mode as required.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
language-mode language-name

The language mode is switched.

By default, the English mode is used. The help information on the ATN equipment can be in English and in Chinese. The language mode is stored in the system software and need not be loaded.

----End

3.2.3 Configuring the Equipment Name


You can change the equipment name as required. The new equipment name takes effect immediately.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sysname host-name

The equipment name is set. You can change the name of the ATN equipment that appears in the command prompt.

By default, the host name of the ATN equipment is HUAWEI.

----End

3.2.4 Setting the System Clock


To ensure that devices on the network work with the same clock, you need to set or change the system clock.

Context
You need to set the system time properly to ensure the cooperation between the ATN 910 and other devices. The ATN 910 supports the configurations of the time zone and the daylight saving time.
NOTE

UTC stands for Coordinated Universal Time.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD

The current date and time is set.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.
- If add is configured, the current time is the UTC time plus the time offset. That is, the default UTC time plus offset is equal to the time of time-zone-name.
- If minus is configured, the current time is the UTC time minus the time offset. That is, the default UTC time minus offset is equal to the time of time-zone-name.

Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set. During the configuration of the daylight saving time, you can configure the start time and end time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.
NOTE

When the current time is within the daylight saving time, running the clock timezone time-zone-name { add | minus } offset command can successfully set the time zone name. If the display clock command is run to view the time zone name at the moment, the time zone name, however, is displayed as the name of the daylight saving time. After the daylight saving time ends, the set time zone name can be displayed.


CAUTION
When the device is upgraded from an earlier version to the V200R001C01 version, the configured daylight saving time does not take effect and needs to be reconfigured.

----End

3.2.5 Configuring a Header


If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }

The header displayed after login is set.

A header is a system prompt displayed when a user logs in to the ATN equipment or starts interactive configuration with the ATN equipment. The header provides detailed instruction.
NOTE

- If a user logs in to the ATN equipment by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the ATN equipment by using SSH2.0, both login and shell headers are displayed.

----End

3.2.6 Configuring Command Levels


By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, after the command level is updated, all originally-registered command lines adjust automatically according to the following rules:
- The commands of Level 0 and Level 1 remain unchanged.
- The command Level 2 is updated to Level 10 and Level 3 is updated to Level 15.
- No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust the command lines to these levels separately to refine the management of privilege.

NOTE

The update of command Level 2 to Level 10 and of Level 3 to Level 15 is not a two-step process; it is performed in one step, as a batch.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
command-privilege level rearrange

The command levels are updated in batch.

When no password is configured for a Level 15 user, the system prompts the user to set a super password for the Level 15 user. At the same time, the system asks whether the user wants to continue to update the command line level. Select "N" to set a password first. If you select "Y", the command levels are updated in batch directly. As a result, users who do not log in through the console port fail to update their level.

Step 3 Run:
command-privilege level level view view-name command-key

The command level is configured. With this command, you can specify the level and the view of multiple commands at one time (command-key). All commands have default command views and levels. You need not reconfigure them.

----End
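The batch update above, combined with the rule that a user can run only commands whose level is equal to or lower than the user level, is modeled below as an added example; it is not code from this guide or from the device, and the sample commands, view names and default levels are assumptions. It lists the commands that a user of each level loses after command-privilege level rearrange, which shows why a Level 15 super password should exist before the update is confirmed.

```python
# Model of the command-level rules stated in section 3.2.6. Added example, not device code.
# The commands, view names and default levels below are illustrative assumptions.

REARRANGE = {0: 0, 1: 1, 2: 10, 3: 15}  # batch mapping of "command-privilege level rearrange"

REGISTERED = {  # (view, command-key) -> default level; constructed sample
    ("user", "ping"): 0,                      # visit level
    ("user", "display ip routing-table"): 1,  # monitoring level
    ("system", "sysname"): 2,                 # configuration level
    ("aaa", "local-user"): 3,                 # management level
}


class CommandLevels:
    def __init__(self, registered):
        self.levels = dict(registered)
        self.adjusted = set()  # commands whose level was set separately

    def set_level(self, level, view, command_key):
        """Model of: command-privilege level <level> view <view-name> <command-key>."""
        if not 0 <= level <= 15:
            raise ValueError("command level must be in 0..15")
        if (view, command_key) not in self.levels:
            raise KeyError(f"{command_key!r} is not registered in view {view!r}")
        self.levels[(view, command_key)] = level
        self.adjusted.add((view, command_key))

    def rearrange(self):
        """Model of: command-privilege level rearrange.

        Every command that was not adjusted separately moves in one batch step,
        so a command raised from 2 to 10 is not processed a second time.
        """
        self.levels = {
            key: level if key in self.adjusted else REARRANGE.get(level, level)
            for key, level in self.levels.items()
        }

    def allowed(self, user_level):
        """Commands a user may run: those whose level is <= the user level."""
        return sorted(cmd for (_, cmd), lvl in self.levels.items() if lvl <= user_level)


def lost_by_rearrange(registered, user_level):
    """Commands a user of the given level can no longer run after the batch update."""
    before = CommandLevels(registered)
    after = CommandLevels(registered)
    after.rearrange()
    return sorted(set(before.allowed(user_level)) - set(after.allowed(user_level)))


if __name__ == "__main__":
    for user_level in (1, 2, 3, 10, 15):
        print(user_level, lost_by_rearrange(REGISTERED, user_level))
    refined = CommandLevels(REGISTERED)
    refined.rearrange()
    refined.set_level(5, "system", "sysname")  # delegate one configuration command to Level 5
    print(5, refined.allowed(5))
```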

3.2.7 Configuring the Undo Command to Match in the Previous View Automatically
You can configure the system so that an undo command run in the current view is automatically matched in the previous view.

Context
If the user allows the undo command to automatically match the previous view and runs an undo command that is not registered in the current view, the system searches for the undo command in the previous view. Automatic matching has a disadvantage. For example, when the user runs the undo ospf command in the interface view, where the command is not registered, the system automatically searches in the system view. This may lead to global deletion of the OSPF feature.
NOTE

- By default, the undo command does not automatically match the upper level view.
- The matched upper-view command is valid for current login users who run this command.
- It is not recommended that you configure the undo command to automatically match the upper level view, unless necessary.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
matched upper-view

The undo command is configured to match the upper level view. By default, the undo command does not match the previous view automatically.

----End

3.3 Configuring Basic User Environment


This section describes the configuration of the basic user environment for user level switching.

3.3.1 Establishing the Configuration Task


Before configuring the basic user environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
A user can log in to the ATN equipment at a lower level to perform simple configurations or view configurations. When the configuration is complicated, the user needs to switch to a higher level. The basic environment for switching levels therefore needs to be configured.

Pre-configuration Tasks
Before configuring the basic environment for the user, complete the following task:
- Powering on the ATN equipment properly

Data Preparation
To configure the basic environment for the user, you need the following data:

No.  Data
1    Password for the user level switching

3.3.2 Configuring the Password for Switching User Levels


Passwords need to be set for users that are switched from lower levels to higher levels.

Context
When users log in to the ATN equipment with a lower user level, they switch to a higher user level to perform advanced operations by entering the corresponding password. The password needs to be configured in advance.

CAUTION
When simple is used, the password is saved in the configuration file in plain text. Login users at a lower level can obtain the password by viewing the configuration, which may cause security problems. Therefore, cipher should be used to save the password in encrypted text. If the password is set in cipher mode, it cannot be recovered from the system. Keep a record of the password so that it is not forgotten or lost.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

----End

3.3.3 Switching User Levels


You need to enter the configured password when switching from a lower level to a higher level.

Context
The correct password must be entered when the user switches from a lower level to a higher level. When configuring the switchover of user levels on the ATN equipment, users can perform HWTACACS Authentication. For detailed configurations, refer to the ATN 910 ATN equipment Configuration Guide - Security.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
super [ level ]

User levels are switched.

Step 2 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If the user enters a password incorrectly for three consecutive times, the user remains at the current login level and returns to the user view.
NOTE

When the login user of lower level is switched to the user of higher level through the super command, the system automatically sends trap messages and records the switchover in a log. When the switched level is lower than that of the current level, the system only records the switchover in a log.

----End

3.3.4 Locking User Interfaces


You can enter the set password to unlock the locked user interface.

Context
When you leave the operation terminals for a moment, you can lock the user interface to prevent unauthorized users from operating the interface.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
lock

The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm.
<HUAWEI> lock
Enter Password:
Confirm Password:

If the locking is successful, the system prompts that the user interface is locked. You must enter a correct password to unlock the user interface.

----End

3.4 Displaying System Status Messages


This section describes the display commands that are used for displaying basic system configurations.

Context
You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:
- Displays system configurations.
- Displays the running status of the system.
- Displays the diagnostic information about a system.
- Displays the restart information about the main control board.

See the related sections for display commands for protocols and interfaces. The following only shows the system display commands. Run the following commands in any view.

3.4.1 Displaying System Configuration


You can view information about the system version, system time, original configuration, and current configuration.

Prerequisites
The basic configurations are complete.

Procedure
- Run the display version command to display the system version.
- Run the display clock [ utc ] command to display the system time.
- Run the display calendar command to display system calendar.
- Run the display saved-configuration command to display the original configuration.
- Run the display current-configuration command to display the current configuration.

----End

3.4.2 Displaying System Status


You can view the configuration of the current view.

Prerequisites
The basic configurations are complete.

Procedure
- Run the display this command to display the configuration of the current view.

----End

3.4.3 Collecting System Diagnostic Information


You can view the system diagnosis information.

Context
Basic configuration is complete.

Procedure
Step 1 Run:
display diagnostic-information [ file-name ]

The system diagnosis information is displayed.

When the system fails or undergoes routine maintenance, you need to collect a lot of information to locate faults, which otherwise requires running many different display commands. In this case, you can use the display diagnostic-information command to collect all information about the current running modules in the system. The display diagnostic-information command collects the information that is collected by running the following commands, including display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, display history-command, and so on.

----End


4 User Management

About This Chapter

This chapter describes user interfaces and the configuration of users' login.

4.1 User Management Introduction
This section describes basic concepts of user interfaces and user management.

4.2 Configuring Console User Interface
You can configure the console user interface so as to maintain an ATN equipment on the local device.

4.3 Configuring VTY User Interface
You can configure the VTY user interface to maintain a remote ATN equipment.

4.4 Managing User Interfaces
You need to configure user management to ensure that the operator manages ATN equipments safely.

4.5 Configuring User Authentication
Through user management, you can create users for ATN equipments, set user passwords, and manage users.

4.6 Configuring Exclusive Configuration Access
When multiple users log in to a device to simultaneously configure services, the configurations may conflict and thus the services become abnormal on the device. To prevent the problem, you can provide exclusive configuration access to ensure that only one user performs configuration at a time.

4.7 Configuring Local User Management
After configuring attributes of a local user on an access device, you can enable the access device to function as a local AAA server.

4.8 Configuring an NM User to Log in to a Device in VTY Mode
You can configure a Network Management System (NMS) user to log in to a device in VTY mode to set parameters of the device.

4.9 Configuration Examples
This section provides examples for configuring users to log in to an ATN equipment in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


4.1 User Management Introduction


This section describes basic concepts of user interfaces and user management.

4.1.1 User Interface View


The system supports console and VTY user interfaces.

The user interface view is a command line view provided by the system. It is used to configure and manage all the physical and logical interfaces in the asynchronous mode.

User Interfaces Supported by the System


- Console port (CON)
  The console port is a serial port provided by the main control board of the ATN equipment. The main control board provides one EIA/TIA-232 DCE console port for local configuration by directly connecting a terminal to an ATN equipment.
- Virtual type terminal (VTY)
  The virtual port is a logical terminal line. A VTY connection is set up when an ATN equipment connects to a terminal through Telnet. It is used for local or remote access to an ATN equipment.

User Interface Numbering


The following are user interface numbering methods:
- Relative numbering
  The relative numbering is in the format of user interface type + number. The relative numbering is available for interfaces of a specific type. It is used only to specify one or a group of user interfaces of a specified type. It must comply with the following rules:
  Number of the console port: CON 0
  Number of the VTY: VTY 0 for the first line, VTY 1 for the second line and so on.
- Absolute numbering
  The absolute numbering is used to uniquely specify a user interface or a group of user interfaces. The number starts with 0. The ports are numbered in the sequence of CON VTY. There is only one console port and 0-15 VTY interfaces. You can use the user-interface maximum-vty command to set the maximum number of user interfaces. The default number is five.

By default, the system supports three types of user interfaces: CON, and VTY. Table 4-1 shows the absolute numbers of the user interfaces in this system.


Table 4-1 Example for the absolute numbering

Absolute number  User-interface
0                CON0
34               The first virtual interface (VTY0)
35               The second virtual interface (VTY1)
36               The third virtual interface (VTY2)
37               The fourth virtual interface (VTY3)
38               The fifth virtual interface (VTY4)

NOTE

The absolute numbers allocated for VTY interfaces are device-specific.

The numbers from 1 to 32 are reserved for the TTY user interfaces. Run the display user-interface command to view the absolute number of user interfaces.

4.1.2 User Management


The system supports operations such as user authentication and user planning.

The user name and the password are not configured when an ATN equipment is started for the first time. In this condition, any user can configure the ATN equipment through the console port by connecting a PC to the port. A remote user can log in to the ATN equipment through Telnet if the ATN equipment is configured with an IP address on the main control board or interface board. In addition, a remote user can access the network by establishing a PPP connection with the ATN equipment. Thus, user names and passwords are required for the ATN equipment to ensure network security and to manage users.

User Classification
Based on the services obtained, users of an ATN equipment are classified as follows:
- HyperTerminal users: The users access the ATN equipment through the console port.
- Telnet users: The users access the ATN equipment through Telnet.
- File Transfer Protocol (FTP) users: The users establish FTP connections with the ATN equipment to transfer files.
- Secure Shell (SSH) users: The users establish SSH connections with the ATN equipment to access the network.
- Network Management System (NMS) users: The users establish connections with ATN equipments through SNMP or Telnet to manage ATN equipments in machine-to-machine mode.

One user can obtain multiple services simultaneously and perform multiple functions.

User Level
The system provides hierarchical management to HyperTerminal users and Telnet users. The login users are classified into 16 levels corresponding to the commands, marked from Level 0 to Level 15. The higher the level, the higher the priority. A user can access a command depending on the user level.
- In the case of non-authentication or password authentication, the level of the command that can be accessed by the login user depends on the level of the login user interface.
- In the case of AAA authentication, the level of the command that can be accessed by the login user depends on the level of the local user in the AAA configuration.

The user can access the commands with the level equal to or lower than the user level. For example, for a user of Level 2, the user can access the commands of Level 0, Level 1, and Level 2.
NOTE

For details of the command level, refer to "Command Level" in Chapter 3 "Command Line Introduction."

User Authentication
After the user configuration, the system authenticates users when they access the ATN equipment. The three types of user authentication are as follows:
- Non-authentication: In this type, a user accesses the ATN equipment without the user name or password. This is not recommended due to security reasons.
- Password authentication: In this type, a user accesses the ATN equipment only with the password rather than the user name. This is safer compared to non-authentication.
- Authentication, Authorization and Accounting (AAA) local: This scheme needs both the user name and the password. This scheme authenticates the Telnet and HyperTerminal users.

User Planning
The network administrator provides the user plan based on the requirements.
- At least one HyperTerminal user is created on an ATN equipment.
- A Telnet user is created for remote access.
- An FTP user uploads or downloads files on an ATN equipment from a remote location.
- A network administrator manages ATN equipments in machine-to-machine mode, and NMS users need to be added to the ATN equipments.
NOTE

For the configuration of FTP users, refer to Chapter 8 "FTP, TFTP and XModem".

4.2 Configuring Console User Interface


You can configure the console user interface so as to maintain an ATN equipment on the local device.

4.2.1 Establishing the Configuration Task


Before configuring a console interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
A console user interface is required for maintaining the local ATN equipment.

Pre-configuration Tasks
Before configuring a console interface, complete the following tasks:
- Powering on the ATN equipment
- Connecting a PC to the ATN equipment through an asynchronous interface

Data Preparation
To configure a console interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    User authentication method, user name, and password

NOTE

All the configuration items of the ATN equipment, excluding the user name and password, have default values and do not need to be configured additionally.

4.2.2 Configuring Console Interface Attributes


You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console port.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

----End

4.2.3 Setting Console Terminal Attributes


You can configure the timeout period for idle users, the maximum number of lines to be displayed on each screen, and the size of the history command buffer for the console interface.

Context
Do as follows on the ATN equipment to which a user logs in:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console interface view is displayed.

Step 3 Run:
shell

The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period for idle users is set. By default, the timeout period for idle users is 10 minutes.

Step 5 Run:
screen-length screen-length

The number of lines to be displayed on each screen is set. By default, a terminal displays 24 lines on each screen. You can run the screen-length screen-length temporary command to specify the number of lines that a terminal displays on each screen.

Step 6 Run:
history-command max-size size-value

The buffer of the history command is set. By default, the history command buffer on a user interface can cache a maximum of 10 commands.

----End

4.2.4 Configuring User Priority


You can set the priority for a user who logs in through the console port.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console interface-number

The console user interface view is displayed.

Step 3 Run:
user privilege level level

The priority of the user is set.

This process is to set the priority for a user who logs in through the console port. A user can only use the command of the level corresponding to the user level. For more information about the command priority, see "Command Level" in Chapter 3 "CLI Overview".

----End

4.2.5 Configuring User Authentication


The system provides three authentication modes, namely, AAA, password, and none.

Procedure
• Configuring AAA Authentication
1. Run:
system-view

The system view is displayed.

2. Run:
user-interface console interface-number

The console user interface view is displayed.

3. Run:
authentication-mode aaa

The authentication mode is set to AAA.

4. Run:
quit

Exit from the console user interface view.



5. Run:
aaa

The AAA view is displayed.

6. Run:
local-user user-name password { simple | cipher } password

The name and password of the local user are created.

• Configuring Password Authentication
1. Run:
system-view

The system view is displayed.

2. Run:
user-interface console interface-number

The console user interface view is displayed.

3. Run:
authentication-mode password

The authentication mode is set to password authentication.

4. Run:
set authentication password { cipher | simple } password

A password for authentication is set.

• Configuring Non-Authentication
1. Run:
system-view

The system view is displayed.

2. Run:
user-interface console interface-number

The console user interface view is displayed.

3. Run:
authentication-mode none

The authentication mode is set to non-authentication.

----End

4.2.6 Checking the Configuration


After configuring the console user interface, you can view the usage information of the user interface, physical attributes and configurations of the user interface, local user list, and online users.

Prerequisites
The configurations of the User Management function are complete.

Procedure
• Run the display users [ all ] command to check information about the user interface.
• Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.

----End

4.3 Configuring VTY User Interface


You can configure the VTY user interface to maintain a remote ATN equipment.

4.3.1 Establishing the Configuration Task


Before configuring a VTY interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
If you want to log in to the ATN equipment using Telnet or SSH to perform management or configuration operations, a VTY interface is required.

Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:
• Powering on the ATN equipment
• Connecting a PC to the ATN equipment correctly

Data Preparation
To configure a VTY user interface, you need the following data.

No.  Data
1    Maximum VTY user interfaces
2    (Optional) Number of the ACL for limiting incoming and outgoing calls of users logging in using VTY user interfaces
3    Timeout period for idle users, maximum number of lines to be displayed on each screen and the size of the history command buffer
4    User authentication mode, user name, and password

4.3.2 Configuring Maximum VTY User Interfaces


You can configure the maximum number of VTY user interfaces through which users log in to an ATN equipment.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces through which users can log in to the ATN equipment is set.
NOTE

When the maximum number of VTY user interfaces is set to zero, no user, including the NMS user, can log in to the ATN equipment.

If the maximum number of VTY user interfaces to be configured is smaller than the maximum number of current interfaces, other parameters need not be configured. If the maximum number of VTY user interfaces to be configured is larger than the maximum number of current interfaces, the authentication mode and password need to be configured for newly added user interfaces. For newly added user interfaces, the system applies password authentication by default. For example, a maximum of five users are allowed online. To allow 15 VTY users online at the same time, you need to run the authentication-mode command and the set authentication password command to configure authentication modes and passwords for user interfaces from VTY 5 to VTY 14. The commands are run as follows:
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
[HUAWEI-ui-vty5-14] set authentication password cipher huawei

----End

4.3.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls


You can set the limit on incoming and outgoing calls for VTY user interfaces.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:
acl acl-number { inbound | outbound }

The limits on incoming and outgoing calls of the VTY user interface are configured. To prevent users at a certain address or address segment from logging in to the ATN equipment, use the inbound keyword; to prevent users who have logged in to an ATN equipment from accessing other ATN equipments, use the outbound keyword.

----End

4.3.4 Configuring VTY Terminal Attributes


You can configure the timeout period for idle users, maximum number of lines to be displayed on each screen, and the size of the historical command buffer for a VTY interface.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty number1 [ number2 ]

The VTY interface view is displayed.

Step 3 Run:
shell

Terminal services are enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period for idle users is set.

Step 5 Run:
screen-length screen-length

The maximum number of lines to be displayed on each screen is set. By default, a maximum of 24 lines are displayed on each screen. You can run the screen-length screen-length temporary command to specify the maximum number of lines to be temporarily displayed on each terminal screen.

Step 6 Run:
history-command max-size size-value


The size of the history command buffer is set. By default, the history command buffer on a user interface can cache a maximum of 10 commands.

----End

4.3.5 Configuring User Authentication


The system provides three authentication modes, namely, AAA, password, and none.

Context
The ATN equipment supports user authentication of three types:
• AAA authentication: requires the user name and password.
• Password authentication: requires no user name but a password must be set. Otherwise, the user can log in to the ATN equipment only through the console interface.
• None: requires neither user name nor password. No authentication is needed when the user logs in to the ATN equipment.

Procedure
• Configuring AAA Authentication
1. Run:
system-view

The system view is displayed.

2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:
authentication-mode aaa

The authentication mode is set to AAA.

4. Run:
quit

Exit from the VTY user interface view.

5. Run:
aaa

The AAA view is displayed.

6. Run:
local-user user-name password { simple | cipher } password

The name and password of the local user are created.

• Configuring Password Authentication
1. Run:
system-view

The system view is displayed.



2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:
authentication-mode password

The authentication mode is set to password.

4. Run:
set authentication password { cipher | simple } password

A password for this authentication mode is set.

• Configuring Non-Authentication
1. On the ATN equipment, run:
system-view

The system view is displayed.

2. Run:
user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.

3. Run:
authentication-mode none

The authentication mode is set to none.

----End

4.3.6 Checking the Configuration


After configuring the VTY user interface, you can view the usage information of the user interface, the maximum number of VTY user interfaces, and physical attributes and configurations of the user interface.

Prerequisites
The configurations of the VTY user interface are complete.

Procedure
• Run the display users [ all ] command to check the usage information of the user interface.
• Run the display user-interface maximum-vty command to check the number of maximum VTY user interfaces.
• Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of the user interface.

----End

4.4 Managing User Interfaces


You need to configure user management to ensure that the operator manages ATN equipments safely.


4.4.1 Establishing the Configuration Task


Before configuring user management interfaces, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
To ensure that the operator manages ATN equipments safely, you need to send messages between user interfaces and clear designated users.

Pre-configuration Tasks
Before managing the user interface, complete the following tasks:
• Powering on the ATN equipment
• Connecting the PC with the ATN equipment properly

Data Preparations
To manage the user interface, you need the following data:

No.  Data
1    Type and number of the user interface
2    Contents of the message to be sent

4.4.2 Sending Messages to Other User Interfaces


You can configure messaging between user interfaces.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z or Enter to end, and press Ctrl_C to abort.

----End

4.4.3 Clearing Online User


You can clear specified online users.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 On receiving the prompts, you can confirm whether the designated online users have to be cleared.

----End

4.4.4 Checking the Configuration


After configuring user management interfaces, you can view the usage information of user interfaces.

Prerequisites
The configurations of the user interfaces are complete.

Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user interface.

----End

4.5 Configuring User Authentication


Through user management, you can create users for ATN equipments, set user passwords, and manage users.

4.5.1 Establishing the Configuration Task


Before configuring user management, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
After the IP address is assigned to the main control board or the interface board, any remote user can use Telnet to log in to the ATN equipment, or connect the ATN equipment through PPP to access networks. This compromises the security. To ensure network security and ease user management, configure a user name and the user password for the ATN equipment.

Pre-configuration Tasks
Before configuring a user, complete the following tasks:
• Powering on the ATN equipment
• Connecting the PC with the ATN equipment properly

Data Preparation
To configure a user, you need the following data.

No.  Data
1    Authentication mode
2    User name and password
3    User priority

4.5.2 Configuring Authentication Mode


The system provides three authentication modes, namely, AAA local authentication, password authentication, and none authentication.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode { aaa | password | none }

The user authentication mode is configured.

----End

4.5.3 Configuring Authentication Password


You can configure a plain or cipher text password for authentication.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode password

The authentication mode is set to Password.

Step 4 Run:
set authentication password { cipher | simple } password

The authentication password is configured.


NOTE

The default authentication mode is the password authentication.

----End

4.5.4 Setting Username and Password for AAA Local Authentication


You can configure a plain or cipher text password for AAA local authentication.

Context
Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode aaa

The authentication mode is set to AAA.

Step 4 Run:
quit

Return to the system view.



Step 5 Run:
aaa

The AAA view is displayed.

Step 6 Run:
local-user user-name password { simple | cipher } password

The local username and the password are configured.

----End

4.5.5 Configuring Non-Authentication


You can configure users to log in to an ATN equipment without being authenticated.

Context

CAUTION
Configuring the non-authentication mode may cause security problems of the ATN equipment.

Do as follows on the ATN equipment that the user logs in to:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode none

The non-authentication mode is configured.

NOTE

• If the authentication mode is non-authentication or password authentication, the priority of the user interface determines the command level that the users can access.
• If the authentication mode needs the username and the password, the priority of the user determines the command level that the users can access.

----End

4.5.6 Configuring User Priority


You can configure the user priority.

Context
Refer to the ATN 910 Configuration Guide - Security.

4.5.7 Checking the Configuration


After configuring user management, you can view the usage information of user interfaces, local user list, and online users.

Prerequisites
The configurations of user management are complete.

Procedure
• Run the display users [ all ] command to check the user information.
• Run the display local-user [ domain domain-name | username user-name ] command to check information about local users.

----End

4.6 Configuring Exclusive Configuration Access


When multiple users log in to a device to simultaneously configure services, the configurations may conflict and thus the services become abnormal on the device. To prevent the problem, you can provide exclusive configuration access to ensure that only one user performs configuration at a time.

4.6.1 (Optional) Viewing the Current Locked Configuration Set


You need to check whether the configuration set is locked by another user before enabling exclusive configuration access.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
display configuration-occupied user

Information about the user that locks the configuration set is displayed.

----End

4.6.2 Enabling Exclusive Configuration Access


A user can explicitly obtain exclusive configuration access. In this case, other users cannot obtain configuration access.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
configuration exclusive

The user obtains exclusive configuration access.


NOTE

If the configuration set is already locked, an error message is displayed after this command is run.

----End

4.6.3 (Optional) Setting the Unlocking Time


You can set an allowable maximum lock timeout period when no command is delivered by the user that locks the configuration set. After the period, the configuration set is automatically unlocked and other users can normally run commands.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
configuration-occupied timeout

The timeout period for automatically unlocking the configuration set is set.
NOTE

• When a user without exclusive configuration access runs this command, the system displays an error message.
• If the configuration set is locked by another user, this command cannot be configured, and the system displays an error message.
• If the configuration set is locked by the current user, the current user can run this command.

----End

4.7 Configuring Local User Management


After configuring attributes of a local user on an access device, you can enable the access device to function as a local AAA server.

4.7.1 Establishing the Configuration Task


This section describes the applicable environment of local user management and required tasks and data for configuring a local user.

Applicable Environment
You can create a single local user database on a Network Access Server (NAS) to manage access users.

Pre-configuration Task
Before configuring local user management, complete the following tasks:
• Configuring parameters of the link layer protocol and IP addresses for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
• Creating an Access Control List (ACL) and setting ACL rules if you need to apply the ACL to manage local users

Data Preparation
To configure local user management, you need the following data.

No.  Data
1    User name and password
2    Type of the service that the local user accesses
3    Name of the FTP directory that the local user can access
4    Local user status
5    Local user level
6    Limited number of local access users
7    Number of the ACL used to manage the local user

4.7.2 Creating a Local User Account


You can create a user in the AAA view. The user can carry a domain name. If the user does not carry a domain name, the user belongs to the default domain by default.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

A local user account is created. If the user name contains @, the characters before @ are the user name and the characters after @ are the domain name. If the user name does not contain @, the whole character string represents the user name and the domain name is default_admin.

----End

4.7.3 Configuring the Type of the Service That the Local User Accesses
By setting the service type of local users, you can manage users based on the service type.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name service-type { ftp | ssh | telnet | terminal }*

The type of the service that the local user accesses is configured. By default, all access types are available for local users.

----End

4.7.4 Configuring the Local User Authority of Accessing the FTP Directory
If the access mode of a local user is FTP, you must configure the FTP directory for the local user. Otherwise, the FTP user cannot log in.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name ftp-directory directory

The local user authority of accessing the FTP directory is configured. By default, the FTP directory is null.

----End

4.7.5 Configuring Local User Status


The local user can be in the activated or blocked state. An activated user can be authenticated; a blocked user cannot be authenticated.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name state { active | block }

The local user status is configured. By default, the local user is in the active state.

----End

Follow-up Procedure
Do as follows to process the local user in the active or block state:
• If the local user is in the active state, the authentication request from this user is allowed for further processing.
• If the local user is in the block state, the authentication request from this user is denied.


4.7.6 Configuring the Local User Level


After the priority of a user is set, the login user can use only the commands whose priorities are lower than or equal to the user priority.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name level level

The local user level is configured. By default, the level of the local user is determined by the management module.

----End

Follow-up Procedure
Like commands, login users have 16 levels. The levels are Visit, Monitoring, Configure, and Management, and are marked from 0 to 15. The higher the mark, the higher the priority.

4.7.7 Setting the Maximum Number of Access Users with the Same User Name
A user name can be used for several connections. By restricting the access of local users, you can control the number of connections under one user name.

Context
Do as follows on the NAS:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa


The AAA view is displayed.

Step 3 Run:
local-user user-name access-limit max-number

The local user access limit is configured. By default, the number of access users with the same user name is not restricted.

----End

4.7.8 Configuring an ATN equipment to Cut off Idle Access Users


After an ATN equipment is configured to log off idle local users, local users automatically go offline when their traffic is less than the set limit during the idle time.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user username idle-cut

The ATN equipment is configured to cut off an idle local user. By default, the idle-cut function of the domain is disabled for users. That is, idle users in the domain are not cut off by default. After you enable the idle-cut function of local users, the idle-cut time is prioritized in descending order: the idle-cut time delivered by the server, the idle-cut time set in the AAA domain view, and the idle-cut time set on the VTY interface.

----End

4.7.9 Local Users Changing the Passwords


A local user can perform this operation to change its password.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
local-user change-password


The password of the local user is changed. Only the user that passes local authentication can change the password.
NOTE

Run the command in the user view.

----End

4.7.10 Checking the Configuration


After a local user is successfully configured, you can view basic information about the user, such as the user name, user status, user type, access restriction, and whether the user is online.

Prerequisites
The configurations of the local user management are complete.

Procedure
Step 1 Run the display local-user [ domain domain-name | username user-name ] command to check attributes of the local user.

----End
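
The settings from sections 4.3.3, 4.5 and 4.7 can be checked together on a saved configuration. The script below is an added example, not part of the Huawei guide: it flags authentication-mode none, passwords set with simple, VTY interfaces without an inbound ACL, and local users with no service-type restriction. The configuration text is constructed, the file layout (view headers in column 0, commands indented beneath them) is an assumption, and MAX_SHARED_LEVEL is a local policy value.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like a saved configuration (assumption: view
# headers start in column 0 and their commands are indented below them).
SAMPLE_CONFIG = """\
#
aaa
 local-user admin password cipher CONSTRUCTED-CIPHERTEXT
 local-user admin service-type ssh
 local-user admin level 3
 local-user ops password simple Constructed123
 local-user ops level 15
#
user-interface maximum-vty 15
user-interface console 0
 authentication-mode password
 set authentication password cipher CONSTRUCTED-CIPHERTEXT
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
user-interface vty 5 14
 authentication-mode none
 user privilege level 3
#
"""

# Assumption (local policy, not a value from the guide): highest command level
# accepted on an interface whose sessions are not tied to a user account.
MAX_SHARED_LEVEL = 2


def parse_sections(text):
    """Return [(header, [commands])] for each view in the configuration."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # separator closes the view
        elif raw[0] not in " \t":
            current = (line, [])                # unindented line opens a view
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def audit_user_interface(header, body):
    """Check one user-interface view against sections 4.3.3 and 4.5."""
    mode, level = "password", None              # 4.5.3 NOTE: password is the default mode
    for line in body:
        m = re.fullmatch(r"authentication-mode (\S+)", line)
        if m:
            mode = m.group(1)
        m = re.fullmatch(r"user privilege level (\d+)", line)
        if m:
            level = int(m.group(1))
    findings = []
    if mode == "none":
        findings.append("authentication-mode none: login needs no user name or password")
    if any(l.startswith("set authentication password simple") for l in body):
        findings.append("interface password is stored as plain text (simple)")
    # 4.5.5 NOTE: with none/password the interface priority sets the command level.
    if mode in ("none", "password") and level is not None and level > MAX_SHARED_LEVEL:
        findings.append(f"command level {level} is granted by the interface, not by a user account")
    if header.split()[1] == "vty" and not any(re.fullmatch(r"acl \d+ inbound", l) for l in body):
        findings.append("no inbound ACL limits which addresses may log in")
    return findings


def audit_aaa(body):
    """Check local-user lines in the AAA view against section 4.7."""
    users = defaultdict(dict)
    for line in body:
        m = re.match(r"local-user (\S+) (\S+)(?: (.*))?$", line)
        if m:
            users[m.group(1)][m.group(2)] = m.group(3) or ""
    findings = {}
    for name, attrs in users.items():
        issues = []
        if attrs.get("password", "").startswith("simple "):
            issues.append("password is stored as plain text (simple)")
        if "service-type" not in attrs:          # 4.7.3: all access types by default
            issues.append("no service-type set: all access types are available")
        if issues:
            findings[name] = issues
    return findings


def audit(text):
    """Return {target: [findings]} for every view that has at least one finding."""
    report = {}
    for header, body in parse_sections(text):
        if header == "aaa":
            for name, issues in audit_aaa(body).items():
                report[f"local-user {name}"] = issues
        elif header.startswith("user-interface ") and header.split()[1] != "maximum-vty":
            issues = audit_user_interface(header, body)
            if issues:
                report[header] = issues
    return report


if __name__ == "__main__":
    for target, issues in audit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{target}: {issue}")
```

On the constructed sample the script reports the VTY 5 to 14 range and the local user ops; the console interface, VTY 0 to 4 and the local user admin pass.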

4.8 Configuring an NM User to Log in to a Device in VTY Mode


You can configure a Network Management System (NMS) user to log in to a device in VTY mode to set parameters of the device.

4.8.1 Establishing the Configuration Task


Before configuring an NMS user to log in to a device in VTY mode, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The Network Management System (NMS) user can log in to the device through VTY to set parameters about the device.

Pre-configuration Tasks
Before configuring an NMS user to log in to a device through the machine-to-machine mode, complete the following task:
• Configuring reachable ATN equipment to network management end and the device

Data Preparation
To configure an NMS user to log in to a device through the machine-to-machine mode, you need the following data.

No.  Data
1    User name and password
2    Type and number of the user interface

4.8.2 Configuring an NM User


You can create a local user and configure the user as an NM user.

Context
Do as follows on the ATN equipment that an NMS user needs to manage.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

A local user is created.

Step 4 Run:
local-user user-name user-type netmanager

The local user is set as an NM user.

----End

4.8.3 Configuring the Authentication Mode of an NM User


NMS users can be configured with only AAA authentication.

Context
Do as follows on the ATN equipment that an NMS user needs to manage.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
authentication-mode aaa

An authentication mode used to log in to the user interface is configured.


NOTE

The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special channels of the network management. The channels do not support the RSA authentication mode but support the password authentication.

----End

4.8.4 Switching to Machine-to-Machine Mode


You can switch the system to the machine-to-machine mode.

Context
NOTE

This command is invisible on the terminal of command lines. In addition, the command cannot be obtained from help information. Human-to-machine users should use this command with caution.

Do as follows on the ATN equipment that an NMS user needs to manage.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mmi-mode enable

The system is switched to the machine-to-machine mode.

NOTE

• In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five reserved user interfaces.
• In the machine-to-machine mode, the system does not output logs, alarms, and debugging information to the screen.
• In the machine-to-machine mode, the save and reboot commands can be used directly.
• In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can be adjusted by using the screen-length command. In addition, you can run the screen-length temporary command to adjust the number of lines temporarily displayed on the screen.

----End

4.8.5 Checking the Configuration


After configuring an NMS user to log in to a device in VTY mode, you can view the VTY mode.

Prerequisites
The configuration of an NMS user to log in to a device in VTY mode is complete.

Procedure
Step 1 Run the display vty mode command to check the VTY mode.

----End

4.9 Configuration Examples


This section provides examples for configuring users to log in to an ATN equipment in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

Context

CAUTION
After the first and second configuration examples are complete, the commands with priorities higher than 2 cannot be run if the current user is VTY0. Ensure that users can log in to the ATN equipment by other methods to delete configurations.

4.9.1 Example for Configuring Logging In to the ATN Through Password


In this example, the VTY0 priority, authentication mode, and disconnection time are configured, which enables users to log in to the ATN equipment through a password.

Networking Requirements
The COM port of the PC is connected to the console port. Set the priority of VTY0 to 2 and use password authentication for users. Users need to enter the password Huawei to log in successfully. After login, if the user performs no operation within 30 minutes, the user interface is disconnected from the ATN equipment.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the user interface, and configure the priority of VTY0 as 2.
2. Configure the simple authentication and the disconnect time.

Data Preparation
To complete the configuration, you need the following data:

- The password of the authentication mode
- The disconnect time

Procedure
Step 1 Configure the priority of VTY0 to be 2 on the ATN.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] user privilege level 2

Step 2 Configure the password and disconnect time.

[HUAWEI-ui-vty0] authentication-mode password
[HUAWEI-ui-vty0] set authentication password simple huawei
[HUAWEI-ui-vty0] idle-timeout 30

----End

Configuration Files
#
 sysname HUAWEI
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default_admin
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
#
return

4.9.2 Example for Logging In to the Device Through AAA


In this example, the VTY0 priority and disconnection time are configured and the idle-out function is enabled for local users, which enables users to log in to the ATN equipment through AAA authentication.

Networking Requirements
The COM port of the PC and the console port of the ATN equipment are connected. Configure the priority of VTY0 to be 2, and perform AAA authentication on the user that logs in through VTY0. The login user must enter the username "huawei" and the password "huawei". After login, if the user does not operate the ATN equipment within 30 minutes, the connection with the ATN equipment is disconnected.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnection time.
2. Enter the AAA view to configure the username, the password, and the user level.
3. Switch on the idle timeout for the local user in the AAA view.

Data Preparation
To complete the configuration, you need the following data:
- Username and password for authentication
- Disconnect time

Procedure
Step 1 Configure the priority of VTY0 to be 2 and set the disconnection time to 30 minutes.
<HUAWEI> system-view
[HUAWEI] user-interface vty 0
[HUAWEI-ui-vty0] user privilege level 2
[HUAWEI-ui-vty0] authentication-mode aaa
[HUAWEI-ui-vty0] idle-timeout 30
[HUAWEI-ui-vty0] quit

Step 2 Configure the local username, the password, and the user level.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher huawei
[HUAWEI-aaa] local-user huawei level 2

Step 3 Switch on the idle timeout for the local user in the AAA view.
[HUAWEI-aaa] local-user huawei idle-cut

----End

Configuration Files
#
 sysname HUAWEI
#
aaa
 local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user huawei level 2
 local-user huawei idle-cut
 local-user huawei idle-cut
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default_admin
#
user-interface vty 0
 authentication-mode aaa
 user privilege level 2
 idle-timeout 30
#
return

4.9.3 Example for Configuring an NMS User to Manage Devices in Machine-to-machine Mode
In this example, an NMS user is created and the authentication mode is set for the NMS user, which enables the NMS user to manage the ATN equipment in machine-to-machine mode.

Networking Requirements
As shown in Figure 4-1, the NM station logs in to the ATN through the channel reserved by the ATN for an NMS user, and then manages devices.

Figure 4-1 Networking diagram of configuring an NMS user to manage devices in the machine-to-machine mode

[Figure: ATN (GE0/0/0, 1.1.1.1/24) connected to the NM Station (1.1.1.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an NMS user.
2. Configure the authentication mode of the NMS user.
3. Enter the machine-to-machine mode.

Data Preparation
To complete the configuration, you need the following data:
- Name and IP address of an interface
- Name of the local user

Procedure
Step 1 Configure IP addresses. The configuration details are not mentioned here.

Step 2 Configure an NMS user.

# Enter the AAA view.
<HUAWEI> system-view
[HUAWEI] sysname ATN
[ATN] aaa

# Configure the NMS user.
[ATN-aaa] local-user hello@163.net password simple hello
[ATN-aaa] local-user hello@163.net user-type netmanager
[ATN-aaa] quit

Step 3 Configure the authentication mode of an NMS user.

# Enter the user interface view.
[ATN] user-interface vty 16 20

# Configure the authentication mode of the NMS user.
[ATN-ui-vty16-20] authentication-mode aaa
[ATN-ui-vty16-20] quit

NOTE

- An NMS user can log in to a device through the reserved channels only after the user passes the AAA authentication.
- Reserved channels do not support the RSA authentication mode.

Step 4 Enter the machine-to-machine mode.


[ATN] mmi-mode enable
[ATN] quit

Step 5 Verify the configuration.

<ATN> display vty mode
current VTY mode is Machine-Machine interface

----End

Configuration Files
#
 sysname ATN
#
interface Ethernet0/0/0
 ip address 1.1.1.1 255.255.255.0
#
aaa
 local-user hello@163.net password simple hello
 local-user hello@163.net user-type netmanager
#
user-interface vty 16 20
 authentication-mode aaa
#
return

5 File System

About This Chapter

The file system manages files and directories in the storage device.

5.1 File System Introduction
The file system manages the files and directories in the storage device. You can create a file system, create, delete, modify, and rename files and directories, and view file contents.

5.2 Managing Storage Devices
You can restore and format storage devices.

5.3 Managing the Directory
You can manage directories to logically store files in hierarchy.

5.4 Managing Files
You can view, create, delete, and rename files.

5.5 Example for Managing Files
This section describes how to manage files.


5.1 File System Introduction


The file system manages the files and directories in the storage device. You can create a file system, create, delete, modify, and rename files and directories, and view file contents.

5.1.1 File System


This section describes the definition and function of the file system.

Definitions
The file system manages the files and directories in the storage devices. It can create, delete, modify, and rename a file or directory and display the contents of the file.

Functions
The file system has two functions: managing the storage devices and managing the files that are stored in those storage devices.

5.1.2 File System Supported by the ATN 910


The file system supported by the ATN 910 consists of storage devices, directories, and files.

Storage Devices
Storage devices are hardware devices for storing messages. At present, the ATN equipment supports storage devices such as compact flash (CF) cards and flash cards.

Files
The file is a mechanism with which the system stores and manages messages.

Directories
The directory is a mechanism with which the system integrates and organizes the file, serving as a logical container of the file.

5.1.3 File
A file is a mechanism used for the system to store and manage information. The file system provides two functions:
- Managing storage devices
- Managing the files that are stored in storage devices

By managing files, you can view, create, delete or rename files.



5.1.4 Directory
A directory is a repository or database of information and a logical container of files. You can save files to nested directories to implement hierarchical file management.

5.2 Managing Storage Devices


You can restore and format storage devices.

5.2.1 Establishing the Configuration Task


Before managing storage devices, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the ATN equipment cannot access data normally, the storage devices that do not function normally need to be restored.

Pre-configuration Tasks
Before managing the storage devices, complete the following tasks:
- Installing the ATN equipment and starting it normally
- Enabling the client to log in to the ATN equipment

Data Preparations
Before managing the storage devices, you need the following data.

No.  Data
1    Device name

5.2.2 Restoring Storage Devices with File System Troubles


When the file system on a storage device fails, the terminal of the ATN equipment prompts you to rectify the fault.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
fixdisk device-name


The storage device with file system troubles is repaired.


NOTE

After this command is run, if the prompt that the system should be repaired is still received, it indicates that the physical medium may be damaged.

----End

5.2.3 Formatting Storage Devices


You can format a storage device when you fail to repair the file system or you do not need any data saved on the storage device.

Context

CAUTION
Formatting storage devices may lead to data loss.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
format device-name

The storage device is formatted.


NOTE

If the storage device cannot work after running the format device-name command, a fault may occur in the hardware.

----End

5.3 Managing the Directory


You can manage directories to logically store files in hierarchy.

5.3.1 Establishing the Configuration Task


Before managing directories, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When you need to transfer files between the client and the server, configure the directory by using the file system.

Pre-configuration Tasks
Before configuring the management directory, complete the following tasks:
- Powering on the ATN equipment
- Connecting the client with the server correctly

Data Preparation
To configure a management directory, you need the following data.

No.  Data
1    Directory name to be created
2    Directory name to be deleted

5.3.2 Viewing the Current Directory


You can view the current directory to know its information.

Context
Do as follows on the ATN equipment.

Procedure
Step 1 Run:
pwd

The current directory is displayed.

----End

5.3.3 Switching a Directory


You can switch the current directory to another directory.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

A directory is specified.

Step 2 Run:


pwd


The current directory is displayed.

----End

5.3.4 Displaying a Directory or File


You can view a directory or files in the directory.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

A directory is specified and the specified directory is displayed.

Step 2 Run:


dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed. Either the absolute path or relative path is applicable.

----End

5.3.5 Creating a Directory


You can create a directory in the specified directory on a specified storage device.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The parent directory of the directory to be created is displayed.

Step 2 Run:


mkdir directory

The directory is created.

----End

5.3.6 Deleting a Directory


You can delete an unneeded directory.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The parent directory of the directory to be deleted is displayed.

Step 2 Run:


rmdir directory

The directory is deleted.

----End

5.4 Managing Files


You can view, create, delete, and rename files.

5.4.1 Establishing the Configuration Task


Before managing files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
To view, delete, or rename files on the ATN equipment, you need to configure files using the file system.

Pre-configuration Tasks
Before configuring the file system, complete the following tasks:
- Powering on the ATN equipment
- Connecting the client with the server correctly

Data Preparation
To configure a file system, you need the following data.

No.  Data
1    File name to be viewed
2    File name to be deleted
3    File name to be renamed

5.4.2 Displaying Contents of Files


You can view the contents of a file, which are displayed in texts.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The directory of the file is displayed.

Step 2 Run:


more filename [ offset | all ]

The content of the file is displayed.

By specifying parameters in the more command, you can view files flexibly:

- By running the more file-name command, you can view the file named file-name. Contents of a text file are displayed screen after screen. If you press and hold the spacebar on the current terminal, all contents of the current file can be displayed. There are two preconditions if you want to display the contents of a text file screen after screen:
  - The value configured by the screen-length screen-length command must be larger than 0.
  - The total number of lines in the file must be larger than the value configured by the screen-length command.
- By running the more file-name offset command, you can view the file named file-name. Contents of a text file are displayed from the line specified by offset screen after screen. If you press and hold the spacebar on the current terminal, all contents of the current file can be displayed. There are two preconditions if you want to display the contents of a text file screen after screen:
  - The value configured by the screen-length screen-length command must be larger than 0.
  - The number of file characters minus the value of offset must be larger than the value configured by the screen-length command.
- By running the more file-name all command, you can view the file named file-name. Contents of a text file are completely displayed without pausing after each screenful of information.

----End

5.4.3 Copying Files


You can copy files.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory


The directory of the file is displayed.

Step 2 Run:


copy source-filename destination-filename

The file is copied.


NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

----End

5.4.4 Moving Files


You can move files to a specified directory.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The directory of the file is displayed.

Step 2 Run:


move source-filename destination-filename

The file is moved.

----End

5.4.5 Renaming Files


You can rename files.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The directory of the file is displayed.

Step 2 Run:


rename source-filename destination-filename

The file is renamed.

----End



5.4.6 Compressing Files


You can compress files to reduce the size of the files.

Context
Do as follows on the ATN equipment.

Procedure
Step 1 Run:
zip source-filename destination-filename

The file is compressed.

----End

5.4.7 Deleting Files


You can delete unneeded files.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
cd directory

The directory of the file is displayed.

Step 2 Run:


delete [ /unreserved ] [ /quiet ] { filename | device-name }

The file is deleted.

----End

5.4.8 Deleting Files in the Recycle Bin


You can permanently delete files in the recycle bin.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
reset recycle-bin [ filename ]

The file is deleted.

----End



5.4.9 Undeleting Files


You can undelete files.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
undelete filename

The deleted file is recovered.


NOTE

- If the current directory is not the parent directory, you must operate the file by using the absolute path.
- If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.

----End

5.4.10 Running Files in Batch


You can upload the files and then process the files in batches.

Prerequisites
The batch files on the client end have been uploaded to the ATN equipment.

Context
When the batch file is created, you can run the batch file to implement routine tasks automatically.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


execute filename

The batched file is executed.

----End

5.4.11 Configuring Prompt Modes


The system displays prompts or warning messages when you operate the device. If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.

Prerequisites
Before configuring a file system, complete the following tasks:
- Powering on the ATN equipment
- Logging in to the ATN equipment from the client end

Context
The data may be lost or damaged during the process, and the prompt is required.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


file prompt { alert | quiet }

The prompt mode of the file system is configured. By default, the prompt mode is alert.

CAUTION
If the prompt is in the quiet mode, no prompt appears for data loss due to maloperation.

----End

5.5 Example for Managing Files


This section describes how to manage files.

Networking Requirements
By configuring the file system of the ATN equipment, the user can operate the ATN equipment through the console port and copy files to the specified directory. The file path in the storage device must be correct. If the user does not specify a target file name, the source file name is the name of the target file by default.

Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and view that the file is copied successfully to the specified directory.

Data Preparation
To complete the configuration, you need the following data:
- Source file name and target file name
- Source file path and target file path

Procedure
Step 1 Display the file information in the directory cfcard:/folder2, where cfcard:/ is the flash memory identifier.
<HUAWEI> pwd
cfcard:/
<HUAWEI> cd cfcard:/folder2
<HUAWEI> dir
Info: File can't be found in the directory.
499,720 KB total (47,776 KB free)

Step 2 Copy files from cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt.

<HUAWEI> copy cfcard:/folder1/sample.txt cfcard:/folder2
Copy cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt?[Y/N]:Y
100% complete
Info: Copied file cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt...Done.

Step 3 Display the file information about the current directory, and you can view that the file is copied to the specified directory.
<HUAWEI> dir
Directory of cfcard:/folder2/

  Idx  Attr  Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-           6  Dec 21 2011  16:15:52   sample.txt

499,720 KB total (47,768 KB free)

----End

6 Management of Configuration Files

About This Chapter

This chapter describes current configurations, configuration files, detection of master/slave configuration consistency, and configuration recovery.

6.1 Management of Configuration Files Introduction
The configuration file holds the configuration items loaded when the ATN equipment restarts, this time or next time.

6.2 Managing Configuration Files
You can manage configuration files to ensure that the ATN equipment starts normally.


6.1 Management of Configuration Files Introduction


The configuration file holds the configuration items loaded when the ATN equipment restarts, this time or next time.

6.1.1 Configuration Files


This part describes basic concepts of configuration files.

The configuration file holds the configuration items loaded when the ATN equipment restarts, this time or next time. The configuration file is a text file in the following format:

- It is saved in the command format.
- To save space, default parameters are not saved. For the default values of the configuration parameters, see following sections.
- Commands are organized on the basis of the command view. All commands of the identical command view are grouped into a section. Every two command sections are separated by one or several blank lines or comment lines (beginning with "#"). The sequence of command sections is global configuration, logic interface configuration, physical interface configuration, routing protocol configuration and so on.
NOTE

- The system can run the command with the maximum length of 512 characters, including the command in an incomplete form.
- If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the command length in the configuration file may exceed 512 characters. When the system restarts, these commands cannot be restored.
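The file layout described above (commands grouped by view, "#" separator and comment lines, the 512-character limit) is enough to audit a saved configuration file offline. The following Python code is an added example, not part of the Huawei guide: it parses that layout and reports plaintext `password simple` entries, VTY logins that rely on one shared password, FTP/TFTP configuration backups, and commands too long to be restored. The function names, rule names and the sample configuration are assumptions made for the illustration.

```python
import re

MAX_CMD_LEN = 512  # command-length limit stated in the NOTE above

# Constructed sample, modelled on the configuration files of examples 4.9.1 and
# 4.9.3. The backup-to-server line is assumed to be stored as it is typed.
SAMPLE_CFG = """\
#
 sysname ATN
 set save-configuration backup-to-server server 1.1.1.2 transport-type ftp user backup password example
#
aaa
 local-user hello@163.net password simple hello
 local-user hello@163.net user-type netmanager
 #
 authorization-scheme default
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
user-interface vty 16 20
 authentication-mode aaa
#
return
"""

SECRET = re.compile(r"(password(?: simple| cipher)? )\S+")


def mask(cmd):
    """Hide whatever follows a password keyword so reports never leak secrets."""
    return SECRET.sub(r"\1****", cmd)


def parse_sections(text):
    """Split a configuration file into (view, [(line_no, command), ...]) pairs."""
    sections, current = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("#"):        # column-0 "#": separator or comment line
            current = None
            continue
        if line.strip() == "#":         # indented "#": separator inside a view
            continue
        if line.strip() == "return":    # end of the configuration
            break
        if raw[0] not in " \t":         # unindented command opens a view
            current = (line, [])
            sections.append(current)
            continue
        if current is None:             # indented command directly after "#"
            current = ("<global>", [])
            sections.append(current)
        current[1].append((no, line.strip()))
    return sections


def audit(text):
    """Return (line_no, rule, detail) findings, in file order."""
    findings = []
    for view, cmds in parse_sections(text):
        is_vty = view.startswith("user-interface vty")
        uses_aaa = any(c == "authentication-mode aaa" for _, c in cmds)
        for no, cmd in cmds:
            if re.search(r"\bpassword simple \S+", cmd):
                # "simple" keeps the secret readable in the saved file,
                # unlike the "cipher" form shown in example 4.9.2.
                findings.append((no, "plaintext-password", f"{view}: {mask(cmd)}"))
            if is_vty and not uses_aaa and cmd.startswith("set authentication password"):
                # One password for every VTY user: no per-user identity.
                findings.append((no, "shared-vty-password", view))
            if "backup-to-server" in cmd and re.search(r"\btransport-type (ftp|tftp)\b", cmd):
                # FTP and TFTP carry the configuration file unencrypted.
                findings.append((no, "cleartext-backup", mask(cmd)))
            if len(cmd) > MAX_CMD_LEN:
                # Per the NOTE, such commands cannot be restored at restart.
                findings.append((no, "overlong-command", f"{len(cmd)} characters"))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE_CFG):
        print(f"line {line_no}: {rule}: {detail}")
```
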

6.1.2 Configuration Files and Current Configurations


This part describes basic concepts of configuration files and current configurations.

- Initial configurations: On powering on, the ATN equipment retrieves the configuration files from a default save path to initialize itself. If configuration files do not exist in the default save path, the ATN equipment uses the default parameters.
- Current configurations: indicates the effective configurations of the currently running ATN equipment.
- Users can modify the current configurations of the ATN equipment through the command line interface. Use the save command to save the current configuration to the configuration file of the default storage devices, and the current configuration becomes the initial configuration of the ATN equipment when the ATN equipment is powered on next time.

6.2 Managing Configuration Files


You can manage configuration files to ensure that the ATN equipment starts normally.


6.2.1 Establishing the Configuration Task


Before managing configuration files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
In one of the following situations, you need to manage configuration files:
- To start the ATN equipment normally, you need to select the correct ATN 910 system software and configuration file for the ATN equipment to load.
- After modifying current configurations, you need to save the modified contents.
- You need to view the configuration of the ATN equipment.

Pre-configuration Tasks
Before managing configuration files, complete the following task:
- Installing the ATN equipment and starting it properly

Data Preparation
To manage configuration files, you need the following data.

No.  Data
1    ATN 910 system software and its file name
2    Configuration file and its name
3    The number of the start line from which the comparison of the configuration files begins

6.2.2 Configuring System Software for an ATN equipment to Load for the Next Startup
To upgrade the system software of an ATN equipment, you can specify the ATN 910 system software to be loaded for the next startup.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]

The ATN 910 system software for the ATN equipment to load next time when it starts is configured.

The system software file must have the filename extension .cc and must be stored in the root directory of a storage device. You can specify system-file to use system software that is saved on the device for the next startup. slave-board is valid only on the ATN equipment with dual main control boards.

----End

6.2.3 Configuring the Configuration File for ATN to Load for the Next Startup
Before restarting an ATN equipment, you can specify the configuration files that are loaded for the next startup.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
startup saved-configuration configuration-file

The configuration file for the ATN equipment to load at the next startup is specified. The configuration file must have the filename extension .cfg or .zip and must be stored in the root directory of a storage device. The effective configuration when an ATN equipment is working is called the current configuration.

----End

6.2.4 Saving Configuration Files


You can save configuration files periodically or immediately.

Context
The system can save the configuration files periodically or in real time to prevent data loss when the ATN equipment is powered off or accidentally restarted. Run one of the following commands to save configuration files.

Procedure
- Run:
  1. system-view

     The system view is displayed.

  2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

     The configuration file is saved at intervals.

     After the parameter interval interval is specified, the device saves the configuration file at specified intervals regardless of whether the configuration file is changed.

If the set save-configuration command is not run, the system does not automatically save configurations. If the set save-configuration command is run without a specified interval, the system automatically saves configurations at 30-minute intervals.

When you configure the automatic saving function, you can set the upper limit of the CPU usage for the system during automatic saving to prevent the function from affecting system performance. When automatic saving is triggered by the expiry of the timer, the CPU usage is checked. If the CPU usage is higher than the set upper limit, automatic saving is canceled.

After delay delay-interval is specified, if the configuration is changed, the device automatically saves the configuration after the specified delay.

After automatic saving of configurations is configured, the system automatically saves the changed configurations to the configuration file for the next startup, and the configuration file changes accordingly.

Before configuring automatic saving of the configuration file to a server, you need to run the set save-configuration backup-to-server server server-ip [ transport-type { ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ] command to configure the server, including the IP address, username, and password of the server, the destination path, and the mode of transporting the configuration file to the server.
NOTE

If configuration files transmitted in TFTP mode are saved, the tftp client-source command can be run to configure the address of a loopback interface of the ATN equipment as a source address of a client to ensure security.

WARNING
When the automatic saving function is enabled and the LPU is not properly installed, corresponding configurations may be lost.

- Run:
save [ all ] [ configuration-file ]

The current configurations are saved. The filename extension of the configuration file must be .cfg or .zip. The system startup configuration file must be saved in the root directory of a storage device. The user can modify the current configuration through the command line interface. To set the current configuration as initial configuration when the ATN equipment starts next time, you can use the save command to save the current configuration in the cfcard memory. You can use the save all command to save all the current configurations, including the configurations of the boards that are not inserted, to the default directory.
NOTE

When saving the configuration file for the first time, if you do not specify the optional parameter configuration-file, the ATN equipment asks you whether to save the file as "vrpcfg.zip" or not.

----End

6.2.5 Clearing a Configuration File


You can clear the configuration file that has been loaded to a device, or clear the inactive configurations of the boards that are not installed in slots.

Context
The configuration file stored in cfcard memory needs to be cleared in the following cases:
- The system software does not match the configuration file after the ATN equipment has been upgraded.
- The configuration file is destroyed or an incorrect configuration file has been loaded.

Procedure
- Clear the currently loaded configuration file.

Run the reset saved-configuration command to clear the currently loaded configuration file.

If the configuration file of the ATN equipment used for the current startup is the same as that used for the next startup, running the reset saved-configuration command clears both configuration files. The ATN equipment will use the default configuration file for the next startup.

If the configuration file of the ATN equipment used for the current startup is different from that used for the next startup, running the reset saved-configuration command clears the configuration file used for the current startup.

If the configuration file of the ATN equipment used for the current startup is empty, the system prompts you that the configuration file does not exist after you run the reset saved-configuration command.

If you do not run the startup saved-configuration configuration-file command to specify a new correct configuration file, or do not run the save command to save the configuration file after the configuration file is cleared, the ATN equipment will use the default configuration file at the next startup.

----End

6.2.6 Comparing Configuration Files


You can compare the current configuration with the initial configuration.

Context
Do as follows on the ATN equipment:

Procedure
Step 1 Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.

If no parameter is set, the comparison begins with the first lines of the configuration files. current-line-number and save-line-number are used to continue the comparison by ignoring the differences between the configuration files.

When comparing differences between the configuration files, the system displays the contents of the current configuration file and saved configuration file from the first different line. By default, 150 characters are displayed for each configuration file. If the number of characters from the first different line to the end is less than 150, the contents after the first different line are all displayed.

In comparing the current configurations with the configuration file for next startup, if the configuration file for next startup is unavailable or its contents are null, the system prompts that reading files fails.

----End

6.2.7 Checking the Configuration


After configuring the management of configuration files, you can view the current configuration files, configuration files to be loaded at the next startup, files for the device startup, and files saved in the storage device.

Prerequisites
The configurations for managing configuration files are complete.

Procedure
- Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display current-configuration [ all | inactive ] command to view the current configuration files.
- Run the display saved-configuration [ last | time | configuration ] command to view configuration files to be loaded at the next startup.
- Run the display startup command to view files for the device startup.
- Run the dir [ /all ] [ filename ] command to view files saved in the storage device.
- Run the display changed-configuration time command to view the time of the last configuration change.

----End


7 FTP and TFTP

About This Chapter
FTP and TFTP are commonly used file transfer protocols.

7.1 FTP and TFTP Introduction
This section describes basic concepts of FTP and TFTP.

7.2 Configuring the ATN to be the FTP Server
After the ATN equipment is configured with basic functions of the FTP server, you can run the FTP client application to log in to the ATN equipment, and then access files on the ATN equipment.

7.3 Configuring FTP ACL
You can configure the FTP ACL on the ATN equipment to allow only specified users to log in to the ATN equipment.

7.4 Configuring the ATN to Be the FTP Client
You can configure the ATN equipment to be an FTP client and then log in to the FTP server.

7.5 Configuring the ATN to Be the TFTP Client
You can configure the ATN equipment to be an FTP client and then log in to the FTP server.

7.6 Limiting the Access to the TFTP Server
You can configure the maximum number of TFTP servers that a TFTP client can access to determine which TFTP servers the TFTP client can log in to.

7.7 Configuration Examples
This section provides several configuration examples for FTP and TFTP together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


7.1 FTP and TFTP Introduction


This section describes basic concepts of FTP and TFTP.

7.1.1 FTP
You can transfer files between local and remote hosts through FTP. FTP is commonly used in version upgrade, log downloading, file transfer, and configuration saving.

File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It implements file transfer between local and remote hosts based on the corresponding file system.

The ATN equipment provides the following FTP services:
- FTP server service. Users can run the FTP client program to log in to the ATN equipment and access the files on the ATN equipment.
- FTP client service. Users can establish a connection with the ATN equipment by running a terminal emulation program or a Telnet program on a PC. Enter an FTP command to connect with the remote FTP server and access the files on the remote host.

7.1.2 TFTP
TFTP does not have a complex interactive access interface and authentication control. TFTP is applicable when there is no complex interaction between the client and server.

The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol. Compared with FTP, TFTP does not have a complex interactive access interface and authentication control. TFTP is applicable in an environment where there is no complex interaction between the client and the server. For example, TFTP is used to obtain the memory image of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP). The client initiates the TFTP transfer. To download files, the client sends a read request packet to the TFTP server, receives packets from the server, and sends acknowledgements to the server. To upload files, the client sends a write request packet to the TFTP server, sends packets to the server, and receives acknowledgements from the server.

TFTP transfers files in two formats:
- The binary format: transfers program files.
- The ASCII format: transfers text files.

At present, the ATN 910 serves only as the TFTP client and transfers files in the binary format.
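
The read transfer described above, as an added example that is not part of the Huawei guide: the packet layouts follow RFC 1350, and the server is an in-memory stand-in so the exchange runs offline. It shows that a request carries only a file name and a mode, which is why this guide restricts TFTP with source addresses and ACLs rather than credentials. The function names and the 1300-byte sample file are the example's own.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5  # opcodes defined in RFC 1350
BLOCK_SIZE = 512  # every DATA payload is 512 bytes except the last one


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode | filename | 0 | mode | 0 (no credential field exists).

    The guide's "binary" format is mode "octet"; its "ASCII" format is "netascii".
    """
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def parse_request(packet):
    """Server side: decode an RRQ/WRQ and reject malformed input."""
    if len(packet) < 6 or packet[-1:] != b"\0":
        raise ValueError("truncated request")
    (opcode,) = struct.unpack("!H", packet[:2])
    fields = packet[2:-1].split(b"\0")
    if opcode not in (RRQ, WRQ) or len(fields) != 2 or not all(fields):
        raise ValueError("not a well-formed RRQ/WRQ")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def serve_read(files, request):
    """Server side of a download: one DATA packet per block, or a single ERROR.

    Block numbers are 16-bit, so this sketch handles files below 32 MB.
    """
    opcode, filename, mode = parse_request(request)
    if opcode != RRQ or mode != "octet":
        yield build_error(4, "Illegal TFTP operation")
        return
    if filename not in files:
        yield build_error(1, "File not found")
        return
    content = files[filename]
    # A payload shorter than 512 bytes ends the transfer, so a file whose size
    # is an exact multiple of 512 is closed by an empty DATA packet.
    for block, offset in enumerate(range(0, len(content) + 1, BLOCK_SIZE), start=1):
        yield build_data(block, content[offset:offset + BLOCK_SIZE])


def download(files, filename):
    """Client side of a download; returns (data or None, transcript)."""
    transcript = [("client", "RRQ " + filename)]
    received = b""
    # The generator is advanced only after the ACK is logged, mirroring TFTP's
    # lock-step rule that each block is acknowledged before the next is sent.
    for packet in serve_read(files, build_request(RRQ, filename)):
        opcode, number = struct.unpack("!HH", packet[:4])
        if opcode == ERROR:
            transcript.append(("server", "ERROR %d" % number))
            return None, transcript
        received += packet[4:]
        transcript.append(("server", "DATA %d (%d bytes)" % (number, len(packet) - 4)))
        ack = build_ack(number)
        transcript.append(("client", "ACK %d" % struct.unpack("!HH", ack)[1]))
    return received, transcript


if __name__ == "__main__":
    # Constructed sample: a 1300-byte stand-in for a configuration file.
    data, log = download({"vrpcfg.zip": bytes(1300)}, "vrpcfg.zip")
    for sender, message in log:
        print(sender, message)
```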

7.2 Configuring the ATN to be the FTP Server


After the ATN equipment is configured with basic functions of the FTP server, you can run the FTP client application to log in to the ATN equipment, and then access files on the ATN equipment.


7.2.1 Establishing the Configuration Task


Before configuring the ATN equipment to be the FTP server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the ATN equipment serves as the FTP server, after the client logs in to the ATN equipment through FTP, the user can transfer files between the client and the server.

Pre-configuration Tasks
Before configuring the ATN equipment as the FTP server, complete the following tasks:
- Powering on the ATN equipment
- Connecting the FTP client to the server

Data Preparation
To configure the ATN equipment as the FTP server, you need the following data.
NOTE

For FTP secure server connection, perform step 2.

No.  Data
1    (Optional) Listening port number specified on the FTP server
2    Configuring FTP Server Certificate-key and Chain-key
3    Enabling FTP Server
4    (Optional) Source IP address or source interface of the FTP server
5    (Optional) Timeout period of the disconnection from the FTP server
6    FTP username and password
7    File directory authorized to the FTP user

7.2.2 (Optional) Specifying a Port Number for the FTP Server


You can configure or change the listening port number of the FTP server. After the port number is changed, only the user knows the current port number, which guarantees the security.

Context
If the FTP service is not enabled, change the FTP port as required. If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change the FTP port.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server port port-number

The port number of the FTP server is configured. If a new listening port number is configured, the FTP server terminates all FTP connections and listens on the new port. By default, the FTP server listens on port 21.

----End

7.2.3 Enabling the FTP Server


This section describes how to enable FTP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server enable

The FTP server is enabled.


NOTE

When the file operation between clients and the ATN equipment ends, run the undo ftp server command to disable the FTP server function. This ensures the security of the ATN equipment.

----End

7.2.4 Configuring the Source IP Address of the FTP Server


The source address of the FTP server can be specified to allow only authorized users to access the FTP server. This ensures security.

Context
Do as follows on the ATN equipment that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server-source -a source-ip-address

The source IP address of an FTP server is configured. After the source address is configured, the address specified in the ftp command for login to the FTP server must be the configured source address. Otherwise, the login fails.

----End

7.2.5 (Optional) Configuring the Timeout Period


This section describes how to configure the timeout period of the FTP server.

Context
If the client is idle for the configured time, the connection is removed from the FTP server. By default, the timeout value is 10 minutes.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp timeout minutes

The timeout period of the FTP server is configured.

----End

7.2.6 Configuring the Local Username and the Password


You can configure the authentication information for FTP users, which prevents unauthorized users from performing operations on the device and thus guarantees the security.

Context
Do as follows on the ATN equipment that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

The local username and the password are configured.

----End

7.2.7 Configuring the Service Type and Authorization Information


You can configure the authorization mode and authorization directory for FTP users. In this case, unauthorized users cannot access the restricted directory, which guarantees the security.

Context
Do as follows on the ATN equipment that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
set default ftp-directory directory

The default FTP working directory is configured.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name service-type ftp

The FTP service type is configured.

Step 5 Run:
local-user user-name ftp-directory directory

The authorization directory of the FTP user is configured.

----End

7.2.8 Checking the Configuration


This section describes how to check the FTP server configuration.

Prerequisites
The FTP server must be configured before you run the following commands. Otherwise, the system does not display any data.

Procedure
- Run the display ftp-server command to check the configuration of the FTP server.
- Run the display ftp-server secure-info command to check the configuration of the FTP secure server.
- Run the display ftp-users command to check how many users are currently logged in to the FTP server.

----End

7.3 Configuring FTP ACL


You can configure the FTP ACL on the ATN equipment to allow only specified users to log in to the ATN equipment.

7.3.1 Establishing the Configuration Task


Before configuring the FTP ACL, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the ATN equipment serves as the FTP server, for security, you can configure an access control list (ACL) on the ATN equipment so that only clients that meet the matching conditions can access it.

Pre-configuration Tasks
Before configuring the FTP ACL, complete the following tasks:
- Powering on the ATN equipment
- Connecting the FTP client with the server

Data Preparation
To configure the FTP ACL, you need the following data.

No.  Data
1    ACL number

7.3.2 Enabling the FTP Server


The FTP server is disabled by default. You need to enable the FTP server before using FTP functions.

Context
Do as follows on the ATN equipment that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server enable

The FTP server is started.

----End

7.3.3 Configuring a Basic ACL


You can configure a basic ACL and define rules by specifying the source IP address.

Context
Do as follows on the ATN equipment that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.


NOTE

FTP supports only the basic ACL.

----End

7.3.4 Configuring the Basic FTP ACL


You can configure the basic FTP ACL.

Context
Do as follows on the ATN equipment that serves as the FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp acl acl-number

The basic FTP ACL is configured.

----End

7.3.5 Checking the Configuration


After configuring the FTP ACL, you can view the configuration and status of the FTP server as well as information about login FTP users.

Prerequisites
The FTP ACL configurations are complete.

Procedure
- Run the display ftp-server command to check the configuration and status of the FTP server.

----End
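
An added example (not part of the Huawei guide): a Python check that reads a saved configuration and reports the FTP server settings that sections 7.2 and 7.3 treat as security-relevant, together with the backup-to-server transport from the automatic-save procedure. The two configurations are constructed in the command syntax shown in this guide; the check ids, the sample addresses and names, and the assumption that a saved file stores commands as they are typed are the example's own.

```python
import re

# Constructed samples in the command syntax shown in this guide. Assumption:
# the saved configuration file stores commands in the form they are typed.
WEAK_CONFIG = """\
set save-configuration backup-to-server server 192.0.2.10 transport-type ftp user backup password EXAMPLE-ONLY
ftp server enable
ftp acl 2001
acl 2001
 rule 5 permit source 192.0.2.0 0.0.0.255
 rule 10 permit source any
aaa
 local-user ftpadmin password simple EXAMPLE-ONLY
 local-user ftpadmin service-type ftp
"""

HARDENED_CONFIG = """\
set save-configuration backup-to-server server 192.0.2.10 transport-type sftp user backup password EXAMPLE-ONLY
ftp server enable
ftp acl 2001
ftp timeout 5
acl 2001
 rule 5 permit source 192.0.2.0 0.0.0.255
aaa
 local-user ftpadmin password cipher EXAMPLE-ONLY
 local-user ftpadmin service-type ftp
 local-user ftpadmin ftp-directory cfcard:/ftp
"""


def audit(config):
    """Return (check_id, detail) findings; the check ids are this example's own."""
    findings, acls, users = [], {}, {}
    ftp_enabled, ftp_acl, default_dir, current_acl = False, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Collect the rules that belong to each ACL view ("acl number N" is also accepted).
        m = re.fullmatch(r"acl (?:number )?(\d+)", line)
        if m:
            current_acl = m.group(1)
            acls[current_acl] = []
            continue
        if current_acl and line.startswith("rule "):
            acls[current_acl].append(line)
            continue
        current_acl = None
        if line == "ftp server enable":
            ftp_enabled = True
        elif m := re.fullmatch(r"ftp acl (\d+)", line):
            ftp_acl = m.group(1)
        elif m := re.fullmatch(r"set default ftp-directory (\S+)", line):
            default_dir = m.group(1)
        elif m := re.match(r"local-user (\S+) (password|service-type|ftp-directory) (.+)", line):
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3).split()
        elif line.startswith("set save-configuration backup-to-server "):
            # FTP and TFTP carry the configuration file (and FTP the password) unencrypted.
            t = re.search(r"transport-type (\S+)", line)
            transport = t.group(1) if t else "unspecified"
            if transport != "sftp":
                findings.append(("BACKUP-NOT-SFTP", "transport-type " + transport))

    if ftp_enabled:
        if ftp_acl is None:
            findings.append(("FTP-NO-ACL", "ftp server enable without ftp acl"))
        elif ftp_acl not in acls:
            findings.append(("FTP-ACL-UNDEFINED", "acl " + ftp_acl))
        else:
            for rule in acls[ftp_acl]:
                words = rule.split()
                # A permit rule with "source any", or with no source clause, matches every client.
                if "permit" in words and ("source" not in words or "source any" in rule):
                    findings.append(("FTP-ACL-PERMIT-ANY", "acl %s: %s" % (ftp_acl, rule)))
    for name, user in sorted(users.items()):
        if user.get("password", [""])[0] == "simple":
            # "simple" keeps the password readable in the configuration file.
            findings.append(("PLAINTEXT-PASSWORD", name))
        if "ftp" in user.get("service-type", []) and "ftp-directory" not in user and default_dir is None:
            findings.append(("FTP-USER-NO-DIRECTORY", name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```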

7.4 Configuring the ATN to Be the FTP Client


You can configure the ATN equipment to be an FTP client and then log in to the FTP server.

7.4.1 Establishing the Configuration Task


Before configuring the ATN equipment to be an FTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the ATN equipment serves as an FTP client, you can log in to the FTP server through the ATN equipment and then transmit files or manage server directories.

Pre-configuration Tasks
Before configuring the ATN equipment as an FTP client, complete the following tasks:
- Powering on the ATN equipment
- Connecting the FTP client to the server

Data Preparation
To configure the ATN equipment as an FTP client, you need the following data.
NOTE

For FTP secure server connection, perform steps 2, 3, and 4.

No.  Data
1    (Optional) Source IP address or source interface of the device functioning as an FTP client
2    Configuring FTP Client Trusted-CA
3    (Optional) Configuring FTP Client CRL
4    (Optional) Configuring FTP Client Set Verify Depth
5    Logging into the FTP Server
6    Host name or IP address of the FTP server
7    Port number of connecting FTP
8    FTP protocol command
9    Local file name and file name on the remote FTP server
10   Working directory name of the remote FTP server, local working directory of the FTP client, or directory name of the remote FTP server
11   Login username and password

7.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of FTP client to establish the connection with FTP server.

Prerequisites
The interface can be configured only if the system has a loopback interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or

ftp client-source { -i interface-type interface-number }

The loopback address of the FTP client is configured.


NOTE

Then, run the display ftp-client command on the ATN equipment to view the current configuration of the FTP client.

----End

7.4.3 Logging In to the FTP Server


You can log in to the FTP server in the user view or the FTP view.

Context
Do as follows on the ATN equipment that serves as the client:

Procedure
Step 1 Run the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, do as follows:

In the user view, establish a connection to the FTP server. Run:
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] ]

The ATN equipment is connected to the FTP server.

In the FTP view, establish a connection to the FTP server.
1. Run:
ftp

The FTP view is displayed.

2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ]

The ATN equipment is connected to the FTP server.


NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.

----End

7.4.4 Configuring Data Type and Transmission Mode for the File
This section describes how to configure the data type and transmission mode for the file.

Context
Do as follows on the ATN equipment that serves as the client:

Procedure
Step 1 Run:
ascii | binary

The data type of the file to be transmitted is set to ascii or binary.

NOTE

The FTP server supports ascii mode for data transmission, but on the ATN 910 the user has to switch to binary mode for data transfer.

Step 2 Run:
passive

The passive file transfer mode is configured.

Step 3 Run:
verbose

The verbose mode for FTP is enabled. When verbose is enabled, all FTP responses are displayed. After file transmission, the statistics about transmission efficiency are displayed.

----End

7.4.5 (Optional) Viewing Online Help of the FTP Command


This section describes how to view the online help of the FTP command.

Context
This configuration provides help information for protocol commands.

Procedure
Step 1 Run:
remotehelp command

The online help of the FTP command is displayed.

----End

7.4.6 Uploading or Downloading Files


You can upload local files to a remote FTP server, download files of the FTP server, and save the files on the local device.

Context
Do as follows on the ATN equipment that serves as the client:

Procedure
Step 1 Upload or download files.
- Run:
put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.

- Run:
get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.

----End

7.4.7 Managing Directories


You can perform management operations, such as creating and deleting directories, on the FTP server.

Context
Do as follows on the ATN equipment that serves as the client:

Procedure
Step 1 Run one or more commands in the following order to manage directories.
- Run:
cd pathname

The working path of the remote FTP server is specified.

- Run:
cdup

The working path of the FTP server is switched to the upper-level directory.

- Run:
pwd

The specified directory of the FTP server is displayed.

- Run:
lcd [ local-directory ]

The directory of the FTP client is displayed or changed.

- Run:
mkdir remote-directory

A directory is created on the FTP server.

- Run:
rmdir remote-directory

A directory is removed from the FTP server.

NOTE

- The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.
- When running the mkdir /abc command, you create a sub-directory named "abc".

----End

7.4.8 Managing Files


You can view a specified directory or file on the remote FTP server or delete a specified file from the FTP server.

Context
Do as follows on the ATN equipment that serves as the client:

Procedure
Step 1 Run one or more of the following commands to manage directories.
- Run:
ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

- Run:
dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

- Run:
delete remote-filename

The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file.

When local-filename is set, related information about the file can be downloaded locally.

----End

7.4.9 (Optional) Changing Login Users


This section describes how to change the username and password for remote login.

Prerequisites
This configuration must be performed in FTP view.

Context
The username and password are of string data type. The string length for username must be in the range of 1 to 85 case-insensitive characters and password must be in the range of 1 to 16 case-insensitive characters.

Procedure
Step 1 Run:
user username [ password ]

The current login user is changed and the user logs in again.

----End

7.4.10 Disconnecting from the FTP Server


This section describes how the client ATN equipment disconnects from FTP server.

Prerequisites
The configurations must be performed in the FTP view.

Procedure
Step 1 Run:
bye

or

quit

The client ATN equipment is disconnected from the FTP server. Return to the user view.

Step 2 Run:
close

or

disconnect

The client ATN equipment is disconnected from the FTP server. This command terminates the FTP session.

----End

7.4.11 Checking the Configuration


This section describes how to check the FTP client configuration.

Prerequisites
The FTP client must be configured before you run the following commands. Otherwise, the system does not display any data.

Procedure
- Run the display ftp-client command to check the configuration status of the FTP client.
- Run the display ftp-client secure-info command to check the configuration status of the FTP secure client.

----End

7.5 Configuring the ATN to Be the TFTP Client


You can configure the ATN equipment to be an FTP client and then log in to the FTP server.

7.5.1 Establishing the Configuration Task


Before configuring TFTP, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction environment.

Pre-configuration Tasks
Before configuring TFTP, complete the following tasks:
- Powering on the ATN equipment
- Connecting the TFTP client with the server

Data Preparation
To configure TFTP, you need the following data.

No.  Data
1    IP address of the TFTP server
2    Name of the specific file in the TFTP server
3    File directory

7.5.2 (Optional) Configuring a Source IP Address for a TFTP Client


You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection from the TFTP client to the server through a specific route by using this source IP address.

Context
Do as follows on the ATN equipment that functions as a TFTP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured. After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.

----End

7.5.3 Downloading Files Through TFTP


You can download files from the TFTP server to the TFTP client.

Context
Do as follows on the ATN equipment that serves as the TFTP client:

Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
NOTE

Currently, the ATN equipment only supports IPv4.

- If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

The ATN equipment is configured to download files through TFTP.

----End

7.5.4 Uploading Files Through TFTP


You can upload files from the TFTP client to the TFTP server.

Context
Do as follows on the ATN equipment that serves as the TFTP client:

Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
NOTE

Currently, the ATN equipment only supports IPv4.

- If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

The ATN equipment is configured to upload files through TFTP.

----End

7.6 Limiting the Access to the TFTP Server


You can configure the maximum number of TFTP servers that a TFTP client can access to determine which TFTP servers the TFTP client can log in to.

7.6.1 Establishing the Configuration Task


Before configuring a limit to access TFTP servers, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
When the ATN equipment serves as the TFTP client, you can configure the ACL on the ATN equipment. After the configuration, you can control the TFTP server to which the device can log in through TFTP.

Pre-configuration Tasks
Before configuring a limit to access the TFTP server, complete the following tasks:
- Powering on the ATN equipment
- Connecting the TFTP client to the server

Data Preparation
To configure a limit to access to the TFTP server, you need the following data.

No.  Data
1    Source IP address of the TFTP client
2    IP address of the TFTP server
3    ACL number

7.6.2 Configuring the Basic ACL


You can configure ACL rules.

Context
NOTE

TFTP supports only the basic ACL.

Do as follows on the ATN equipment that serves as the TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

----End
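
How the source-ip-address and source-wildcard pair of the rule command selects addresses, as an added example in Python (not Huawei's code and not part of the original guide); it also reports rules that can never match because an earlier rule already covers them. Assumptions: rules are checked in ascending rule-id order and the first match decides, a rule entered without a rule-id is numbered in steps of 5, and the source field is compared with the TFTP server address; the rule lines are constructed samples, and the outcome for an address that no rule matches is left undecided because the guide does not state it.

```python
import ipaddress
import re

# Page syntax (section 7.6.2), source-matching part only:
#   rule [ rule-id ] { deny | permit } [ source { source-ip-address source-wildcard | any } ]
RULE_RE = re.compile(
    r"^rule(?:\s+(?P<id>\d+))?\s+(?P<action>deny|permit)"
    r"(?:\s+source\s+(?:any|(?P<ip>\S+)\s+(?P<wc>\S+)))?$"
)
ALL_ONES = 0xFFFFFFFF


def parse_acl(lines, step=5):
    """Parse rule lines into dicts, returned in ascending rule-id order.

    Assumption: a rule without a rule-id gets the next multiple of `step`
    above the highest id seen so far (step 5 is assumed, not from the page).
    """
    rules, highest = [], 0
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            # fragment, logging, time-range and vpn-instance are not modelled
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule_id = int(m["id"]) if m["id"] else (highest // step + 1) * step
        highest = max(highest, rule_id)
        if m["ip"] is None:  # "source any" or no source clause: every address
            addr, wildcard = 0, ALL_ONES
        else:
            addr = int(ipaddress.IPv4Address(m["ip"]))
            wildcard = int(ipaddress.IPv4Address(m["wc"]))
        rules.append({"id": rule_id, "action": m["action"],
                      "addr": addr, "wildcard": wildcard})
    return sorted(rules, key=lambda r: r["id"])


def matches(rule, ip):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    diff = int(ipaddress.IPv4Address(ip)) ^ rule["addr"]
    return (diff & ~rule["wildcard"] & ALL_ONES) == 0


def evaluate(rules, ip):
    """Return (action, rule-id) of the first matching rule, or None."""
    for rule in rules:
        if matches(rule, ip):
            return rule["action"], rule["id"]
    return None


def shadowed(rules):
    """Return (rule-id, covering rule-id) pairs for rules that never match."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            # earlier ignores every bit that later ignores ...
            wider = (later["wildcard"] & ~earlier["wildcard"] & ALL_ONES) == 0
            # ... and both agree on every bit that earlier compares
            same = ((later["addr"] ^ earlier["addr"])
                    & ~earlier["wildcard"] & ALL_ONES) == 0
            if wider and same:
                result.append((later["id"], earlier["id"]))
                break
    return result


# Constructed sample rules; 10.111.16.160 is the TFTP server used in 7.7.3.
SAMPLE_RULES = parse_acl([
    "rule 5 permit source 10.111.16.160 0.0.0.0",
    "rule 10 deny source 10.111.16.0 0.0.0.255",
    "rule 15 permit source 10.111.16.200 0.0.0.0",   # never reached
    "rule 20 permit source 172.16.0.0 0.0.255.255",
])

if __name__ == "__main__":
    for server in ("10.111.16.160", "10.111.16.200", "172.16.104.110", "192.0.2.1"):
        print(server, evaluate(SAMPLE_RULES, server))
    print("shadowed:", shadowed(SAMPLE_RULES))
```
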



7.6.3 Configuring the Basic TFTP ACL


You can configure the basic TFTP ACL.

Context
Do as follows on the ATN equipment that serves as the TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

----End

7.7 Configuration Examples


This section provides several configuration examples for FTP and TFTP, together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

7.7.1 Example for Configuring FTP


In this example, a PC connected to an ATN equipment logs in to the FTP server by entering the correct user name and password through FTP, and then downloads files to the memory of the ATN equipment.

Networking Requirements
As shown in Figure 7-1, the IP address of the FTP server is 172.16.104.110/24. Log in to the ATN equipment from the HyperTerminal and then download files from the FTP server.

Figure 7-1 Networking diagram with FTP server basic functions
[Figure labels: Server; GE2/0/0 172.16.104.110/24; GE0/3/0 172.16.104.120/24; ATN; 1.1.1.2/24; PC]


Configuration Roadmap
The configuration roadmap is as follows:
1. Run the HyperTerminal on the PC and log in to the ATN equipment.
2. Use the correct username and password to log in to the FTP server to download the files on the memory of the ATN equipment.
3. Download files to the memory of the ATN equipment.

Data Preparation
To complete the configuration, you need the following data:
- FTP username as huawei and password as huawei on the server
- The correct path of the original files on the FTP server
- The destination file name and its position in the ATN equipment

Procedure
Step 1 Enable FTP on the FTP server and configure the authentication information about the FTP user.
<HUAWEI> system-view
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30
[server] aaa
[server-aaa] local-user huawei password simple huawei

Step 2 Configure the authorization mode and directory of the FTP user on the FTP server.
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit

Step 3 Configure the IP address of the FTP server.
[server] interface gigabitethernet2/0/0
[server-GigabitEthernet2/0/0] undo shutdown
[server-GigabitEthernet2/0/0] ip address 172.16.104.110 255.255.255.0
[server-GigabitEthernet2/0/0] quit

Step 4 Log in to the ATN equipment from the PC through the HyperTerminal, and connect to the FTP server using the correct username and password to obtain system host software.
# Log in to the FTP server to obtain the system host software and save it in the root directory of the CF card of the ATN equipment.
<HUAWEI> cd cfcard:
<HUAWEI> pwd
cfcard:
<HUAWEI> ftp 172.16.104.110
Trying 172.16.104.110 ...
Press CTRL+K to abort
Connected to 172.16.104.110.
220 FTP service ready.
User(172.16.104.110:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get V200R001C01.cc
The file V200R001C01.cc is already existing, overwrite it? [Y/N]:y
200 PORT command okay


150 Opening BINARY mode data connection for V200R001C01.cc.
226 Transfer complete.
FTP: 15805100 byte(s) received in 54.175 second(s) 291.74Kbyte(s)/sec.
[ftp] dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
-rwxrwxrwx 1 noone nogroup 67 Jul 17 13:24 V200R001C01.cc
-rwxrwxrwx 1 noone nogroup 13990 Jun 26 17:41 license-80ip.txt
-rwxrwxrwx 1 noone nogroup 4 Jul 17 15:25 snmpnotilog.txt
226 Transfer complete.
FTP: 402 byte(s) received in 0.140 second(s) 2.87Kbyte(s)/sec.
[ftp] bye

----End

Configuration Files
Configuration file of the FTP server.
#
 sysname Server
#
 FTP server enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 172.16.104.110 255.255.255.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
return
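
A check that can be run over saved configuration files like the one above, as an added example in Python (not Huawei's code and not part of the original guide). It flags `password simple` users, a password equal to the user name, an enabled FTP server, a Telnet server left at its enabled default (section 8.2.2), and VTY interfaces without `authentication-mode aaa` and `protocol inbound ssh` (section 8.3.3); the VTY block, the hardened sample, the user name admin01 and the ciphertext placeholder are constructed, and the finding names are hypothetical.

```python
import re


def split_views(config_text):
    """Group a VRP-style configuration into [view header, [commands]] blocks.

    A line starting in column 0 opens a view ("aaa", "interface ..."),
    indented lines belong to the open view, and a "#" in column 0 closes it.
    Indented lines outside any view are kept under the "system" block.
    """
    views, current = [["system", []]], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "return":
            continue
        if line == "#":
            current = None
        elif line.strip() == "#":          # separator inside a view
            continue
        elif not line.startswith(" "):
            current = [line, []]
            views.append(current)
        else:
            (current or views[0])[1].append(line.strip())
    return views


def audit(config_text):
    """Return a list of (finding, subject) tuples; passwords are never echoed."""
    findings = []
    views = split_views(config_text)
    every_line = [c for header, cmds in views for c in [header] + cmds]
    lowered = [c.lower() for c in every_line]

    for cmd in every_line:
        m = re.match(r"local-user (\S+) password (simple|cipher) (\S+)$", cmd, re.I)
        if m and m[2].lower() == "simple":
            # "simple" keeps the password readable in the configuration file
            findings.append(("PASSWORD_SIMPLE", m[1]))
            if m[3].lower() == m[1].lower():
                findings.append(("PASSWORD_EQUALS_USERNAME", m[1]))
    if "ftp server enable" in lowered:
        findings.append(("FTP_SERVER_ENABLED", "system"))
    # The guide states the Telnet server is enabled by default, so only an
    # explicit "undo telnet server enable" shows that it is off.
    if "undo telnet server enable" not in lowered:
        findings.append(("TELNET_SERVER_ENABLED", "system"))
    for header, cmds in views:
        if header.lower().startswith("user-interface vty"):
            lc = [c.lower() for c in cmds]
            if "authentication-mode aaa" not in lc:
                findings.append(("VTY_NOT_AAA", header))
            if "protocol inbound ssh" not in lc:
                findings.append(("VTY_SSH_NOT_CONFIGURED", header))
    return findings


# The guide's FTP server configuration plus a constructed VTY block.
WEAK_SAMPLE = """#
 sysname Server
#
 FTP server enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 ip address 172.16.104.110 255.255.255.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
 #
 domain default
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

# Constructed counterpart using only commands that appear in this guide.
HARDENED_SAMPLE = """#
 sysname Server
#
 undo telnet server enable
#
aaa
 local-user admin01 password cipher CIPHERTEXT-PLACEHOLDER
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit(text))
```
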

7.7.2 Example for Configuring the FTP Client


In this example, an ATN equipment is configured to be an FTP client. Then, the ATN equipment logs in to the FTP server and downloads system software and configuration software.

Networking Requirements
As shown in Figure 7-2, the ATN equipment that serves as the FTP client is connected to the FTP server, and downloads system software and configuration software from the FTP server to the client side.

Figure 7-2 Networking diagram of configuring the FTP client
[Figure labels: GE0/3/0; IP Network; Server 172.16.104.110/24; ATN 172.16.105.110/24]


Configuration Roadmap
1. Log in to the FTP server from the FTP client.
2. Download the system files from the server to the storage devices on the client side.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the FTP server
- The destination file name and its position in the ATN equipment
- User name and password used to log in to the FTP server

Procedure
Step 1 Log in to the FTP server from the ATN equipment.
<HUAWEI> ftp 172.16.104.110
Trying 72.16.104.110
Press CTRL+K to abort
Connected to 172.16.104.110
220 FTP service ready.
User(ftp 172.16.104.110:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.

Step 2 Configure the transmission mode to the binary format and configure the directory of the Flash memory on the ATN equipment.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the ATN equipment.
[ftp] get V200R001C01.cc
200 Port command okay.
150 Opening ASCII mode data connection for V200R001C01.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

----End

7.7.3 Example for Configuring TFTP


In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 7-3, the IP address of the TFTP server is 10.111.16.160/24. Log in to the ATN equipment from the HyperTerminal and then download the file V200R001C01.cc from the TFTP server.


Figure 7-3 Networking diagram of configuring TFTP
[Figure labels: 10.111.16.160/24; PC; TFTP Client; TFTP Server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the ATN equipment to download the file.
3. Use the TFTP command on the ATN equipment to upload the file.

Data Preparation
To complete the configuration, you need the following data:
- The TFTP application installed on the TFTP server
- The path of the file on the TFTP server
- The destination file name and its path on the ATN equipment

Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the V200R001C01.cc file resides. Figure 7-4 shows the interface.

Figure 7-4 Setting the Base Directory of the TFTP server


NOTE

The display may differ depending on the TFTP server application running on the computer.

Step 2 Log in to the ATN equipment from the computer HyperTerminal and enter the following command to download the file.
<HUAWEI>tftp 10.111.16.160 get V200R001C01.cc cfcard:/V200R001C01.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the ATN equipment.
<HUAWEI> dir cfcard:
Directory of cfcard:/
  Idx  Attr  Size(Byte)  Date         Time      FileName
    1  -rw-          40  Jun 24 2011  09:30:40  private-data.txt
    2  -rw-         396  May 19 2011  15:00:10  rsahostkey.dat
    3  -rw-         540  May 19 2011  15:00:10  rsaserverkey.dat
    4  -rw-        2718  Jun 21 2011  17:46:46  1.cfg
    5  -rw-       14343  May 19 2011  15:00:10  paf.txt
    6  -rw-        1004  Feb 05 2010  09:51:22  vrp1.zip
    7  -rw-        6247  May 19 2011  15:00:10  license.txt
    8  -rw-       14343  May 16 2011  14:13:42  paf.txt.bak
    9  -rw-    86235884  Feb 05 2010  10:23:46  V200R001C01.cc

Step 4 Log in to the ATN equipment from the computer HyperTerminal and enter the following command to upload the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.

----End


8 Telnet and SSH

About This Chapter

Telnet and SSH can provide a terminal which enables users to remotely log in to and access a server.

8.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.

8.2 Configuring Telnet Terminal Services
This section explains how to log in to an ATN equipment by means of Telnet and configure the ATN equipment.

8.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

8.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.

8.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services.

8.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.

8.7 Configuration Examples
This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.


8.1 Telnet and SSH Introduction


This section explains basic concepts of user login by means of Telnet and SSH.

8.1.1 Overview of User Login


You can locally or remotely log in to an ATN equipment through the console port, Telnet, or SSH.

To configure, monitor, and maintain the local or remote network devices running ATN 910, you need to configure the user interface, the user management, and the terminal service. The user interface provides a login plane. The user management guarantees the login security and the terminal service provides related processes of login protocol.

The ATN 910 supports the following login methods:
- Login through the console port
- Local or remote login through Telnet or SSH

8.1.2 Telnet Terminal Services


The ATN 910 provides Telnet services including Telnet server, Telnet client, and redirection terminal.

Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal service through the network. The ATN 910 provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log in to the ATN equipment, configure and manage it. The ATN equipment acts as a Telnet server.
- Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect with the ATN equipment. With the telnet command, you can log in to other ATN equipments to configure and manage them. As shown in Figure 8-1, ATN A serves as both the Telnet server and the Telnet client.

Figure 8-1 Telnet client services
[Figure labels: Telnet Session 1; Telnet Session 2; Telnet Server; PC; ATN A; ATN B]


- Redirection terminal services: You can run the Telnet client program on a PC to log in to the ATN equipment through a specified port number. Then connect with the serial interface devices that are connected with the asynchronous interface of the ATN equipment, as shown in Figure 8-2. The typical application is to connect the asynchronous interface of the ATN equipment with multiple devices for their remote configuration and maintenance.

Figure 8-2 Telnet redirection services
[Figure labels: PC; Ethernet; ATN; Async0; Async1; Async2; Async8/16; CX600-1; Lan Switch; Modem; CX600-2]

NOTE

Only the devices that provide the asynchronous interface support the Telnet redirection service.

Interruption of Telnet services
In Telnet connection, you can use two types of shortcut keys to interrupt the connection. As shown in Figure 8-3, ATN A logs in to ATN B through Telnet, and ATN B logs in to ATN C through Telnet. Thus, a cascade network is formed. In this case, ATN A is the client of ATN B and ATN B is the client of ATN C. Figure 8-3 illustrates the usage of the two types of shortcut keys.

Figure 8-3 Usage of Telnet shortcut keys
[Figure labels: Telnet Session 1; Telnet Client; Telnet Session 2; Telnet Server; ATN A; ATN B; ATN C]

<Ctrl_]>: The server interrupts the connection.



If the network connection is normal, when you press Ctrl_], the Telnet server interrupts the current Telnet connection actively. For example:
<ATNC>

Press <Ctrl_]> to return to the prompt of ATN B.


Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
Info: The connection was closed by the remote host.
<ATNB>

Press <Ctrl_]> to return to the prompt of ATN A.

Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
Info: The connection was closed by the remote host.
<ATNA>

NOTE

If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to the server.

<Ctrl_T>: The client interrupts the connection.
When the server fails and the client is unaware of the failure, the server does not respond to the input of the client. In this case, if you press Ctrl_T, the Telnet client interrupts the connection actively and quits the Telnet connection. For example:
<ATNC>

Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.
<ATNA>

CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts that all user interfaces are in use and you cannot use Telnet to log in.

8.1.3 SSH Terminal Services


SSH terminal services support the basic SSH protocol, SFTP protocol, and STelnet protocol. In addition, SSH terminal services support other ports and secure remote access.

SSH Overview
When users on an insecure network log in to the ATN equipment through Telnet, the Secure Shell (SSH) feature ensures information security and authentication to protect the ATN equipment from attacks such as IP address spoofing and interception of plain text passwords. The ATN equipment can be connected to multiple SSH users. The SSH client function allows users to establish SSH connections with the ATN equipment serving as SSH server or with UNIX hosts.
- SSH connection in a LAN
  As shown in Figure 8-4, the client can set up an SSH connection with the server in a Local Area Network (LAN).

Figure 8-4 Establishing an SSH channel in a LAN
[Figure labels: Server; Ethernet 100BASE-TX; Server; LapTop; PC; PC running SSH Client]

- SSH connection in a WAN
  As shown in Figure 8-5, the client can set up an SSH connection with the server in a Wide Area Network (WAN).

Figure 8-5 Establishing an SSH channel in a WAN
[Figure labels: Local LAN; WAN; ATN; PC running SSH Client; Remote LAN; SSH Server; PC]

Advantages of SSH
SSH supports the STelnet client and the Secure FTP (SFTP) client.
- STelnet client
  Telnet services do not provide secure authentication and use TCP to transmit data in plain text. This leads to security problems. In addition, Telnet services are prone to network attacks, such as DOS (Denial of Service) attacks, host IP address spoofing, and routing spoofing.
  Unlike Telnet, SSH provides secure remote access on insecure networks and has the following advantages:
  - Supports Remote Subscriber Access (RSA) authentication. In RSA authentication, SSH generates and exchanges public and private keys compliant with asymmetric encipherment system to ensure the session security.
  - Supports Data Encryption Standard (DES), 3DES, and AES authentications.
  - Prevents password interception by encrypting the username and password in the communication between the SSH client and the SSH server.
  - Encrypts the data to be transferred.
  When the STelnet server or the connection to the client is faulty, the client must detect the fault in time and release the connection voluntarily. This requires that the client be configured with the interval at which keepalive packets are sent and the maximum number of times that the server does not respond when it logs in to the server through STelnet. If the client does not receive any response within specified period, the client sends a keepalive packet to the server. If the number of times that the server does not respond exceeds the specified limit, the client releases the connection voluntarily.
- SFTP client
  SFTP allows you to log in to a device from the remote end to manage files. This improves the security of data transfer when the remote system is updated. Meanwhile, the client function enables you to log in to the remote device using SFTP for secure file transfer.
  When the SFTP server or the connection between it and the client is faulty, the client must detect the fault in time and release the connection voluntarily. This requires that the client be configured with the interval at which keepalive packets are sent and the maximum number of times that the server does not respond when it logs in to the server through STelnet. If the client does not receive any response within specified period, the client sends a keepalive packet to the server. If the number of times that the server does not respond exceeds the specified limit, the client releases the connection voluntarily.

8.2 Configuring Telnet Terminal Services


This section explains how to log in to an ATN equipment by means of Telnet and configure the ATN equipment.

8.2.1 Establishing the Configuration Task


Before configuring Telnet terminal services, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
To remotely log in to the ATN equipment through the Telnet protocol for maintenance and management, you need to configure Telnet terminal services.

Pre-configuration Tasks
Before configuring Telnet terminal services, complete the following tasks:
- Ensuring that the ATN equipment runs normally
- Ensuring that the IP addresses of interfaces on the ATN equipment are configured correctly
- Configuring the user account, correct login authentication mode, and call-in and call-out restriction
- Ensuring that reachable routes exist between the terminal and the ATN equipment

Data Preparation
To configure Telnet terminal services, you need the following data.

No.  Data
1    IP address of the ATN equipment
2    Name of the VPN instance
3    IPv4 address or host name of the remote ATN equipment
4    Number of the TCP port that is used by the remote ATN equipment to provide Telnet services
5    (Optional) Timeout period after which the server terminates the connection with the user interface
6    (Optional) Source IP address or source interface of the device functioning as a Telnet client

8.2.2 Enabling the Telnet Service


Before establishing a Telnet connection with the server, you need to enable the Telnet service.

Context
Do as follows on the ATN equipment that serves as a Telnet server. Select and perform one of the following two steps for IPv4.
NOTE

Currently, the ATN equipment only supports IPv4.

Procedure
- For the IPv4 network
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     telnet server enable

     The Telnet service is enabled.

NOTE

- By default, the function of the Telnet server is enabled.
- If the undo telnet server enable command is run when Telnet login is in progress, the command does not take effect.
- After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface rather than through Telnet.

----End


8.2.3 (Optional) Configuring a Source IP Address for a Telnet Client


You can configure a source IP address for a Telnet client. Then, you can set up a Telnet connection from the Telnet client to the server through a specific route by using this source IP address.

Context
Do as follows on an ATN equipment that functions as a Telnet client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a Telnet client is configured. After the configuration, the source IP address of the Telnet client displayed on the Telnet server must be the same as the configured one.

----End

8.2.4 Establishing a Telnet Connection


You can log in to and manage an ATN equipment through Telnet.

Context
Do as follows on the ATN equipment that serves as a Telnet client:
NOTE

Currently, the ATN equipment only supports IPv4.

Procedure
- Run:
  telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-name [ port-number ]

  Log in to the ATN equipment and manage other ATN equipments.

----End

8.2.5 (Optional) Configuring a Telnet Server Port Number


A user can configure or change the Telnet server port number. After the port number is changed, only the user knows the port number, improving security.

Context
Do as follows on the ATN equipment that functions as a Telnet server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
telnet server port port-number

A Telnet server port number is set. If a new port number is set, the Telnet server terminates all established Telnet connections, and then uses the new port number to listen to new requests for Telnet connections. By default, the Telnet server port number is 23.

----End

8.2.6 (Optional) Scheduled Telnet Disconnection


You can set the idle-timeout period for Telnet connections. In this manner, if the Telnet connections keep idle during the specified period, the system automatically terminates the Telnet connections.

Context
Do as follows on the ATN equipment that serves as a Telnet client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:
idle-timeout minutes [ seconds ]

The scheduled Telnet disconnection is enabled.

----End

8.2.7 Checking the Configuration


After configuring Telnet terminal services, you can view the connection status of the current user interface, connection status of each user interface, and status of all established TCP connections.

Prerequisites
The configuration of Telnet Terminal Services is complete.

Procedure
- Run the display users command to check information about connected users.
- Run the display users all command to check information about all users, including connected and disconnected users.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

8.3 Configuring SSH Users


SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

8.3.1 Establishing the Configuration Task


Before configuring SSH users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The STelnet or SFTP client can log in to the SSH server to perform operations only after SSH users are correctly configured on the SSH server.

Pre-configuration Tasks
Before configuring SSH users, complete the following tasks:
- Creating a local user
- Configuring an RSA public key for the SSH client on the SSH server

Data Preparation
To configure SSH users, you need the following data.

No.  Data
1    Name and password of SSH users
2    Authentication mode of SSH users
3    Service type of SSH users
4    Name of the peer RSA public key assigned to SSH users
5    Operating directory of the SFTP service for SSH users

8.3.2 Creating SSH User


AAA does not support RSA authentication. Therefore, when RSA authentication or password-rsa authentication is adopted, you need to create an SSH user. When password authentication is adopted, you need to create a local user with the same name in the AAA view.

Context
NOTE

Besides creating an SSH user separately, you can also create an SSH user when you configure the following.
- Configuring the Authentication Mode for SSH Users
- Configuring the Service Type of SSH Users

Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name

If you want to create an SSH user in the password authentication mode, you need to create a local user with the same name in the AAA view.
1. Run:
   aaa

   The AAA view is displayed.
2. Run:
   local-user user-name password { simple | cipher } password

   Name and password of the local user are created.

----End

8.3.3 Configuring SSH for the VTY User Interface


You can configure SSH for the VTY user interface.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.

Step 3 Run:
authentication-mode aaa

The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh

The VTY is configured to support SSH.


NOTE

The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol inbound ssh command cannot be configured successfully.

----End

8.3.4 Generating a Local RSA Key Pair


You need to create an RSA key before configuring SSH.

Context
Do as follows on the ATN equipments that serve as a client or a server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa local-key-pair create

A local RSA key pair is generated.


NOTE

To log in to an SSH server, the local RSA key pair must be configured and generated first. Before performing the other SSH configurations, you must configure the rsa local-key-pair create command to generate a local key pair.

----End

8.3.5 Configuring the Authentication Mode for SSH Users


You can configure the password or RSA authentication mode for SSH users.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

- Authenticate the SSH user through the password.

Run:
ssh user user-name authentication-type password

The password authentication is configured for the SSH user.

Run:
ssh authentication-type default password

The default password authentication is configured for the SSH user.

For the local authentication or HWTACACS authentication, if the number of SSH users is small, you can adopt the former command; if the number of SSH users is large, adopt the latter command to simplify the configuration.

- Authenticate the SSH user through RSA.

1. Run:
ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.

2. Run:
rsa peer-public-key key-name

The public key view is displayed.

3. Run:
public-key-code begin

The public key editing view is displayed.

4. Run:
hex-data

The public key is edited. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

5. Run:
public-key-code end

Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; if the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

6. Run:
peer-public-key end

Return to the system view from the public key view.

7. Run:
ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.


NOTE

- After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the ATN equipment that serves as the SSH server.
- Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured and the peer RSA public key must be the RSA public key of the SSH client.

----End

8.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users
You can configure the interval for updating the server key pair, timeout period of the SSH authentication, and retry times of the SSH authentication.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh server rekey-interval interval

The interval for updating the server key pair is configured. By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.

Step 3 Run:
ssh server timeout seconds

The timeout period of the SSH authentication is set. By default, the timeout period is 60 seconds.

Step 4 Run:
ssh server authentication-retries times

The number of retry times of the SSH authentication is set. By default, the number of retries is 3.

----End

8.3.7 (Optional) Authorizing SSH Users Through the Command Line


If RSA authentication is adopted, you need to configure command line authorization for SSH users.

Context
NOTE

There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. For details of the configuration of the command line authorization for password authentication, refer to the chapter "AAA and User Management" in the ATN 910 Configuration Guide - Security. This section describes how to configure the command line authorization for RSA authentication.

Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

----End

Follow-up Procedure
After configuring the authorization through command lines for the SSH user to perform RSA authentication, you have to configure the AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

8.3.8 Configuring the Service Type of SSH Users


You can set the service type of SSH users to SFTP, STelnet, or all.

Context
Do as follows on the ATN equipment that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user username service-type { sftp | stelnet | all }

The service type for the SSH user is configured. By default, the service type of the SSH user is not configured.

----End

8.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users
You can configure a directory as an authorized directory to allow SSH users to use SFTP services.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for SSH users is configured. By default, the authorized directory of the SFTP service for SSH users is cfcard:.

----End

8.3.10 Checking the Configuration


After configuring SSH users, you can view SSH user information.

Prerequisites
The configuration of SSH users is complete.

Procedure
- Run the display ssh user-information command to check the information about the SSH client on the SSH server.
- Run the display ssh user-information username command to check the information about the specified SSH client on the SSH server.

----End

8.4 Configuring the SSH Server Function


This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.

8.4.1 Establishing the Configuration Task


Before configuring the SSH server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before configuring the SSH server, you must enable STelnet or SFTP on the SSH server. You can change the number of the port monitored by the SSH server to other port numbers. This can prevent attackers from accessing standard ports of the SSH server and thus save bandwidth and system resources.

Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:
- Connecting the SSH client to the SSH server correctly
- Ensuring that the SSH client and the SSH server are routable
- Configuring the VTY interface on the SSH server to support SSH
- Configuring the SSH client on the SSH server
- Creating the local RSA key pair on the SSH server

Data Preparation
To configure the SSH server, you need the following data.

No.  Data
1    Number of the port monitored by the SSH server

8.4.2 Enabling the STelnet Service


Before enjoying the STelnet service, you need to enable it.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
stelnet server enable

The STelnet service is enabled. By default, STelnet services are disabled.

----End

8.4.3 Enabling the SFTP Service


Before using the SFTP service, you need to enable it.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp server enable

The SFTP service is enabled. By default, the SFTP service is disabled.

----End

8.4.4 (Optional) Enabling the Earlier Version - Compatible Function


You can configure whether the SSH server is compatible with earlier SSH versions.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh server compatible-ssh1x enable

The earlier version-compatible function is enabled.

By default, the server configured with the SSH2.0 protocol is compatible with the server configured with SSH1.X. If clients of SSH1.3 to SSH1.99 (protocol versions 1.3 to 1.99) are to be denied login, you can run the undo ssh server compatible-ssh1x enable command so that the ATN equipment is no longer compatible with the earlier protocol versions.

NOTE

- Compared with SSH1.X, SSH2.0 is extended in structure to support more authentication modes and key exchange modes, with higher service capability, such as SFTP.
- The ATN 910 supports the SSH protocol of version 1.3 to version 2.0.

----End

8.4.5 (Optional) Configuring the Number of the Port Monitored by the SSH Server
You can configure or change the monitoring port number of the SSH server. After the port number is changed, only the user knows the current port number, which guarantees the security.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh server port port-number

The number of the port monitored by the SSH server is configured. If a new number of a monitored port is configured, the SSH server interrupts all the STelnet and SFTP connections and monitors the port of the new number. By default, the number of the port monitored by the SSH server is 22.

----End

8.4.6 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server
You can configure the interval for updating the key pair of the SSH server, which can guarantee the security.

Context
Do as follows on the ATN equipment that serves as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh server rekey-interval interval

The interval for updating the key pair is set. By default, the interval for updating the key pair of the SSH server is 0, which means that the key pair is never updated.

----End

8.4.7 Checking the Configuration


After configuring the SSH server, you can view the global configuration of the SSH server.

Prerequisites
The configurations of the SSH server are complete.

Procedure
Step 1 Run the display ssh server status command to view the global configuration of the SSH server.

----End

8.5 Configuring the STelnet Client Function


This section describes how to configure the STelnet client. A secure connection between the client and server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services.

8.5.1 Establishing the Configuration Task


Before configuring an STelnet client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner as using the Telnet service.

Pre-configuration Tasks
Before connecting the STelnet client to the SSH server, complete the following tasks:
- Generating the local RSA key pair on the SSH server
- Configuring the STelnet user on the SSH server
- Enabling the STelnet service on the SSH server

Data Preparation
To connect the STelnet client to the SSH server, you need the following data:

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encrypted algorithm from the STelnet client to the SSH server
4    Preferred encrypted algorithm from the SSH server to the STelnet client
5    Preferred HMAC algorithm from the STelnet client to the SSH server
6    Preferred HMAC algorithm from the SSH server to the STelnet client
7    Preferred algorithm of key exchange
8    Name of the outgoing interface
9    Source address

8.5.2 Enabling the First-Time Authentication on the SSH Client


After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication in the next login. To simplify user operations, it is recommended that you enable the first-time authentication on the SSH client.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

The first-time authentication on the SSH client is enabled. By default, the first-time authentication on the SSH client is disabled.

NOTE

- The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH server.
- If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.

----End

8.5.3 (Optional) Assigning an RSA Public Key to the SSH Server


You can assign an RSA public key to the SSH server.

Context
If the first-time authentication on the SSH client is disabled, you need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.

Step 4 Run:
hex-data

The public key is edited. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

Step 5 Run:
public-key-code end

Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; if the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

- Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the STelnet client can successfully undergo the validity check on the RSA public key of the SSH server.
- If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End
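
An offline check of the settings configured in 8.3 through 8.5.3, added here as an example and not part of the Huawei guide: it reads a saved configuration and reports local users created with simple, VTY interfaces without AAA or protocol inbound ssh, RSA users without an assigned key, the SSH1.X compatibility and key update defaults, and first-time authentication on the client. The sample configuration is constructed, and its layout (view commands indented under the command that opens the view, the undo line present when SSH1.X compatibility is disabled) is an assumption about how the device stores these commands.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    section: str  # section of this guide that documents the setting
    item: str     # user, view or function the finding applies to
    message: str


# Constructed sample, not from a real device. Assumed layout: system-view
# commands start in column 0; commands entered inside a view (aaa,
# user-interface) are indented under the command that opens the view.
SAMPLE_CONFIG = """\
#
aaa
 local-user client001 password simple Constructed-Pass-1
 local-user client002 password cipher CONSTRUCTED-CIPHERTEXT
#
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002 authentication-type rsa
stelnet server enable
ssh client first-time enable
#
user-interface vty 0 4
 authentication-mode password
#
"""


def parse_views(config):
    """Map each system-view command to the commands indented under it."""
    views, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "#":
            continue
        if line[0].isspace() and current is not None:
            views[current].append(text)
        else:
            current = text
            views.setdefault(current, [])
    return views


def audit(config):
    """Return the findings for the SSH settings of sections 8.3 to 8.5."""
    views = parse_views(config)
    top = list(views)
    out = []

    # 8.3.2: local-user user-name password { simple | cipher } password
    for cmd in views.get("aaa", []):
        m = re.match(r"local-user (\S+) password simple\s", cmd)
        if m:
            out.append(Finding("8.3.2", m.group(1), "password uses 'simple', not 'cipher'"))

    # 8.3.3: 'protocol inbound ssh' is only accepted with AAA authentication
    for view, subs in views.items():
        if view.startswith("user-interface vty"):
            if "authentication-mode aaa" not in subs:
                out.append(Finding("8.3.3", view, "authentication mode is not aaa"))
            if "protocol inbound ssh" not in subs:
                out.append(Finding("8.3.3", view, "'protocol inbound ssh' is not set"))

    # 8.3.5 and 8.3.8: authentication type, assigned key and service type per user
    users = {}
    for cmd in top:
        m = re.match(r"ssh user (\S+) (authentication-type|assign rsa-key|service-type) (\S+)$", cmd)
        if m:
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    for name, attrs in users.items():
        needs_key = attrs.get("authentication-type") in ("rsa", "password-rsa")
        if needs_key and "assign rsa-key" not in attrs:
            out.append(Finding("8.3.5", name, "RSA authentication but no public key assigned"))
        if "service-type" not in attrs:
            out.append(Finding("8.3.8", name, "no service type configured"))

    # 8.4.4 and 8.4.6 apply only when the device acts as an SSH server
    if "stelnet server enable" in top or "sftp server enable" in top:
        if "undo ssh server compatible-ssh1x enable" not in top:
            out.append(Finding("8.4.4", "ssh server", "SSH1.X compatibility left at its default (enabled)"))
        rekey = [int(c.split()[-1]) for c in top if re.match(r"ssh server rekey-interval \d+$", c)]
        if not rekey or rekey[-1] == 0:
            out.append(Finding("8.4.6", "ssh server", "server key pair is never updated (interval 0)"))

    # 8.5.2 and 8.5.3: first-time authentication versus keys assigned in advance
    if "ssh client first-time enable" in top:
        assigned = [c for c in top if re.match(r"ssh client \S+ assign rsa-key \S+$", c)]
        msg = "first-time authentication enabled; %d server key(s) assigned in advance"
        out.append(Finding("8.5.2", "ssh client", msg % len(assigned)))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("[%s] %s: %s" % f)
```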

8.5.4 Enabling the STelnet Client


You can log in to the SSH server from the SSH client through STelnet.

Context
NOTE

When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name and choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive function.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, run the following commands.

- For IPv4 addresses, run:
stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through STelnet.

----End

8.5.5 Checking the Configuration


After configuring the STelnet client, you can view the global configuration of the SSH server.

Prerequisites
The configuration of the STelnet Client Function is complete.

Procedure
- Run the display ssh server-info command to check the mapping between the RSA public key and the SSH client on the SSH client.
- Run the display ssh server session command to check the session of the SSH client on the SSH server.

----End

8.6 Configuring the SFTP Client Function


This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.

8.6.1 Establishing the Configuration Task


Before configuring the SFTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
SFTP enables users to log in to the device from a secure remote end to manage files. This improves the security of data transmission for the remote end to update its system. The SFTP client function also enables you to log in to the remote device through SFTP for the secure file transmission.

Pre-configuration Tasks
Before connecting the SFTP client to the SSH server, complete the following tasks:
- Creating a local RSA key pair on an SSH server
- Configuring an SFTP client on the SSH server
- Enabling the SFTP service on the SSH server

Data Preparation
To connect an SFTP client to an SSH server, you need the following data.

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encrypted algorithm from the SFTP client to the SSH server
4    Preferred encrypted algorithm from the SFTP server to the SSH client
5    Preferred HMAC algorithm from the SFTP client to the SSH server
6    Preferred HMAC algorithm from the SFTP server to the SSH client
7    Preferred algorithm of key exchange
8    Name of the outgoing interface
9    Source address
10   Directory name
11   File name

8.6.2 (Optional) Configuring a Source IP Address for an SFTP Client


You can configure a source IP address for an SFTP client. Then, you can set up an SFTP connection from the SFTP client to the server through a specific route by using this source IP address.

Context
Do as follows on an ATN equipment that functions as an SFTP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.

----End

8.6.3 Configuring the First-Time Authentication on the SSH Client


After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.

Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication in the next login. To simplify user operations, it is recommended that you enable the first-time authentication on the SSH client.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

Enable the SSH client with the first authentication. By default, first-time authentication is disabled on SSH clients.

NOTE

- The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the first time. The check is skipped because the SFTP server has not saved the RSA public key of the SSH server.
- If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity and cannot log in to the server.

TIP

Except for enabling the first-time authentication on the SSH client, the SFTP client can assign the RSA public key in advance to the SSH server on the SSH client to log in to the server successfully for the first time.

----End

8.6.4 (Optional) Assigning an RSA Public Key to the SSH Server


You can assign an RSA public key on the SSH client to the SSH server.

Context
If the first-time authentication on the SSH client is disabled, you need to assign an RSA public key to the SSH server before the STelnet client logs in to the SSH server.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key editing view is displayed.

Step 4 Run:
hex-data

The public key is edited. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.

Step 5 Run:
public-key-code end

Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; if the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run and the system view is displayed.

Step 6 Run:
peer-public-key end

Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign rsa-key keyname

Assign a public key to the SSH server.

NOTE

- Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergo the validity check on the RSA public key of the SSH server.
- If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.

----End

8.6.5 Enabling the SFTP Client


You can log in to the SSH server from the SSH client through SFTP.

Context
NOTE

The command of enabling the SFTP client is similar to that of the STelnet. When accessing the SSH server, the SFTP can carry the source address and the name of the VPN instance and choose the key exchange algorithm, encrypted algorithm and HMAC algorithm, and configure the keepalive function.

Do as follows on the ATN equipment that serves as an SSH client.



Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, run the following commands.

- For IPv4 addresses, run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

----End

8.6.6 (Optional) Managing the Directory


On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH server.

Context
NOTE

After the SFTP client logs in to the SSH server, the SFTP client can create or delete the directory on the SSH server, display the current operating directory and information about a specified directory and its files.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, run the following commands.

- For IPv4 addresses, run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Perform the following as required:

- Run:
cd [ remote-directory ]

The current operating directory of users is changed.

- Run:
cdup

The operating directory of users is switched to the upper-level directory.

- Run:
pwd

The current operating directory of users is displayed.

- Run:
dir / ls [ remote-directory ]

The file list in the specified directory is displayed.

- Run:
rmdir remote-directory & <1-10>

The directory on the server is deleted.

- Run:
mkdir remote-directory

A directory is created on the server.

----End

8.6.7 (Optional) Managing the File


On the SFTP client, you can view specified remote directories or files on the SFTP server or delete specified files on the SFTP server.

Context
NOTE

After the SFTP client logs in to the SSH server, the SFTP client can change file names, delete files, display the file list, and upload and download files on the SFTP server.

Do as follows on the login ATN equipment.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, run the following commands.

- For IPv4 addresses, run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Run the command.

- Run:
rename old-name new-name

The name of the specified file on the server is changed.

- Run:
get remote-filename [local-filename]

The file on the remote server is downloaded.

- Run:
put local-filename [remote-filename]

The local file is uploaded to the remote server.

- Run:
remove remote-filename

The file on the server is removed.

----End

8.6.8 (Optional) Displaying the SFTP Client Command Help


You can view the SFTP client command help.

Context
Do as follows on the login ATN equipment:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 According to the address type of the SSH server, run the following commands.

- For IPv4 addresses, run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

Step 3 Run:
help [all | command-name ]

The SFTP client command help is displayed.

----End

8.6.9 Checking the Configuration


After configuring the SFTP client, you can view the global configuration of the SSH server.

Prerequisites
The configurations of the SFTP client function are complete.

Procedure
- Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.
- Run the display ssh server-info command to check the mapping between the SSH server and the RSA public key on the SSH client.
- Run the display ssh server session command to check the session of the SSH client on the SSH server.

----End

8.7 Configuration Examples


This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and configuration roadmap.

8.7.1 Example for Configuring Telnet Services


In this example, the authentication mode and password are configured for users to log in through Telnet.

Networking Requirements
On the network shown in Figure 8-6, CX device and ATN can ping each other successfully. A user logs in to ATN from CX device through Telnet.
Figure 8-6 Networking diagram for configuring Telnet services
[Figure: CX600 (GE1/0/0, 1.1.1.1/24) connected to ATN (GE0/3/0, 1.1.1.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. On ATN, configure the authentication mode and password for VTY0 to VTY4.
2. Configure users to use passwords to log in to ATN from CX device through Telnet.

Data Preparation
To complete the configuration, you need the following data:
- Host address of ATN
- Authentication mode and password

Procedure
Step 1 Configure IP addresses.
# Configure CX600.
<CX600> system-view
[CX600] interface gigabitethernet 1/0/0
[CX600-GigabitEthernet1/0/0] undo shutdown
[CX600-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[CX600-GigabitEthernet1/0/0] quit
[CX600] quit

# Configure ATN.
<HUAWEI> system-view
[HUAWEI] sysname ATN
[ATN] interface gigabitethernet 0/3/0
[ATN-GigabitEthernet0/3/0] undo shutdown
[ATN-GigabitEthernet0/3/0] ip address 1.1.1.2 24
[ATN-GigabitEthernet0/3/0] quit

Step 2 Configure the authentication mode and password for Telnet services on ATN.
[ATN] user-interface vty 0 4
[ATN-ui-vty0-4] authentication-mode password
[ATN-ui-vty0-4] set authentication password simple hello
[ATN-ui-vty0-4] quit

To configure an ACL for Telnet services, run the following commands on ATN.
[ATN] acl 2000
[ATN-acl-basic-2000] rule permit source 1.1.1.1 0
[ATN-acl-basic-2000] quit
[ATN] user-interface vty 0 4
[ATN-ui-vty0-4] acl 2000 inbound
NOTE

It is optional to configure an ACL for Telnet services.

Step 3 Log in to ATN from CX device through Telnet.


<CX600> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Login authentication
Password:
Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.

----End

Configuration Files
- Configuration file of CX600
The configuration file of CX600 is not provided.
- Configuration file of ATN
#
sysname ATN
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet 0/3/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return
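The ATN configuration file in this example keeps the VTY password under the simple keyword, which stores it in cleartext in the saved configuration, and restricts Telnet with ACL 2000. The following Python check is an added example, not part of the Huawei guide: it parses a VRP-style configuration file and reports, for each user-interface vty block, a cleartext password, a missing inbound ACL, or an ACL that permits more than a single host. The function names and finding labels are assumptions, and the sample input is the configuration file from this example.

```python
import re

# Sample input: the ATN configuration file from this example (re-typed here).
SAMPLE_CONFIG = """\
#
sysname ATN
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface GigabitEthernet 0/3/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
 acl 2000 inbound
 set authentication password simple hello
#
return
"""


def parse_sections(text):
    """Split a configuration into {header line: [indented body lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            if line:                      # "#" and "return" close a section
                current = None
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(line)
        else:                             # an unindented line opens a new section
            current = line
            sections.setdefault(current, [])
    return sections


def acl_rules(sections, number):
    """Return (action, source, wildcard) per rule, or None if the ACL is undefined."""
    body = sections.get(f"acl number {number}")
    if body is None:
        return None
    rules = []
    for line in body:
        m = re.match(r"rule(?: \d+)? (permit|deny)(?: source (\S+)(?: (\S+))?)?", line)
        if m:
            rules.append((m.group(1), m.group(2) or "any", m.group(3)))
    return rules


def audit_vty(text):
    """Return a list of (section header, finding label) for every VTY block."""
    sections = parse_sections(text)
    findings = []
    for header, body in sections.items():
        if not header.startswith("user-interface vty"):
            continue
        # "simple" keeps the password readable in the configuration file;
        # "cipher" is the VRP keyword for storing it in encrypted form.
        for line in body:
            m = re.match(r"set authentication password (simple|cipher) ", line)
            if m and m.group(1) == "simple":
                findings.append((header, "cleartext-password"))
        bound = [m.group(1) for m in (re.match(r"acl (\d+) inbound", l) for l in body) if m]
        if not bound:
            findings.append((header, "no-inbound-acl"))
        for number in bound:
            rules = acl_rules(sections, number)
            if rules is None:
                findings.append((header, f"acl-{number}-undefined"))
            elif any(action == "permit" and (src == "any" or wild not in ("0", "0.0.0.0"))
                     for action, src, wild in rules):
                findings.append((header, f"acl-{number}-permits-more-than-one-host"))
    return findings


if __name__ == "__main__":
    for header, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```
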


9 Device Maintenance

About This Chapter
With routine device maintenance, you can detect potential operation threats on devices and then eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
9.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
9.2 Monitoring the Device Status
Monitoring the device status facilitates fault location and cause analysis.
9.3 Board Maintenance
Board maintenance involves resetting a board and clearing the maximum CPU usage.


9.1 Introduction of Device Maintenance


Device maintenance involves replacing boards and monitoring the internal environment.

9.1.1 Overview of Device Maintenance


Device maintenance involves replacing boards and monitoring the internal environment.

Concept
The stable running of the ATN equipment depends on mature network planning and routine maintenance. In addition, hidden hazards must be located quickly. The maintenance personnel must check the alarm information in time and deal with faults properly to keep the device in normal operation and reduce the failure rate. Thus, the system runs in a safe, stable, and reliable environment.

Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal operation of the ATN equipment.

9.1.2 Maintenance Features Supported by the ATN 910


The ATN 910 allows the operation status to be monitored.

Monitoring
In routine maintenance of the device, you can run the display commands to view the working status of the ATN equipment. This helps the maintenance personnel quickly locate faults during troubleshooting.

9.2 Monitoring the Device Status


Monitoring the device status facilitates fault location and cause analysis.

9.2.1 Displaying the System Version Information


The system version information includes the system software version and various hardware versions.

Procedure
Step 1 Run:
display version

The system version information is displayed. You can run this command in any view to view the system version information. The main information is as follows:
- System software version
- Hardware and software version of the MPUs
- Hardware and software version
- Hardware and software version of the fan
----End

9.2.2 Displaying Basic Information About the Router


The basic information includes detailed information about the system-control board, physical interface card, clock board, power supply, and fan module.

Procedure
Step 1 Run:
display device [ pic-status | slot-id]

Basic information about the ATN equipment is displayed. You can run this command in any view to view the basic device information. Enter slot-id to view information about the board in the specified slot.
- Choose a board in a certain slot. You can view basic information about this board.
- Run:
display device pic-status
Basic information about the PIC card is displayed.
----End

9.2.3 Displaying the Electronic Label


The electronic label information includes the type of the board/card, bar code, BOM code, English description, production date, supplier name, issuing number, Common Language Equipment Identification (CLEI) code, and sales BOM code.

Procedure
l Run:
display elabel [ backplane | slot-id ]

The electronic label is displayed. In practice, using this command in the user view, you can view information about the electronic label of the boards. Enter slot-id to view information about the electronic label of the board in the specified slot.
NOTE

For the range of slot numbers on the ATN equipment, refer to the ATN 910 Multi-service Access Equipment Hardware Description.


Information displayed includes the type of the board and PIC card, bar code, BOM, English description, production date, supplier name, issuing number, CLEI (Common Language Equipment Identification) code, and sales BOM.
NOTE

You can back up the electronic label of the specified board using either of the following methods:
- Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label to the CF card on the ATN equipment.
- Run the backup elabel ftp host filename username password [ backplane | slot-id ] command to back up the electronic label to the specified FTP server.

----End

9.2.4 Displaying the Threshold of the Memory Usage


By specifying the slot ID, you can check the memory usage of the system control board.

Procedure
Step 1 Run:
display memory-usage

The threshold of the memory usage of the main system control board is displayed.
NOTE

To set the threshold of the memory usage on the main system control board, run the set memory-usage threshold threshold command.

----End

9.2.5 Displaying the Threshold of CPU Usage


By specifying the slot ID, you can check the CPU usage of the MPU.

Procedure
Step 1 Run:
display cpu-usage [ task-name ] [ configuration ]
NOTE

To set the threshold of the CPU usage on the main MPU, run the set cpu-usage threshold thresholdvalue command. To display the current configuration of the CPU usage, run the display cpu-usage configuration command.

----End

9.2.6 Displaying Alarm Information


The alarm information includes the alarm level, alarm date and time, and alarm description.

Procedure
Step 1 Run:
display alarm { slot-id | all }

Information about the alarm is displayed.



You can run this command in any view to view current information about the alarms of the ATN equipment. Alarm information includes the following:
- Alarm level
- Alarm date and time
- Alarm description
NOTE

After displaying the alarm of the ATN equipment, you can run the clear alarm index index-id { sendtrap | no-trap } command to clear the alarm at the specified index-id.

----End

9.2.7 Displaying the Board Temperature


The temperature information includes the temperature status of each board, temperature alarm thresholds of a board, and actual temperature of a board.

Procedure
Step 1 Run:
display temperature slot slot-id

The temperature of the specified board is displayed. You can run this command in any view to view the current temperature of the ATN equipment. The temperature information includes the following:
- Current temperature status of the board
- Alarm temperature thresholds of the board
- Actual temperature of the board
----End

9.2.8 Displaying the Board Voltage


The voltage information includes the number of voltage sensors on each board, working voltage sensor of each board, working status of the voltage sensor on each board, and voltage alarm thresholds of each board.

Procedure
Step 1 Run:
display voltage slot slot-id

The board voltage is displayed. You can run this command in any view to view the voltage of all the boards. The voltage information includes the following:
- Number of the voltage sensors
- Working voltage sensors
- Working status of the voltage sensors
- Alarm field value of the voltage
- Actual board voltage
----End

9.2.9 Displaying the Power Supply Status


The power supply information includes the slot ID of the power supply module, whether the power supply module is registered, working mode of the power supply module, and cable status of the power supply module.

Procedure
Step 1 Run:
display power

The power supply status is displayed. You can run this command in any view to view the power supply status. The displayed information includes the following:
- Slot number of the power supply module
- Presence status of the power supply module
- Operation mode of the power supply module
- Cable status of the power supply module
----End

9.2.10 Displaying the Sequence Number of the MPU


Each MPU has a globally unique equipment serial number (ESN).

Procedure
Step 1 Run:
display esn

The sequence number of the MPU is displayed. You can run this command in any view to view the sequence number of the MPU on the ATN equipment.
----End

9.3 Board Maintenance


Board Maintenance involves resetting a board and clearing the maximum CPU usage.

9.3.1 Resetting a Board


You need to back up important data before resetting a board.

Context
In the case that a board is faulty, you can use the reset slot command to reset the board.

WARNING
Back up important data before resetting the board.

Do as follows on the ATN equipment:

Procedure
Step 1 Run:
reset slot slot-id

The board is reset.


NOTE

- If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with the CPU being powered on. If a slave MPU exists, this command performs master/slave MPU switchover.
- If the board is still abnormal after being reset, contact the Huawei technical support personnel.

----End


10 Patch Management

About This Chapter
Patch management includes checking the running patch, loading patch files, and installing patches.
10.1 Introduction of Patch Management
This section describes the basics of the patch.
10.2 Checking the Running of Patch in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.
10.3 Loading a Patch
Patches can be loaded through FTP or TFTP.
10.4 Installing a Patch
To repair the system that has vulnerabilities or defects, you can install a patch on the system. By installing a patch, you can upgrade the system without upgrading the system software.
10.5 (Optional) Deactivating a Patch
If an installed patch does not take effect, you need to deactivate the patch.
10.6 Configuration Examples of the Patch Management
This section describes some configuration examples.


10.1 Introduction of Patch Management


This section describes the basics of the patch.

10.1.1 Overview of Patch Management


You can install patches to improve system functions.

Patch Overview
During the operation of the device, you sometimes need to revise the system software, for example, to remove system defects or add new functions for service requirements. Traditionally, the software is upgraded after the system is shut down. This static upgrade affects the service on the device and does not improve the communication. If you load a patch to the system software, you can upgrade it online without interrupting the operation of the device. This dynamic upgrade does not affect the service and can improve the communication.

Patch Area
In the memory of the Main Processing Unit (MPU), a certain space is reserved to save the patch. This space is called the patch area. To install a patch, first save it to the patch area in the memory of the board. Each patch saved in the patch area is numbered uniquely. Up to 2000 patches can be saved to the patch area in the memory of the MPU.

Patch States
Patch status can be idle, deactive, active, and running. For details, see Table 10-1.
Table 10-1 Patch states

State | Description | States Conversion
No patch (idle) | The patch file is saved to the CF card but not loaded to the patch area in the memory. | When the patch is loaded to the patch area, the patch status is set to deactive.
deactive | The patch is loaded to the patch area but disabled. | The patch in the deactive state can be as follows: uninstalled, that is, deleted from the patch area; enabled temporarily and turns to the active state.
active | The patch is loaded to the patch area and enabled temporarily. If the board is reset, the active patch on that board turns to the deactive state. | The patch in the active state can be as follows: uninstalled, that is, deleted from the patch area; enabled temporarily and turned into the active state; enabled permanently, and turns to the running state.
running | The patch is loaded to the patch area and enabled permanently. If the board is reset, the patch on the board keeps in the running state. | The patch in the running state can be uninstalled and deleted from the patch area.

Figure 10-1 shows the conversion between patch states.
Figure 10-1 Conversion between the statuses of a patch
[Figure: states No patch, Deactivated, Activated, and Running; transitions Load patch, Active patch, Run patch, Deactive patch, and Delete patch]
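The state conversions in Table 10-1 and Figure 10-1 can be checked mechanically before a maintenance window. The following Python model is an added example, not part of the Huawei guide: it replays a planned sequence of the patch commands used in this chapter (patch load, patch active, patch run, patch deactive, patch delete) plus a board reset, rejects commands that are not valid in the current state, and reports whether the patch is in effect and whether it survives a reset. The names check_runbook and RunbookResult, the "reset slot" step label, and the assumption that an idle or deactive patch is unchanged by a reset are illustrative.

```python
from dataclasses import dataclass, field

# States from Table 10-1.
IDLE, DEACTIVE, ACTIVE, RUNNING = "idle", "deactive", "active", "running"

# (current state, command) -> next state, following Figure 10-1.
# "patch load" is only valid from the idle state because the guide requires
# any existing patch to be deleted before a new one is loaded.
TRANSITIONS = {
    (IDLE, "patch load"): DEACTIVE,
    (DEACTIVE, "patch active"): ACTIVE,
    (ACTIVE, "patch run"): RUNNING,
    (ACTIVE, "patch deactive"): DEACTIVE,
    (DEACTIVE, "patch delete"): IDLE,
    (ACTIVE, "patch delete"): IDLE,
    (RUNNING, "patch delete"): IDLE,
}

# Effect of a board reset: an active patch falls back to deactive, a running
# patch keeps running. Idle and deactive staying unchanged is an assumption.
AFTER_RESET = {IDLE: IDLE, DEACTIVE: DEACTIVE, ACTIVE: DEACTIVE, RUNNING: RUNNING}


@dataclass
class RunbookResult:
    trace: list = field(default_factory=list)    # state after each step
    errors: list = field(default_factory=list)   # rejected steps

    @property
    def final(self):
        return self.trace[-1]

    @property
    def in_effect(self):
        """True if the patch code is currently applied (active or running)."""
        return self.final in (ACTIVE, RUNNING)

    @property
    def survives_reset(self):
        """True if the patch is still applied after a board reset."""
        return AFTER_RESET[self.final] == RUNNING


def check_runbook(steps, start=IDLE):
    """Replay a list of commands and return the resulting RunbookResult."""
    state = start
    result = RunbookResult(trace=[start])
    for n, step in enumerate(steps, 1):
        if step == "reset slot":
            state = AFTER_RESET[state]
        elif (state, step) in TRANSITIONS:
            state = TRANSITIONS[(state, step)]
        else:
            # Invalid command: record it and leave the state unchanged.
            result.errors.append(f"step {n}: '{step}' is not valid in state {state}")
        result.trace.append(state)
    return result


if __name__ == "__main__":
    plans = {
        "full install": ["patch load", "patch active", "patch run"],
        "activated only, then reset": ["patch load", "patch active", "reset slot"],
        "run without activating": ["patch load", "patch run"],
    }
    for name, steps in plans.items():
        r = check_runbook(steps)
        print(f"{name}: final={r.final} in_effect={r.in_effect} "
              f"survives_reset={r.survives_reset} errors={r.errors}")
```
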

10.1.2 Patches Supported by the ATN 910


The ATN 910 allows patches to be loaded to the system or a certain board.


Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can upgrade the system without upgrading the system software.

Logic Relationships Between Configuration Tasks


Figure 10-2 shows the logical relationships between the configuration tasks.
Figure 10-2 Logical relationships between configuration tasks
[Figure: flowchart with the steps Run VRP, Normally run (Yes/No), Resort to technical support for new patch, Enable patch temporarily, Bug removed (Yes/No), Disable patch, Unload patch, and End]

10.2 Checking the Running of Patch in the System


The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.

10.2.1 Establishing the Configuration Task


Before checking the running patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
The system allows only one patch to run at a time. Therefore, confirm that no patch is running in the current system before installing a patch. If a patch is running, delete it before installing the new patch.

Pre-configuration Tasks
Before checking the running of patch in the system, complete the following tasks:
- Ensuring that the ATN equipment is started normally after power-on
- Ensuring that the ATN equipment can be logged in to

Data Preparation
None

10.2.2 Checking the Running of Patch in the System


By running the display patch-information command, you can view information about the running patch units, activated patch units, and deactivated patch units.

Context
Do as follows on the ATN equipment to be upgraded:

Procedure
Step 1 Run:
display patch-information

All the information about the current patch is displayed, including information about the patch units that are running, the patch units that are activated, and the patch units that are deactivated.
----End

Example
<PE> display patch-information
Info: No patch exists.

This indicates that no patch runs in the current system.


NOTE

If there are patches running, you must delete them before loading new patches.

10.2.3 (Optional) Deleting a Patch


The system allows only one patch to run. If there is a running patch, you need to delete it before loading a new patch.

Context
Before installing a patch, you need to delete the running patch. Do as follows on the ATN equipment to be upgraded.

Procedure
Step 1 Run:
patch delete all

The running patch is deleted.
----End

10.3 Loading a Patch


Patches can be loaded through FTP or TFTP.

10.3.1 Establishing the Configuration Task


Before loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Before a patch is installed, it should be uploaded to the root directory of the CF card of the master MPUs. The three methods to upload a patch are FTP,.

Pre-configuration Tasks
Before loading a patch, complete the following tasks:
- Ensuring that the ATN equipment is started normally after power-on
- Ensuring that the ATN equipment can be logged in to

Data Preparation
Before running a patch, you need to obtain a patch that is consistent with the board.

No. | Data
1 | Uploading a Patch to the Root Directory of the CF Card of the Master MPU
2 | Copying a Patch to the Root Directory of the CF Card of the Slave MPU

10.3.2 Loading a Patch


Upload a patch to the root directory of the CF card of the MPU.

Context
Do as follows on the ATN equipment to be upgraded:

Procedure
Step 1 Upload a patch to the root directory of the CF card of the MPU. The ATN equipment supports the uploading of files through FTP and TFTP. For more information, see "FTP, TFTP". Choose an uploading method based on the requirements.
Step 2 Run:
startup patch file-name


The patch package is specified for the MPU on the next startup.
----End

10.3.3 Checking the Configuration


After a patch is loaded, you can check patch information.

Context
Run the following commands to check the previous configuration.

Procedure
l Run:
dir cfcard:/

Check the files on the MPU.
- Run:


display startup

Check the patch file used in the next system startup.
----End

10.4 Installing a Patch


To repair the system that has vulnerabilities or defects, you can install a patch on the system. By installing a patch, you can upgrade the system without upgrading the system software.

10.4.1 Establishing the Configuration Task


Before installing a patch on the system, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch, you can upgrade the system without upgrading the system software. When a patch is uploaded, the system checks that the patch version is the same as the system version. If the two versions are not the same, the system prompts that the patch uploading fails.

Pre-configuration Tasks
Before installing a patch, upload the patch to the root directory of the CF card of the master.

Data Preparation
None

10.4.2 Loading a Patch


A patch can be successfully loaded only when the patch version matches the system software version.

Context
Do as follows on the ATN equipment to be upgraded:

Procedure
Step 1 Run:
patch load file-name all

The patch is loaded.
----End

Follow-up Procedure
When a patch is loaded, the system checks that the patch version is the same as the system version. If the two versions are not the same, the system prompts that the patch loading fails. When the patch is loaded successfully, its status is Deactive and remains Deactive after the board is reset.

10.4.3 Activating a Patch


A patch can be activated only when it is correctly loaded and is in the deactivated state.

Context
Do as follows on the ATN equipment to be upgraded:

Procedure
Step 1 Run:
patch active all

The patch is activated.
----End

Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When a patch is activated, it becomes valid immediately. After the board is reset, however, the status of the patch becomes Deactive, and the patch does not remain valid.

10.4.4 Running a Patch


A patch can be run only after it is activated. Running a patch means that the patch is activated permanently.

Context
Do as follows on the ATN equipment to be upgraded:

Procedure
Step 1 Run:
patch run all

The patch is run.
----End

Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated permanently and remains valid after the board is reset. The status of the patch remains Running.

10.4.5 Checking the Configuration


After a patch is installed on the system, you can check the patch status.

Procedure
l Run:
display patch-information

Check the patch state.
----End

10.5 (Optional) Deactivating a Patch


If an installed patch does not take effect, you need to deactivate the patch.

10.5.1 Establishing the Configuration Task


Before deactivating a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment
After a patch is activated, you need to judge whether the patch has achieved the expected effect. If the patch does not become valid, you need to deactivate the patch. A patch can be deactivated only after it is activated.

Pre-configuration Tasks
None

Data Preparation
None

10.5.2 Deactivating a Patch


Deactivating a patch makes an active patch become inactive.

Procedure
Step 1 Run:
patch deactive all

The patch is deactivated.
----End

10.5.3 Checking the Configuration


After a patch is deactivated, you can run the display command to check the patch status.

Procedure
l Run:
display patch-information

Check the patch state.
----End

10.6 Configuration Examples of the Patch Management


This section describes some Configuration Examples.

10.6.1 Example for Installing a Patch


When the system has vulnerabilities or defects, you can install a patch to repair the system.

Networking Requirements
As shown in Figure 10-3, an urgent bug occurs in the system software at the Provider Edge (PE) connected to the Internet. Huawei provides the patch file to remove the bug. The patch in this patch file must be installed to remove the bug.
Figure 10-3 Networking diagram of installing a patch
[Figure labels: FTP Server, PC, PE, MPLS Core, GE0/3/0, 10.1.1.1/24, 10.1.1.2/24, 10.1.1.3/24]


Configuration Roadmap
The configuration roadmap is as follows:
1. Save the patch file to the root directory of the CF card on the master.
2. Load the patch.
3. Activate the patch.
4. Run the patch.

Data Preparation
To complete the configuration, you need the following data:
- File name of the patch: patch.pat
- Path the patch is saved to on the MPU: cfcard:/

Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]

# Configure the binary transmission format and the working directory of the CF card on PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for license.txt.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>

Step 2 Load the patch.


<PE> patch load patch.pat all

Step 3 Activate the patch.


<PE> patch active all

Step 4 Run the patch.


<PE> patch run all


Step 5 Verify the configuration


<PE> display patch-information
Patch Package Name :cfcard:/patch.pat
Patch Package Version:V200R001C01
The state of the patch state file is: Running
The current state is: Running
************************************************************************
*            The hot patch information, as follows:                    *
************************************************************************
Slot       Type       State       Count
------------------------------------------------------------
2          C          Running     1

----End

Configuration Files
None

A Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

Numerics
3DES      Triple Data Encryption Standard

A
AAA       Authentication, Authorization and Accounting
ACL       Access Control List
ARP       Address Resolution Protocol
AES       Advanced Encryption Standard
ASPF      Application Specific Packet Filter
AUX       Auxiliary port

B
BGP       Border Gateway Protocol

C
CBQ       Class-based Queue
CHAP      Challenge Handshake Authentication Protocol
CQ        Custom Queuing
CR-LDP    Constraint-based Routing LDP

D
DES       Data Encryption Standard
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System

E
ESP       Encapsulating Security Payload

F
FR        Frame Relay

G
GRE       Generic Routing Encapsulation

H
HDLC      High Level Data Link Control

I
IETF      Internet Engineering Task Force
IKE       Internet Key Exchange
IPSec     IP Security
IS-IS     Intermediate System-to-Intermediate System intra-domain routing information exchange protocol
ITU-T     International Telecommunication Union Telecommunications Standardization Sector

L
L2TP      Layer Two Tunneling Protocol
LAPB      Link Access Procedure Balanced
LDP       Label Distribution Protocol

M
MAC       Medium Access Control
MBGP      Multiprotocol Extensions for BGP-4
MFR       Multiple Frame Relay
MP        MultiLink PPP
MPLS      Multiprotocol Label Switching
MSDP      Multicast Source Discovery Protocol
MTU       Maximum Transmission Unit

N
NAT       Network Address Translation
NAT-PT    Network Address Translation - Protocol Translation

O
OAM       Operation, Administration and Maintenance
OSPF      Open Shortest Path First

P
PAP       Password Authentication Protocol
PE        Provider Edge
Ping      Ping (Packet Internet Groper)
PPP       Point-to-Point Protocol
PPPoA     PPP over AAL5
PPPoE     Point-to-Point Protocol over Ethernet
PPPoEoA   PPPoE on AAL5
PQ        Priority Queuing

Q
QoS       Quality of Service

R
RADIUS    Remote Authentication Dial In User Service
RIP       Routing Information Protocol
RPR       Resilient Packet Ring
RSVP      Resource Reservation Protocol

S
SFTP      SSH File Transfer Protocol

T
TE        Traffic Engineering
TCP       Transmission Control Protocol
TFTP      Trivial File Transfer Protocol

V
VPN       Virtual Private Network
VRP       Versatile Routing Platform
VRRP      Virtual Router Redundancy Protocol

W
WAN       Wide Area Network
WFQ       Weighted Fair Queuing
WRED      Weighted Random Early Detection

X
XOT       X.25 Over TCP
