
HUAWEI NetEngine5000E Core Router V800R002C01

Configuration Guide - Basic Configurations


Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-10-15)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

About This Document


Intended Audience
This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic Configurations feature supported by the NE5000E device. This document describes how to configure the Basic Configurations feature.

This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Related Versions (Optional)


The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine5000E Core Router
Version: V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol / Description
- Indicates a hazard with a high level of risk, which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which, if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)


The command conventions that may be found in this document are defined as follows.

Convention / Description
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in brackets [ ] are optional.
- { x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
- [ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
- { x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
- [ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
- &<1-n>: The parameter before the & sign can be repeated 1 to n times.
- #: A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-10-15)


The initial commercial release.

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

Contents

Contents
About This Document.....................................................................................................................ii 1 Logging In to the System for the First Time............................................................................1
1.1 Overview of Logging In to the System for the First Time.................................................................................2 1.2 Logging In to the router Through the Console Port...........................................................................................2 1.2.1 Logging In to the router Through the Console Port..................................................................................3 1.2.2 Logging In to the router.............................................................................................................................3

2 Configure the User Interface.......................................................................................................6


2.1 User Interface Overview.....................................................................................................................................7 2.2 Configuring the Console User Interface.............................................................................................................8 2.2.1 Configuring Physical Attributes for the Console User Interface...............................................................9 2.2.2 Configuring Terminal Attributes for the Console User Interface............................................................10 2.2.3 Configuring the User Priority for the Console User Interface.................................................................11 2.2.4 Configuring Authentication for the Console User Interface....................................................................12 2.2.5 Checking the Configuration.....................................................................................................................13 2.3 Configuring VTY User Interfaces....................................................................................................................14 2.3.1 Configuring the Maximum Number of VTY User Interfaces.................................................................15 2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces................................16 2.3.3 Configuring Terminal Attributes for VTY User Interfaces.....................................................................16 2.3.4 Configuring the User Priority for a VTY User Interface.........................................................................17 2.3.5 Configuring Authentication for a VTY User Interface............................................................................18 2.3.6 Checking the Configuration.....................................................................................................................20 2.4 Configuration 
Examples...................................................................................................................................21 2.4.1 Example for Configuring the Console User Interface.............................................................................21 2.4.2 Example for Configuring VTY User Interfaces......................................................................................23

3 Configuring User Login.............................................................................................................26


3.1 User Login Overview.......................................................................................................................................27 3.2 Logging In to the System Through the Console Port.......................................................................................30 3.2.1 Configuring the Console User Interface..................................................................................................30 3.2.2 Logging In to the System Through the Console Port..............................................................................31 3.2.3 Checking the Configuration.....................................................................................................................31 3.3 Logging In to the System by Using Telnet.......................................................................................................32 3.3.1 Configuring VTY User Interfaces...........................................................................................................33 Issue 01 (2011-10-15) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. iv

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

Contents

3.3.2 (Optional) Configuring Local Telnet Users.............................................................................................33 3.3.3 Enabling the Telnet Server Function.......................................................................................................34 3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server..............................................35 3.3.5 Logging In to the System by Using Telnet..............................................................................................36 3.3.6 Checking the Configuration.....................................................................................................................37 3.4 Logging In to the System by Using STelnet.....................................................................................................37 3.4.1 Configuring VTY User Interfaces...........................................................................................................38 3.4.2 Configuring VTY User Interfaces to Support SSH.................................................................................39 3.4.3 Configuring an SSH User and Specifying the Service Type...................................................................39 3.4.4 Enabling the STelnet Server Function.....................................................................................................42 3.4.5 (Optional) Configuring STelnet Server Parameters................................................................................42 3.4.6 Logging In to the System by Using STelnet............................................................................................43 3.4.7 Checking the Configuration.....................................................................................................................44 3.5 Configuration 
Examples...................................................................................................................................46 3.5.1 Example for Logging In to the System Through the Console Port.........................................................46 3.5.2 Example for Logging In to the System by Using Telnet.........................................................................48 3.5.3 Example for Logging In to the System by Using STelnet.......................................................................51

4 Transferring Files........................................................................................................................55
4.1 File Transfer Overview.....................................................................................................................................56 4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E................................................................57 4.3 Operating Files After Logging In to the System..............................................................................................58 4.3.1 Managing Directories..............................................................................................................................59 4.3.2 Managing Files........................................................................................................................................59 4.4 Using FTP to Operate Files..............................................................................................................................61 4.4.1 Configuring a Local FTP User................................................................................................................62 4.4.2 (Optional) Changing the Listening Port Number of the FTP Server.......................................................63 4.4.3 Enabling the FTP Server Function..........................................................................................................63 4.4.4 (Optional) Configuring FTP Server Parameters......................................................................................64 4.4.5 (Optional) Configuring FTP Access Control...........................................................................................65 4.4.6 Using FTP to Access the System.............................................................................................................65 4.4.7 Using FTP to Operate Files.....................................................................................................................66 4.4.8 Checking the 
Configuration.....................................................................................................................69 4.5 Using SFTP to Operate Files............................................................................................................................70 4.5.1 Configuring an SSH User and Specifying the Service Type...................................................................71 4.5.2 Enabling the SFTP Server Function........................................................................................................73 4.5.3 (Optional) Configuring SFTP Server Parameters....................................................................................74 4.5.4 Using SFTP to Access the System..........................................................................................................76 4.5.5 Using SFTP to Operate Files...................................................................................................................77 4.5.6 Checking the Configuration.....................................................................................................................78 4.6 Configuration Examples...................................................................................................................................80 4.6.1 Example for Operating Files After Logging In to the System................................................................80 4.6.2 Example for Using FTP to Operate Files................................................................................................80 Issue 01 (2011-10-15) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. v

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

Contents

4.6.3 Example for Using SFTP to Operate Files..............................................................................................83

5 Accessing Other Devices............................................................................................................86


5.1 Overview..........................................................................................................................................................87 5.2 Using Telnet to Log In to Other Devices.........................................................................................................89 5.3 Using STelnet to Log In to Other Devices.......................................................................................................91 5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)...............................................................................................................................................................92 5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)..........................................................................................................................93 5.3.3 Using STelnet to Log In to Other Devices..............................................................................................94 5.3.4 Checking the Configuration.....................................................................................................................95 5.4 Using TFTP to Access Other Devices..............................................................................................................95 5.4.1 Configuring the Source Address for the TFTP Client.............................................................................96 5.4.2 Configuring TFTP Access Control..........................................................................................................96 5.4.3 Using TFTP to Download Files from Other Devices..............................................................................97 5.4.4 Using TFTP to Upload Files to Other 
Devices........................................................................................98 5.4.5 Checking the Configuration.....................................................................................................................98 5.5 Using FTP to Access Other Devices................................................................................................................99 5.5.1 (Optional) Configuring the Source Address for the FTP Client............................................................100 5.5.2 Using FTP to Connect the FTP Client to Other Devices.......................................................................100 5.5.3 Using FTP to Operate Files...................................................................................................................101 5.5.4 (Optional) Changing the User Login.....................................................................................................103 5.5.5 Terminating a Connection to the FTP Server........................................................................................104 5.5.6 Checking the Configuration...................................................................................................................105 5.6 Using SFTP to Access Other Devices............................................................................................................105 5.6.1 (Optional) Configuring the Source Address for the SFTP Client.........................................................106 5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client).............................................................................................................................................................107 5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH 
Server)........................................................................................................................107 5.6.4 Using SFTP to Connect the SSH Client to the SSH Server..................................................................109 5.6.5 Using SFTP to Operate Files.................................................................................................................109 5.6.6 Checking the Configuration...................................................................................................................111 5.7 Configuration Examples.................................................................................................................................111 5.7.1 Example for Using Telnet to Log In to Other Devices..........................................................................111 5.7.2 Example for Using STelnet to Log In to Other Devices.......................................................................113 5.7.3 Example for Using TFTP to Access Other Device................................................................................120 5.7.4 Example for Using FTP to Access Other Devices................................................................................123 5.7.5 Example for Using SFTP to Access Other Devices..............................................................................125 5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number....................131 5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network..........................................................................................................................................................137

6 Using the Command Line Interface.......................................................................................148


Issue 01 (2011-10-15) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vi

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

Contents

6.1 Overview of the Command Line Interface.....................................................................................................149 6.2 Establishing the Running Environment for the Command Line....................................................................149 6.2.1 Configuring the Login Alert..................................................................................................................150 6.2.2 Setting a Device Name..........................................................................................................................150 6.2.3 Configuring Command Levels..............................................................................................................151 6.2.4 Lock the User Interface.........................................................................................................................152 6.3 How to Use Command Lines..........................................................................................................................152 6.3.1 Entering a Command View...................................................................................................................153 6.3.2 Editing Command Lines........................................................................................................................153 6.3.3 Checking the Configuration...................................................................................................................154 6.3.4 Checking the Diagnostic Information....................................................................................................155 6.3.5 Display Mode of Command Lines.........................................................................................................155 6.3.6 Error Information in Command Lines...................................................................................................159 6.4 How to Obtain Command 
Help......................................................................................................................159 6.5 How to Use Shortcut Keys.............................................................................................................................160 6.5.1 Classification of Shortcut Keys.............................................................................................................161 6.5.2 Defining Shortcut Keys.........................................................................................................................161 6.5.3 Displaying Shortcut Keys and Their Functions.....................................................................................162 6.6 Configuration Examples.................................................................................................................................163 6.6.1 Example for Using Tab..........................................................................................................................163 6.6.2 Example for Defining Shortcut Keys....................................................................................................164

7 Device Upgrade..........................................................................................................................166
7.1 Overview of Device Upgrade.........................................................................................................................167 7.2 Upgrade Modes Supported by the NE5000E.................................................................................................167

8 Patch Installation.......................................................................................................................169
8.1 Overview........................................................................................................................................................170 8.2 Patch Installation Modes Supported by the NE5000E...................................................................................170

9 Configuration Management....................................................................................................171
9.1 Introduction to Configuration Management...................................................................................................172 9.2 Configuration Management Features that the NE5000E Supports................................................................173 9.3 Selecting a Configuration Validation Mode...................................................................................................173 9.3.1 Configuring Immediate Configuration Validation Mode......................................................................174 9.3.2 Configuring Two-Phase Configuration Validation Mode.....................................................................175 9.4 Managing Configuration Files........................................................................................................................177 9.4.1 Saving Configurations...........................................................................................................................178 9.4.2 Comparing Configuration Files.............................................................................................................179 9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup.......................................179 9.4.4 Clearing the System Configuration File Loaded at the Current Startup................................................180 9.4.5 Checking the Configuration...................................................................................................................181 9.5 Configuration Examples.................................................................................................................................183 9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode......................183 Issue 01 (2011-10-15) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. vii

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

Contents

9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in TwoPhase Configuration Validation Mode...........................................................................................................184 9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode ........................................................................................................................................................................186 9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode ........................................................................................................................................................................187 9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode...............................................................................................................................................................189 9.5.6 Example for Managing Configuration Files..........................................................................................191

10 File System Management.......................................................................................................193


10.1 File System Overview..................................................................................................................................194 10.2 File System Supported by the NE5000E......................................................................................................194 10.3 Managing the Directory................................................................................................................................194 10.4 Managing Files.............................................................................................................................................195 10.5 Configuration Examples...............................................................................................................................197 10.5.1 Example for Managing a Directory.....................................................................................................197 10.5.2 Example for Managing Files...............................................................................................................198

11 Clock Synchronization Configuration 200
11.1 Clock Synchronization Overview 201
11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16) 202
11.3 Configuring an External BITS Clock Reference Source 206
11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type 207
11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router 207
11.3.3 Checking the Configuration 208
11.4 Specifying a Clock Source Manually 209
11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities 210
11.5.1 Configuring the System to Automatically Select a Clock Source 211
11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels 212
11.5.3 Setting the Priority of a Clock Source 212
11.5.4 Checking the Configuration 213
11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels 214
11.6.1 Configuring the System to Automatically Select a Clock Source 215
11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels 216
11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source 216
11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels 217
11.6.5 Checking the Configuration 218
11.7 Configuration Examples 219
11.7.1 Example for Configuring Protection Switching Among Clock Sources 219


1 Logging In to the System for the First Time

About This Chapter


To configure a new device, you must log in to it through the console port.

1.1 Overview of Logging In to the System for the First Time
A user can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after this first login.

1.2 Logging In to the router Through the Console Port
A terminal can be connected to the console port on the router to establish the configuration environment.


1.1 Overview of Logging In to the System for the First Time


A user can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after this first login.

The console port is a serial port on the main control board. Each main control board provides one console port that conforms to the EIA/TIA-232 standard. The console port is a Data Connection Equipment (DCE) interface. Users can connect a serial interface of a terminal directly to the console port to configure the device.

The console port has the following states:
- Connected: The console port is being connected.
- Disconnected: The console port is disconnected.

1.2 Logging In to the router Through the Console Port


A terminal can be connected to the console port on the router to establish the configuration environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the router to configure and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
- Preparing a PC or a terminal, including a serial interface and an RS-232 cable
- Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures
Figure 1-1 Logging in to the router through the console port (flowchart: Establish a physical connection, then Log in to the device; both are mandatory procedures)


1.2.1 Logging In to the router Through the Console Port


A terminal can be connected to the console port on the router to establish the configuration environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the router to configure and manage the router.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
- Preparing a PC or a terminal, including a serial interface and an RS-232 cable
- Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures
Figure 1-2 Logging in to the router through the console port (flowchart: Establish a physical connection, then Log in to the device; both are mandatory procedures)

1.2.2 Logging In to the router


You can use a PC (connected to the console port on the router) to log in to the router that is powered on for the first time to configure and manage the router.

Context
Configure the physical attributes of the PC according to the attributes configured for the console port on the router, including the transmission rate, data bits, parity bit, stop bits, and flow control mode. Because this is the first login to the router, the console port uses the default terminal attributes.

Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a connection. Follow the instructions as shown in Figure 1-3 and click OK.


Figure 1-3 Establishing a connection

Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.

Figure 1-4 Setting the COM port

Step 3 Set communication parameters for the COM port to the default values of the router, as shown in Figure 1-5 and click OK.


Figure 1-5 Setting communication parameters

A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start the configuration on the HUAWEI device. In the user view, configure the device or check its operating status, or enter a question mark (?) for online help. ----End


2 Configure the User Interface

About This Chapter

When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH), the system uses a corresponding user interface to manage and monitor the session between the router and the user.

2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.

2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console port.

2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.

2.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These examples explain networking requirements, configuration roadmap, and configuration notes.


2.1 User Interface Overview


The system supports console and Virtual Type Terminal (VTY) user interfaces.

Users can log in to a device to configure, monitor, and maintain local or remote network devices only after user interfaces, user management, and terminal services are configured. User interfaces provide the login entrance. User management ensures login security. Terminal services offer login protocols.

Each user interface has a corresponding user interface view. A network administrator can configure a set of parameters in a user interface view to determine whether authentication is required and the level of logged-in users. This allows uniform management of various user sessions.

Currently, the following user interfaces are supported:
- Console: manages and monitors users logging in through the console port. The type of the console port is EIA/TIA-232 DCE.
- VTY: manages and monitors users logging in using VTY. A VTY connection is set up when a user uses Telnet or SSH to log in to the device. A maximum of 18 users can log in to the device by using VTY.
NOTE

A user logging in through different login modes is allocated different user interfaces. A user logging in several times through the same login mode may also be allocated different user interfaces.

User Interface Numbering


After a user logs in to a device, the system allocates the idle user interface with the smallest number to the user, based on the login mode of the user. The login process is restricted by the configuration of that user interface.

User interfaces can be numbered in the following manners:
- Relative numbering: uniquely specifies a user interface or a group of user interfaces of the same type. The numbering format is user interface type + number, adhering to the following rules:
  Console port numbering: CON0.
  VTY user interface numbering: The first VTY is 0, the second VTY is 1, and so on.
- Absolute numbering: uniquely specifies a user interface or a group of user interfaces. The number starts with 0, increasing by 1. The console port is numbered before VTY user interfaces. There are 20 consoles and 18 VTY user interfaces. You can run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces. The default value is 5. Table 2-1 shows the default absolute numbers of the console and VTY user interfaces. Numbers 1 to 32 are reserved for TTY user interfaces.

Table 2-1 Example of absolute numbers for user interfaces

Absolute Number   User Interface
0                 CON0
34                VTY0: the first VTY
35                VTY1: the second VTY
36                VTY2: the third VTY
37                VTY3: the fourth VTY
38                VTY4: the fifth VTY

Authentication for User Interfaces


After an authentication mode is configured for a user interface, the system authenticates users who log in through this user interface. Authentication modes are as follows:
- No-authentication: Users can log in to the device without entering user names or passwords. This mode is insecure and is not recommended.
- Password authentication: Users need to enter passwords but not user names for login.
- AAA authentication: Users must enter both user names and passwords for login. If either the user name or the password is incorrect, the login fails. Telnet users are usually authenticated in AAA mode.

User Priorities for User Interfaces


Users logging in to the device are managed based on their user levels. Like command levels, users are classified into 18 levels from 0 to 17. The greater the value, the higher the user level. The level of commands that a user can use is determined by the user level.
- If no-authentication or password authentication is configured, the level of commands that a user can use depends on the level of the user interface through which the user logs in.
- If AAA authentication is configured, the level of commands that a user can use depends on the local user priority specified in the AAA configuration.

2.2 Configuring the Console User Interface


The console user interface manages and monitors users logging in to a device through the console port.

Applicable Environment
If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure parameters based on the use and security requirements.

Pre-configuration Tasks
Before configuring the console user interface, complete the following task:
- Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.2.1 Configuring Physical Attributes for the Console User Interface


Physical attributes of the console user interface include the baud rate, flow control mode, parity bit, stop bits, and data bits for the console port.

Context
When a user logs in to a device through the console port, the physical attributes set on the HyperTerminal for the console port must be consistent with the attributes of the console user interface on the device. Otherwise, the user cannot log in to the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.

Step 3 Run:
speed line-speed

The transmission rate is set. The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or 115200, in bit/s. By default, the value is 9600.

Step 4 Run:
flow-control { hardware | none | software }

The flow control mode is set. By default, the value is none, which means that flow control does not take effect on the console port.

Step 5 Run:
parity { even | mark | none | odd | space }

The parity bit is set. By default, the value is none.

Step 6 Run:
stopbits { 1.5 | 1 | 2 }

The stop bits are set. By default, the value is 1.

Step 7 Run:
databits { 5 | 6 | 7 | 8 }

The data bits are set. By default, the value is 8.

Step 8 Run:
commit

The configuration is committed.

----End

2.2.2 Configuring Terminal Attributes for the Console User Interface


Terminal attributes of the console user interface include the timeout period of an idle connection, number of lines displayed on a terminal screen, and buffer size for previously used commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.

Step 3 Run:
shell

The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period is set. By default, the idle timeout period on the user interface is 10 minutes.

Step 5 Run:
screen-length screen-length

The screen length of the console terminal is set. By default, the length of a terminal screen is 24 rows.

Step 6 Run:
screen-width screen-width

The screen width of the console terminal is set.



By default, the value is 80.

Step 7 Run:
history-command max-size size-value

The buffer for history commands is set. By default, the history command buffer on a user interface holds 10 entries.

Step 8 Run:
commit

The configuration is committed.

----End

2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section describes how to set the user priority for the console user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface console ui-number

The console user interface view is displayed.

Step 3 Run:
user privilege level level

The user priority is set. By default, users logging in through the console user interface can use commands at level 3, and users logging in through other user interfaces can use commands at level 0.
NOTE

If the user priority configured for the user interface and the user priority configured for the user conflict, the user level takes precedence. For example, user 001 can use commands at level 3, and the user level configured in the user interface view Console 0 for the user is 2. After user 001 logs in through Console 0, the user can use commands at level 3 or lower.

Step 4 Run:
commit

The configuration is committed.

----End



2.2.4 Configuring Authentication for the Console User Interface


The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
- Configure AAA authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface console ui-number

  The console user interface view is displayed.

  3. Run:
  authentication-mode aaa

  The authentication mode is set to AAA.

  4. Run:
  quit

  Exit from the console user interface view.

  5. Run:
  aaa

  The AAA view is displayed.

  6. Run:
  local-user user-name password { simple | cipher } password

  The user name and password are set. If simple is specified, the password must be entered in plain text. If cipher is specified, the password can be entered either in encrypted text or in plain text; the result depends on the input.

  7. Run:
  commit

  The configuration is committed.

- Configure password authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface console ui-number

  The console user interface view is displayed.

  3. Run:
  authentication-mode password

  Password authentication is set.



  4. Run:
  set authentication password { cipher | simple } password

  The authentication password is set. If simple is specified, the password must be entered in plain text. If cipher is specified, the password can be entered either in encrypted text or in plain text; the result depends on the input.

  5. Run:
  commit

  The configuration is committed.

- Configure no-authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface console ui-number

  The console user interface view is displayed.

  3. Run:
  authentication-mode none

  No-authentication is set.

  4. Run:
  commit

  The configuration is committed.

----End

2.2.5 Checking the Configuration


After configuring the console user interface, you can view user login information about the user interface, physical attributes and configurations of the user interface, the local user list, and online users.

Prerequisite
The configurations of the console user interface are complete.

Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.

----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
  0   CON 0                                       pass           no
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL    10.164.6.15
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface console 0 command to view physical attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  0    CON 0   9600           3                   N
  1    CON 0   9600           3                   N
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username                        State     Type      Online
----------------------------------------------------------------------------
user123                         Active    All       0
ll                              Active    F         0
user1                           Active    F         0
----------------------------------------------------------------------------
Total 3,3 printed

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
----------------------------------------------
User-name            domain-name       userid
----------------------------------------------
root                 default           1
abcd                 default           2
----------------------------------------------
Total users             : 2
Wait authen-ack         : 0
Authentication success  : 2

2.3 Configuring VTY User Interfaces


VTY user interfaces manage and monitor users logging in to the device by using VTY.

Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.

Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:
- Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.3.1 Configuring the Maximum Number of VTY User Interfaces


Configuring the maximum number of VTY user interfaces limits the number of simultaneous login users.

Context
The maximum number of VTY user interfaces is the total number of users that use Telnet and SSH to log in.

CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface maximum-vty number

The maximum number of VTY user interfaces is set.
- If the configured maximum number is smaller than the original, logged-in users are not affected and no additional configuration is needed.
- If the configured maximum number is greater than the original, configure the authentication mode and password for the additional user interfaces. The system uses password authentication to authenticate users logging in through newly-added user interfaces. For example, run the authentication-mode and set authentication password commands to increase the number of allowed login users from 5 to 18:
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] user-interface vty 5 17
[~HUAWEI-ui-vty5-17] authentication-mode password
[~HUAWEI-ui-vty5-17] set authentication password cipher huawei

Step 3 Run:
commit


The configuration is committed. ----End

2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces
An Access Control List (ACL) can be configured to limit incoming and outgoing calls for VTY user interfaces.

Context
An ACL can be configured to either allow or deny Telnet connections based on source or destination IP addresses:
- A basic ACL, with a number ranging from 2000 to 2999, controls Telnet connections based on source IP addresses.
- An advanced ACL, with a number ranging from 3000 to 3999, controls Telnet connections based on both source and destination IP addresses.

Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the acl command in the system view to create an ACL and enter the ACL view. Then, run the rule command to add rules to the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
acl { acl-number | name acl-name } { inbound | outbound }

The limit on incoming and outgoing calls is set for the VTY user interface.
- Choose inbound to allow or prohibit login to the device by users at a specified IP address or within a specified address range.
- Choose outbound to allow or prohibit logged-in users from logging in to other devices.

Step 4 Run:
commit

The configuration is committed.

----End

2.3.3 Configuring Terminal Attributes for VTY User Interfaces


Terminal attributes of VTY user interfaces include the timeout period of an idle connection, number of rows displayed on a terminal screen, and buffer size for previously-used commands.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
shell

The VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]

The timeout period of an idle connection is set. If there is no activity on the connection for the whole timeout period, the system automatically terminates the connection when the period expires. By default, the timeout period is 10 minutes.

Step 5 Run:
screen-length screen-length

The number of rows displayed on a terminal screen is set. By default, a terminal screen displays 24 rows.

Step 6 Run:
history-command max-size size-value

The buffer size is set for previously-used commands. By default, a maximum of 10 previously-used commands can be cached in the buffer.

Step 7 Run:
commit

The configuration is committed.

----End

2.3.4 Configuring the User Priority for a VTY User Interface


To improve security, user priorities can be set for user interfaces to manage users based on their levels. This section describes how to set a user priority for a VTY user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
user privilege level level

The user priority is set. By default, users logging in from a VTY user interface can use commands at level 0.

NOTE
If the user priority configured for the user interface and the user priority configured for the user conflict, the user level takes precedence. For example, a user can use commands at level 3, and the user level configured in the user interface view VTY0 for the user is 2. After the user logs in through VTY0, the user can use commands at level 3 or lower.

Step 4 Run:
commit

The configuration is committed.

----End

2.3.5 Configuring Authentication for a VTY User Interface


The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
- Configure AAA authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface vty first-ui-number [ last-ui-number ]

  A VTY user interface view is displayed.

  3. Run:
  authentication-mode aaa

  The authentication mode is set to AAA.

  4. Run:
  commit

  The configuration is committed.



  5. Run:
  quit

  Exit from the VTY user interface view.

  6. Run:
  aaa

  The AAA view is displayed.

  7. Run:
  local-user user-name password { simple | cipher } password

  The user name and password are set. If simple is specified, the password must be entered in plain text. If cipher is specified, the password can be entered either in encrypted text or in plain text; the result depends on the input.

  8. Run:
  commit

  The configuration is committed.

- Configure password authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface vty first-ui-number [ last-ui-number ]

  A VTY user interface view is displayed.

  3. Run:
  authentication-mode password

  The authentication mode is set to password authentication.

  4. Run:
  set authentication password { cipher | simple } password

  The local authentication password is set. If simple is specified, the password must be entered in plain text. If cipher is specified, the password can be entered either in encrypted text or in plain text; the result depends on the input.

  5. Run:
  commit

  The configuration is committed.

- Configure no-authentication.
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  user-interface vty first-ui-number [ last-ui-number ]


  A VTY user interface view is displayed.

  3. Run:
  authentication-mode none

  The authentication mode is set to no-authentication.

  4. Run:
  commit

  The configuration is committed.

----End
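The authentication mode, VTY limit and inbound ACL settings from sections 2.2.4, 2.3.1, 2.3.2 and 2.3.5 are the ones worth reviewing before a device is handed over. The following Python script is an added example, not from this guide or from Huawei: it parses a constructed VRP-style configuration excerpt (the command syntax follows the procedures above; the configuration values, the HIGH_LEVEL threshold and the finding texts are assumptions made for this example) and reports user interfaces that allow login with no authentication, store a plaintext (simple) authentication password, lack an inbound ACL, grant a high user level behind a shared password, or would lock every remote user out with maximum-vty 0.

```python
"""Audit a VRP-style user-interface configuration for weak login settings.
Added example, not from the Huawei guide; all sample values are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LEVEL = {"console": 3, "vty": 0}   # defaults stated in 2.2.3 and 2.3.4
HIGH_LEVEL = 3                             # audit threshold chosen here, not from the guide
UI_RE = re.compile(r"^user-interface (console|con|vty)\s+(\d+)(?:\s+(\d+))?$")


@dataclass
class UserInterface:
    kind: str                       # "console" or "vty"
    first: int                      # first relative number of the range
    last: int                       # last relative number of the range
    auth: Optional[str] = None      # "aaa", "password", "none" or not configured
    level: Optional[int] = None     # user privilege level, if configured
    inbound_acl: Optional[str] = None
    plain_password: bool = False    # set authentication password simple ...

    def label(self) -> str:
        rng = str(self.first) if self.first == self.last else f"{self.first}-{self.last}"
        return f"{self.kind} {rng}"

    def effective_level(self) -> int:
        return self.level if self.level is not None else DEFAULT_LEVEL[self.kind]


def parse_config(text: str) -> Tuple[Optional[int], List[UserInterface]]:
    """Walk the excerpt line by line; a '#' line closes the current view."""
    max_vty, uis, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":             # blank line or view separator
            current = None
            continue
        if line.startswith("user-interface maximum-vty "):
            max_vty = int(line.split()[-1])
            continue
        m = UI_RE.match(line)
        if m:
            kind = "vty" if m.group(1) == "vty" else "console"
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            current = UserInterface(kind, first, last)
            uis.append(current)
            continue
        if current is None:
            continue                            # top-level command this audit ignores
        words = line.split()
        if words[0] == "authentication-mode" and len(words) > 1:
            current.auth = words[1]
        elif line.startswith("user privilege level "):
            current.level = int(words[-1])
        elif words[0] == "acl" and words[-1] == "inbound":
            current.inbound_acl = " ".join(words[1:-1])
        elif line.startswith("set authentication password simple "):
            current.plain_password = True
    return max_vty, uis


def audit(max_vty: Optional[int], uis: List[UserInterface]) -> List[str]:
    """Return one human-readable finding per weak setting."""
    findings = []
    if max_vty == 0:
        findings.append("maximum-vty 0: no user can log in by Telnet or SSH (2.3.1 CAUTION)")
    for ui in uis:
        name = ui.label()
        if ui.auth == "none":
            findings.append(f"{name}: authentication-mode none, login needs no credentials")
        elif ui.auth is None:
            findings.append(f"{name}: no authentication-mode configured, verify the default")
        if ui.plain_password:
            findings.append(f"{name}: authentication password stored as plain text (simple)")
        if ui.kind == "vty" and ui.inbound_acl is None:
            findings.append(f"{name}: no inbound ACL, any source address may connect")
        if ui.kind == "vty" and ui.auth == "password" and ui.effective_level() > HIGH_LEVEL:
            findings.append(f"{name}: a shared password grants level {ui.effective_level()}")
    return findings


# Constructed configuration excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
user-interface maximum-vty 18
#
user-interface console 0
 authentication-mode password
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
#
user-interface vty 5 15
 authentication-mode password
 set authentication password simple huawei
 user privilege level 15
#
user-interface vty 16 17
 authentication-mode none
"""

if __name__ == "__main__":
    for finding in audit(*parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the console and the AAA-protected VTY 0-4 range produce no findings, while VTY 5-15 and VTY 16-17 produce five between them.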

2.3.6 Checking the Configuration


After configuring the VTY user interfaces, you can view user login information about the VTY user interfaces, the maximum number of the VTY user interfaces, and the physical attributes and configuration of the VTY user interfaces.

Prerequisite
The configuration of the VTY user interfaces is complete.

Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface maximum-vty command to check the configured maximum number of VTY user interfaces.
- Run the display user-interface vty ui-number command to check physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.

----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
  0   CON 0                                       pass           no
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL    10.164.6.15
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface maximum-vty command to view the configured maximum number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15

Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
  Idx  Type    Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
+ 34   VTY 0                 15     15           N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int : The physical location of UIs.

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
  ----------------------------------------------
  User-name        domain-name        userid
  ----------------------------------------------
  root             default            1
  abcd             default            2
  ----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2

Run the display vty mode command to view the configured VTY mode. For example:
<HUAWEI> display vty mode
current VTY mode is Human-Machine interface

2.4 Configuration Examples


This section provides examples for configuring console and VTY user interfaces. These examples explain networking requirements, configuration roadmap, and configuration notes.

2.4.1 Example for Configuring the Console User Interface


In this configuration example, the physical attributes, terminal attributes, user priority, user authentication mode, and password are set for the console user interface. This allows users to log in to a device through the console port in password authentication mode.

Networking Requirements
To initialize the configurations of a new device or locally maintain the device, the device must be logged in to through the console user interface. Attributes are set for the console user interface based on user and security requirements.

Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services are disabled, use Telnet to log in to the system through the console port and run the shell command to enable terminal services.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.
4. Set the user authentication mode and password.

NOTE
The user name and password do not have default values. Other parameters have default values, which are recommended.

Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of a connection: 4800 bit/s
- Flow control mode: none
- Parity bit: even
- Stop bits: 2
- Data bits: 6
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously-used commands: 20
- User priority value: 15
- User authentication mode: password (password is huawei)

Procedure
Step 1 Configure physical attributes for the console user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit

Step 2 Configure terminal attributes for the console user interface.


[~HUAWEI-ui-console0] shell
[~HUAWEI-ui-console0] idle-timeout 30
[~HUAWEI-ui-console0] screen-length 30
[~HUAWEI-ui-console0] history-command max-size 20
[~HUAWEI-ui-console0] commit

Step 3 Set a user priority for the console user interface.


[~HUAWEI-ui-console0] user privilege level 15
[~HUAWEI-ui-console0] commit

Step 4 Configure password authentication for the console user interface.


[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password simple huawei
[~HUAWEI-ui-console0] commit
[~HUAWEI-ui-console0] quit

After the console user interface has been configured, users can log in to the device through the console port in password authentication mode. For information about how to log in to the system through the console port, see 3.2 Logging In to the System Through the Console Port.

Step 5 Verify the configuration.

After completing the configurations, run the display user-interface command to view the configuration of Console 0.
<HUAWEI> display user-interface 0
  Idx  Type    Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
+ 0    CON 0   9600          3                   N
  + : Current user-interface is active.
  F : Current user-interface is active and work in async mode.
  Idx : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi : The privilege of user-interface.
  ActualPrivi : The actual privilege of user-interface.
  Auth : The authentication mode of user-interface.
    A : Authenticate use AAA.
    N : Current user-interface need not authentication.
    P : Authenticate use current UI's password.
  Int : The physical location of UIs.

----End

Configuration Files
#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 databits 6
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
admin
return

2.4.2 Example for Configuring VTY User Interfaces


In this configuration example, the maximum number of VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, authentication mode, and password are set. This allows users to use Telnet or SSH (Stelnet) to log in to a device in password authentication mode.

Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.
4. Set user priorities for VTY user interfaces.
5. Configure the authentication mode and password for the VTY user interface.

Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 18
- Number of the ACL applied to limit incoming calls on the VTY user interface: 2000
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously-used commands: 20
- User priority: 15
- User authentication mode: password (password is huawei)

NOTE
The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and user name do not have default values. Other parameters have default values, which are recommended.

Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit

Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit

Step 3 Configure terminal attributes for VTY user interfaces.


[~HUAWEI-ui-vty0-17] shell
[~HUAWEI-ui-vty0-17] idle-timeout 30
[~HUAWEI-ui-vty0-17] screen-length 30
[~HUAWEI-ui-vty0-17] history-command max-size 20
[~HUAWEI-ui-vty0-17] commit

Step 4 Set user priorities for VTY user interfaces.


[~HUAWEI-ui-vty0-17] user privilege level 15
[~HUAWEI-ui-vty0-17] commit

Step 5 Configure the authentication mode and password for VTY user interfaces.
[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] commit
[~HUAWEI-ui-vty0-17] quit

After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in password authentication mode to maintain the device locally or remotely. For information about how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using Telnet or 3.4 Logging In to the System by Using STelnet.

Step 6 Verify the configuration.

After completing the configurations, run the display user-interface command to view the configurations of VTY user interfaces. Use VTY14 as an example:
[~HUAWEI] display user-interface vty 14
  Idx  Type    Tx/Rx  Modem  Privi  ActualPrivi  Auth      Int
+ 34   VTY 14                15     15           password
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int : The physical location of UIs.

----End

Configuration Files
#
 sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
#
admin
return
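As an added example (not part of this guide and not Huawei tooling), the following Python script parses configuration files in the format shown for the console (2.4.1) and VTY (2.4.2) examples and reports the settings a security review would flag on a user interface: authentication-mode none, a password stored with simple, privilege level 15 granted by the interface itself, a zero idle timeout, and a VTY interface with no inbound ACL. The sample configuration, the finding texts and the function names are constructed for the example.

```python
"""Audit user-interface blocks in an NE5000E-style configuration file.

Constructed example (not Huawei code): it parses the flat configuration
file format shown in the Configuration Files sections above and reports
settings that weaken console and VTY login security.
"""
import re

# Constructed sample modelled on the configuration files in 2.4.1 and 2.4.2.
SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 idle-timeout 30 0
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 acl 2000 inbound
#
return
"""


def parse_user_interfaces(config_text):
    """Return {ui_name: [sub-command, ...]} for each user-interface block.

    A line consisting of "#" ends the current block; indented lines belong
    to it. "user-interface maximum-vty N" is a global setting, not a block.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("user-interface ") and "maximum-vty" not in line:
            current = line[len("user-interface "):]
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit_user_interface(name, cmds):
    """Return the list of findings for one user-interface block."""
    findings = []
    auth_mode = next((c.split()[1] for c in cmds
                      if c.startswith("authentication-mode ")), None)
    if auth_mode == "none":
        findings.append("authentication-mode none: logins are unauthenticated")
    if any(c.startswith("set authentication password simple ") for c in cmds):
        findings.append("set authentication password simple: "
                        "password stored in plain text")
    if "user privilege level 15" in cmds:
        findings.append("user privilege level 15: every login on this "
                        "interface receives the highest privilege")
    timeout = next((c for c in cmds if c.startswith("idle-timeout ")), None)
    if timeout is not None:
        values = [int(v) for v in timeout.split()[1:]]   # minutes [seconds]
        if not any(values):
            findings.append("idle-timeout 0: idle sessions never time out")
    if name.startswith("vty") and not any(
            re.fullmatch(r"acl \d+ inbound", c) for c in cmds):
        findings.append("no inbound ACL: any source address may attempt "
                        "a VTY login")
    return findings


def audit_config(config_text):
    """Audit every user-interface block; returns {ui_name: [findings]}."""
    return {name: audit_user_interface(name, cmds)
            for name, cmds in parse_user_interfaces(config_text).items()}


if __name__ == "__main__":
    for ui, found in audit_config(SAMPLE_CONFIG).items():
        print(f"user-interface {ui}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run against a saved display current-configuration dump to check that the interfaces reachable over the network carry an ACL and no plain-text password before Telnet or STelnet access is opened.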


3 Configuring User Login

About This Chapter

A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain the device locally or remotely.

3.1 User Login Overview
Users can log in to devices by using the console port, Telnet, or STelnet.

3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time or locally maintain the device, log in to the device through the console port.

3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain the devices.

3.4 Logging In to the System by Using STelnet
STelnet based on SSH2 provides secure remote access over an insecure network.

3.5 Configuration Examples
This section provides configuration examples for logging in to the system through the console port or by using Telnet or STelnet. These configuration examples explain networking requirements, configuration roadmap, and precautions.


3.1 User Login Overview


Users can log in to devices by using the console port, Telnet, or STelnet. Users can log in to devices to configure, monitor, and maintain the devices locally or remotely only after user interfaces, user management, and terminal services have been configured. User interfaces provide the login entrance. User management ensures login security. Terminal services offer login protocols. Users can log in by using any of the login modes listed in Table 3-1 to configure and manage the router.

Table 3-1 User login modes

Login Mode: Logging In to the System Through the Console Port
Application: Users log in through the console port to configure a device locally. This login mode is required when a device is powered on for the first time.

Login Mode: Logging In to the System by Using Telnet
Application: Users log in by using Telnet to maintain a device locally or remotely. Telnet helps users maintain remote devices but brings security threats.

Login Mode: Logging In to the System by Using STelnet
Application: STelnet provides protection for users logging in to a device to maintain the device locally or remotely.

Console Port Overview


For information about the console port, see Overview of Logging In to the System for the First Time.

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:
- Telnet server: A user runs the Telnet client program on a PC to log in to the router to configure and manage the router. The router functions as a Telnet server.
- Telnet client: After using the terminal emulator or Telnet client program on a PC to connect to the router, a user runs the telnet command to log in to another device for configuration and management. The router functions as a Telnet client.

In Figure 3-1, the CE functions as both a Telnet server and a Telnet client.


Figure 3-1 Telnet server providing the Telnet client service
[Figure: PC --Telnet session 1--> CE --Telnet session 2--> PE (Telnet server)]

Telnet service interruption

Figure 3-2 Usage of Telnet shortcut keys
[Figure: P1 (Telnet client) --Telnet session 1--> P2 --Telnet session 2--> P3 (Telnet server)]

Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the Telnet client of P3. The usage of shortcut keys is described as follows: Ctrl_]: Instructs the server to disconnect a Telnet connection. If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server interrupts the current Telnet connection. For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3>                     Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2>                     Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE
If the network connection is disconnected, shortcut keys do not take effect.

Ctrl_K: Instructs the client to disconnect the connection. When the server fails and the client is unaware of the failure, the server does not respond to the client for input. In this case, if you select Ctrl_K, the Telnet client interrupts the connection and quits the Telnet connection. For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3>                     Select Ctrl_K to abort
<P1>


CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts subsequent users with a message, indicating that all user interfaces are in use and no more Telnet connections are allowed.

STelnet Overview
NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2 can function as SSH clients.

STelnet is based on SSH2. When the client and the server set up a secure connection after negotiation, the client can log in to the server in the same way as using Telnet.

Logins using Telnet add security risks because Telnet does not provide any secure authentication mechanism and data is transmitted using TCP in plain text. Telnet connections are vulnerable to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing. SSH provides secure remote access on an insecure network by supporting the following functions:
- Remote Subscriber Access (RSA) authentication: Public and private keys are generated according to the encryption principle of the asymmetric encryption system to implement secure key exchange and ensure a secure session.
- Data encryption standards: Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES).
- User name and password encryption: This prevents the user name and password from being intercepted during the communication between the client and the server.
- Encryption of transmitted data

A device serving as an SSH server can accept connection requests from multiple SSH clients. The device can also serve as an SSH client, helping users establish SSH connections with an SSH server. This allows users to use SSH to log in to remote devices from the local device.

- Local connection
  As shown in Figure 3-3, an SSH channel is established for a local connection.

  Figure 3-3 Establishing an SSH channel on a local area network (LAN)
  [Figure: servers and a PC running an SSH client on an Ethernet 100BASE-TX LAN]

- Wide area network (WAN) connection
  As shown in Figure 3-4, an SSH channel is established for a connection on a WAN.

  Figure 3-4 Establishing an SSH channel on a WAN
  [Figure: local LAN with a PC running an SSH client, router, WAN, router, remote LAN with a PC; SSH channel across the WAN]

3.2 Logging In to the System Through the Console Port


To configure a device that is powered on for the first time or locally maintain the device, log in to the device through the console port.

Applicable Environment
A device can be logged in to only through the console port when the device is powered on for the first time.

Pre-configuration Tasks
Before logging in to the system through the console port, complete the following tasks:
- Preparing a PC or a terminal, including a serial interface and an RS-232 cable
- Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures
Figure 3-5 Logging in to the system through the console port
[Flowchart: Configure the console user interface -> Log in to the system through the console port; legend: Mandatory procedure / Optional procedure]

3.2.1 Configuring the Console User Interface


To allow users to log in to the system through the console port, configure attributes for the console user interface.

Context
If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements. For configurations of the console user interface, see Configuring the Console User Interface.

3.2.2 Logging In to the System Through the Console Port


Users can connect a terminal to the console port on a device, and then log in to the device.

Context
NOTE

- Communication parameters of the user terminal must be consistent with the physical attributes of the console user interface on the device.
- After a user authentication mode is specified in the console user interface, a user can log in to the device only after authentication succeeds. This enhances network security.

For information about logging in to the system through the console port, see Logging In to the router Through the Console Port.

3.2.3 Checking the Configuration


After logging in to the system through the console port, you can view information about the console user interface, such as the usage, physical attributes and configurations, local user list, and logged-in users.

Prerequisite
Configurations of user login through the console port are complete.

Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.

----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00  TEL   10.164.6.15       pass          no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface console 0 command to view physical attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type    Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
  0    CON 0   9600          3                   N
  1    CON 0   9600          3                   N
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
    A: Authenticate use AAA.
    N: Current UI need not authentication.
    P: Authenticate use current UI's password.
  Int : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
  ----------------------------------------------------------------------------
  Username          State      Type      Online
  ----------------------------------------------------------------------------
  user123           Active     All       0
  ll                Active     F         0
  user1             Active     F         0
  ----------------------------------------------------------------------------
  Total 3,3 printed

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
  ----------------------------------------------
  User-name        domain-name        userid
  ----------------------------------------------
  root             default            1
  abcd             default            2
  ----------------------------------------------
  Total users              : 2
  Wait authen-ack          : 0
  Authentication success   : 2

3.3 Logging In to the System by Using Telnet


Telnet allows users to log in to remote devices to manage and maintain the devices.

Applicable Environment
If one or more devices need to be configured and managed, you do not need to connect each of the devices to a terminal to maintain the devices locally. If you have obtained the IP address of a device and logged in to the device before, you can use Telnet to log in to the device to remotely configure the device. This allows you to maintain multiple devices on one terminal, greatly facilitating device management.
NOTE

The IP address of a device needs to be preset through the console port.

Pre-configuration Tasks
Before using Telnet to log in to the system, complete the following task:
- Configuring a route between a terminal and a device


Configuration Procedures
Figure 3-6 Logging in to the system by using Telnet
[Flowchart: Configure VTY user interfaces -> Configure local Telnet users -> Enable the Telnet server function -> Configure the listening port number of the Telnet server -> Use Telnet to log in to the system from terminals; legend: Mandatory procedure / Optional procedure]

3.3.1 Configuring VTY User Interfaces


If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device, configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user interfaces. Otherwise, you cannot log in to the device.
NOTE

Authentication mode can be configured for VTY user interfaces by logging in to a device through the console port.

For configurations about VTY user interfaces, see Configuring VTY User Interfaces.

3.3.2 (Optional) Configuring Local Telnet Users


If the user authentication mode of VTY user interfaces is no-authentication or password authentication, the following configuration is not required.

Context
By default, a local user can use any access type. After the user access mode has been specified, only users using the specified access mode can log in to the system.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
aaa

The AAA view is displayed.

Step 3 Run:
local-user user-name password { simple | cipher } password

The user name and password are set.
- If the password is in the form of simple, the password must be in plain text.
- If the password is in the form of cipher, the password can be either in encrypted text or in plain text. The result is determined by the input.

Step 4 Run:
local-user user-name service-type Telnet

The access mode of local users is set to Telnet.

Step 5 Run:
commit

The configuration is committed.

----End

3.3.3 Enabling the Telnet Server Function


The Telnet server can be connected only after the Telnet server function has been enabled. Choose either of the following steps based on the network protocol:

Procedure
- IPv4:
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  telnet server enable

  The Telnet server function is enabled.

  3. Run:
  commit

  The configuration is committed.

- IPv6:
  1. Run:
  system-view

  The system view is displayed.

  2. Run:
  telnet ipv6 server enable

  The Telnet server function is enabled.

  3. Run:
  commit

  The configuration is committed.

NOTE
- If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function when there are users logging in by using Telnet, the command does not take effect.
- After the Telnet server function is disabled, established Telnet connections are not interrupted, and no new Telnet connection is allowed. In this situation, users can log in to the system by using SSH or through the console port.

----End

3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server
The listening port number of the Telnet server can be configured and changed to ensure network security. After the listening port number is changed, only users who know the current listening port number can log in to the router.

Context
By default, the listening port number of the Telnet server is 23, so users can log in to the router without specifying a listening port number. Attackers may access the default listening port, reducing available bandwidth, degrading server performance, and preventing valid users from accessing the server. After the listening port number of the Telnet server is changed, attackers do not know the new listening port number, which effectively prevents them from accessing the listening port.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
telnet [ ipv6 ] server port port-number

The listening port number is set for the Telnet server. If a new listening port number is set, the Telnet server terminates all established Telnet connections, and then uses the new port number to listen to new requests for Telnet connections.

Step 3 Run:
commit

The configuration is committed.

----End



3.3.5 Logging In to the System by Using Telnet


After the device is configured, you can use Telnet to log in to the device from a terminal to remotely maintain the device.

Context
If you need to log in to the system by using Telnet, use either the Windows Command Prompt or third-party software on the terminal. Use the Windows Command Prompt as an example. Do as follows on the PC:

Procedure
Step 1 Enter the Windows Command Prompt window.

Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Input the IP address of the Telnet server.

   Figure 3-7 Schematic diagram 1 for login by using Telnet
   [Figure not reproduced]

2. Press Enter, and the command prompt of the user view is displayed, such as <HUAWEI>. This indicates that you have accessed the Telnet server.

   Figure 3-8 Schematic diagram 2 for login by using Telnet
   [Figure not reproduced]

----End

3.3.6 Checking the Configuration


After logging in to the system by using Telnet, you can view information about the current user interface, every user interface, and established TCP connections.

Prerequisite
The configurations of logging in to the system by using Telnet are complete.

Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display tcp status command to check established TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.

----End

Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay     Type  Network Address   AuthenStatus  AuthorcmdFlag
  34  VTY 0    00:00:12  TEL   1.1.1.1                         no
  Username : Unspecified
+ 35  VTY 1    00:00:00  TEL   1.1.1.2                         no
  Username : Unspecified

Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port   Foreign Add:port  VPNID  State
39952df8  36 /1509  0.0.0.0:0        0.0.0.0:0         0      Closed
32af9074  59 /1     0.0.0.0:21       0.0.0.0:0         14849  LISTEN
34042c80  73 /17    10.1.1.1:23      10.2.2.2:1147     0      Established

Run the display telnet server status command to view the configuration and status of the Telnet server.
<HUAWEI> display telnet server status
  Session 1:
    Source ip address : 10.137.217.221
    VTY Index : 14
  Current number of sessions : 1
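As an added example (not part of this guide and not Huawei tooling), the following Python script parses display tcp status output in the column layout shown above and lists the plain-text Telnet and FTP listeners plus every established Telnet session, marking sessions whose source address lies outside an assumed management subnet. The sample rows, the management_net value (10.2.2.0/24) and the function names are constructed for the example.

```python
"""Flag plain-text management sessions in 'display tcp status' output.

Constructed example (not Huawei code). The column layout follows the
display tcp status output shown in 3.3.6; the sample rows and the
management subnet are constructed for the example.
"""
import ipaddress

# Constructed sample in the layout of the page's display tcp status output.
SAMPLE_TCP_STATUS = """\
TCPCB     Tid/Soid  Local Add:port   Foreign Add:port  VPNID  State
39952df8  36 /1509  0.0.0.0:0        0.0.0.0:0         0      Closed
32af9074  59 /1     0.0.0.0:21       0.0.0.0:0         0      LISTEN
34042c80  73 /17    10.1.1.1:23      10.2.2.2:1147     0      Established
3a1b2c3d  74 /18    10.1.1.1:23      192.0.2.9:40022   0      Established
3b2c3d4e  75 /19    0.0.0.0:22       0.0.0.0:0         0      LISTEN
"""

# Services on this device that carry credentials in clear text over TCP.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet"}


def parse_tcp_status(text):
    """Return one dict per connection row; the header line is skipped.

    Tid/Soid is printed as "36 /1509", so fields are located by content:
    the two tokens containing ":" are the local and foreign sockets and the
    last token on the line is the state.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        sockets = [p for p in parts if ":" in p]
        if len(sockets) != 2 or parts[0] == "TCPCB":
            continue
        (lhost, lport), (fhost, fport) = (s.rsplit(":", 1) for s in sockets)
        rows.append({"local_ip": lhost, "local_port": int(lport),
                     "foreign_ip": fhost, "foreign_port": int(fport),
                     "state": parts[-1]})
    return rows


def find_plaintext_exposure(text, management_net="10.2.2.0/24"):
    """Report plain-text listeners and Telnet/FTP sessions by source.

    management_net is an assumed value: use the subnet that the VTY inbound
    ACL permits, so that sessions from anywhere else stand out.
    """
    net = ipaddress.ip_network(management_net)
    findings = []
    for row in parse_tcp_status(text):
        service = PLAINTEXT_PORTS.get(row["local_port"])
        if service is None:
            continue
        state = row["state"].lower()
        if state == "listen":
            findings.append(f"{service} listener open on "
                            f"{row['local_ip']}:{row['local_port']}")
        elif state == "established":
            src = ipaddress.ip_address(row["foreign_ip"])
            where = "inside" if src in net else "OUTSIDE"
            findings.append(f"{service} session from {src} "
                            f"({where} management net {net})")
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_exposure(SAMPLE_TCP_STATUS):
        print(finding)
```

A Telnet session from outside the permitted management subnet is the signal that the inbound ACL on the VTY interfaces is missing or too broad, and an open port 23 listener after STelnet has been rolled out is the cue to run undo telnet server enable.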

3.4 Logging In to the System by Using STelnet


STelnet based on SSH2 provides secure remote access over an insecure network.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices by using Telnet from the device that you have logged in to. Login by using Telnet brings security risk because Telnet does not provide any secure authentication mechanism and data is transmitted by using TCP in plain text. STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain text password interception.

Pre-configuration Tasks
Before logging in to the system by using STelnet, complete the following task:
l Configuring a route between a terminal and a device

Configuration Procedures
Figure 3-9 Logging in to the system by using STelnet (flowchart)
Configure VTY user interfaces (mandatory procedure)
Configure VTY user interfaces to support SSH (mandatory procedure)
Configure an SSH user and specify STelnet as the service type (mandatory procedure)
Enable the STelnet server function (mandatory procedure)
Configure STelnet server parameters (optional procedure)
Use STelnet to log in to the system from a terminal (mandatory procedure)

3.4.1 Configuring VTY User Interfaces


If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device, configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user interfaces. Otherwise, you cannot log in to the device.
NOTE

Authentication mode can be configured for VTY user interfaces by logging in to a device through the console port.

For configurations about VTY user interfaces, see Configuring VTY User Interfaces.

3.4.2 Configuring VTY User Interfaces to Support SSH


STelnet is based on SSH2. When the client and the server set up a secure connection after negotiation, the client can log in to the server the same way as using Telnet.

Context
By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot log in to the device by using STelnet. Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]

A VTY user interface view is displayed.

Step 3 Run:
authentication-mode aaa

AAA authentication is set.

Step 4 Run:
protocol inbound ssh

SSH is enabled on the VTY user interface.

NOTE

Before configuring a user interface to support SSH, set the authentication mode of the user interface to AAA. Otherwise, the protocol inbound ssh command does not take effect.

Step 5 Run:
commit

The configuration is committed.
----End

3.4.3 Configuring an SSH User and Specifying the Service Type


To allow users to use STelnet to log in to a device, configure an SSH user, configure the device to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and All. Password authentication depends on AAA. Before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.
l Configuring the system to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.
NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication. The All authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh user user-name

An SSH user is created.
If password or password-RSA authentication is configured for the SSH user, create the same SSH user in the AAA view and set the local user access type to SSH.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to configure a local user name and a password.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and enter the system view.

By default, a local user can use any access type. You can specify an access type to allow only users configured with the specified access type to log in to the device.

Step 3 Run:
rsa local-key-pair create

A local RSA key pair is generated.

NOTE

l The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.
l After the key pair is generated, run the display rsa local-key-pair public command to view information about the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }


An authentication mode is set for the SSH user. Perform either of the following operations as needed:
l Configure password authentication.
Run the ssh user user-name authentication-type password command to configure password authentication.
Run the ssh authentication-type default password command to configure default password authentication.
If local or HWTACACS authentication is used and there are only a few users, use password authentication. If there are a large number of users, use default password authentication to simplify configuration.
l Configure RSA authentication.
1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
2. Run the rsa peer-public-key key-name command to enter the public key view.
3. Run the public-key-code begin command to enter the public key edit view.
4. Enter hex-data to edit the public key.
NOTE

l In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals for SSH client software.
l After entering the public key edit view, paste the RSA public key generated on the client to the server.

5. Run the public-key-code end command to exit from the public key edit view.
l Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format is entered.
l If the peer-public-key end command is used after the key key-name specified in Step b is deleted in another window, the system prompts a message, indicating that the key does not exist, and the system view is displayed.
6. Run the peer-public-key end command to return to the system view.
7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.

Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set an interval at which the key of the server is updated. By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication. By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the retry times of SSH authentication. By default, SSH authentication retries a maximum of 3 times.

Step 6 Run:
ssh user username service-type { stelnet | sftp | all }


The service type of an SSH user is set to STelnet, SFTP, or all. By default, the service type of an SSH user is none. That is, no service is supported.

Step 7 Run:
commit

The configuration is committed.
----End

3.4.4 Enabling the STelnet Server Function


The STelnet server can be connected only when the STelnet server function is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
stelnet server enable

The STelnet server function is enabled. After the STelnet server function is disabled, all STelnet clients are disconnected.

Step 3 Run:
commit

The configuration is committed.
----End

3.4.5 (Optional) Configuring STelnet Server Parameters


You can configure a device to support the SSH protocol of earlier versions, configure or change the listening port number of an SSH server, and set an interval at which the key pair of the SSH server is updated.

Context
l The SSH protocol has the following versions: SSH1.X and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The NE5000E supports SSH whose version number ranges from 1.3 to 2.0.
l The default listening port number of an SSH server is 22. When the default listening port number is used, users can directly log in to a device without specifying the listening port number. Attackers may access the default listening port, consuming bandwidth, affecting performance of the server, and leaving valid users unable to access the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port, improving security.
l An interval at which the key pair of an SSH server is updated can be set. When the timer expires, the key pair is automatically updated to improve security.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh server compatible-ssh1x enable

The system is enabled to support earlier SSH protocol versions. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for the earlier SSH protocol versions.

Step 3 Run:
ssh server port port-number

The listening port number of the SSH server is set. By default, the listening port number is 22. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen for connection requests.

Step 4 Run:
ssh server rekey-interval hours

The interval at which the key pair of the SSH server is updated is set. By default, the interval is zero, indicating that the key pair will never be updated.

Step 5 Run:
commit

The configuration is committed.
----End

3.4.6 Logging In to the System by Using STelnet


After the preceding configuration is complete, a user can log in to the system from a terminal by using STelnet to remotely maintain the device.

Context
Third-party software can be used to implement an STelnet login. Use the third-party software OpenSSH and Windows Command Prompt as an example. After installing OpenSSH on a PC, do as follows on the PC:
NOTE

For details about how to install OpenSSH, see the software installation guide. For details about how to use OpenSSH commands to log in to the device, see the software help document.


Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run OpenSSH commands to log in to the device by using STelnet, as shown in Figure 3-10.
Figure 3-10 Schematic diagram for login by using STelnet

----End

3.4.7 Checking the Configuration


After you log in to the system by using STelnet, you can view configuration of the SSH server.

Prerequisite
The configurations of logging in to the system by using STelnet are complete.

Procedure
l Run the display ssh user-information username command on the SSH server to check information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view the total number of connections accepted, denied, and closed, and the total number of online connections.

----End

Example
Run the display ssh user-information username command to view information about a specified SSH user.
<HUAWEI> display ssh user-information client001
------------------------------
  User Name             : client001
  Authentication-Type   : password
  User-public-key-name  :
  Sftp-directory        :
  Service-type          : stelnet
----------------------------------
  Total 1, 1 printed

If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed. Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
------------------------------------------
SSH Version                          : 1.99
SSH authentication timeout           : 60 Seconds
SSH authentication retries           : 3 Times
SSH server key generating interval   : 0 Hours
SSH version 1.x compatibility        : ENABLED
SSH server keep alive                : DISABLED
SFTP server                          : DISABLED
STELNET server                       : DISABLED
SNETCONF server                      : DISABLED
SSH server port                      : 22
------------------------------------------------
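Added example, not code from the Huawei guide: a Python script that parses the display ssh server status output above and reports which of the optional server parameters from 3.4.5 (SSH1.x compatibility, listening port, key-pair update interval) are still at their defaults, and whether any SSH service is enabled yet; the sample output is constructed from the one above and the finding texts are this example's own wording.

```python
import re

# Constructed sample in the layout of the display ssh server status output shown above.
SAMPLE_STATUS = """\
<HUAWEI> display ssh server status
------------------------------------------
SSH Version                          : 1.99
SSH authentication timeout           : 60 Seconds
SSH authentication retries           : 3 Times
SSH server key generating interval   : 0 Hours
SSH version 1.x compatibility        : ENABLED
SSH server keep alive                : DISABLED
SFTP server                          : DISABLED
STELNET server                       : DISABLED
SNETCONF server                      : DISABLED
SSH server port                      : 22
------------------------------------------------
"""

# "Key   : value" lines; separator lines and the command echo carry no colon after a letter key.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 .]*?)\s*:\s*(?P<value>.+?)\s*$")


def parse_ssh_server_status(text):
    """Return the key/value pairs of display ssh server status as a dict, keys as printed."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def _number(value):
    """Leading integer of values such as '0 Hours' or '60 Seconds'."""
    return int(value.split()[0])


def audit_ssh_server(fields):
    """Compare parsed status fields with the settings described in 3.4.5 and return findings."""
    findings = []
    if fields.get("SSH version 1.x compatibility", "").upper() == "ENABLED":
        findings.append("SSH1.x compatibility is enabled; disable it with undo ssh server compatible-ssh1x enable")
    if _number(fields.get("SSH server key generating interval", "0 Hours")) == 0:
        findings.append("server key pair is never regenerated; set ssh server rekey-interval hours")
    if _number(fields.get("SSH server port", "22")) == 22:
        findings.append("server listens on the default port 22; ssh server port port-number changes it")
    if (fields.get("STELNET server", "").upper() == "DISABLED"
            and fields.get("SFTP server", "").upper() == "DISABLED"):
        findings.append("neither STelnet nor SFTP is enabled, so no SSH login is possible yet")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_server(parse_ssh_server_status(SAMPLE_STATUS)):
        print("-", finding)
```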

Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.
<HUAWEI> display ssh server session
  Session              : 1
  Conn                 : VTY 3
  Version              : 2.0
  State                : started
  Username             : client001
  Retry                : 1
  CTOS Cipher          : aes128-cbc
  STOC Cipher          : aes128-cbc
  CTOS Hmac            : hmac-md5
  STOC Hmac            : hmac-md5
  Kex                  : diffie-hellman-group-exchange-sha1
  Service Type         : stelnet
  Authentication Type  : password

Run the display ssh server statistics command to view the current statistics information of the SSH server.
<HUAWEI> display ssh server statistics
---------------------------------
  Total connection accepted            : 1
  Total connection denied by ACL       : 2
  Total connection denied by CLI       : 0
  Total connection denied by AAA       : 3
  Total connection denied by Netconf   : 1
  Total connection closed by CLI       : 1
  Total connection closed by Netconf   : 4
  Total connection closed by sock      : 3
  Total online connection              : 5
----------------------------------------


3.5 Configuration Examples


This section provides configuration examples for logging in to the system through the console port or by using Telnet or STelnet. These configuration examples explain networking requirements, configuration roadmap, and precautions.

3.5.1 Example for Logging In to the System Through the Console Port
In this example, a PC is set to allow a user to log in to the router through the console port.

Networking Requirements
If the default parameter values for the console user interface on the router are changed, the parameters must be set accordingly on the user terminal before the next login through the console port.
Figure 3-11 Networking diagram for login through the console port (PC connected to the console port of the Router)

Configuration Roadmap
1. Connect a PC to the console port on the router.
2. Set parameters on the PC for login.
3. Log in to the router.

Data Preparation
Communication parameters of the PC (transmission rate: 4800 bps, data bits: 6, parity bit: even, stop bits: 2, flow control mode: none).

Procedure
Step 1 Establish the configuration environment. Connect the serial interface on the user terminal to the console port on the router through a standard RS-232 cable.
Step 2 Run the terminal emulator on the PC. Set communication parameters for the PC, as shown in Figure 3-12 to Figure 3-14. Set the transmission rate to 4800 bit/s, data bits to 6, parity bit to even, stop bits to 2, and flow control mode to none.
Figure 3-12 Establishing a connection
Figure 3-13 Setting connected ports
Figure 3-14 Setting communication parameters

Step 3 Power on the router and wait for the completion of the self-check. After the router starts properly and finishes the self-check, the system prompts you to press Enter, and the command prompt <HUAWEI> is displayed. Use commands to view the operating status of the router or configure the router.
----End

3.5.2 Example for Logging In to the System by Using Telnet


In this example, VTY user interfaces are configured to allow users to log in to the device from the client.

Networking Requirements
A user can use a user terminal to log in to the router on another network segment to remotely maintain the router.
Figure 3-15 Networking diagram for logging in to the system by using Telnet (PC connected over the network to P1, GE0/0/0 10.137.217.221/16)


Precautions
If a user has passed AAA authentication and logged in to the router by using Telnet, the user is prohibited from logging in to other routers on the network.

Configuration Roadmap
1. Establish a physical connection.
2. Assign an IP address to the MEth interface on P1.
3. Configure VTY user interfaces, including the limit on incoming and outgoing calls.
4. Configure Telnet user information.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on P1
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging in to another router: 3001
l Timeout period of a user connection: 20 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)

Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Assign an IP address to the MEth interface on P1.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] interface gigabitethernet 0/0/0
[~P1-GigabitEthernet0/0/0] undo shutdown
[~P1-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~P1-GigabitEthernet0/0/0] commit
[~P1-GigabitEthernet0/0/0] quit

Step 3 Configure VTY user interfaces on the router.
# Set the maximum number of VTY user interfaces.
[~P1] user-interface maximum-vty 10
[~P1] commit

# Configure an ACL to restrict users from logging in to another router.
[~P1] acl 3001
[~P1-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[~P1-acl-adv-3001] quit
[~P1] user-interface vty 0 9
[~P1-ui-vty0-9] acl 3001 outbound

# Set terminal attributes of VTY user interfaces.
[~P1-ui-vty0-9] shell
[~P1-ui-vty0-9] idle-timeout 20
[~P1-ui-vty0-9] screen-length 30
[~P1-ui-vty0-9] history-command max-size 20

# Set a user authentication mode for VTY user interfaces.
[~P1-ui-vty0-9] authentication-mode aaa
[~P1-ui-vty0-9] commit
[~P1-ui-vty0-9] quit

Step 4 Set Telnet user information on the router.
# Specify the login authentication mode.
[~P1] aaa
[~P1-aaa] local-user huawei password cipher hello
[~P1-aaa] local-user huawei service-type telnet
[~P1-aaa] local-user huawei level 3
[~P1-aaa] commit
[~P1-aaa] quit

Step 5 Configure user login.
# Enter the Windows Command Prompt window and run the relevant command to telnet to the device, as shown in Figure 3-16.
Figure 3-16 Telnet login window on the PC

Press Enter, and input the user name and password in the login window. After user authentication succeeds, a command prompt of the user view is displayed, as shown in Figure 3-17. This indicates that you have entered the user view.
Figure 3-17 Window displayed after login to the router


----End

Configuration file of P1
sysname P1
#
user-interface maximum-vty 10
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 local-user huawei level 3
 local-user huawei service-type telnet
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
user-interface vty 0 9
 authentication-mode aaa
 user privilege level 15
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
 acl 2000 inbound
 acl 3001 outbound
#
admin
return

3.5.3 Example for Logging In to the System by Using STelnet


In this example, a local key pair is generated on an SSH server, and a user name and a password are configured on the server for an SSH user. After the STelnet server function is enabled on the server, the STelnet client is connected to the server.

Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices by using Telnet from the device that you have logged in to. Login by using Telnet brings security risk because Telnet does not provide any secure authentication mechanism and data is transmitted by using TCP in plain text. STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain text password interception.

As shown in Figure 3-18, after the STelnet server function is enabled on the router functioning as an SSH server, STelnet clients can log in to the SSH server in password, RSA, password-RSA, or All authentication mode.
Figure 3-18 Networking diagram for logging in to the system by using STelnet (PC connected over the network to the SSH Server, GE0/0/0 10.137.217.225/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to the MEth interface on the SSH server.
2. Configure a local key pair on the SSH server, allowing secure data transmission between the STelnet client and the SSH server.
3. Configure VTY user interfaces on the SSH server.
4. Configure an SSH user, including the authentication mode, user name, and password.
5. Enable the STelnet server function on the SSH server and configure a user service type.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the MEth interface on the SSH server
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.223

Procedure
Step 1 Configure a login address.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet 0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] commit
[~SSH Server-GigabitEthernet0/0/0] quit

Step 2 Configure a local key pair on the server.
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
      It will take a few minutes.
Input the bits in the modulus [default = 512] :


Step 3 Configure VTY user interfaces on the SSH server.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the NE5000E automatically disables the Telnet function.

Step 4 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

Step 5 Enable the STelnet server function, and configure STelnet as the service type.
[~SSH Server] stelnet server enable
[~SSH Server] ssh authentication-type default password
[~SSH Server] commit

Step 6 Verify the configuration. # Access the STelnet server by using the OpenSSH software. Figure 3-19 Schematic diagram for accessing the SFTP server by using the OpenSSH software

----End

Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
rsa local-key-pair create 512
rsa local-key-pair host-key begin
rsa local-key-pair host-key end
#
stelnet server enable
ssh authentication-type default password
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 level 3
 local-user client001 service-type ssh
#
admin
return

4 Transferring Files

About This Chapter

File transfer protocols help file transmission between PCs.

4.1 File Transfer Overview
The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File Transfer Protocol (SFTP) can be used to operate and manage files.

4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E
This section describes file transfer modes supported by the HUAWEI NetEngine5000E based on usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly and accurately complete the configurations.

4.3 Operating Files After Logging In to the System
Users can operate files after logging in to the system, including managing storage devices, directories, and files.

4.4 Using FTP to Operate Files
FTP is used to transfer files between local clients and remote servers.

4.5 Using SFTP to Operate Files
SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade.

4.6 Configuration Examples
This section provides configuration examples for operating files after logging in to the system or by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and precautions.


4.1 File Transfer Overview


The File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Secure File Transfer Protocol (SFTP) can be used to operate and manage files.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
l Control connection: issues commands from the client to the server and transmits replies from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.

FTP has two file transfer modes:
l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:
l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP, TFTP is simple, providing no authentication. It is applicable to scenarios where complicated interactions between clients and the server are not required. TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE

l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:
- When a TFTP client needs to download files from the server, the client sends a read request to the TFTP server. The server sends data packets to the client, and the client acknowledges the data packets.
- When a TFTP client needs to upload a file to the server, the client sends a write request and then data to the server, and receives acknowledgments from the server.
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 56

Issue 01 (2011-10-15)

HUAWEI NetEngine5000E Core Router Configuration Guide - Basic Configurations

4 Transferring Files

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, users can use the device functioning as a client to log in to a remote server and transfer files securely. When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and remove the connection proactively. To help the client detect such a fault in time, configure an interval at which Keepalive packets are sent if no packet is received and the maximum number of times that the server may fail to respond:
- If the client does not receive any packet within the specified interval, the client sends a Keepalive packet to the server.
- If the number of times that the server does not respond exceeds the specified maximum, the client proactively releases the connection.

4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E


This section describes file transfer modes supported by the HUAWEI NetEngine5000E based on usage scenarios. Familiarizing yourself with the usage scenarios helps you rapidly and accurately complete the configurations. Table 4-1 lists file transfer modes supported by the HUAWEI NetEngine5000E.
NOTE

The file to be uploaded must be less than 2 GB. Uploading a file larger than 2 GB makes the device unable to display information.

Table 4-1 Usage scenarios for file transfer modes

File Transfer Mode: FTP
Advantages:
- Is based on TCP connections, having all TCP characteristics.
- Supports authentication and authorization.
- Supports file transfer between hosts with different file systems.
Disadvantages:
- FTP commands are complicated and various.
- FTP requires more memory resources than TFTP.
- Data and even user names and passwords are transmitted in plain text, bringing security risks.
Usage Scenario: FTP can be used on networks that have delay, packet loss, and jitter. FTP is used for version upgrade and file transfer.

File Transfer Mode: TFTP
Advantages:
- Is based on UDP connections.
- TFTP requires fewer memory resources than FTP.
Disadvantages:
- TFTP supports only file transfer but not interaction.
- TFTP does not allow users to list directories or negotiate with the server to determine which files can be obtained.
- TFTP does not provide authentication and authorization. It transmits data in plain text. This adds security risks and renders the device vulnerable to attacks and network viruses.
Usage Scenario: TFTP can be used to load and upgrade software on a local area network (LAN) in a laboratory where the network is in good condition. TFTP is applicable to networks where complicated interactions between clients and the server are not required. For details, see 5.4 Using TFTP to Access Other Devices.

File Transfer Mode: SFTP
Advantages: Data is encrypted and its integrity is guaranteed. SFTP provides high security.
Disadvantages:
- Data transmission efficiency is low.
- Terminals must be installed with third-party software to support SFTP.
Usage Scenario: SFTP is applicable to networks that have high security requirements.

4.3 Operating Files After Logging In to the System


Users can operate files after logging in to the system, including managing storage devices, directories, and files.

Applicable Environment
When a device fails to save or obtain data, you can log in to the system to repair the faulty storage device or manage files or directories on the device. This file operation mode is used when storage devices need to be managed.

Pre-configuration Tasks
After logging in to the system, complete the following task before operating files:
- 3 Configuring User Login


Configuration Procedures
Figure 4-1 Operating files after logging in to the system (flowchart: Manage directories, then Manage files; legend: mandatory procedure, optional procedure)

4.3.1 Managing Directories


You can manage directories to logically save files in hierarchies.

Context
You can change and display directories, display the files and sub-directories in a directory, and create and delete directories. Perform one or more of the following operations as required:

Procedure
- Run:
  cd directory

  The current directory of the device is changed.
- Run:
  pwd

  The current directory of the device is displayed.
- Run:
  dir [ /all ] [ filename ]

  Files in the directory and the list of sub-directories are displayed.
- Run:
  mkdir directory

  A directory is created.
- Run:
  rmdir directory

  A directory is deleted.
----End

4.3.2 Managing Files


Files on a device can be managed by logging in to the file system: files can be viewed, copied, moved, deleted, or renamed.

Perform one or more operations shown in Table 4-2 as needed.

Table 4-2 File management

Displaying a file: Run the more file-name command. file-name is in the [ drive ][ path ][ file-name ] format, ranging from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file needs to be copied to another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information.

Copying a file: Run the copy source-filename destination-filename command. source-filename and destination-filename are in the [ drive ][ path ][ file-name ] format, ranging from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file needs to be copied to another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information.

Moving a file: Run the move source-filename destination-filename command. source-filename and destination-filename are in the [ drive ][ path ][ file-name ] format, and can be a wildcard (*). The file name ranges from 1 to 128 characters. An absolute path name ranges from 1 to 128 characters, supporting a maximum of 8-level directories. If the file needs to be moved to another chassis, slot, or CF card, the file path must contain the chassis ID, slot number, or CF card information. When destination-filename is a directory name, the source file is moved to this directory, with the file name unchanged.

Deleting a file: Run the delete [ /unreserved ] filename command. /unreserved deletes the specified file thoroughly. The deleted file cannot be restored.

Restoring a deleted file: Run the undelete filename command.
- If a file is deleted mistakenly, run the undelete command to restore it. A file deleted by using the delete /unreserved command cannot be restored.
- If the current directory is not the root directory, use the absolute path when operating files.

Removing a file from the recycle bin: Run the reset recycle-bin [ /f | filename ] command. /f deletes all files from the recycle bin without asking the user to confirm each deletion.
NOTE: This command deletes files from the recycle bin thoroughly, and the deleted files cannot be restored. Exercise caution when using this command.

Renaming a file: Run the rename source-filename destination-filename command.


4.4 Using FTP to Operate Files


FTP is used to transfer files between local clients and remote servers.

Applicable Environment
As devices operate stably and are deployed on a large scale, more and more devices need to be maintained and upgraded remotely. Online software upgrade, a new upgrade method that loads software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for an upgrade, and improves customer satisfaction. In real-world situations, delay, packet loss, and jitter affect data transmission on networks. To guarantee the quality of online upgrade and data transmission, use FTP, which runs over TCP connections, to perform online upgrade and transfer files.

Pre-configuration Tasks
Before operating files by using FTP, complete the following task:
- 3 Configuring User Login

Configuration Procedures
Figure 4-2 File operation by using FTP (flowchart: Configure local FTP users; Configure the listening port number of the FTP server; Enable the FTP server function; Configure FTP server parameters; Configure FTP access control; Use the FTP software to access the system; Use FTP commands to operate files; legend: mandatory procedure, optional procedure)



4.4.1 Configuring a Local FTP User


Authentication information, authorization mode, and authorization directory can be configured for an FTP user to prevent unauthorized users from accessing the specified directory.

Context
To operate files by using FTP, configure a local user name and password on the device serving as the FTP server, and specify the service type and the directory that the user can access. Otherwise, the user cannot access the FTP server. Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
aaa

The AAA view is displayed.
Step 3 Run:
local-user user-name password simple password

The user name and password are set.
- If the password is in simple form, the password must be in plain text.
- If the password is in cipher form, the password can be either in encrypted text or in plain text. The result is determined by the input.
Step 4 Run:
local-user user-name service-type ftp

FTP is configured as the service type for the FTP user.
Step 5 Run:
local-user user-name ftp-directory directory

The authorization directory is configured for the FTP user.

CAUTION
If the directory is not configured, the user is automatically redirected to cfcard:/.
Step 6 Run:
commit

The configuration is committed.
----End



4.4.2 (Optional) Changing the Listening Port Number of the FTP Server
After the listening port number of the FTP server is changed, only users that know the new port number can access the server, ensuring security.

Context
By default, the listening port number of the FTP server is 21. Users can directly log in to a device functioning as an FTP server by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, affecting performance of the server, and causing valid users unable to access the server. After the listening port number of the FTP server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.
NOTE
If the FTP server is already enabled when the port number is changed, the FTP server restarts.

Do as follows on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ftp [ ipv6 ] server port port-number

The listening port number of the FTP server is changed. If a new listening port number is set, the FTP server terminates all established FTP connections and then uses the new port number to listen for new FTP connection attempts.
Step 3 Run:
commit

The configuration is committed.
----End

4.4.3 Enabling the FTP Server Function


Before using FTP to operate files, enable the FTP server function on the device.

Context
By default, the FTP server function is disabled. Therefore, you must enable the FTP server function before using FTP. Do as follows on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ftp [ ipv6 ] server enable

The FTP server function is enabled.

NOTE
After files are successfully transferred between the client and the server, run the undo ftp [ ipv6 ] server command to disable the FTP server function in time for security.

Step 3 Run:
commit

The configuration is committed.
----End

4.4.4 (Optional) Configuring FTP Server Parameters


Configuring proper parameters for the FTP server guarantees device security and maximizes the resource usage.

Context
The FTP server parameters include the source address of the FTP server and the timeout period of an idle FTP connection.
- Specifying the source address of the FTP server restricts the destination address accessed by clients, ensuring security.
- After the timeout period of an idle FTP connection is configured, if a client and the server do not exchange messages within the specified timeout period, the server terminates the connection and releases the FTP connection resource.

Perform the following steps on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Configure the following FTP server parameters as required:
- Run the ftp server-source { -a source-ip-address | -i interface-type interface-number } command to configure the source address of the FTP server. By default, the source IP address of an FTP server is 0.0.0.0. The source address must be a loopback address, and the source interface must be a loopback interface. After the source address is configured, the address specified in the ftp command for login to the FTP server must be the configured source address. Otherwise, the login fails.
- Run the ftp timeout minutes command to set the timeout period of an idle FTP connection. By default, the timeout period of an idle FTP connection is 30 minutes.
Step 3 Run:
commit

The configuration is committed.
----End

4.4.5 (Optional) Configuring FTP Access Control


An ACL can be configured to allow only specified clients to access an FTP server.

Context
When a device functions as an FTP server, you can configure an ACL to allow only the clients that meet the rules specified in the ACL to access the FTP server. Do as follows on the device that functions as an FTP server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
acl acl-number

The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | fragment-type fragment-type-name | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

A rule is configured.
NOTE
FTP supports only basic ACLs whose numbers range from 2000 to 2999.

Step 4 Run:
ftp acl { acl-number | acl-name acl-name }

A basic ACL is configured to filter FTP users.
Step 5 Run:
commit

The configuration is committed.
----End
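The filtering that a basic ACL bound with ftp acl performs, as an added Python model that is not from the guide or the device software: the wildcard matching follows the rule syntax above, while first-match evaluation in rule-ID order, the auto-numbering step of 5, and deny-by-default for clients that match no rule are assumptions.

```python
"""Basic ACL (2000-2999) matcher for FTP access control.

Added example, not taken from the Huawei guide or the NE5000E software. It
models how a basic ACL bound with 'ftp acl' filters FTP clients by source
IPv4 address. The wildcard semantics (0 bit = must match, 1 bit = don't care)
follow the 'source { source-ip-address source-wildcard | any }' syntax in the
guide; first-match evaluation in rule-ID order and deny-by-default for clients
that match no rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str    # "permit" or "deny"
    source: int    # source address as a 32-bit integer
    wildcard: int  # wildcard mask; set bits are ignored when matching

    def matches(self, addr: int) -> bool:
        # Compare only the bits the wildcard does not mask out. A wildcard is
        # not a netmask: non-contiguous masks such as 0.255.255.0 are legal.
        care = ~self.wildcard & MASK32
        return (addr & care) == (self.source & care)


def parse_rule(line: str, auto_id: int) -> Rule:
    """Parse one 'rule [ rule-id ] { deny | permit } [ source ... ]' line.

    Only the 'source' option is modelled; the other options in the guide's
    syntax (fragment, logging, time-range, vpn-instance) are not handled.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    pos, rule_id = 1, auto_id
    if tokens[pos].isdigit():  # rule-id is optional
        rule_id, pos = int(tokens[pos]), pos + 1
    action = tokens[pos]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    pos += 1
    source, wildcard = 0, MASK32  # no 'source' keyword behaves like 'any'
    if pos < len(tokens) and tokens[pos] == "source" and tokens[pos + 1] != "any":
        source = int(ipaddress.IPv4Address(tokens[pos + 1]))
        wildcard = int(ipaddress.IPv4Address(tokens[pos + 2]))
    return Rule(rule_id, action, source, wildcard)


class BasicAcl:
    """A basic ACL as bound to the FTP server with 'ftp acl acl-number'."""

    def __init__(self, number: int, rule_lines: List[str], default_permit: bool = False):
        if not 2000 <= number <= 2999:
            raise ValueError("FTP supports only basic ACLs numbered 2000 to 2999")
        self.number = number
        self.default_permit = default_permit  # assumed: unmatched clients are denied
        self.rules: List[Rule] = []
        next_id = 5  # assumed auto-numbering step of 5 when rule-id is omitted
        for line in rule_lines:
            rule = parse_rule(line, next_id)
            self.rules.append(rule)
            next_id = (rule.rule_id // 5 + 1) * 5
        self.rules.sort(key=lambda rule: rule.rule_id)

    def first_match(self, client_ip: str) -> Optional[Rule]:
        """Return the first rule matching client_ip, or None if no rule matches."""
        addr = int(ipaddress.IPv4Address(client_ip))
        return next((rule for rule in self.rules if rule.matches(addr)), None)

    def permits(self, client_ip: str) -> bool:
        """True if a client at client_ip may open an FTP control connection."""
        rule = self.first_match(client_ip)
        return self.default_permit if rule is None else rule.action == "permit"


if __name__ == "__main__":
    # Constructed sample: permit the management subnet, explicitly deny the rest.
    acl = BasicAcl(2001, ["rule 5 permit source 10.18.26.0 0.0.0.255",
                          "rule 10 deny source any"])
    for ip in ("10.18.26.139", "10.18.27.1"):
        rule = acl.first_match(ip)
        print(ip, "permitted" if acl.permits(ip) else "denied",
              "by rule", rule.rule_id if rule else None)
```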

4.4.6 Using FTP to Access the System


After an FTP server is configured, you can access the server from a PC by using FTP to manage the files on the server.

Context
To log in to the FTP server from the PC, use either the Windows Command Prompt or third-party software. The Windows Command Prompt is used as an example. Do as follows on the PC:

Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the ftp ip-address command to log in to the server by using FTP. Enter the user name and password at the prompt, and press Enter. When the command prompt of the FTP client view is displayed, such as ftp>, you have entered the working path of the FTP server, as shown in Figure 4-3.
Figure 4-3 Schematic diagram for the working path of the FTP server

----End

4.4.7 Using FTP to Operate Files


After logging in to a device that functions as an FTP server by using FTP, you can upload files to or download files from the device, and manage the directories of the device.

Context
Table 4-3 lists FTP file attributes.

Table 4-3 File attributes

FTP file type:
- ASCII type: A file is transmitted in ASCII characters. In this type, the Enter key cannot be used to separate lines.
- Binary type

FTP data connection mode: The following data connection modes can be set for the FTP server:
- ACTIVE mode: The server proactively connects to clients during connection establishment.
- PASV mode: The server waits to be connected by clients during connection establishment.
During connection establishment, the FTP client determines whether the mode is ACTIVE or PASV.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.
Step 2 Perform one or more operations shown in Table 4-4 as needed.

Table 4-4 File operations

Managing files

Configuring the file type:
- Run the ascii command to set the file type to ASCII.
- Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.

Configuring the data connection mode:
- Run the passive command to set the data connection mode to PASV.
- Run the undo passive command to set the data connection mode to ACTIVE.
By default, the PASV mode is used.

Uploading files:
- Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
- Run the mput local-filenames command to upload files from the local device to a remote server.

Downloading files:
- Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device.
- Run the mget remote-filenames command to download files from a remote server and save the files on the local device.

Enabling the file transfer prompt function:
- If the prompt command is run in the FTP client view, the file transfer prompt function is enabled and the system asks you to confirm each upload or download.
- If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.
NOTE: The prompt command applies when the mput or mget command is used to upload or download files. If files to be downloaded with the mget command already exist on the local device, the system asks whether to overwrite them regardless of whether the file transfer prompt function is enabled.

Enabling the FTP verbose function: Run the verbose command. After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.

Managing directories

Changing the working path of a remote FTP server: Run the cd pathname command.

Changing the working path of an FTP server to the parent directory: Run the cdup command.

Displaying the working path of an FTP server: Run the pwd command.

Displaying files in a directory and the list of subdirectories: Run the dir [ remote-directory [ local-filename ] ] command. If no path name is specified for a remote file, the system searches for the file in the authorized directory of the user.

Displaying a specified remote directory or file on an FTP server: Run the ls [ remote-directory [ local-filename ] ] command.

Displaying or changing the working path of an FTP client: Run the lcd [ directory ] command. The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.

Creating a directory on an FTP server: Run the mkdir remote-directory command. The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", or ":".

Deleting a directory from an FTP server: Run the rmdir remote-directory command.

Displaying online help for an FTP command: Run the remotehelp [ command ] command.

Changing an FTP user: Run the user username [ password ] command.

Step 3 Perform either of the following operations as needed to terminate an FTP connection.
- Run the bye or quit command to terminate the connection to the FTP server and return to the user view.
- Run the close or disconnect command to terminate both the connection to the FTP server and the FTP session but remain in the FTP client view.
Step 4 Run:
commit

The configuration is committed.
----End

4.4.8 Checking the Configuration


After completing the configurations of file operation by using FTP, you can view the configuration and status of the FTP server as well as information about logged-in FTP users.

Prerequisite
The configurations of file operation by using FTP are complete.

Procedure
- Run the display ftp-server command to check the configuration and status of the FTP server.
- Run the display ftp-users command to check information about logged-in FTP users.

----End

Example
Run the display ftp-server command to view the configuration and status of the FTP server.
<HUAWEI> display ftp-server
-------------------------------------------------------------------------
Server State : enabled
IPv6 server State : enabled
Timeout value (mins) : 30
Listen port : 21
IPv6 listen port : 21
ACL 4 name :
ACL 4 number : 0
Current user count : 0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source interface :
-------------------------------------------------------------------------

Run the display ftp-users command to view information about logged-in FTP users, including the user name, port number, and authorized directory.
<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name : root
Host Address : 2607:F0D0:1002:11::126
Control Port : 20465
Idle Time (mins) : 1
Root Directory :cfcard:/
User Name : root
Host Address : 10.18.26.139
Control Port : 28783
Idle Time (mins) : 0
Root Directory :cfcard:/
-----------------------------------------------------------
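A small audit of the two outputs above, as an added Python example that is not from the guide or the device software: it assumes the one-field-per-line key : value layout shown in the guide, runs on constructed sample output embedded in the code, and reports the settings this chapter singles out (server left enabled, default port, no ACL, unrestricted source address, users rooted at cfcard:/).

```python
"""Audit helper for 'display ftp-server' and 'display ftp-users' output.

Added example, not part of the Huawei guide or the NE5000E software. It
parses the 'key : value' layout shown in the guide and reports the settings
this chapter singles out: the FTP server left enabled with nobody transferring
files (4.4.3), the default listening port 21 (4.4.2), no basic ACL bound
(4.4.5), the unrestricted 0.0.0.0 source address (4.4.4), and FTP users whose
authorization directory fell back to cfcard:/ (4.4.1). Both samples are
constructed to mirror the guide's output format.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample mirroring the fields of 'display ftp-server'.
FTP_SERVER_SAMPLE = """\
<HUAWEI> display ftp-server
-------------------------------------------------------------------------
Server State                  : enabled
IPv6 server State             : disabled
Timeout value (mins)          : 30
Listen port                   : 21
IPv6 listen port              : 21
ACL 4 name                    :
ACL 4 number                  : 0
Current user count            : 2
Max user number               : 15
Source IPv4 address           : 0.0.0.0
Source interface              :
-------------------------------------------------------------------------
"""

# Constructed sample mirroring the fields of 'display ftp-users'.
FTP_USERS_SAMPLE = """\
<HUAWEI> display ftp-users
-----------------------------------------------------------
User Name                     : root
Host Address                  : 10.18.26.139
Control Port                  : 28783
Idle Time (mins)              : 0
Root Directory                :cfcard:/
User Name                     : upgrade
Host Address                  : 10.18.26.140
Control Port                  : 28790
Idle Time (mins)              : 2
Root Directory                :cfcard:/upgrade/
-----------------------------------------------------------
"""

# The key ends at the first colon, so IPv6 host addresses and 'cfcard:/'
# paths survive intact in the value.
_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def _fields(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, value) pairs, skipping the prompt line and separator rules."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", "-")):
            continue
        match = _FIELD.match(line)
        if match:
            yield match.group("key").strip(), match.group("value").strip()


def parse_ftp_server(text: str) -> Dict[str, str]:
    return dict(_fields(text))


def parse_ftp_users(text: str) -> List[Dict[str, str]]:
    """One record per session; a new record starts at each 'User Name' field."""
    users: List[Dict[str, str]] = []
    for key, value in _fields(text):
        if key == "User Name":
            users.append({})
        if users:
            users[-1][key] = value
    return users


def audit_ftp_server(server_text: str, users_text: str = "") -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    srv = parse_ftp_server(server_text)
    enabled = [fam for fam, key in (("IPv4", "Server State"), ("IPv6", "IPv6 server State"))
               if srv.get(key) == "enabled"]
    findings: List[str] = []
    if not enabled:
        return findings  # nothing is listening, nothing to flag
    users = parse_ftp_users(users_text)
    if srv.get("Current user count") == "0" and not users:
        findings.append("FTP server enabled with no active session; disable it with "
                        "'undo ftp server' once transfers are complete")
    if "IPv4" in enabled and srv.get("Listen port") == "21":
        findings.append("IPv4 listen port is the default 21 ('ftp server port')")
    if srv.get("ACL 4 number", "0") == "0" and not srv.get("ACL 4 name"):
        findings.append("no basic ACL bound; any reachable client may attempt to log in ('ftp acl')")
    if srv.get("Source IPv4 address") == "0.0.0.0" and not srv.get("Source interface"):
        findings.append("source address 0.0.0.0: the server answers on every interface "
                        "address ('ftp server-source')")
    for user in users:
        if user.get("Root Directory", "").rstrip("/") == "cfcard:":
            findings.append(f"user {user.get('User Name')} from {user.get('Host Address')} "
                            "is rooted at cfcard:/ (no ftp-directory configured)")
    return findings
```

Calling audit_ftp_server(FTP_SERVER_SAMPLE, FTP_USERS_SAMPLE) on the constructed samples reports the default port, the missing ACL, the 0.0.0.0 source address, and the root session rooted at cfcard:/.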

4.5 Using SFTP to Operate Files


SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade.

Applicable Environment
As devices operate stably and are deployed on a large scale, more and more devices need to be maintained and upgraded remotely. Online software upgrade, a new upgrade method that loads software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for an upgrade, and improves customer satisfaction. FTP is usually used to transmit data for online upgrade. FTP transmits data and even user names and passwords in plain text, bringing security risks. SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade. In addition, the device can function as an SFTP client. This allows users that have logged in to the device to access other remote devices to transfer files and perform online upgrade by using SFTP.

Pre-configuration Tasks
Before operating files by using SFTP, complete the following task:
- Configuring User Login


Configuration Procedures
Figure 4-4 Operating files by using SFTP (flowchart: Configure an SSH user and specify SFTP as the service type; Enable the SFTP server function; Configure SFTP server parameters; Use SFTP to access the system; Use SFTP commands to operate files; legend: mandatory procedure, optional procedure)

4.5.1 Configuring an SSH User and Specifying the Service Type


To allow users to log in to the device by using SFTP, configure an SSH user, configure the device to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context
- SSH users can be authenticated in four modes: RSA, password, password-RSA, and All. Password authentication depends on AAA. Before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.
- Configuring the system to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.
NOTE

Password-RSA authentication requires success of both password authentication and RSA authentication. The All authentication mode requires success of either password authentication or RSA authentication.

Do as follows on the device that functions as an SSH server:


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ssh user user-name

An SSH user is created. If password or password-RSA authentication is configured for the SSH user, create the same user in the AAA view and set the local user access type to SSH:
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to configure a local user name and password.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and return to the system view.

By default, a local user can use any access type. You can specify an access type to allow only users configured with the specified access type to log in to the device.
Step 3 Run:
rsa local-key-pair create

A local RSA key pair is generated.

NOTE
- The rsa local-key-pair create command must be used to create a local RSA key pair before other SSH-related configuration.
- After the key pair is generated, run the display rsa local-key-pair public command to view information about the public key in the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

An authentication mode is set for the SSH user. Perform either of the following operations as needed:
- Configure password authentication. Run the ssh user user-name authentication-type password command to configure password authentication, or run the ssh authentication-type default password command to configure default password authentication. If local or HWTACACS authentication is used and there are only a few users, use password authentication. If there are a large number of users, use default password authentication to simplify configuration.
- Configure RSA authentication.
  1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
  2. Run the rsa peer-public-key key-name command to enter the public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
  NOTE
  - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
  - After entering the public key edit view, paste the RSA public key generated on the client to the server.
  5. Run the public-key-code end command to exit from the public key edit view.
  - Running the peer-public-key end command generates a key only after valid hex-data complying with the public key format has been entered.
  - If the peer-public-key end command is used after the key key-name specified in step 2 has been deleted in another window, the system prompts a message indicating that the key does not exist, and the system view is displayed.
  6. Run the peer-public-key end command to return to the system view.
  7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Step 5 (Optional) Configure basic authentication information for the SSH user.
1. Run the ssh server rekey-interval hours command to set the interval at which the server key is updated. By default, the interval is 0, indicating that the key is never updated.
2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication. By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the maximum number of SSH authentication retries. By default, SSH authentication is retried a maximum of 3 times.
Step 6 Run:
ssh user username service-type { sftp | all }

The service type of the SSH user is set to SFTP or all. By default, the service type of an SSH user is none; that is, no service is supported.
Step 7 Run:
commit

The configuration is committed.
----End

4.5.2 Enabling the SFTP Server Function


Before using SFTP to access a device, enable the SFTP server function on the device.
Context
By default, the device is not enabled with the SFTP server function. Users can use SFTP to establish connections to the device only after the SFTP server function is enabled on the device. Do as follows on the device that functions as an SSH server:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
sftp server enable

The SFTP server function is enabled. By default, the SFTP server function is disabled.
Step 3 Run:
commit

The configuration is committed.
----End

4.5.3 (Optional) Configuring SFTP Server Parameters


You can configure a device to support the SSH protocol of earlier versions, configure or change the listening port number of an SFTP server, and set an interval at which the key pair of the SFTP server is updated.

Context
Table 4-5 lists SFTP server parameters.
Table 4-5 Description of SFTP server parameters
l Earlier SSH version compatibility: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. In addition, SSH2.0 supports more advanced services such as SFTP. The HUAWEI NetEngine5000E supports SSH with version number ranging from 1.3 to 2.0.
l Listening port number of an SFTP server: The default listening port number of an SFTP server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, affecting performance of the server, and causing valid users to be unable to access the server. After the listening port number of the SFTP server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
l Interval at which the key pair of the SFTP server is updated: After the interval is set, the key pair of the SFTP server is updated periodically to improve security.
l Timeout period of an idle connection: If a connection is idle within the timeout period, the system automatically cuts off the connection when the timeout period expires. This effectively prevents users from occupying connection resources for a long time without performing any operation.
l Maximum number of clients that can be connected to the server: If the specified maximum number is smaller than the number of clients that are currently connected to the server, the logged-in users will not be forced offline, and the server no longer accepts new connection requests.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Perform one or more operations shown in Table 4-6 as needed.
Table 4-6 Configurations of SFTP server parameters
l Earlier SSH version compatibility: Run the ssh server compatible-ssh1x enable command. By default, an SFTP server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable the system from supporting earlier SSH protocol versions.
l Listening port number of the SFTP server: Run the ssh server port port-number command. If a new listening port is set, the SFTP server cuts off all established STelnet and SFTP connections, and then uses the new port number to listen for connection requests. By default, the listening port number is 22.
l Interval at which the key pair of the SFTP server is updated: Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair will never be updated.
l Timeout period of an idle connection: Run the ssh server timeout seconds command. By default, the timeout period is 60 seconds.

Step 3 Run:
commit

The configuration is committed.
----End

4.5.4 Using SFTP to Access the System


After the configuration is complete, users can log in to the device from the PC by using SFTP to manage files on the device.

Context
Third-party software can be used to access the device from the PC by using SFTP. This section uses the third-party software OpenSSH and the Windows Command Prompt as an example. After installing OpenSSH on a PC, do as follows on the PC:
NOTE

For details about how to install OpenSSH, see the installation guide of the software. For details on how to use OpenSSH commands to log in to the system, see the help document of the software.

Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run relevant OpenSSH commands to log in to the device in SFTP mode. When the command prompt of the SFTP client view is displayed, such as sftp>, you have entered the working path of the SFTP server, as shown in Figure 4-5.

Figure 4-5 Schematic diagram for the working path of the FTP server

----End

4.5.5 Using SFTP to Operate Files


After logging in to the SFTP server, you can manage directories and files on the server.

Context
After logging in to the SFTP server, you can perform the following operations:
l Obtain command help on the SFTP client.
l Manage directories on the SFTP server.
l Manage files on the SFTP server.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]


The SFTP client view is displayed. You have successfully logged in to the SSH server by using SFTP.
Step 3 Perform one or more operations shown in Table 4-7 as needed.
Table 4-7 File operation
Managing directories:
l Changing the user's working directory: Run the cd [ remote-directory ] command.
l Changing the user's working directory to the parent directory: Run the cdup command.
l Displaying the user's working directory: Run the pwd command.
l Displaying files in the directory and the list of sub-directories: Run the dir / ls [ remote-directory ] command.
l Deleting directories on the server: Run the rmdir remote-directory &<1-10> command.
l Creating a directory on the server: Run the mkdir remote-directory command.
Managing files:
l Renaming a file on the server: Run the rename old-name new-name command.
l Downloading files from a remote server: Run the get remote-filename [ local-filename ] command.
l Uploading files to a remote server: Run the put local-filename [ remote-filename ] command.
l Deleting files from the server: Run the remove path &<1-10> command.
Displaying command help on the SFTP client: Run the help [ all | command-name ] command.

----End

4.5.6 Checking the Configuration


After completing the configuration of file operation by using SFTP, you can view information about SSH users and the configuration of the SSH server.

Prerequisite
The configuration of file operation by using SFTP is complete.


Procedure
l Run the display ssh user-information username command on the SSH server to check information about SSH users.
l Run the display ssh server status command on the SSH server to check its configuration.
l Run the display ssh server session command on the SSH server to check information about sessions between the SSH server and SSH clients.
l Run the display ssh server statistics command on the SSH server to view the total number of connections accepted, denied, and closed, and the total number of online connections.

----End

Example
Run the display ssh user-information client001 command to view information about the SSH user client001. The output shows that the authentication mode is password and the service type is sftp.
<HUAWEI> display ssh user-information client001
--------------------------------------
Username             : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:/home
Service-type         : sftp
Authorization-cmd    : Yes
--------------------------------------------
Total 1, 1 printed

Run the display ssh server status command to view configuration of the SSH server.
<HUAWEI> display ssh server status
SSH version                        : 2.0
SSH authentication timeout         : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility      : Disable
SSH server keep alive              : Enable
SFTP server                        : Disable
STELNET server                     : Enable
SNETCONF server                    : Disable
SSH server port                    : 1025
NOTE
If the default listening port is in use, information about the current listening port is not displayed.

Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.
<HUAWEI> display ssh server session
Session             : 2
Conn                : SFTP 0
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : sftp
Authentication Type : password

Run the display ssh server statistics command to view the current statistics of the SSH server.
<HUAWEI> display ssh server statistics
---------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
----------------------------------------
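As an added example that is not part of the Huawei guide, the following Python script audits the two outputs shown above, display ssh server status and display ssh server session, against the SFTP server parameters of Table 4-6. The sample outputs are constructed from the values in this section (with SSH1.x compatibility left enabled and the port line omitted, which the note above says happens when the default port is in use). The thresholds and the set of algorithms treated as weak are the editor's assumptions, not NE5000E defaults or vendor recommendations.

```python
"""Audit NE5000E 'display ssh server status' / 'display ssh server session' output.

Added example, not from the Huawei guide. Sample outputs are constructed from
the values shown in this section; policy thresholds are assumptions.
"""
import re

# Constructed sample: same fields as the guide's example, but SSH1.x
# compatibility is enabled and the port line is absent (default port in use).
SERVER_STATUS = """\
SSH version                        : 2.0
SSH authentication timeout         : 110 seconds
SSH server key generating interval : 2 hours
SSH version 1.x compatibility      : Enable
SSH server keep alive              : Enable
SFTP server                        : Enable
STELNET server                     : Enable
SNETCONF server                    : Disable
"""

# Constructed sample session, modelled on the guide's display ssh server session output.
SERVER_SESSION = """\
Session             : 2
Conn                : SFTP 0
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : sftp
Authentication Type : password
"""

# Assumed policy (editor's choice, not a vendor default).
WEAK_CIPHERS = {"des", "des-cbc"}
WEAK_HMACS = {"hmac-md5", "hmac-md5-96"}
MAX_AUTH_TIMEOUT_SECONDS = 120
MAX_REKEY_HOURS = 24
DEFAULT_SSH_PORT = 22


def parse_kv(text):
    """Turn 'Key : value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _leading_int(value):
    """'110 seconds' -> 110, '2 hours' -> 2; a missing or unparsable value -> 0."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else 0


def listening_port(status_text):
    """Port the SSH server listens on; an absent line means the default port is in use."""
    return _leading_int(parse_kv(status_text).get("SSH server port")) or DEFAULT_SSH_PORT


def audit_status(status_text):
    """Return a list of findings for the server-wide SSH settings."""
    s = parse_kv(status_text)
    findings = []
    if s.get("SSH version 1.x compatibility", "").lower() == "enable":
        findings.append("SSH1.x compatibility enabled; run 'undo ssh server compatible-ssh1x enable'")
    rekey_hours = _leading_int(s.get("SSH server key generating interval"))
    if rekey_hours == 0:
        findings.append("server key pair is never regenerated; set 'ssh server rekey-interval'")
    elif rekey_hours > MAX_REKEY_HOURS:
        findings.append(f"rekey interval {rekey_hours}h exceeds policy of {MAX_REKEY_HOURS}h")
    timeout = _leading_int(s.get("SSH authentication timeout"))
    if timeout > MAX_AUTH_TIMEOUT_SECONDS:
        findings.append(f"authentication timeout {timeout}s exceeds policy of {MAX_AUTH_TIMEOUT_SECONDS}s")
    return findings


def audit_session(session_text):
    """Return findings for one session: a weak cipher or HMAC in either direction."""
    s = parse_kv(session_text)
    who = f"session {s.get('Session', '?')} user {s.get('Username', '?')}"
    findings = []
    for field in ("CTOS Cipher", "STOC Cipher"):
        if s.get(field, "").lower() in WEAK_CIPHERS:
            findings.append(f"{who}: weak cipher {s[field]} ({field})")
    for field in ("CTOS Hmac", "STOC Hmac"):
        if s.get(field, "").lower() in WEAK_HMACS:
            findings.append(f"{who}: weak HMAC {s[field]} ({field})")
    return findings


if __name__ == "__main__":
    print(f"listening port: {listening_port(SERVER_STATUS)}")
    for finding in audit_status(SERVER_STATUS) + audit_session(SERVER_SESSION):
        print(finding)
```

Each finding names the command from Table 4-6 that changes the setting. The session check reads the negotiated algorithms per direction (CTOS and STOC), matching the prefer_ctos_* and prefer_stoc_* options of the sftp command in 4.5.5, so a client that negotiated hmac-md5 is reported even when the server side is otherwise compliant.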

4.6 Configuration Examples


This section provides configuration examples for operating files after logging in to the system or by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and precautions.

4.6.1 Example for Operating Files After Logging In to the System


This example describes how to log in to the system to view directories and copy files. For detailed configurations about operating files after logging in to the system, see Operating Files After Logging In to the System.

4.6.2 Example for Using FTP to Operate Files


Files can be uploaded and downloaded by using FTP.

Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be maintained and upgraded remotely. Online software upgrade, as a new upgrade method by loading software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for upgrade, and improves customers' satisfaction.
In real-world situations, delay, packet loss, and jitter affect data transmission on networks. To guarantee the quality of online upgrade and data transmission, use FTP to perform online upgrade and transfer files based on TCP connections.
As shown in Figure 4-6, after the FTP server function is enabled on the router, you can log in to the FTP server from the HyperTerminal to upload or download files.
Figure 4-6 Networking diagram for operating files by using FTP (PC on the network connected to the FTP server, whose interface GE0/0/0 has the IP address 10.137.217.221/16)

Precautions
The IP address of the FTP server must be configured on the MEth interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server function.
3. Configure the authentication information, authorization mode, and directories to be accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.

Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server: 10.137.217.221
l FTP user information (user name: huawei, password: huawei)
l Path on which the file to be uploaded is saved and the path on which the file to be downloaded is saved

Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname server
[~HUAWEI] commit
[~server] interface gigabitethernet0/0/0
[~server-GigabitEthernet0/0/0] undo shutdown
[~server-GigabitEthernet0/0/0] ip address 10.137.217.221 255.255.0.0
[~server-GigabitEthernet0/0/0] quit
[~server] commit

Step 2 Enable the FTP server function.


[~server] ftp server enable
[~server] commit

Step 3 Configure the authentication information, authorization mode, and authorized directories for an FTP user on the FTP server.
[~server] aaa
[~server-aaa] local-user huawei password simple huawei
[~server-aaa] local-user huawei service-type ftp
[~server-aaa] local-user huawei ftp-directory cfcard:/
[~server-aaa] quit
[~server] commit

Step 4 Run the ftp commands at the Windows Command Prompt, and enter the correct user name and password to set up an FTP connection to the FTP server, as shown in Figure 4-7.


Figure 4-7 Logging in to the FTP server

Step 5 Upload a file from the terminal to the server and download a file from the server, as shown in Figure 4-8.
Figure 4-8 Operating files by using FTP

NOTE

You can run the dir command before downloading a file or after uploading a file to view the detailed information about the file.

----End

Configuration Files
l Configuration file of the FTP server
#
 sysname server
#
aaa
 local-user huawei password simple huawei
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
ftp server enable
#
admin
return

4.6.3 Example for Using SFTP to Operate Files


In this example, a local key pair is configured on the SSH server, and a user name and a password are configured on the server for an SSH user. After the SFTP server function is enabled on the server and the SFTP client is connected to the server, you can operate files between the client and the server.

Networking Requirements
As devices operate stably and are deployed in large scopes, more and more devices need to be maintained and upgraded remotely. Online software upgrade, as a new upgrade method by loading software packages remotely, facilitates remote online upgrade, reduces upgrade expenditure, shortens the time that customers wait for upgrade, and improves customers' satisfaction.
FTP is usually used to transmit data for online upgrade. FTP transmits data and even user names and passwords in plain text, bringing security risks. SFTP enables users to log in to a remote device securely from PCs to manage files. This improves the security of data transmission for remote upgrade. In addition, the device can function as an SFTP client. This allows users that have logged in to the device to access other remote devices to transfer files and perform online upgrade by using SFTP.
As shown in Figure 4-9, after the SFTP server function is enabled on the router that functions as an SSH server, you can log in to the server in password, RSA, password-RSA, or all authentication mode from a PC that functions as an SFTP client.
Figure 4-9 Networking diagram for operating files by using SFTP (PC on the network connected to the SSH server, whose interface GE0/0/0 has the IP address 10.137.217.225/16)

Precautions
The IP address of the SSH server must be configured on the MEth interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server, allowing secure data transmission between the client and the server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the user authentication mode, user name, password, and authorized directory.
4. Enable the SFTP server function on the SSH server and configure the service type.

Data Preparation
To complete the configuration, you need the following data:
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.225

Procedure
Step 1 Configure the IP address of the FTP server.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] interface gigabitethernet0/0/0
[~SSH Server-GigabitEthernet0/0/0] undo shutdown
[~SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.225 255.255.0.0
[~SSH Server-GigabitEthernet0/0/0] quit
[~SSH Server] commit

Step 2 Configure a local key pair on the SSH server.


[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] :

Step 3 Configure the SSH user name and password on the SSH server.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password cipher huawei
[~SSH Server-aaa] local-user client001 level 3
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] quit
[~SSH Server] commit

Step 4 Enable the SFTP server function and set the service type to SFTP.
[~SSH Server] sftp server enable
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

Step 5 Configure the authorized directory for the SSH user.


[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] commit

Step 6 Verify the configuration.
# Access the SFTP server by using the OpenSSH software.


Figure 4-10 Schematic diagram for accessing the SFTP server by using the OpenSSH software

----End

Configuration Files
l Configuration file of the SSH server
#
 sysname SSH Server
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
#
aaa
 local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user client001 level 3
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.137.217.225 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return


5 Accessing Other Devices

About This Chapter

To operate files on other devices, and manage or configure these devices, access the device by using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
5.2 Using Telnet to Log In to Other Devices
Telnet helps users to log in to remote devices to manage and maintain the devices.
5.3 Using STelnet to Log In to Other Devices
STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the device that you have logged in to, and manage the remote devices.
5.4 Using TFTP to Access Other Devices
TFTP is used to transfer files between remote servers and local hosts. Unlike FTP, TFTP is simple, providing no authentication. It is applicable to scenarios without complicated interactions between the client and the server.
5.5 Using FTP to Access Other Devices
You can log in to an FTP server on the network from the device that functions as an FTP client to upload files to or download files from the server.
5.6 Using SFTP to Access Other Devices
SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP server authenticates the client and encrypts data in both directions to provide secure file transfer.
5.7 Configuration Examples
This section provides examples for configuring one device to access other devices. These configuration examples explain networking requirements, configuration roadmap, and precautions.


5.1 Overview
You can log in to one device and access another device by using Telnet, FTP, TFTP, or SFTP.
As shown in Figure 5-1, after you use the terminal emulator or Telnet program on a PC to connect to the router successfully, the router can still function as a client to help you access other devices on the network by using Telnet, FTP, TFTP, or SFTP.
Figure 5-1 Schematic diagram for accessing other devices (PC on the user network, Telnet client, IP network, Telnet server)

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:
l Telnet server: A user runs the Telnet client program on a PC to log in to the router to configure and manage the router. The router functions as a Telnet server.
l Telnet client: After using the terminal emulator or Telnet client program on a PC to connect to the router, a user runs the telnet command to log in to another device for configuration and management. The router functions as a Telnet client.
In Figure 5-2, the CE functions as both a Telnet server and a Telnet client.
Figure 5-2 Telnet server providing the Telnet client service (Telnet session 1 from the PC to the CE; Telnet session 2 from the CE to the PE, the Telnet server)

Telnet service interruption
Figure 5-3 Usage of Telnet shortcut keys (Telnet session 1 from P1, the Telnet client, to P2; Telnet session 2 from P2 to P3, the Telnet server)


Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 5-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the Telnet client of P3. The usage of shortcut keys is described as follows:
l Ctrl_]: Instructs the server to disconnect a Telnet connection. If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server interrupts the current Telnet connection. For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3>                                    Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2>                                    Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>
NOTE
If the network connection is disconnected, shortcut keys do not take effect.

l Ctrl_K: Instructs the client to disconnect the connection. When the server fails and the client is unaware of the failure, the server does not respond to client input. In this case, if you select Ctrl_K, the Telnet client interrupts the connection and quits the Telnet connection. For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3>                                    Select Ctrl_K to abort
<P1>

CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts subsequent users with a message, indicating that all user interfaces are in use and no more Telnet connections are allowed.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer files between local clients and remote servers. FTP uses two TCP connections to copy a file from one system to another. The TCP connections are usually established in client-server mode, one for control (the server port number is 21) and the other for data transmission (the server port number is 20).
l Control connection: issues commands from the client to the server and transmits replies from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.
FTP has two file transfer modes:
l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:
l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to the device, and run the ftp command to establish a connection between the device and a remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files on the device. Before users log in, the network administrator must configure an IP address for the FTP server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP, TFTP is simple, providing no authentication. It is applicable to scenarios where complicated interactions between clients and the server are not required. TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE

l Currently, the HUAWEI NetEngine5000E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine5000E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:
l When a TFTP client needs to download files from the server, the client sends a read request to the TFTP server. The server sends data packets to the client, and the client acknowledges the data packets.
l When a TFTP client needs to upload a file to the server, the client sends a write request and then data to the server, and receives acknowledgments from the server.
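The read-request exchange just described, as an added example that is not part of the Huawei guide and not NE5000E code: a Python codec for the RFC 1350 packet types and an in-memory server-and-client transfer. The file name, its contents and the read-only server are constructed for the example. It keeps to the binary (octet) mode noted above, and it makes the security property visible: the request carries a file name and a mode and nothing else, so a TFTP server has no way to tell clients apart.

```python
"""Minimal TFTP (RFC 1350) packet codec and an in-memory read transfer.

Added example, not from the Huawei guide. Shows RRQ -> DATA -> ACK ... until a
block shorter than 512 bytes ends the transfer. Sample file is constructed.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, file name, mode, each NUL-terminated. No credential field exists."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """Decode a TFTP packet into a dict keyed by 'op' plus the opcode's fields."""
    (op,) = struct.unpack("!H", packet[:2])
    if op in (RRQ, WRQ):
        filename, mode, _rest = packet[2:].split(b"\0", 2)
        return {"op": op, "filename": filename.decode(), "mode": mode.decode()}
    if op not in (DATA, ACK, ERROR):
        raise ValueError(f"unknown TFTP opcode {op}")
    (word,) = struct.unpack("!H", packet[2:4])  # block number, or error code
    if op == DATA:
        return {"op": op, "block": word, "data": packet[4:]}
    if op == ACK:
        return {"op": op, "block": word}
    return {"op": op, "code": word, "message": packet[4:].split(b"\0", 1)[0].decode()}


class TftpReadServer:
    """Serves an in-memory file set; accepts only binary (octet) reads."""

    def __init__(self, files):
        self.files = files      # {name: bytes}
        self.current = None     # bytes of the file being sent
        self.block = 0          # block number most recently sent

    def _data_packet(self):
        start = (self.block - 1) * BLOCK_SIZE
        return build_data(self.block, self.current[start:start + BLOCK_SIZE])

    def handle(self, packet):
        """Return the reply packet, or None once the final block has been acknowledged."""
        msg = parse(packet)
        if msg["op"] == RRQ:
            if msg["mode"].lower() != "octet":
                return build_error(0, "only binary (octet) mode is supported")
            if msg["filename"] not in self.files:
                return build_error(1, "File not found")
            self.current = self.files[msg["filename"]]
            self.block = 1
            return self._data_packet()
        if msg["op"] == WRQ:
            return build_error(2, "Access violation")  # read-only server
        if msg["op"] == ACK:
            if self.current is None or msg["block"] != self.block:
                return build_error(0, "unexpected ACK")
            sent = (self.block - 1) * BLOCK_SIZE
            if len(self.current) - sent < BLOCK_SIZE:  # the acknowledged block was the last one
                self.current = None
                return None
            self.block += 1
            return self._data_packet()
        return build_error(4, "Illegal TFTP operation")


def download(server, filename):
    """Client side of a read: send RRQ, ACK every DATA block, stop after a short block."""
    reply = server.handle(build_rrq(filename))
    received = b""
    while True:
        msg = parse(reply)
        if msg["op"] == ERROR:
            raise IOError(f"TFTP error {msg['code']}: {msg['message']}")
        received += msg["data"]
        reply = server.handle(build_ack(msg["block"]))
        if len(msg["data"]) < BLOCK_SIZE:  # short block: transfer complete
            return received


# Constructed sample file of 1283 bytes: three blocks (512, 512, 259).
SAMPLE_FILES = {"vrp-demo.bin": bytes(range(256)) * 5 + b"end"}
```

A file whose length is an exact multiple of 512 bytes is ended by an empty DATA block, which the server code above produces naturally because the block after the last full one is an empty slice. Since nothing in the exchange identifies or authenticates the client, the only controls available to a TFTP server are network placement and the set of files it is willing to serve; the NE5000E, as the note above says, acts only as a TFTP client.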

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely log in to the device to manage and transfer files. On the other hand, users can use the device functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs to detect the fault in time and remove the connection proactively. To help the client detect such a fault in time, configure an interval at which Keepalive packets are sent if no packet is received and the maximum number of times that the server may fail to respond to the client:
l If the client does not receive any packet within the specified period, the client sends a Keepalive packet to the server.
l If the number of times that the server does not respond exceeds the specified maximum, the client proactively releases the connection.

5.2 Using Telnet to Log In to Other Devices


Telnet helps users to log in to remote devices to manage and maintain the devices.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, you can log in to other devices by using Telnet from the device that you have logged in to.

As shown in Figure 5-4, the PC can use Telnet to log in to the Telnet client. As the PC does not have a reachable route to the Telnet server, you cannot manage the Telnet server remotely. To manage the Telnet server remotely, you can use the Telnet client to telnet to the Telnet server.
Figure 5-4 Networking diagram for accessing other devices (PC on the user network, Telnet client, IP network, Telnet server)

Pre-configuration Tasks
Before logging in to other devices by using Telnet, complete the following tasks:
l Logging In to the System by Using Telnet.
l Configuring a route to ensure that the Telnet client and server are routable.

Context
Telnet provides an interactive interface for users to log in to a remote server. You can log in to one device, and then telnet to other devices on the network to configure and manage these remote devices, instead of connecting a terminal to each of the devices. An IP address can be configured for an interface on the device and specified as the source IP address of an FTP connection for security checks. After the source IP address is configured for the Telnet client, the source IP address of the Telnet client displayed on the server is the same as the configured one. Perform either of the following operations based on the type of the source IP address:

Procedure
l If the source address is an IPv4 address: Run the telnet [ -a source-ip-address | -i interface-type interface-number ] [ vpn-instance vpn-instance-name ] host-name [ port-number ] command to log in to and manage other devices.
l If the source address is an IPv6 address: Run the telnet ipv6 ipv6-address [ -i interface-type interface-number ] [ port-number ] command to log in to and manage other devices.
----End

Checking the Configuration


After logging in to other devices by using Telnet, do as follows to check the configuration. Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port       Foreign Addr:Port      VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2    0.0.0.0:23            0.0.0.0:0              42949   LISTEN
0x80932727/4    0.0.0.0:22            0.0.0.0:0              42949   LISTEN
0x30666bb4/9    10.137.217.222:23     10.137.217.223:53930   0       Established
--------------------------------------------------------------------------------
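A parser for this output, as an added example that is not part of the Huawei guide: it reads the rows of display tcp status, lists the listening ports and the Established sessions, and reports anything on TCP port 23, the plain-text Telnet service that the next section recommends replacing with STelnet. The sample text is the output shown above, embedded inline; the class and function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the "display tcp status" output shown above, embedded
# inline so the parser can run offline.
SAMPLE_TCP_STATUS = """\
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port       Foreign Addr:Port      VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2    0.0.0.0:23            0.0.0.0:0              42949   LISTEN
0x80932727/4    0.0.0.0:22            0.0.0.0:0              42949   LISTEN
0x30666bb4/9    10.137.217.222:23     10.137.217.223:53930   0       Established
--------------------------------------------------------------------------------
"""

# Plain-text management services an auditor wants to know about; 22 (SSH) is
# the encrypted replacement and is not flagged.
PLAINTEXT_MGMT_PORTS = {23: "telnet"}


@dataclass(frozen=True)
class TcpEntry:
    socket_id: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    vpn_id: int
    state: str


# One table row: socket id, addr:port, addr:port, vpn id, state (IPv4 only).
_ROW = re.compile(
    r"^(?P<sock>0x[0-9A-Fa-f]+/\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<vpn>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_tcp_status(text: str) -> list[TcpEntry]:
    """Return the rows of 'display tcp status'. The prompt line, column header
    and dashed separators do not match the row pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        entries.append(TcpEntry(
            socket_id=m["sock"],
            local_addr=m["laddr"], local_port=int(m["lport"]),
            foreign_addr=m["faddr"], foreign_port=int(m["fport"]),
            vpn_id=int(m["vpn"]), state=m["state"],
        ))
    return entries


def established_sessions(entries: list[TcpEntry]) -> list[TcpEntry]:
    """The 'Established' rows: the page's success criterion for a Telnet login."""
    return [e for e in entries if e.state.lower() == "established"]


def listening_ports(entries: list[TcpEntry]) -> list[int]:
    return sorted({e.local_port for e in entries if e.state.upper() == "LISTEN"})


def plaintext_mgmt_findings(entries: list[TcpEntry]) -> list[str]:
    """Describe every listener or session on a plain-text management port."""
    findings = []
    for e in entries:
        service = PLAINTEXT_MGMT_PORTS.get(e.local_port)
        if service is None:
            continue
        if e.state.upper() == "LISTEN":
            findings.append(f"{service} listener on {e.local_addr}:{e.local_port} (vpn {e.vpn_id})")
        else:
            findings.append(f"{service} session {e.foreign_addr}:{e.foreign_port} -> "
                            f"{e.local_addr}:{e.local_port} ({e.state})")
    return findings


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_TCP_STATUS)
    print("listening ports:", listening_ports(rows))
    for finding in plaintext_mgmt_findings(rows):
        print("finding:", finding)
```

Run against captured output rather than the inline sample, the same functions give a quick inventory of which management services a router is actually exposing and who is connected to them.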

5.3 Using STelnet to Log In to Other Devices


STelnet provides secure Telnet services. You can use STelnet to log in to other devices from the device that you have logged in to, and manage the remote devices.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices by using Telnet from the device that you have logged in to.

Login by using Telnet brings security risks because Telnet does not provide any secure authentication mechanism and data is transmitted over TCP in plain text. STelnet provides secure Telnet services based on SSH connections. By providing encryption and authentication, SSH protects devices against IP address spoofing and plain-text password interception.

As shown in Figure 5-5, the HUAWEI NetEngine5000E supports the SSH function. You can log in to a remote device in SSH mode to manage and maintain the device. In this situation, the device that you have logged in to functions as the SSH client, and the remote device to be logged in to is the SSH server.

Figure 5-5 Networking diagram for logging in to other devices by using STelnet (Telnet client, IP network, Telnet server)

Pre-configuration Tasks
Before logging in to other devices by using STelnet, complete the following task:
- 3.4 Logging In to the System by Using STelnet

Configuration Procedures
Figure 5-6 Logging in to other devices by using STelnet (flowchart; optional procedures: enable first-time authentication on the SSH client, or bind the SSH client to the RSA public key generated on the SSH server, either of which allows users to log in to other devices successfully at the first time; mandatory procedure: use STelnet to log in to other devices)

5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)
After first-time authentication is enabled on the SSH client, the validity of the RSA public key of the SSH server is not checked when the STelnet client logs in to the SSH server for the first time.

Context
After first-time authentication is enabled on the SSH client, the validity of the RSA public key of the SSH server is not checked when the STelnet client logs in to the SSH server for the first time. After the first login, the system automatically allocates an RSA public key and saves the key for authentication during subsequent logins.

If first-time authentication is disabled, the STelnet client cannot log in to the SSH server because the validity check of the RSA public key fails. If the STelnet client must successfully log in to the SSH server at the first time, you can enable first-time authentication or configure the client to assign an RSA public key to the server in advance. For details, see 5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server).

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

Enable first-time authentication on the SSH client. By default, first-time authentication is disabled for an SSH client.

Step 3 Run:
commit

The configuration is committed.
----End

5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)
To allow the SSH client to successfully log in to the SSH server at the first time, configure the SSH client to assign an RSA public key to the SSH server before the login if first-time authentication is disabled.

Context
If first-time authentication is disabled, the SSH client cannot log in to the SSH server because the validity check of the RSA public key fails. An RSA public key needs to be assigned to the server before the SSH client logs in to the server. The RSA public key assigned to the SSH server must be generated on the server. Otherwise, the validity check for the RSA public key on the SSH client cannot succeed. Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key edit view is displayed.

Step 4 Enter hex-data to edit the public key.
The input public key must be a hexadecimal string complying with the public key format. The public key is generated randomly on the SSH server.
NOTE
After entering the public key edit view, copy and paste the RSA public key generated on the server to the client.

Step 5 Run:
public-key-code end

Exit from the public key edit view. If the configured public key contains invalid characters or does not comply with the public key format, a prompt is displayed, the configured public key is discarded, and the configuration fails. If the configured public key is valid, the key is saved into the client public key chain table.
- If no valid hex-data is specified, no public key will be generated.
- If key-name specified in Step 2 has been deleted in another window, the system prompts an error and returns to the system view.

Step 6 Run:
peer-public-key end

Exit from the public key view; the system view is displayed.

Step 7 Run:
ssh client server-ip-address assign rsa-key key-name

The RSA public key key-name is bound on the SSH client to the SSH server at server-ip-address.


NOTE
If the public key saved on the SSH client becomes invalid, run the undo ssh client server-ip-address assign rsa-key command to cancel the binding between the SSH client and the server, and then run the ssh client server-ip-address assign rsa-key key-name command to assign a new RSA public key.

Step 8 Run:
commit

The configuration is committed.
----End
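To make the trust decisions in 5.3.1 and 5.3.2 concrete (the SFTP procedures in 5.6.2 and 5.6.3 follow the same model), here is an added Python example, not Huawei code, that models the client-side logic: a key bound with ssh client server-ip-address assign rsa-key is compared on every login, an unknown server is accepted once and its key saved only when first-time authentication is enabled, and a key that differs from the saved one is refused. The class and function names, the server address and the placeholder key bytes are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class SshClientKeyStore:
    """Model of the SSH client's server-key trust decision (example's own
    names and logic, not the router's implementation)."""
    first_time_enabled: bool = False                        # 'ssh client first-time enable'
    pinned: dict[str, bytes] = field(default_factory=dict)  # server address -> bound key
    log: list[str] = field(default_factory=list)

    @staticmethod
    def fingerprint(key: bytes) -> str:
        digest = hashlib.sha256(key).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    @staticmethod
    def parse_hex_key(hex_data: str) -> bytes:
        """What the public-key-code begin/end view requires: a hexadecimal
        string. Anything else is discarded and the configuration fails."""
        cleaned = "".join(hex_data.split())
        if not cleaned or len(cleaned) % 2:
            raise ValueError("public key must be a non-empty even-length hex string")
        try:
            return bytes.fromhex(cleaned)
        except ValueError as exc:
            raise ValueError("public key contains invalid characters") from exc

    def assign_rsa_key(self, server_ip: str, hex_data: str) -> str:
        """'rsa peer-public-key' followed by 'ssh client <ip> assign rsa-key':
        bind a key that was copied from the server out of band."""
        key = self.parse_hex_key(hex_data)
        self.pinned[server_ip] = key
        return self.fingerprint(key)

    def unbind(self, server_ip: str) -> None:
        """'undo ssh client <ip> assign rsa-key'."""
        self.pinned.pop(server_ip, None)

    def verify_server_key(self, server_ip: str, presented_key: bytes) -> bool:
        """Decision taken when the STelnet or SFTP client connects and the
        server presents its public key."""
        known = self.pinned.get(server_ip)
        if known is not None:
            if known == presented_key:
                self.log.append(f"{server_ip}: key matches bound key, login continues")
                return True
            self.log.append(f"{server_ip}: KEY MISMATCH, presented {self.fingerprint(presented_key)} "
                            f"but bound {self.fingerprint(known)}, login refused")
            return False
        if self.first_time_enabled:
            # First login: accept and save the key for later comparisons.
            self.pinned[server_ip] = presented_key
            self.log.append(f"{server_ip}: first login, saved {self.fingerprint(presented_key)}")
            return True
        self.log.append(f"{server_ip}: unknown server and first-time authentication disabled, login refused")
        return False


def run_scenarios() -> dict[str, bool]:
    """Constructed walkthrough of 5.3.1 and 5.3.2. The key bytes are
    placeholders, not real RSA keys; the server address is made up."""
    genuine = b"constructed-placeholder-key-of-the-real-server"
    impostor = b"constructed-placeholder-key-of-some-other-host"
    server = "10.1.1.2"
    results: dict[str, bool] = {}

    # First-time authentication disabled and no key bound: login fails (5.3.2 context).
    client = SshClientKeyStore(first_time_enabled=False)
    results["unknown_server_first_time_disabled"] = client.verify_server_key(server, genuine)

    # Bind the key copied from the server: the genuine key passes, any other key is refused.
    client.assign_rsa_key(server, genuine.hex())
    results["bound_key_matches"] = client.verify_server_key(server, genuine)
    results["bound_key_mismatch"] = client.verify_server_key(server, impostor)

    # First-time authentication enabled: unknown server accepted once and saved;
    # a different key on a later login is refused.
    tofu = SshClientKeyStore(first_time_enabled=True)
    results["first_time_enabled_first_login"] = tofu.verify_server_key(server, genuine)
    results["first_time_enabled_key_changed_later"] = tofu.verify_server_key(server, impostor)
    return results
```

The binding path (5.3.2) is the stronger of the two because the key is obtained from the server operator rather than from whoever answers on the network at first login; the first-time path trades that assurance for convenience and only detects a change after the first connection.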

5.3.3 Using STelnet to Log In to Other Devices


You can log in to the SSH server from the SSH client by using STelnet to configure and manage the server.

Context
The SSH client can log in to the server without specifying the listening port number only when the listening port number of the server is 22. Otherwise, the listening port number must be specified. Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
stelnet [ -a source-address | -i interface-type interface-number ] host-ip-address [ port-number ] [ [ prefer-kex { dh-group1 | dh-exchange-group } ] [ prefer-ctos-cipher { des | 3des | aes128 } ] [ prefer-stoc-cipher { des | 3des | aes128 } ] [ prefer-ctos-hmac { sha1 | sha1-96 | md5 | md5-96 } ] [ prefer-stoc-hmac { sha1 | sha1-96 | md5 | md5-96 } ] [ -vpn-instance vpn-instance-name ] [ -ki interval [ -kc count ] ] ]*

The client logs in to the SSH server by using STelnet.
----End

5.3.4 Checking the Configuration


After completing the configuration for logging in to another device by using STelnet, you can view the mappings between SSH servers and RSA public keys on the SSH client, the global configuration of SSH servers, and the sessions between SSH servers and the client.

Prerequisite
The configuration for logging in to another device by using STelnet is complete.

Procedure
- Run the display ssh server-info command to check mappings between SSH servers and RSA public keys on the client.
----End

Example
Run the display ssh server-info command to view mappings between SSH servers and RSA public keys on the client.
<HUAWEI> display ssh server-info
Server Name(IP)                         Server public key name
________________________________________________________________________
1000::1                                 1000::1
10.164.39.223                           10.164.39.223
11.11.11.23                             11.11.11.23
10.164.39.204                           10.164.39.204
10.164.39.222                           10.164.39.222

5.4 Using TFTP to Access Other Devices


TFTP is used to transfer files between a remote server and local hosts. Unlike FTP, TFTP is simple and provides no authentication. It is applicable to scenarios that do not require complicated interactions between the client and the server.

Applicable Environment
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP requires complicated interactions between terminals and servers, which are hard to implement on terminals without advanced operating systems. TFTP is designed for file transfer that does not need complicated interactions between terminals and servers. It is simple and consumes few resources. TFTP can be used only for simple file transfer without authentication.
NOTE
Currently, the HUAWEI NetEngine5000E can function only as a TFTP client, not as a TFTP server.

Pre-configuration Tasks
Before using TFTP to access other devices, complete the following task:
- 3 Configuring User Login

Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

5.4.1 Configuring the Source Address for the TFTP Client


You can configure a source address for a TFTP client and use the source address to establish a TFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the TFTP client and use this IP address as the source address to establish a TFTP connection. This ensures the security of file transfer. Do as follows on the router that functions as a TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tftp client-source { -a ip-address | -i interface-type interface-number }

The source address of the TFTP client is configured.
NOTE
The interface type specified by interface-type must be loopback. After the source address of the TFTP client is configured, the source address of the TFTP client displayed on the server is the same as the configured one.

Step 3 Run:
commit

The configuration is committed.
----End

5.4.2 Configuring TFTP Access Control


An ACL can be configured to allow the TFTP client to access specified TFTP servers.

Context
An ACL is a set of sequential rules. These rules are described based on source addresses, destination addresses, and port numbers of packets. ACL rules are used to filter packets. After ACL rules are applied to a device, the device permits or denies packets based on the ACL rules. Multiple rules can be defined for one ACL. ACL rules are classified into interface ACL, basic ACL, and advanced ACL rules based on their functions.
NOTE
TFTP supports only basic ACLs (from ACL 2000 to ACL 2999).

Do as follows on the router that functions as a TFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl acl-number

The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

An ACL rule is configured.

Step 4 Run:
quit

The system view is displayed.

Step 5 Run:
tftp-server acl acl-number

The ACL is applied to the TFTP client to control its access to TFTP servers.

Step 6 Run:
commit

The configuration is committed.
----End
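An added Python model (not Huawei code) of the basic ACL and the tftp-server acl check from this procedure: it implements wildcard matching in the Huawei style (0 bits must match, 1 bits are ignored), rule IDs assigned in steps of 5, evaluation in rule-id order, and refusal of any TFTP server address that no rule permits. The ACL 2001 rules are the ones shown in 5.4.5; the assumption that an address matching no rule is denied, and the class and function names, are this example's own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str               # "permit" or "deny"
    source: str | None        # dotted IPv4 address, or None for 'any'
    wildcard: str = "0"       # wildcard mask: 0 bits must match, 1 bits are ignored


def _addr(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _wildcard(wc: str) -> int:
    # The CLI accepts "0" as shorthand for 0.0.0.0 (exact host match).
    return 0 if wc == "0" else _addr(wc)


def rule_matches(rule: AclRule, source_ip: str) -> bool:
    if rule.source is None:
        return True
    care = ~_wildcard(rule.wildcard) & 0xFFFFFFFF
    return (_addr(source_ip) & care) == (_addr(rule.source) & care)


class BasicAcl:
    """A basic ACL (2000-2999) evaluated in rule-id order ('match-order config')."""

    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 2999:
            raise ValueError("TFTP supports only basic ACLs 2000-2999")
        self.number, self.step = number, step
        self.rules: list[AclRule] = []
        self.hits: dict[int, int] = {}

    def rule(self, action: str, source: str | None = None,
             wildcard: str = "0", rule_id: int | None = None) -> AclRule:
        """Add a rule; without rule_id the next multiple of the step is used."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = (self.step if not self.rules
                       else (max(r.rule_id for r in self.rules) // self.step + 1) * self.step)
        new = AclRule(rule_id, action, source, wildcard)
        others = [r for r in self.rules if r.rule_id != rule_id]
        self.rules = sorted(others + [new], key=lambda r: r.rule_id)
        self.hits[rule_id] = 0
        return new

    def evaluate(self, source_ip: str) -> str:
        """First matching rule in rule-id order decides; no match is treated as
        deny (assumption for this model)."""
        for r in self.rules:
            if rule_matches(r, source_ip):
                self.hits[r.rule_id] += 1
                return r.action
        return "deny"

    def display(self) -> str:
        """Summary in the spirit of 'display acl' (layout is this example's own)."""
        lines = [f"Basic acl {self.number}, {len(self.rules)} rules",
                 f"Acl's step is {self.step}", "Acl's match-order is config"]
        for r in self.rules:
            src = "any" if r.source is None else f"{r.source} {r.wildcard}"
            lines.append(f" rule {r.rule_id} {r.action} source {src} ({self.hits[r.rule_id]} times matched)")
        return "\n".join(lines)


def tftp_transfer_allowed(acl: BasicAcl, server_ip: str) -> bool:
    """Models 'tftp-server acl <number>': the server address is checked
    against the ACL before the client sends a request."""
    return acl.evaluate(server_ip) == "permit"


def build_page_acl() -> BasicAcl:
    """ACL 2001 as shown in the 'display acl 2001' output of 5.4.5."""
    acl = BasicAcl(2001)
    acl.rule("permit", "1.1.1.1", "0")
    acl.rule("permit", "9.9.9.9", "0")
    return acl
```

Because a basic ACL filters on source address only, the check is a list of servers the client is allowed to talk to; it is not a substitute for the authentication TFTP lacks, but it does stop a mistyped or spoofed server address from receiving a configuration file.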

5.4.3 Using TFTP to Download Files from Other Devices


You can use a specified TFTP command to download files from a remote server to the local device.

Context
A Virtual Private Network (VPN) is a private network whose devices and terminals are connected over the Internet. To connect to a remote TFTP server in a VPN, specify vpn-instance vpn-instance-name in the TFTP command. To download a file, the TFTP client sends a read request to the TFTP server. After receiving data, the TFTP client sends an acknowledgment to the server.

Procedure
- Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

A file is downloaded by using TFTP. The interface type specified by interface-type must be loopback.
----End

5.4.4 Using TFTP to Upload Files to Other Devices


You can use TFTP commands to upload files to remote servers.

Context
To upload a file, the TFTP client sends a write request to the TFTP server. After receiving data, the TFTP client sends an acknowledgment to the server.

Procedure
- Run:
tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

A file is uploaded by using TFTP. The interface type specified by interface-type must be loopback.
----End
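The read-request exchange described in 5.4.3, carried through as an added Python example (not Huawei code) using the RFC 1350 packet encoding: an in-memory server answers a read request with DATA block 1, the client acknowledges each block, and a block shorter than 512 bytes ends the transfer. Uploads (5.4.4) use the same DATA and ACK packets with the roles reversed. The exchange also makes the page's security point visible: no credential appears anywhere in it, which is why the client-side ACL and source address of the previous sections are the only controls available. The simulator class, function names, file names and contents are constructed for the example.

```python
from __future__ import annotations

import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350: a DATA block shorter than 512 bytes ends the transfer


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt: bytes) -> dict:
    """Decode one TFTP packet into a dict keyed by 'op'."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (OP_RRQ, OP_WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3:           # filename, mode and the trailing terminator
            raise ValueError("malformed request")
        return {"op": opcode, "filename": fields[0].decode(), "mode": fields[1].decode().lower()}
    value = struct.unpack("!H", pkt[2:4])[0]
    if opcode == OP_DATA:
        return {"op": opcode, "block": value, "data": pkt[4:]}
    if opcode == OP_ACK:
        return {"op": opcode, "block": value}
    if opcode == OP_ERROR:
        return {"op": opcode, "code": value, "message": pkt[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


class TftpServerSim:
    """In-memory stand-in for a TFTP server (constructed). Note what is absent:
    no user name, password or key is exchanged, so reachability alone grants
    access to every file the server serves."""

    def __init__(self, files: dict[str, bytes]):
        self.files = files
        self._data = b""
        self._block = 0
        self._finished = True
        self.data_packets_sent = 0

    def _send_block(self, block: int) -> bytes:
        chunk = self._data[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        self._block = block
        self._finished = len(chunk) < BLOCK_SIZE
        self.data_packets_sent += 1
        return build_data(block, chunk)

    def handle_request(self, pkt: bytes) -> bytes:
        req = parse_packet(pkt)
        if req["op"] != OP_RRQ:                      # this simulator serves reads only
            return build_error(4, "Illegal TFTP operation")
        if req["filename"] not in self.files:
            return build_error(1, "File not found")
        self._data = self.files[req["filename"]]
        return self._send_block(1)                   # DATA block 1 is the reply to the RRQ

    def handle_ack(self, pkt: bytes) -> bytes | None:
        ack = parse_packet(pkt)
        if ack["op"] != OP_ACK or ack["block"] != self._block:
            return None                              # stale or wrong ACK: ignored
        if self._finished:
            return None                              # final ACK received, transfer complete
        return self._send_block(self._block + 1)


def tftp_get(server: TftpServerSim, filename: str) -> bytes:
    """Client side of 'tftp ... get': send an RRQ, then ACK every DATA block
    until a block shorter than BLOCK_SIZE arrives."""
    pkt = server.handle_request(build_request(OP_RRQ, filename))
    received = bytearray()
    expected = 1
    while True:
        p = parse_packet(pkt)
        if p["op"] == OP_ERROR:
            raise RuntimeError(f"TFTP error {p['code']}: {p['message']}")
        if p["op"] != OP_DATA or p["block"] != expected:
            raise RuntimeError("unexpected packet during transfer")
        received += p["data"]
        reply = server.handle_ack(build_ack(expected))
        if len(p["data"]) < BLOCK_SIZE:
            return bytes(received)
        pkt = reply
        expected += 1
```

A file whose size is an exact multiple of 512 bytes is terminated by an empty DATA block, which the code handles by treating any block shorter than 512 bytes, including zero bytes, as the last one.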

5.4.5 Checking the Configuration


After completing the configuration of using TFTP to access another device, you can view the source address of the TFTP client and configured ACL rules.

Prerequisite
The configurations of using TFTP to access other devices are complete.

Procedure
- Run the display tftp-client command to check the source address of the TFTP client.
- Run the display acl { acl-number | all } command to check ACL rules configured on the TFTP client.
----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
----------------------------------------------------------------------
acl4Number      : 0
SrcIPv4Addr     : 0.0.0.0
Interface Name  : LoopBack0
----------------------------------------------------------------------

Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
 rule 5 permit ip source 1.1.1.1 0 (2 times matched)
 rule 10 permit ip source 9.9.9.9 0 (3 times matched)

5.5 Using FTP to Access Other Devices


You can log in to an FTP server on the network from the device that functions as an FTP client to upload files to or download files from the server.

Applicable Environment
When you need to transfer files with a remote FTP server or manage directories of the server, you can configure the current device as an FTP client and then access the FTP server by using FTP.

Pre-configuration Tasks
Before using FTP to access another device, complete the following task:
- Configuring User Login

Configuration Procedures
Figure 5-7 Using FTP to operate files (flowchart: configure the source address for the FTP client (optional); use FTP commands to connect to other devices; use FTP commands to operate files; change the logged-in user (optional); terminate the connection to the FTP server)

5.5.1 (Optional) Configuring the Source Address for the FTP Client
You can configure a source address for an FTP client and use the source address to establish an FTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the router and use this IP address as the source address to establish an FTP connection. This ensures the security of file transfer. Do as follows on the router that functions as an FTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp client-source { -a ip-address | -i interface-type interface-number }

The source address is configured. The value of interface-type must be loopback. After the source address of the FTP client is configured, you can run the display ftp-users command on the FTP server to check that the displayed source address of the FTP client is the same as the configured one.

Step 3 Run:
commit

The configuration is committed.
----End

5.5.2 Using FTP to Connect the FTP Client to Other Devices


FTP commands can be used to log in to other devices from the FTP client.

Context
Commands can be run in the user or FTP client view to establish connections with remote FTP servers.
NOTE
- If the ftp command is used without any parameters in the user view, the FTP client view is displayed but no control connection to an FTP server is established.
- When using the ftp command in the user view or the open command in the FTP client view to establish a control connection to a remote FTP server, you do not need to specify the listening port number if the FTP server uses the default one; otherwise, you must specify the listening port number in the command.

Perform either of the following operations on the FTP client based on the type of IP address of the server:

Procedure
- If the server has an IPv4 address, use the commands listed in Table 5-1 to connect the client to other devices.

Table 5-1 Using FTP commands to connect the FTP client to other devices
View              Operation
User view         Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to establish a connection to the FTP server.
FTP client view   Run the open { -a source-ip | -i interface-type interface-number } host-ip-address [ port-number ] [ vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.

- If the server has an IPv6 address, use the commands listed in Table 5-2 to connect the client to other devices.

Table 5-2 Using FTP commands to connect the FTP client to other devices
View              Operation
User view         Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.
FTP client view   Run the open ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.

----End

5.5.3 Using FTP to Operate Files


After logging in to an FTP server, you can use FTP commands to operate files, including configuring the file transfer mode, viewing online help for FTP commands, uploading files, managing directories, and managing files.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform one or more operations shown in Table 5-3 as needed.

Table 5-3 File operations

Managing files
- Configuring the file type: Run the ascii command to set the file type to ASCII, or run the binary command to set the file type to binary. The FTP file type is determined by the client. By default, the ASCII type is used.
- Configuring the data connection mode: Run the passive command to set the data connection mode to PASV, or run the undo passive command to set the data connection mode to ACTIVE. By default, the PASV mode is used.
- Uploading files: Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server, or run the mput local-filenames command to upload multiple files from the local device to a remote server.
- Downloading files: Run the get remote-filename [ local-filename ] command to download a file from a remote server and save it on the local device, or run the mget remote-filenames command to download multiple files from a remote server and save them on the local device.
- Enabling the file transfer prompt function: If the prompt command is run in the FTP client view to enable the file transfer prompt function, the system prompts you to confirm each upload or download. If the prompt command is run again in the FTP client view, the file transfer prompt function is disabled.
  NOTE: The prompt command applies to the scenario where the mput or mget command is used to upload or download files. If the local device already has the files to be downloaded by running the mget command, the system prompts you to overwrite the existing ones regardless of whether the file transfer prompt function is enabled.
- Enabling the FTP verbose function: Run the verbose command. After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.

Managing directories
- Changing the working path of a remote FTP server: Run the cd pathname command.
- Changing the working path of an FTP server to the parent directory: Run the cdup command.
- Displaying the working path of an FTP server: Run the pwd command.
- Displaying files in a directory and the list of subdirectories: Run the dir [ remote-directory [ local-filename ] ] command. If no path name is specified for a specified remote file, the system searches for the file in the authorized directory of the user.
- Displaying a specified remote directory or file on an FTP server: Run the ls [ remote-directory [ local-filename ] ] command.
- Displaying or changing the working path of an FTP client: Run the lcd [ directory ] command. The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.
- Creating a directory on an FTP server: Run the mkdir remote-directory command. The directory name can be a combination of letters and numbers, excluding special characters such as "<", ">", "?", "\", or ":".
- Deleting a directory from an FTP server: Run the rmdir remote-directory command.
- Displaying online help for an FTP command: Run the remotehelp [ command ] command.
- Changing an FTP user: Run the user username [ password ] command.

----End

5.5.4 (Optional) Changing the User Login


You can allow users with different rights to log in.

Context
After the device functions as an FTP client and establishes a connection to an FTP server, you can change the logged-in user to allow users with different rights to access the server. Changing the logged-in user does not affect established FTP connections: the FTP control and data connections and the connection status do not change. If the user name or password entered for the new user is incorrect, the established connection is disconnected. To access the server again, the user must log in again from the FTP client.
NOTE
After logging in to the HUAWEI NetEngine5000E, you can log in to the FTP server by using another user name without exiting the FTP client view. The established FTP connection is identical with that established by running the ftp command.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Run:
user user-name [ password ]

The logged-in user is changed, and another user logs in to access the FTP server. After the logged-in user is changed, the connection between the original user and the FTP server is disconnected.

Step 3 Run:
commit

The configuration is committed.
----End

5.5.5 Terminating a Connection to the FTP Server


To save system resources and ensure successful logins of valid users to the FTP server, terminate connections to the FTP server.

Context
After the number of users logging in to an FTP server reaches the upper limit, no more valid users can log in. To allow valid users to log in to the FTP server, terminate idle connections to the FTP server.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of IP address of the server:
- Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to establish a connection to the FTP server and enter the FTP client view.
- Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to use an IPv6 address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform either of the following operations as needed to terminate an FTP connection:
- Run the bye or quit command to terminate the connection to the FTP server and return to the user view.
- Run the close or disconnect command to terminate both the connection to the FTP server and the FTP session but remain in the FTP client view.
----End

5.5.6 Checking the Configuration


After completing the configuration of accessing other devices by using FTP, you can view the parameters configured on the FTP client.

Prerequisite
The configurations of accessing other devices by using FTP are complete.

Procedure
- Run the display ftp-client command to check the source address of the FTP client.
----End

Example
After configuring the source IP address of the FTP client, run the display ftp-client command to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 10.1.1.1
Interface Name :
-----------------------------------------

After configuring the loopback interface of the FTP client, run the display ftp-client command to view the configuration.
<HUAWEI> display ftp-client
-----------------------------------------
SrcIPv4Addr    : 0.0.0.0
Interface Name : LoopBack0
-----------------------------------------

5.6 Using SFTP to Access Other Devices


SFTP provides a secure FTP service. The device is configured as an SFTP client. The SFTP server authenticates the client and encrypts data in both directions to provide secure file transfer.

Applicable Environment
SFTP is short for SSH FTP. Based on SSH, SFTP ensures that users log in to a remote device securely to manage and transfer files, enhancing secure file transfer. As the device can function as an SFTP client, you can log in to a remote SSH server from the device to transfer files securely.

Pre-configuration Tasks
Before using SFTP to access other devices, complete the following task:
- Configuring a route between the client and the server to make them routable

Configuration Procedures
Figure 5-8 Using SFTP to access other devices (flowchart with two branches: configure the source address for the SFTP client (optional); then either enable first-time authentication on the SSH client or bind the RSA public key generated on the SSH server to the SSH client, so that users can log in to the system successfully at the first time; then use SFTP to log in to other devices and use SFTP commands to operate files)

5.6.1 (Optional) Configuring the Source Address for the SFTP Client
You can configure a source address for an SFTP client and use the source address to establish an SFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the source address to establish an SFTP connection. This ensures the security of file transfer. The source address for an SFTP client can be a source interface or a source IP address. Do as follows on the device functioning as an SFTP client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }

The source address of the SFTP client is configured.

Step 3 Run:
commit

The configuration is committed.
----End

5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client)
After first-time authentication is enabled on the SSH client, the RSA public key presented by the SSH server is not checked when the SFTP client logs in to that server for the first time.

Context
After first-time authentication is enabled on the SSH client, the SSH server's RSA public key is not validated on the first login. The client saves the key it received during that first login and uses it to authenticate the server on all subsequent logins. This is trust on first use: the first login cannot detect an attacker who intercepts the connection, and in that case the attacker's key is the one that gets saved. On a production network, compare the key the server presents with the output of display rsa local-key-pair public on the server before accepting it, or bind the server's key on the client in advance (see 5.6.3) and leave first-time authentication disabled.

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ssh client first-time enable

First-time authentication is enabled on the SSH client. By default, first-time authentication is disabled for an SSH client.

Step 3 Run:
commit

The configuration is committed.
----End

5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server)
If first-time authentication is disabled on the SSH client, configure the RSA public key of the SSH server on the client and bind it to the server's IP address before the SFTP (SSH) client logs in to the server.

Context
If first-time authentication is disabled, the SFTP client refuses to log in to an SSH server whose RSA public key it cannot validate. Therefore, copy the server's RSA public key to the client and bind it to the server's IP address before the first login. This is the safer of the two methods shown in Figure 5-8, because the client only ever accepts a key that an administrator obtained from the server out of band.

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:
public-key-code begin

The public key edit view is displayed.

Step 4 Enter hex-data to edit the public key.
The input public key must be a hexadecimal string complying with the public key format. Use the Key Code that the server prints for its host key (display rsa local-key-pair public on the server); the key pair itself is generated on the SSH server with rsa local-key-pair create.

NOTE
After entering the public key edit view, copy and paste the RSA public key generated on the server to the client.

Step 5 Run:
public-key-code end

The public key edit view is exited. If the configured public key contains invalid characters or does not comply with the public key format, a prompt is displayed, the configured public key is discarded, and the configuration fails. If the configured public key is valid, it is saved in the client's public key chain table.
- If no valid hex-data is specified, no public key is generated.
- If the key-name specified in Step 2 has been deleted in another window, the system prompts an error and returns to the system view.

Step 6 Run:
peer-public-key end

The public key view is exited, and the system view is displayed.

Step 7 Run:
ssh client server-ip-address assign rsa-key key-name

The RSA public key is bound to the SSH server address on the SSH client.

NOTE
If the public key saved on the SSH client becomes invalid (for example, after the server regenerates its key pair), run the undo ssh client server-ip-address assign rsa-key command to cancel the binding between the client and the server, and then run the ssh client server-ip-address assign rsa-key key-name command again with the new key.

Step 8 Run:
commit

The configuration is committed.
----End

5.6.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.

Context
The command used to start the SFTP client is similar to the command used to start the STelnet client. Both commands can carry the source address, key exchange algorithm, encryption algorithm, HMAC algorithm, and keepalive interval. The des cipher and the md5 and md5_96 HMACs are offered only for compatibility with old servers; prefer aes128 and sha1, and prefer dh_exchange_group over dh_group1, which negotiates a fixed 1024-bit Diffie-Hellman group. The algorithms actually negotiated for a session are shown by display ssh server session on the server.

Do as follows on the device that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed: you have logged in to the SSH server by using SFTP.

Step 3 Run:
commit

The configuration is committed.
----End

5.6.5 Using SFTP to Operate Files


You can manage directories and files of the SSH server on the SFTP client, and view help for all SFTP commands on the SFTP client.

Context
After logging in to the SSH server from the SFTP client, you can perform the following operations on the SFTP client:
- Create and delete directories on the SSH server; view the current working directory; view the files in a directory and the list of sub-directories.
- Rename, delete, upload, and download files.
- View command help on the SFTP client.

Do as follows on the router that functions as an SSH client:

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

The SFTP client view is displayed: you have logged in to the SSH server by using SFTP.

Step 3 Perform one or more operations shown in Table 5-4 as needed.

Table 5-4 File operations
Operation                                                      Command
Managing directories
  Changing the user's working directory                        cd [ remote-directory ]
  Changing the working directory to the parent directory       cdup
  Displaying the user's working directory                      pwd
  Displaying the files and sub-directories in a directory      dir / ls [ remote-directory ]
  Deleting directories on the server                           rmdir remote-directory &<1-10>
  Creating a directory on the server                           mkdir remote-directory
Managing files
  Renaming a file on the server                                rename old-name new-name
  Downloading files from the remote server                     get remote-filename [ local-filename ]
  Uploading files to the remote server                         put local-filename [ remote-filename ]
  Deleting files from the server                               remove path &<1-10>
Displaying command help on the SFTP client                     help [ all | command-name ]

----End

5.6.6 Checking the Configuration


After completing the configuration of using SFTP to access other devices, you can view the source address of the SFTP client and the mappings between SSH servers and RSA public keys on the client.

Prerequisite
The configurations of using SFTP to access other devices are complete.

Procedure
- Run the display sftp-client command to check the source address of the SFTP client.
- Run the display ssh server-info command to check mappings between SSH servers and RSA public keys on the client.
----End

Example
Run the display sftp-client command on the client to view parameters about the SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view mappings between servers and RSA public keys on the client. A server listed here is checked against the saved key on every login; a server that is not listed is accepted only if first-time authentication is enabled.
<HUAWEI> display ssh server-info
Server Name(IP)                 Server public key name
________________________________________________________________________
1000::1                         1000::1
10.1.1.1                        10.1.1.1
100.1.1.23                      100.1.1.23
10.164.1.1                      10.164.1.1
10.164.1.2                      10.164.1.2

5.7 Configuration Examples


This section provides examples for configuring one device to access other devices. These configuration examples explain networking requirements, configuration roadmap, and precautions.

5.7.1 Example for Using Telnet to Log In to Other Devices


This example shows how to log in to another device by using Telnet. You can configure the user authentication mode and password to log in to another device by using Telnet.

Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, you can log in to other devices by using Telnet from the device that you have already logged in to.

As shown in Figure 5-9, a user can telnet to P1 but cannot directly telnet to P2. P1 and P2 are routable. The user logs in to P1, and then telnets from P1 to P2 to remotely configure and manage P2.

Figure 5-9 Networking diagram for using Telnet to log in to another device
[PC --(session)-- Network -- P1 (GE1/0/1, 1.1.1.1/24) --(session)-- Network -- P2 (GE1/0/1, 2.1.1.1/24)]

Precautions
- P1 and P2 must be routable.
- The user must be able to log in to P1.
- Telnet sends the login password and the whole session in plain text. Use it only across a trusted management network and prefer STelnet (see 5.7.2) where the devices support it.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Log in to P2 from P1.

Data Preparation
To complete the configuration, you need the following data:
- Host address of P2: 2.1.1.1
- Authentication mode: password (password: hello)

Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[~HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password simple hello
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

To restrict the source addresses that may telnet to P2, bind a basic ACL to the VTY user interfaces on P2. The following ACL admits only P1 (1.1.1.1):
[~P2] acl 2000
[~P2-acl-basic-2000] rule permit source 1.1.1.1 0
[~P2-acl-basic-2000] quit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] acl 2000 inbound
[~P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

NOTE
Configuring an ACL for Telnet services is optional. It is, however, the only control in this example that limits where the plain-text password can be tried from.

Step 2 Verify the configuration.
After the configurations are complete, the user can telnet from P1 to P2.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[~HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1
Username: root
Password:
<P2>
----End

Configuration Files
- Configuration file of P1
#
 sysname P1
#
interface gigabitethernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
admin
return

- Configuration file of P2
#
 sysname P2
#
acl number 2000
 rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
 set authentication password simple hello
 acl 2000 inbound
#
admin
return
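The ACL in the Telnet example above admits a single source address. The following Python model is added here as an example and is not part of the Huawei guide: it shows how a basic ACL bound with acl 2000 inbound decides which Telnet sources reach the VTY lines, including the difference between a wildcard and a subnet mask. The rule syntax parsed is the subset the guide uses plus source any. First-match evaluation and the implicit deny of unmatched sources are assumptions about VRP behaviour, and rules 10, 15 and 20 are constructed for illustration.

```python
"""Added example, not from the Huawei guide: a model of how a basic ACL bound
to the VTY lines with 'acl 2000 inbound' decides which Telnet sources get a
login prompt. Wildcard semantics (0 bit = must match, 1 bit = don't care),
first-match evaluation and the implicit deny of unmatched sources are
assumptions about VRP behaviour."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(token):
    return int(ipaddress.IPv4Address(token))


def _wildcard(token):
    # The guide writes 'source 1.1.1.1 0'; a bare integer is a wildcard too.
    return int(token) if token.isdigit() else _addr(token)


def parse_rule(line):
    """Parse 'rule [id] {permit|deny} source {A.B.C.D WILDCARD | any}'."""
    words = line.split()
    if not words or words[0] != "rule":
        raise ValueError("not an ACL rule: %r" % line)
    i, rule_id = 1, None
    if words[i].isdigit():
        rule_id, i = int(words[i]), i + 1
    action = words[i]
    if action not in ("permit", "deny") or words[i + 1] != "source":
        raise ValueError("unsupported rule: %r" % line)
    if words[i + 2] == "any":
        network, wildcard = 0, ALL_ONES
    else:
        network, wildcard = _addr(words[i + 2]), _wildcard(words[i + 3])
    return {"id": rule_id, "action": action, "network": network, "wildcard": wildcard}


def matches(rule, source_ip):
    """Only the bits that are 0 in the wildcard have to agree."""
    care = ALL_ONES & ~rule["wildcard"]
    return (_addr(source_ip) & care) == (rule["network"] & care)


def vty_admits(rules, source_ip):
    """First matching rule wins; no match means the connection is refused."""
    for rule in rules:
        if matches(rule, source_ip):
            return rule["action"] == "permit"
    return False


# Rule 5 is the guide's; rules 10 and 15 are constructed for illustration.
ACL_2000 = [parse_rule(r) for r in (
    "rule 5 permit source 1.1.1.1 0",
    "rule 10 permit source 10.1.0.0 0.0.255.255",   # a 10.1.0.0/16 management net
    "rule 15 deny source any",
)]

# Typing a subnet mask where a wildcard belongs inverts the meaning: this rule
# admits any address whose last two octets are 0.0, not the 10.1.0.0/16 net.
MISTYPED_RULE = parse_rule("rule 20 permit source 10.1.0.0 255.255.0.0")

if __name__ == "__main__":
    for src in ("1.1.1.1", "1.1.1.2", "10.1.200.7", "10.2.0.1"):
        print(src, "admitted" if vty_admits(ACL_2000, src) else "refused")
    print("mistyped rule admits 192.168.0.0:", matches(MISTYPED_RULE, "192.168.0.0"))
```

The mistyped rule is the case worth remembering when reviewing a VTY ACL: a wildcard of 255.255.0.0 cares about the last two octets only, so the rule admits 192.168.0.0 and refuses 10.1.2.3, the opposite of what the author intended.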

5.7.2 Example for Using STelnet to Log In to Other Devices


This example shows how to log in to another device by using STelnet. To allow the STelnet clients to connect to the SSH server, generate a local key pair on the server and on the client that uses RSA authentication, copy that client's RSA public key to the server, and bind the key to the client's SSH user.
Networking Requirements
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices from the device that you have already logged in to.

Logging in by using Telnet is a security risk: Telnet provides no secure authentication mechanism, and data, including passwords, is carried over TCP in plain text. STelnet provides secure Telnet services on top of SSH connections. By providing encryption and authentication, SSH protects devices against IP address spoofing and plain-text password interception.

As shown in Figure 5-10, after the STelnet server function is enabled on the SSH server, the STelnet client can log in to the SSH server in the password, RSA, password-RSA, or all authentication mode.

Figure 5-10 Networking diagram for logging in to another device by using STelnet
[SSH Server: GE0/0/0 1.1.1.1/16; Client 001: GE0/0/0 1.1.2.2/16; Client 002: GE0/0/0 1.1.3.3/16]

Precautions
Two users, client001 and client002, are configured to log in to the SSH server in the password and RSA authentication modes respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication modes to log in to the SSH server.
2. Generate local key pairs on client002 and on the SSH server, copy the RSA public key of client002 to the SSH server, and bind it to the SSH user client002 so that the server can authenticate the client when it attempts to log in.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first-time authentication on the SSH clients.
6. Log in to the SSH server from client001 and client002 by using STelnet.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: huawei)
- Client002: RSA authentication (public key name on the server: rsakey001)
- IP address of the SSH server: 1.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024

The default of 512 bits is far too small for a host key. Choose the largest modulus the range allows (2048 here) rather than the 1024 bits used in this example; the key is generated once and reused for every session, so the extra minutes are well spent.

Step 2 Create SSH users on the server.

NOTE
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
- If the authentication mode is password or password-RSA, configure a local user on the server with the same user name.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] user privilege level 5
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure the RSA public key of client002 on the server.
# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
NOTE: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client.
[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name                 : VRPV8_Host
Key Type                 : RSA Encryption Key
========================================================
Key Code:
308188
028180
  B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
  A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
  411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
  40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
  1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
  A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
  171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567573103988800864515116082212188211715628656374631408471571024221094769443635936192463776051473454419198804475247192440223714532116284962605275170186238175974546133321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name                 : VRPV8_Server
Key Type                 : RSA Encryption Key
========================================================
Key Code:
3067
0260
  BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
  E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
  7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
  B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
  2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

The Key Code under Host Key is the same RSA public key as the PEM, OpenSSH and SSH1 lines below it, only in DER hex; it is the form that the public-key-code view on the server accepts. The Server Key is a second, 768-bit pair that is not used in this example.

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-public-key-rsa-key-code] 308188
[~SSH Server-rsa-public-key-rsa-key-code] 028180
[~SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[~SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[~SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[~SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[~SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[~SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[~SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[~SSH Server-rsa-public-key-rsa-key-code] 0203
[~SSH Server-rsa-public-key-rsa-key-code] 010001
[~SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.
[~SSH Server] ssh user client002 assign rsa-key rsakey001
[~SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.
[~SSH Server] stelnet server enable
[~SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.
[~SSH Server] ssh user client001 service-type stelnet
[~SSH Server] ssh user client002 service-type stelnet
[~SSH Server] commit

Step 7 Connect the STelnet clients to the SSH server.
# If a client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.
[~client002] ssh client first-time enable
[~client002] commit

# Client001 logs in to the SSH server in password authentication mode by entering the user name and password.
[~client001] stelnet 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as follows:
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

Answering Y to "The server is not authenticated" accepts whatever host key the peer at 1.1.1.1 presented and saves it under that address for all later logins. Before answering on a production network, compare the key with the host key shown by display rsa local-key-pair public on the SSH server, or bind the server's key on the client in advance as described in 5.6.3.

# Client002 logs in to the SSH server in RSA authentication mode.
[~client002] stelnet 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message "Session is disconnected" is displayed.

Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. You can find that the STelnet server function has been enabled and that the STelnet clients have logged in to the server successfully.

# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable

An SSH version of 1.99 means the server accepts both SSH 1.x and SSH 2.0 clients; both sessions below negotiated version 2.0.

# Check the connections to the SSH server.
[~SSH Server] display ssh server session
Session             : 1
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : password

Session             : 2
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group-exchange-sha1
Service Type        : stelnet
Authentication Type : rsa

# Check the current statistics of the SSH server.
[~SSH Server] display ssh server statistics
---------------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username             : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       : cfcard:
Service-type         : stelnet

Username             : client002
Authentication-type  : rsa
User-public-key-name : rsakey001
Sftp-directory       :
Service-type         : stelnet
----------------------------------------------------

----End
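The two first-login methods of 5.6.2 and 5.6.3 and the key material displayed in Step 3 above come together in the following Python example, which is added here and is not part of the Huawei guide. It parses the Key Code hex that display rsa local-key-pair public prints (the client002 host key above, copied verbatim), re-encodes it in the OpenSSH ssh-rsa form that the device also prints, fingerprints it, flags a modulus shorter than 2048 bits, and models the client's decision for three cases: the server's key is bound with ssh client <ip> assign rsa-key, first-time authentication is enabled, or neither. The decision model, its result names and the 2048-bit threshold are this example's own assumptions, not device behaviour documented on the page.

```python
"""Added example, not from the Huawei guide: parse the Key Code hex that
display rsa local-key-pair public prints, re-encode it as OpenSSH ssh-rsa,
fingerprint it, and model the client-side trust decision behind
ssh client first-time enable and ssh client <ip> assign rsa-key."""
import base64
import hashlib

# The client002 Host key exactly as the guide displays it (rows of five
# words); any whitespace layout is accepted by parse_key_code().
CLIENT002_KEY_CODE = """
308188
028180
  B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
  A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
  411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
  40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
  1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
  A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
  171896FB 1FFC38CD
0203
010001
"""


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def parse_key_code(hex_text):
    """Key Code hex (a PKCS#1 RSAPublicKey) -> (modulus, exponent). Malformed
    input raises, as the device discards a key that does not comply with the
    public key format."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if not raw or raw[0] != 0x30:
        raise ValueError("key code is not a DER SEQUENCE")
    seq_len, pos = _der_length(raw, 1)
    if pos + seq_len != len(raw):
        raise ValueError("SEQUENCE length does not match key code length")
    n, pos = _der_integer(raw, pos)
    e, pos = _der_integer(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after RSAPublicKey")
    return n, e


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:               # a leading zero keeps the mpint positive
        b = b"\x00" + b
    return _ssh_string(b)


def to_openssh(n, e):
    """RFC 4253 ssh-rsa blob, base64-encoded, as one authorized_keys line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(n, e):
    """OpenSSH-style SHA256 fingerprint of the ssh-rsa blob."""
    blob = base64.b64decode(to_openssh(n, e).split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def is_weak_modulus(n, minimum_bits=2048):
    """The device defaults to 512 bits; the 2048-bit floor is this example's choice."""
    return n.bit_length() < minimum_bits


def client_decision(first_time_enabled, bound_keys, server_ip, offered_key_code):
    """Model (an assumption, not device code) of how the client treats the host
    key a server presents. bound_keys maps server IP to the Key Code configured
    with ssh client <ip> assign rsa-key. Returns 'accept', 'reject-mismatch',
    'accept-and-save' or 'reject-unknown'."""
    offered = fingerprint(*parse_key_code(offered_key_code))
    if server_ip in bound_keys:
        expected = fingerprint(*parse_key_code(bound_keys[server_ip]))
        return "accept" if offered == expected else "reject-mismatch"
    # Nothing bound: only the first-time switch decides, so whoever sits in the
    # path during that first login gets its key saved as the server's.
    return "accept-and-save" if first_time_enabled else "reject-unknown"


if __name__ == "__main__":
    n, e = parse_key_code(CLIENT002_KEY_CODE)
    print(to_openssh(n, e))
    print(fingerprint(n, e), "(weak modulus)" if is_weak_modulus(n) else "")
    print(client_decision(False, {}, "1.1.1.1", CLIENT002_KEY_CODE))
```

Running the block prints an ssh-rsa line identical to the "Public key code for pasting into OpenSSH authorized_keys file" line in Step 3; recomputing that line from the hex you are about to paste into the public-key-code view is a cheap way to catch a transcription error before the device rejects the key, or worse, accepts a wrong one.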

Configuration Files
- Configuration file of the SSH server
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 308188
 028180
  B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
  D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
  2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
  474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
 0203
 010001
 public-key-code end
 peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type stelnet
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

- Configuration file of client001
#
 sysname client001
#
interface GigabitEthernet0/0/0
 ip address 1.1.2.2 255.255.255.0
#
ssh client first-time enable
#
admin
return

- Configuration file of client002
#
 sysname client002
#
interface GigabitEthernet0/0/0
 ip address 1.1.3.3 255.255.255.0
#
ssh client first-time enable
#
admin
return

5.7.3 Example for Using TFTP to Access Other Device


You can run the TFTP software on the TFTP server and set the directory of source files on the server to upload and download files.

Networking Requirements
In the TCP/IP protocol suite, FTP is frequently used to transfer files. However, FTP requires complicated interactions between terminals and servers, which are hard to implement on terminals without an advanced operating system. TFTP is designed for file transfer that does not need such interactions: it is simple and has low overhead. TFTP can be used only for simple file transfer, and it provides no authentication and no encryption at all. Any host that can reach UDP port 69 on the server can read the files in the served directory and, with the server settings used below, also create and overwrite them. Run the TFTP server only on an isolated management network, serve a directory that contains nothing but the files being transferred, and stop the server when the transfer is done.

As shown in Figure 5-11, a user logs in to the TFTP client from a PC, and uploads files to and downloads files from the TFTP server.

Figure 5-11 Networking diagram for accessing another device by using TFTP
[PC -- TFTP Client -- TFTP Server (10.111.16.160/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.

Data Preparation
To complete the configuration, you need the following data:
- TFTP software to be installed on the TFTP server
- Name of the file to be downloaded and its path on the TFTP server
- Name of the file to be uploaded and its path on the TFTP client

Procedure
Step 1 Enable the TFTP server function.
Enter the directory in which the file to be downloaded resides on the TFTP server in the Current Directory column, as shown in Figure 5-12.

Figure 5-12 Setting the current directory on the TFTP server
[Screenshot of the TFTP server window; not reproduced.]

NOTE
The displayed window may vary with the TFTP software.

On a server that runs the tftpservermt software, enter the TFTP server directory and start the server from the command line:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..

Read this startup banner as a checklist: the server runs as root, maps / to /home/, accepts any client, and allows files to be created and overwritten. Restrict the permitted clients to the TFTP client's address and disable file creation and overwriting unless an upload is actually needed.

Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select [Y/N]:y
Transfer file in binary mode. Please wait for a while...
/ 3338 bytes transferred
File transfer completed

Step 3 Verify the configuration.
Run the dir command on the TFTP client to view the directory in which the downloaded file is saved.
<HUAWEI> dir
Directory of 0/17#cfcard:/

  Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
    0  -rw-          3,338  Jan 25 2011  09:27:41   b.txt
    1  -rw-    103,265,123  Jan 25 2011  06:49:07   VRPV800R002C00B020D0123.cc
    2  -rw-     92,766,274  Jan 25 2011  06:49:10   VRPV800R002C00SPC007B008D1012.cc

109,867,396 KB total (102,926,652 KB free)

Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode. Please wait for a while...
\ 100% [***********]
File transfer completed
----End

Configuration Files
None.
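To make concrete what the tftp get and put commands above send, the following Python example, added here and not part of the Huawei guide, builds and parses RFC 1350 packets and runs a lock-step download and upload against a toy in-memory server that stands in for the tftpserver program (an assumption). File names and contents are constructed; the 3,338-byte file mirrors the size of b.txt above. The point to notice is that the request packet carries only a file name and a mode, so the server has nothing it could authenticate, and an upload replaces the stored file exactly as "file overwrite allowed: Yes" implies.

```python
"""Added example, not from the Huawei guide: RFC 1350 TFTP packets and a
lock-step get/put exchange against a toy in-memory server. The server is an
assumption standing in for the tftpserver program; file names and contents
are constructed."""
import struct

RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
BLKSIZE = 512


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL. No user name, no password."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(pkt):
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a TFTP request")
    filename, mode, _rest = pkt[2:].split(b"\0", 2)
    return opcode, filename.decode(), mode.decode().lower()


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def parse_data(pkt):
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode != DATA:
        raise ValueError("not a DATA packet")
    return block, pkt[4:]


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def split_blocks(data):
    """512-byte DATA blocks numbered from 1; a short (possibly empty) final
    block is what tells the receiver the transfer is over."""
    return [build_data(i + 1, data[off:off + BLKSIZE])
            for i, off in enumerate(range(0, len(data) + 1, BLKSIZE))]


class ToyServer:
    """Serves a dict of files. Like the guide's server ('file create allowed:
    Yes', 'file overwrite allowed: Yes') it stores whatever it is sent."""

    def __init__(self, files):
        self.files = dict(files)

    def handle_read(self, pkt):
        opcode, name, _mode = parse_request(pkt)
        if opcode != RRQ:
            raise ValueError("expected RRQ")
        return split_blocks(self.files[name])

    def handle_write(self, pkt, data_packets):
        opcode, name, _mode = parse_request(pkt)
        if opcode != WRQ:
            raise ValueError("expected WRQ")
        # Created or overwritten with no credential check: the only thing the
        # protocol let the server look at was the file name.
        self.files[name] = b"".join(parse_data(p)[1] for p in data_packets)
        return [build_ack(0)] + [build_ack(parse_data(p)[0]) for p in data_packets]


def client_get(server, filename):
    """Download: RRQ, then one ACK per DATA block, stopping at a short block."""
    received, acks = b"", []
    for pkt in server.handle_read(build_request(RRQ, filename)):
        block, payload = parse_data(pkt)
        if block != len(acks) + 1:          # duplicate or out-of-order block
            raise ValueError("unexpected block %d" % block)
        received += payload
        acks.append(build_ack(block))
        if len(payload) < BLKSIZE:
            break
    return received, len(acks)


def client_put(server, filename, data):
    """Upload: WRQ answered by ACK 0, then the DATA blocks, each ACKed."""
    acks = server.handle_write(build_request(WRQ, filename), split_blocks(data))
    return len(acks)


# Constructed files: a.txt has the size of the guide's b.txt download.
SERVER = ToyServer({"a.txt": b"x" * 3338, "sample.txt": b"old contents"})

if __name__ == "__main__":
    print(client_get(SERVER, "a.txt")[1], "DATA blocks downloaded")
    print(client_put(SERVER, "sample.txt", b"new contents"), "ACKs received on upload")
```

The 3,338-byte download takes seven DATA blocks (six full ones and a 266-byte last block), which is the whole reason the last block may be empty when a file is an exact multiple of 512 bytes. Nothing in either exchange identifies the client beyond its IP address, which is why "permitted clients" in the server configuration is the only access control TFTP offers.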

5.7.4 Example for Using FTP to Access Other Devices


You can log in to the FTP server from the FTP client to download system software from the FTP server and then use it on the client.

Networking Requirements
When you need to transfer files with a remote FTP server or manage directories on the server, you can configure the current device as an FTP client and then access the FTP server by using FTP. As shown in Figure 5-13, the FTP client and server are routable. You log in to the FTP server from the FTP client to download system software from the FTP server and then use it on the client. FTP sends the user name, the password and the file contents in plain text, so use it only across a trusted management network; for transfers across an untrusted network use SFTP (see 5.6).

Figure 5-13 Networking diagram for accessing another device by using FTP
[FTP Client (GE1/0/1, 2.1.1.1/24) -- Network -- FTP Server (GE1/0/1, 1.1.1.1/24)]

Configuration Roadmap
The configuration roadmap is as follows: 1. 2. 3. 4. Configure the user name and password for an FTP user to log in to the FTP server and the directory that the user will access. Enable the FTP server function. Run login commands to log in to the FTP server. Configure the file transfer mode and working directory to allow the client to download files from the server.

Data Preparation
To complete the configuration, you need the following data:
- User name: huawei; password: 123 (used here only to keep the example short; use a strong password on a production device)
- IP address of the FTP server: 1.1.1.1
- Name of the file to be downloaded and the directory of the file

Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] local-user huawei password simple 123
[~HUAWEI-aaa] local-user huawei service-type ftp
[~HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[~HUAWEI-aaa] commit
[~HUAWEI-aaa] quit

The ftp-directory cfcard:/ setting authorizes the user for the whole storage card, including the saved configuration files. Give an FTP user a narrower directory when access to the root is not needed.

Step 2 Enable the FTP server function.


[~HUAWEI] ftp server enable
[~HUAWEI] commit
[~HUAWEI] quit

Step 3 Log in to the FTP server from the FTP client.


<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.

[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit

Step 5 Download the latest system software from the FTP server on the FTP client.
[ftp] get VRPV800R002C00B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for VRPV800R002C00B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

Run the dir command to check whether the required file has been downloaded to the client. ----End

Configuration Files
- Configuration file on the FTP server
#
aaa
 local-user huawei password simple 123
 local-user huawei ftp-directory cfcard:/
 local-user huawei service-type ftp
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
 ftp server enable
#
admin
return

- Configuration file on the FTP client

#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
admin
return

5.7.5 Example for Using SFTP to Access Other Devices


To allow the SFTP client to connect to the SSH server, generate local key pairs on the client and on the server, copy the RSA public key of the client to the server, and bind that public key to the SSH user the client logs in as.

Networking Requirements
SFTP is based on SSH connections. SFTP lets users log in to a remote device securely to manage and transfer files. Because the device can function as an SFTP client, you can log in to a remote SSH server from the device and transfer files securely. As shown in Figure 5-14, after the SFTP server function is enabled on the SSH server, the SFTP client can log in to the SSH server in the authentication mode of password, RSA, password-RSA, or all.

Figure 5-14 Networking diagram for accessing another device by using SFTP

SSH Server (GE0/0/0 1.1.1.1/16) -- Client001 (GE0/0/0 1.1.2.2/16), Client002 (GE0/0/0 1.1.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server so that they log in to the SSH server with different authentication modes.
2. Generate local key pairs on client002 and on the SSH server, copy the RSA public key of client002 to the SSH server, and bind it to SSH user client002 so that the server can authenticate the client when it logs in.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and the authorized directory for the SSH users.
5. Log in to the SSH server from client001 and client002 in SFTP mode to obtain files on the server.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: huawei)
- Client002: RSA authentication (public key: RsaKey001)
- IP address of the SSH server: 1.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] :

Do not accept the 512-bit default. 512-bit RSA moduli have been factored publicly since 1999, so a host key of that size lets an attacker who records the traffic recover the private key and impersonate the server. Enter at least 1024; 2048 is the largest value the command accepts.

Step 2 Create SSH users on the server.


NOTE
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
- If the authentication mode is password or password-RSA, configure a local user with the same user name on the server.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

- Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.
# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] commit

Step 3 Configure the RSA public key on the server.

# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~client002] commit

# Check the RSA public key generated on the client. Only the Host key is copied to the server in the next step; the Server key is not used to authenticate the client.

[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
308188
  028180
    B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
    A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
    411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
    40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
    1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
    A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
    171896FB 1FFC38CD
  0203
    010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key
Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567573103988800864515116082212188211715628656374631408471571024221094769443635936192463776051473454419198804475247192440223714532116284962605275170186238175974546133321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : VRPV8_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
  0260
    BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
    E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
    7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
    B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
    2B1BBA18 A96FFC29 EF70069D DD1EE053
  0203
    010001

# Copy the Host key code displayed on client002 to the server.
The words entered below are the Key Code of the Host key shown in the previous step. Enter them exactly: a mistyped word in the modulus is not detected at entry time, and client002's RSA login simply fails later.

[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 308188
[~SSH Server-rsa-key-code] 028180
[~SSH Server-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[~SSH Server-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[~SSH Server-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[~SSH Server-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[~SSH Server-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[~SSH Server-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[~SSH Server-rsa-key-code] 171896FB 1FFC38CD
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit

Step 4 Bind the RSA public key to client002.

[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.

# Enable the SFTP server function.
[~SSH Server] sftp server enable
[~SSH Server] commit

Step 6 Configure the service type and the authorized directory for the SSH users. Two SSH users are configured on the SSH server: client001 in password authentication mode and client002 in RSA authentication mode.

[~SSH Server] ssh user client001 service-type sftp
[~SSH Server] ssh user client001 sftp-directory cfcard:
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit

Step 7 Connect the SFTP client to the SSH server.

# If a client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.
[~client002] ssh client first-time enable
[~client002] commit

First-time authentication makes the client accept a server public key it has never seen and save it under the server's address (the "The server is not authenticated" prompt below). Verify the server's key out of band before answering y: an attacker on the path at that moment would have its own key saved as the server's, and later logins would not warn.

# Client001 logs in to the SSH server in password authentication mode.
[~client001] sftp 1.1.1.1
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

# Client002 logs in to the SSH server in RSA authentication mode.
[~client002] sftp 1.1.1.1
Please input the username: client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 1.1.1.1. Please wait...

Step 8 Verify the configuration.

After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. The output shows that the SFTP server function is enabled and that the SFTP clients have logged in to the server.

# Check the status of the SSH server.
[~SSH Server] display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 0 hours
 SSH Authentication retries         : 3 times
 SFTP server                        : Enable
 Stelnet server                     : Disable

SSH version 1.99 means that the server also accepts SSH 1.x clients. The session listing below shows, for each client, the negotiated protocol version, cipher, MAC, and key exchange method; check it when you need to confirm that no session fell back to SSH 1.x or to an algorithm you do not want.

# Check the connections to the SSH server.
[~SSH Server] display ssh server session
 Session                 : 1
 Conn                    : SFTP 3
 Version                 : 2.0
 State                   : started
 Username                : client001
 Retry                   : 1
 CTOS Cipher             : aes128-cbc
 STOC Cipher             : aes128-cbc
 CTOS Hmac               : hmac-sha1-96
 STOC Hmac               : hmac-sha1-96
 Kex                     : diffie-hellman-group-exchange-sha1
 Service Type            : sftp
 Authentication Type     : password

 Session                 : 2
 Conn                    : SFTP 4
 Version                 : 2.0
 State                   : started
 Username                : client002
 Retry                   : 1
 CTOS Cipher             : aes128-cbc
 STOC Cipher             : aes128-cbc
 CTOS Hmac               : hmac-sha1-96
 STOC Hmac               : hmac-sha1-96
 Kex                     : diffie-hellman-group-exchange-sha1
 Service Type            : sftp
 Authentication Type     : rsa

# Check the current statistics of the SSH server.
[~SSH Server] display ssh server statistics
 ---------------------------------------
 Total connection accepted          : 1
 Total connection denied by ACL     : 2
 Total connection denied by CLI     : 0
 Total connection denied by AAA     : 3
 Total connection denied by Netconf : 1
 Total connection closed by CLI     : 1
 Total connection closed by Netconf : 4
 Total connection closed by sock    : 3
 Total online connection            : 5
 ---------------------------------------

# Check information about the SSH users.
[~SSH Server] display ssh user-information
 ----------------------------------------------------
 Username             : client001
 Authentication-type  : password
 User-public-key-name :
 Sftp-directory       : cfcard:
 Service-type         : sftp

 Username             : client002
 Authentication-type  : rsa
 User-public-key-name : rsakey001
 Sftp-directory       : -
 Service-type         : sftp
 ----------------------------------------------------

----End

Configuration Files
- Configuration file of the SSH server

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 308188
  028180
   B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
   D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
   2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
   474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
  0203
   010001
 public-key-code end
peer-public-key end
#
 sftp server enable
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 sftp-directory cfcard:
 ssh user client001 service-type sftp
 ssh user client002
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 ssh user client002 sftp-directory cfcard:
 ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

- Configuration file of client001

#
 sysname client001
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.2.2 255.255.0.0
#
 ssh client first-time enable
#
admin
return

- Configuration file of client002

#
 sysname client002
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.3.3 255.255.0.0
#
 ssh client first-time enable
#
admin
return

5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number
Configuring a non-default listening port number on the SSH server keeps clients that assume the default port 22 from reaching the service.

Networking Requirements
The default SSH listening port number is 22. If attackers continuously send connection requests to this port, bandwidth and server resources are consumed and valid users may be unable to access the server. After the listening port of the SSH server is changed to a non-default port, attackers that keep sending socket connection requests to port 22 are refused because nothing listens there. Valid users set up socket connections on the new listening port and then go through SSH version negotiation, algorithm negotiation, session key generation, authentication, the session request, and the session itself.

Changing the port is a measure against unsolicited traffic, not an access control: a port scan reveals the new port quickly, and the SSH server still accepts any client that completes authentication. Combine it with an ACL on the SSH server (the display ssh server statistics output in Step 7 counts connections denied by ACL) and prefer RSA over password authentication for the SSH users.

Figure 5-15 Example for accessing the SSH server by using a non-default listening port number

SSH Server (GE0/0/0 1.1.1.1/16) -- Client001 (GE0/0/0 1.1.2.2/16), Client002 (GE0/0/0 1.1.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server so that they log in to the SSH server with different authentication modes.
2. Generate local key pairs on client002 and on the SSH server, copy the RSA public key of client002 to the SSH server, and bind it to SSH user client002 so that the server can authenticate the client when it logs in.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and the authorized directory for the SSH users.
5. Configure a non-default listening port number on the SSH server.
6. Log in to the SSH server from client001 by using STelnet and from client002 by using SFTP.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: huawei) and the STelnet service type
- Client002: RSA authentication (public key: RsaKey001) and the SFTP service type
- IP address of the SSH server: 1.1.1.1
- Listening port number of the SSH server: 1025

Procedure
Step 1 Configure the server to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[~HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512, It will take a few minutes.
Input the bits in the modulus [default = 512] : 1024
[~SSH Server] commit

Step 2 Configure the RSA public key on the server.

# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[~HUAWEI] commit
[~client002] rsa local-key-pair create
[~client002] commit

# Check the RSA public key generated on the client.

[~client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
    203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
    EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
    1D7E3E1B
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key

=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
    D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
    9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
    1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
    BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
    010001

# Copy the Host key code displayed on client002 to the server.

[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~SSH Server-rsa-key-code] 3047
[~SSH Server-rsa-key-code] 0240
[~SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[~SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[~SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[~SSH Server-rsa-key-code] 1D7E3E1B
[~SSH Server-rsa-key-code] 0203
[~SSH Server-rsa-key-code] 010001
[~SSH Server-rsa-key-code] public-key-code end
[~SSH Server-rsa-public-key] peer-public-key end
[~SSH Server] commit
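Checking the pasted key against the client's OpenSSH line. The hex Key Code that the public-key-code view takes, here and in 5.7.5 Step 3, carries the same modulus and exponent as the "ssh-rsa AAAA..." line that display rsa local-key-pair public prints, and a mistyped word is the usual reason an RSA login then fails. The following Python script is an example added to this guide; it is not part of the Huawei documentation or of the VRP software. It converts between the two forms so that the words to paste can be generated from, or verified against, the client's output. The two key lines it uses are the ones this page prints for client002 (512-bit in this example, 1024-bit in 5.7.5); the unsigned-integer layout it produces (no 0x00 pad before a modulus whose top bit is set) is inferred from those outputs.

```python
import base64
import struct

# Constructed sample inputs: the "Public key code for pasting into OpenSSH
# authorized_keys file" lines that client002 displays on this page
# (5.7.6: a 512-bit key; 5.7.5: a 1024-bit key).
CLIENT002_512 = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn"
    "TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)
CLIENT002_1024 = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri"
    "89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi"
    "SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key"
)

def _read_ssh_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[start:start + length], start + length

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(data):
    """RFC 4251 mpint: minimal unsigned bytes, 0x00-padded if the top bit is set."""
    data = data.lstrip(b"\x00")
    if data and data[0] & 0x80:
        data = b"\x00" + data
    return _ssh_string(data)

def _der_len(n):
    """DER length octets: one byte below 128, else 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_der_tlv(data, offset):
    """Return (tag, value, next_offset) for the TLV that starts at offset."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        length, start = first, offset + 2
    else:
        k = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + k], "big")
        start = offset + 2 + k
    if start + length > len(data):
        raise ValueError("truncated key code")
    return tag, data[start:start + length], start + length

def openssh_to_vrp_key_code(line):
    """Convert an 'ssh-rsa AAAA... comment' line to the hex Key Code the VRP
    public-key-code view takes: SEQUENCE { INTEGER n, INTEGER e }, with n written
    unsigned (no leading 0x00), which is how the page's own outputs show it."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    algo, off = _read_ssh_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("blob does not carry an ssh-rsa key")
    e, off = _read_ssh_string(blob, off)
    n, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n, e = n.lstrip(b"\x00"), e.lstrip(b"\x00")
    body = b"\x02" + _der_len(len(n)) + n + b"\x02" + _der_len(len(e)) + e
    return (b"\x30" + _der_len(len(body)) + body).hex().upper()

def vrp_key_code_to_openssh(hex_code, comment="rsa-key"):
    """The inverse: parse the hex Key Code (spaces and newlines ignored) and emit an
    authorized_keys line, so a pasted key can be compared with the client's output."""
    data = bytes.fromhex("".join(hex_code.split()))
    tag, seq, end = _read_der_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("key code is not a single SEQUENCE")
    tag_n, n, off = _read_der_tlv(seq, 0)
    tag_e, e, off = _read_der_tlv(seq, off)
    if tag_n != 0x02 or tag_e != 0x02 or off != len(seq):
        raise ValueError("expected exactly two INTEGERs (n, e)")
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def format_for_cli(hex_code, words_per_line=5):
    """Lay the Key Code out as the page prints it: SEQUENCE and INTEGER headers on
    their own lines, the modulus as 32-bit words (five per line), then the exponent.
    Each returned line is one entry for the public-key-code view."""
    data = bytes.fromhex("".join(hex_code.split()))
    _, seq, _ = _read_der_tlv(data, 0)
    seq_hdr = data[:len(data) - len(seq)]
    _, n, off = _read_der_tlv(seq, 0)
    n_hdr = seq[:off - len(n)]
    _, e, end = _read_der_tlv(seq, off)
    e_hdr = seq[off:end - len(e)]
    words = [n[i:i + 4].hex().upper() for i in range(0, len(n), 4)]
    lines = [seq_hdr.hex().upper(), n_hdr.hex().upper()]
    for i in range(0, len(words), words_per_line):
        lines.append(" ".join(words[i:i + words_per_line]))
    lines += [e_hdr.hex().upper(), e.hex().upper()]
    return lines

if __name__ == "__main__":
    for entry in format_for_cli(openssh_to_vrp_key_code(CLIENT002_512)):
        print("[~SSH Server-rsa-key-code]", entry)
```

Run it as is to print the entries for the 512-bit key in the order they are typed above; to verify a key already on the server, feed the words from display rsa peer-public-key (or from the configuration file) to vrp_key_code_to_openssh and compare the result with the client's ssh-rsa line.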

Step 3 Create SSH users on the server.


NOTE
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
- If the authentication mode is password or password-RSA, configure a local user with the same user name on the server.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure the VTY user interfaces. With protocol inbound ssh, these VTYs accept SSH only, so Telnet logins on them are refused.

[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[~SSH Server-ui-vty0-4] protocol inbound ssh
[~SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

- Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[~SSH Server] ssh user client001 authentication-type password
[~SSH Server] commit

# Set the password of client001 to huawei.
[~SSH Server] aaa
[~SSH Server-aaa] local-user client001 password simple huawei
[~SSH Server-aaa] local-user client001 service-type ssh
[~SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Set the service type of client001 to STelnet.
[~SSH Server] ssh user client001 service-type stelnet
[~SSH Server] commit

- Create an SSH user named client002.
# Create an SSH user named client002, configure RSA authentication for the user, and bind the RSA public key to client002.
[~SSH Server] ssh user client002
[~SSH Server] ssh user client002 authentication-type rsa
[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[~SSH Server] commit

# Set the service type of client002 to SFTP and configure the authorized directory for the user.
[~SSH Server] ssh user client002 service-type sftp
[~SSH Server] ssh user client002 sftp-directory cfcard:
[~SSH Server] commit

Step 4 Enable the STelnet and SFTP server functions on the SSH server.

[~SSH Server] stelnet server enable
[~SSH Server] sftp server enable
[~SSH Server] commit

Step 5 Configure a new listening port number on the SSH server.

[~SSH Server] ssh server port 1025
[~SSH Server] commit

Step 6 Connect the SSH clients to the SSH server.

# If a client logs in to the server for the first time, enable first-time authentication on the client.
Enable first-time authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[~HUAWEI] commit
[~client001] ssh client first-time enable
[~client001] commit

Enable first-time authentication on client002.
[~client002] ssh client first-time enable
[~client002] commit

# The STelnet client logs in to the SSH server by using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as follows:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1. <SSH Server>

# The SFTP client logs in to the SSH server by using the new listening port number.
[~client002] sftp 1.1.1.1 1025
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.

A client that still uses the default listening port number 22 fails to connect to the SSH server. Attackers that keep targeting port 22 get the same result.
[~client002] sftp 1.1.1.1
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration is complete, run the display ssh server status, display ssh server session, and display ssh server statistics commands on the SSH server. The output shows the current listening port number of the SSH server and that the STelnet and SFTP clients have logged in successfully.

# Check the status of the SSH server.
[~SSH Server] display ssh server status
 SSH version                        : 1.99
 SSH connection timeout             : 60 seconds
 SSH server key generating interval : 0 hours
 SSH Authentication retries         : 3 times
 SFTP server                        : Enable
 STELNET server                     : Enable
 SSH server port                    : 1025

# Check the connections to the SSH server.
[~SSH Server] display ssh server session
 Session                 : 1
 Conn                    : VTY 3
 Version                 : 2.0
 State                   : started
 Username                : client001
 Retry                   : 1
 CTOS Cipher             : aes128-cbc
 STOC Cipher             : aes128-cbc
 CTOS Hmac               : hmac-sha1-96
 STOC Hmac               : hmac-sha1-96
 Kex                     : diffie-hellman-group1-sha1
 Service Type            : stelnet
 Authentication Type     : password

 Session                 : 2
 Conn                    : VTY 4
 Version                 : 2.0
 State                   : started
 Username                : client002
 Retry                   : 1
 CTOS Cipher             : aes128-cbc
 STOC Cipher             : aes128-cbc
 CTOS Hmac               : hmac-sha1-96
 STOC Hmac               : hmac-sha1-96
 Kex                     : diffie-hellman-group1-sha1
 Service Type            : sftp
 Authentication Type     : rsa

# Check the current statistics of the SSH server.
[~SSH Server] display ssh server statistics
 ---------------------------------------
 Total connection accepted          : 1
 Total connection denied by ACL     : 2
 Total connection denied by CLI     : 0
 Total connection denied by AAA     : 3
 Total connection denied by Netconf : 1
 Total connection closed by CLI     : 1
 Total connection closed by Netconf : 4
 Total connection closed by sock    : 3
 Total online connection            : 5
 ---------------------------------------

----End
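Auditing the negotiated algorithms. The session listing in the verification step above (and the one in 5.7.5) records, per client, the cipher, MAC, and key exchange method the server negotiated and whether the login used a password or an RSA key, and the status output's SSH version 1.99 means the server will also talk to SSH-1 clients. The following Python script is an example added to this guide, not part of the Huawei documentation or software: it parses those two outputs, re-typed from this page as constructed sample text, and lists per user the items a security review would flag. The weak-algorithm lists and the judgments behind them are the example's own, not the guide's: CBC-mode ciphers (the 2008 plaintext-recovery attack, CVE-2008-5161), MD5 or truncated-SHA-1 MACs, the 1024-bit group1 key exchange, and password authentication. Whether this software release offers stronger algorithms is not covered on this page.

```python
import re

# Constructed sample: the two sessions that 'display ssh server session' lists in the
# 5.7.6 example on this page, re-typed as plain text so the audit runs offline.
SAMPLE_SESSIONS = """\
Session                 : 1
Conn                    : VTY 3
Version                 : 2.0
State                   : started
Username                : client001
Retry                   : 1
CTOS Cipher             : aes128-cbc
STOC Cipher             : aes128-cbc
CTOS Hmac               : hmac-sha1-96
STOC Hmac               : hmac-sha1-96
Kex                     : diffie-hellman-group1-sha1
Service Type            : stelnet
Authentication Type     : password
Session                 : 2
Conn                    : VTY 4
Version                 : 2.0
State                   : started
Username                : client002
Retry                   : 1
CTOS Cipher             : aes128-cbc
STOC Cipher             : aes128-cbc
CTOS Hmac               : hmac-sha1-96
STOC Hmac               : hmac-sha1-96
Kex                     : diffie-hellman-group1-sha1
Service Type            : sftp
Authentication Type     : rsa
"""

# Constructed sample: the 'display ssh server status' output of the same example.
SAMPLE_STATUS = """\
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Enable
STELNET server                     : Enable
SSH server port                    : 1025
"""

# These lists are this example's assessment, not the guide's: CBC-mode ciphers
# (2008 plaintext-recovery attack, CVE-2008-5161), MD5 or truncated-SHA-1 MACs,
# and the 1024-bit group1 key exchange.
WEAK_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "des-cbc", "arcfour"}
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")

def parse_fields(text):
    """Turn 'Label : value' lines into (label, value) pairs; other lines are skipped."""
    return [m.groups() for m in map(_FIELD.match, text.splitlines()) if m]

def parse_sessions(text):
    """Group the pairs into one dict per session; each 'Session' label starts a record."""
    sessions = []
    for label, value in parse_fields(text):
        if label == "Session":
            sessions.append({})
        if sessions:
            sessions[-1][label] = value
    return sessions

def weak_algorithms(session):
    """Return the (field, value) pairs of one session that a review would flag."""
    checks = (("CTOS Cipher", WEAK_CIPHERS), ("STOC Cipher", WEAK_CIPHERS),
              ("CTOS Hmac", WEAK_MACS), ("STOC Hmac", WEAK_MACS), ("Kex", WEAK_KEX))
    findings = [(f, session[f]) for f, weak in checks if session.get(f) in weak]
    if session.get("Version", "").startswith("1."):
        findings.append(("Version", session["Version"]))  # an SSH-1 session
    if session.get("Authentication Type") == "password":
        findings.append(("Authentication Type", "password"))  # no client key in use
    return findings

def audit_sessions(text):
    """Map each logged-in user name to its findings."""
    return {s.get("Username", "?"): weak_algorithms(s) for s in parse_sessions(text)}

def audit_status(text):
    """An 'SSH version : 1.99' server still accepts SSH-1 clients (RFC 4253, 5.1),
    so an SSH-1 downgrade is possible unless SSH-1 support is disabled."""
    fields = dict(parse_fields(text))
    if fields.get("SSH version") == "1.99":
        return ["server advertises SSH-1 compatibility (version 1.99)"]
    return []

if __name__ == "__main__":
    for user, findings in audit_sessions(SAMPLE_SESSIONS).items():
        print(user, findings)
    print(audit_status(SAMPLE_STATUS))
```

On the sample above every session is flagged for aes128-cbc, hmac-sha1-96 and group1, and client001 additionally for password authentication; the same functions can be pointed at the output captured from a live device, since they only need the "Label : value" lines.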

Configuration Files
- Configuration file of the SSH server

#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
  0240
   BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
   519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
  0203
   010001
 public-key-code end
peer-public-key end
#
 ssh server port 1025
 stelnet server enable
 sftp server enable
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type stelnet
 ssh user client002
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 ssh user client002 sftp-directory cfcard:
 ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

- Configuration file of client001

#
 sysname client001
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.2.2 255.255.0.0
#
 ssh client first-time enable
#
admin
return

- Configuration file of client002

#
 sysname client002
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.3.3 255.255.0.0
#
 ssh client first-time enable
#
admin
return

5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network
This example shows how to configure an SSH client on the public network to access an SSH server on a private network. You can configure SSH-related attributes for public users to allow them to access devices on private networks in STelnet or SFTP mode.

Networking Requirements
As shown in Figure 5-16, PE1 is an SSH client located on the MPLS backbone network, and CE1 functions as an SSH server located on the private network with the AS number of 65410. It is required that public network users securely access and manage CE1 after logging in to PE1.

Figure 5-16 Networking diagram for configuring an SSH client on the public network to access an SSH server on a private network

MPLS backbone (AS 100):
  PE1 (SSH client): Loopback1 1.1.1.9/32, POS1/0/1 100.1.1.1/30
  P: Loopback1 2.2.2.9/32, POS1/0/1 100.1.1.2/30 (to PE1), POS1/0/2 200.1.1.1/30 (to PE2)
  PE2: Loopback1 3.3.3.9/32, POS1/0/1 200.1.1.2/30
VPN sites:
  CE1 (SSH server) GE1/0/1 10.1.1.1/24 -- GE1/0/1 10.1.1.2/24 PE1
  CE2 GE1/0/1 10.1.2.1/24 -- GE1/0/1 10.1.2.2/24 PE2

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between the PEs and the CEs and import VPN routes.
3. Generate local key pairs on PE1 (the SSH client) and on CE1 (the SSH server), copy the client's RSA public key to CE1, and bind it to SSH user client002 so that CE1 can authenticate the client when it logs in.
4. Enable the STelnet and SFTP server functions on CE1.
5. Configure client001 to access CE1 by using STelnet and client002 by using SFTP.

Data Preparation
To complete the configuration, you need the following data:
- Name of the VPN instance on the PEs: vpn1
- VPN target on the PEs: 111:1
- IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
- Client001: password authentication (password: huawei)
- Client002: RSA authentication (public key: RsaKey001)
- IP address of CE1: 10.1.1.1

Procedure
Step 1 Configure the MPLS backbone network.

Configure an IGP to allow the PEs and the P on the MPLS backbone network to communicate with each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS backbone network. For detailed configurations, see the configuration files in this example.

Step 2 Configure VPN instances on the PEs and connect the CEs to the PEs.

# Configure PE1.
[~PE1] ip vpn-instance vpn1
[~PE1-vpn-instance-vpn1] route-distinguisher 100:1
[~PE1-vpn-instance-vpn1] vpn-target 111:1 both
[~PE1-vpn-instance-vpn1] quit
[~PE1] interface gigabitethernet 1/0/1
[~PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE1-GigabitEthernet1/0/1] undo shutdown
[~PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[~PE1-GigabitEthernet1/0/1] quit
[~PE1] commit

# Configure PE2.
[~PE2] ip vpn-instance vpn1
[~PE2-vpn-instance-vpn1] route-distinguisher 200:1
[~PE2-vpn-instance-vpn1] vpn-target 111:1 both
[~PE2-vpn-instance-vpn1] quit
[~PE2] interface gigabitethernet 1/0/1
[~PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[~PE2-GigabitEthernet1/0/1] undo shutdown
[~PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[~PE2-GigabitEthernet1/0/1] quit
[~PE2] commit

# Configure IP addresses for interfaces on CEs based on Figure 5-16. The configuration details are not provided here.
After the configuration is complete, run the display ip vpn-instance verbose command on PEs. You can view the configurations of the VPN instances, and each PE can successfully ping its connected CE.
NOTE
When multiple interfaces on a PE are bound to the same VPN instance, specify the source address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE connected to the peer PE. Otherwise, the ping may fail.
Use the display on PE1 and CE1 as an example.


[~PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
  Create date : 2007/06/08 11:42:58
  Up time : 0 days, 00 hours, 03 minutes and 27 seconds
  Route Distinguisher : 100:1
  Export VPN Targets : 111:1
  Import VPN Targets : 111:1
  Label policy : label per route
  The diffserv-mode Information is : uniform
  The ttl-mode Information is : uniform
  Interfaces : GigabitEthernet2/0/0
[~PE1] ping -vpn-instance vpn1 10.1.1.1
  PING 10.1.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
    Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
    Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[~CE1] bgp 65410
[~CE1-bgp] peer 10.1.1.2 as-number 100
[~CE1-bgp] import-route direct
[~CE1-bgp] quit
[~CE1] commit

# Configure PE1.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpn1
[~PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[~PE1-bgp-vpn1] import-route direct
[~PE1-bgp-vpn1] quit
[~PE1-bgp] quit
[~PE1] commit

# Configure CE2.
[~CE2] bgp 65420
[~CE2-bgp] peer 10.1.2.2 as-number 100
[~CE2-bgp] import-route direct
[~CE2-bgp] quit
[~CE2] commit

# Configure PE2.
[~PE2] bgp 100
[~PE2-bgp] ipv4-family vpn-instance vpn1
[~PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[~PE2-bgp-vpn1] import-route direct
[~PE2-bgp-vpn1] quit
[~PE2-bgp] quit
[~PE2] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command on PEs. You can find that the EBGP peer relationships between the PEs and the CEs are in the Established state. Use the peer relationship between PE1 and CE1 as an example.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer       V    AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  10.1.1.1   4  65410       3        3     0  00:00:37  Established        1

# Set up an MP-IBGP peer relationship between PEs. For detailed configurations, see the configuration files in this example.
Step 4 Configure the server to generate a local key pair.
[~CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~CE1] commit

Step 5 Configure the RSA public key on the server.
# Configure the client to generate a local key pair.
[~PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
[~PE1] commit

# Check the RSA public key generated on the client.
[~PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
    87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
    8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
    E2EE8EB5
  0203
    010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2
    BDB58E1E D46856B5 419CAEDF 3A33DD40 278C6403 24ADC2E6
    B110A8ED B6CC644F 055C5437 D720D3D8 9A3F9DE5 4FE062DF
    F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
  0203
    010001

# Copy the RSA public key generated on the client to the server.
[~CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[~CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[~CE1-rsa-key-code] 3047
[~CE1-rsa-key-code] 0240
[~CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[~CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[~CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[~CE1-rsa-key-code] E2EE8EB5
[~CE1-rsa-key-code] 0203
[~CE1-rsa-key-code] 010001
[~CE1-rsa-key-code] public-key-code end
[~CE1-rsa-public-key] peer-public-key end
[~CE1-rsa-public-key] quit
[~CE1] commit

Step 6 Create SSH users on the server.
NOTE
There are four authentication modes for SSH users: password, RSA, password-RSA, and all.
- If the authentication mode is password or password-RSA, configure a local user with the same user name on the server.
- If the authentication mode is RSA, password-RSA, or all, save the RSA public key generated on the SSH client to the server.

# Configure VTY user interfaces.
[~CE1] user-interface vty 0 4
[~CE1-ui-vty0-4] authentication-mode aaa
[~CE1-ui-vty0-4] protocol inbound ssh
[~CE1-ui-vty0-4] commit
[~CE1-ui-vty0-4] quit

- Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the user.
[~CE1] ssh user client001
[~CE1] ssh user client001 authentication-type password

# Set the password of client001 to huawei.
[~CE1] aaa
[~CE1-aaa] local-user client001 password simple huawei
[~CE1-aaa] local-user client001 service-type ssh
[~CE1-aaa] quit

# Set the service type of client001 to STelnet.
[~CE1] ssh user client001 service-type stelnet

- Create an SSH user named client002.
# Create an SSH user named client002, configure RSA authentication for the user, and bind the RSA public key to client002.
[~CE1] ssh user client002
[~CE1] ssh user client002 authentication-type rsa
[~CE1] ssh user client002 assign rsa-key RsaKey001

# Set the service type of client002 to SFTP and configure the authorized directory for the user.
[~CE1] ssh user client002 service-type sftp
[~CE1] ssh user client002 sftp-directory cfcard:
[~CE1] commit

Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[~CE1] sftp server enable
[~CE1] commit

Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first-time authentication on the client. With first-time authentication, the client saves the server's public key without verifying it (the "The server is not authenticated" prompt below), so the saved key is only as trustworthy as that first connection.
[~PE1] ssh client first-time enable
[~PE1] commit

# Use STelnet to log in to the SSH server.
[~PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

Enter the password huawei, and information indicating a successful login is displayed as follows:
Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.
<CE1>

# Use SFTP to log in to the SSH server.
[~PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...

After the login succeeds, the following prompt is displayed, and you can operate files by using SFTP commands.
<sftp-client>

Step 9 Verify the configuration.
After the configuration is complete, run the display this command in the interface view on PE1. You can find that the VPN instance has been successfully configured.
Run the display ssh server session and display ssh server statistics commands on CE1. You can find that the STelnet or SFTP client has been successfully connected to the SSH server.
# Check the connection to the SSH server.
[~CE1] display ssh server session
 Session              : 1
 Conn                 : VTY 0
 Version              : 2.0
 State                : started
 Username             : client001
 Retry                : 1
 CTOS Cipher          : aes128-cbc
 STOC Cipher          : aes128-cbc
 CTOS Hmac            : hmac-sha1-96
 STOC Hmac            : hmac-sha1-96
 Kex                  : diffie-hellman-group1-sha1
 Service Type         : stelnet
 Authentication Type  : password

# Check the current statistics of the SSH server.
[~CE1] display ssh server statistics
---------------------------------------
Total connection accepted          : 1
Total connection denied by ACL     : 2
Total connection denied by CLI     : 0
Total connection denied by AAA     : 3
Total connection denied by Netconf : 1
Total connection closed by CLI     : 1
Total connection closed by Netconf : 4
Total connection closed by sock    : 3
Total online connection            : 5
---------------------------------------

----End
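The two printouts in Step 5 (the OpenSSH authorized_keys line and the "Key code" groups) are the same RSA public key in two encodings. The following Python script is an added example, not part of this guide or the router software: it decodes the page's OpenSSH line to (e, n), re-encodes it in the router's key-code layout, and parses a pasted key code back. The function names are the example's own; the key material is copied from the Step 5 output.

```python
import base64
import struct

# Constructed from Step 5 on the page: the PE1_Host key as OpenSSH prints it and as the router's "Key code" groups.
PAGE_OPENSSH_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7"
    "2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key"
)
PAGE_KEY_CODE = (
    "3047 0240 BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376 "
    "87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695 8F76F1B2 "
    "5D3E2F35 A8051CE1 E0234274 9D8BB20D E2EE8EB5 0203 010001"
)

def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(x):
    """RFC 4251 'mpint' for x >= 0: a 0x00 pad is added when the top bit is set."""
    body = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return _ssh_string(body)

def _read_ssh_string(blob, pos):
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def parse_openssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    ktype, pos = _read_ssh_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key blob type mismatch")
    e_bytes, pos = _read_ssh_string(blob, pos)
    n_bytes, pos = _read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def to_openssh_rsa(e, n, comment):
    """Build the authorized_keys line for (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_der_len(raw, pos):
    first = raw[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(raw[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def _read_der_int(raw, pos):
    if raw[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_der_len(raw, pos + 1)
    return int.from_bytes(raw[pos:pos + length], "big"), pos + length

def to_huawei_key_code(e, n):
    """Lay (e, n) out as the router's "Key code": SEQUENCE { INTEGER n, INTEGER e } as tag+length
    groups and 4-byte content groups; unlike strict DER, no 0x00 pad precedes a high-bit modulus."""
    n_body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_body = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_hdr = b"\x02" + _der_len(len(n_body))
    e_hdr = b"\x02" + _der_len(len(e_body))
    seq_hdr = b"\x30" + _der_len(len(n_hdr) + len(n_body) + len(e_hdr) + len(e_body))
    groups = [seq_hdr.hex(), n_hdr.hex()]
    groups += [n_body[i:i + 4].hex() for i in range(0, len(n_body), 4)]
    groups += [e_hdr.hex()]
    groups += [e_body[i:i + 4].hex() for i in range(0, len(e_body), 4)]
    return " ".join(groups).upper()

def parse_huawei_key_code(text):
    """Inverse: read a pasted "Key code" (any whitespace layout) back to (e, n)."""
    raw = bytes.fromhex("".join(text.split()))
    if not raw or raw[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_der_len(raw, 1)
    if pos + length != len(raw):
        raise ValueError("SEQUENCE length does not match key code size")
    n, pos = _read_der_int(raw, pos)
    e, pos = _read_der_int(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing data after exponent")
    return e, n
```

Comparing the converted value with the Key code the router printed confirms that what is pasted into rsa peer-public-key on CE1 is the client's host key and not a transcription error; the page's key is 512 bits, which the script reports via n.bit_length().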

Configuration Files
- Configuration file of CE1
#
 sysname CE1
#
rsa peer-public-key rsakey001
 public-key-code begin
 3067
   0260
     9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
     419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
     9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
   0203
     010001
 public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
bgp 65410
 peer 10.1.1.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.1.2 enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
admin
return

- Configuration file of PE1
#
 sysname PE1
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
interface NULL0
#
bgp 100
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.1.1 as-number 65410
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
admin
return

- Configuration file of the P
#
 sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos1/0/2
 undo shutdown
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
#
admin
return

- Configuration file of PE2
#
 sysname PE2
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vpn1
 ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
 undo shutdown
 link-protocol ppp
 ip address 200.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.9 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.9 enable
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  peer 10.1.2.1 as-number 65420
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 200.1.1.0 0.0.0.255
#
admin
return

- Configuration file of CE2
#
 sysname CE2
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
bgp 65420
 peer 10.1.2.2 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.2.2 enable
#
admin
return

6 Using the Command Line Interface

About This Chapter

This chapter describes the command line interface that is used to maintain the device routinely. After users edit and configure a command line in a certain view, the system displays the corresponding information or error prompts.
6.1 Overview of the Command Line Interface
The command line interface (CLI) is the common tool for running commands. You can configure and manage the router by using the CLI commands.
6.2 Establishing the Running Environment for the Command Line
You can set the running environment of the command line to an accustomed interface before using the command line.
6.3 How to Use Command Lines
Command lines are used to configure and process the command view, the editing function of the command line, the command line template, displayed information, and error information.
6.4 How to Obtain Command Help
When you enter command lines or configure services, command help offers real-time help in addition to the configuration guide.
6.5 How to Use Shortcut Keys
You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding commands. This simplifies operations.
6.6 Configuration Examples
This section describes how to use command lines with configuration examples.


6.1 Overview of the Command Line Interface

The command line interface (CLI) is the common tool for running commands. You can configure and manage the router by using the CLI commands.

Command Line Interface

After you log in to the router, the displayed command line prompt indicates that you have entered the CLI. The CLI is an interface through which you can interact with the router. You can enter the commands provided by the system through the CLI to configure and manage the router. The CLI has the following features:
- Supports local configurations through the console interface.
- Supports local or remote configurations through Telnet or Secure Shell (SSH).
- Supports the customized management of various terminal users in the user interface view.
- Supports command-based hierarchical protection, so that users of different levels can run only the commands of the corresponding levels.
- Supports the local, password, and AAA authentication modes to ensure system security by preventing unauthorized users from accessing the router.
- Supports entering a question mark "?" to obtain online help.
- Provides network testing commands, such as the tracert and ping commands, for quickly diagnosing network connectivity.
- Provides detailed debugging information of various types to help diagnose network faults.
- Supports logging in to and managing other routers through the telnet command.
- Provides the FTP service that facilitates the upload and download of files.
- Provides a DosKey-like function to run a historical command.
- Provides multiple intelligent command resolution methods through the command line interpreter, such as partial match and context-sensitive matching, which make command entry easier.
NOTE
- The system supports commands with a maximum of 1024 characters, including commands entered in incomplete form.
- If a command is run in incomplete form, the system saves it to the configuration file in complete form, which may cause the command to exceed 1024 characters. In this case, the command entered in incomplete form cannot be restored after the system restarts. Therefore, pay attention to the length of a command entered in incomplete form.

6.2 Establishing the Running Environment for the Command Line

You can set the running environment of the command line to an accustomed interface before using the command line.

Applicable Environment
Before using the command line to configure services, you can establish the basic running environment for the command line to meet the requirements of the actual environment.

Pre-configuration Tasks
Before establishing the running environment for the command line, complete the following tasks:
- Installing the router and powering it on properly
- Logging in to the router as a client

Configuration Procedures
To establish the running environment for the command line, perform the following procedures.

6.2.1 Configuring the Login Alert

When you access the router, a prompt is displayed. You can set the content of the prompt as required.

Context
The login alert is the prompt that is displayed either when you access the router or after you pass authentication and before you start to exchange configurations with the system. The login alert is configured to give an explicit indication of your login.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
header login { information text | file file-name }

The alert displayed during the login is configured.
Step 3 Run:
header shell { information text | file file-name }

The alert displayed after the login is configured.
Step 4 Run:
commit

The configuration is committed.
----End

6.2.2 Setting a Device Name

The name of a device is displayed in the command prompt. You can modify the name of a device as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
sysname host-name

The name of the device is set.
Step 3 Run:
commit

The configuration is committed.
----End

6.2.3 Configuring Command Levels

This section describes how to configure command levels to ensure device security or to allow low-level users to run high-level commands. By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights management is required, you can divide commands into 16 levels, that is, from Level 0 to Level 15.

Context
If the user does not adjust a command level separately, after the command levels are updated, all originally registered command lines are adjusted automatically according to the following rules:
- The commands of Level 0 and Level 1 remain unchanged.
- The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated to Level 15.
- No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust command lines to these levels separately to refine the management of privileges.

CAUTION
Changing the default level of a command is not recommended. If the default level of a command is changed, some users may be unable to use the command any longer.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
command-privilege level rearrange

The command levels are updated in batches.
When no password is configured for a Level 15 user, the system prompts the user to set a super password for Level 15 users and, at the same time, asks whether to continue with the update of command levels. Select "N" to set the password first. If you select "Y", the command levels are updated in batches directly; this results in a user who does not log in through the console port failing to update the level.
Step 3 Run:
command-privilege level level view view-name command-key

All commands have default command views and levels. You do not need to reconfigure them.
----End

6.2.4 Lock the User Interface

To prevent unauthorized users from accessing the interface, you can lock the current user interface.

Procedure
Step 1 Run:
lock

The current user interface is locked. The user interface can be the console interface or a VTY interface. After running the lock command, enter a password twice as prompted to activate the screen-saving mode. When the same password has been entered twice, the current user interface is locked.
After the system is locked, press Enter and input the correct password as prompted to unlock the user interface and log in to the system. If you forget the password, you cannot log in to the system; in this case, obtain the password from the administrator or reconfigure a password.
----End

6.3 How to Use Command Lines

Command lines are used to configure and process the command view, the editing function of the command line, the command line template, displayed information, and error information.

Applicable Environment
Before configuring services through command lines, you need to understand the basic operations of command lines.

Pre-configuration Tasks
Before using command lines, complete the following tasks:
- Installing the router and powering it on properly
- Logging in to the router as a client

Configuration Procedures
To use command lines, perform the following procedures as required.

6.3.1 Entering a Command View

The CLI has multiple command views. All the commands are registered in one or more command views. In general, you can run a command only after entering its command view.
# Set up a connection with the router. If the default configuration is adopted on the router, you enter the user view. The prompt on the screen is displayed as follows:
<HUAWEI>

# Enter system-view and press Enter to enter the system view.
<HUAWEI> system-view
[~HUAWEI]

# Enter aaa in the system view to enter the AAA view.
[~HUAWEI] aaa
[~HUAWEI-aaa]

# Enter diagnose in the system view to enter the diagnose view.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]
NOTE
The command line prompt "HUAWEI" is the default host name, and it can be changed by using the sysname command. The current view can be determined from the prompt. For example, "<>" indicates the user view; "[]" indicates any view except the user view.

You can run the quit command to quit the current view and enter the view of the next lower level. If the current view is the user view, the system is exited. You can run the return command to quit the current view and enter the user view. If the current view is the user view, the user view is still displayed.
Certain commands that can be run in the system view can also be run in other views. The function realized by a command, however, is determined by the command view in which the command is run. For example, the mpls command enables MPLS. If the mpls command is run in the system view, MPLS is enabled globally; if the mpls command is run in the interface view, MPLS is enabled on the corresponding interface.

6.3.2 Editing Command Lines

The editing function of command lines enables you to edit command lines or obtain help through certain keys. The CLI on the NE5000E provides the basic editing function of command lines and supports multi-line editing. Each command can contain up to 1024 characters. The common editing functions are described in Table 6-1.

Table 6-1 List of editing functions
Common key: Inserts a character at the cursor position and moves the cursor to the right if the editing buffer is not full.
BackSpace: Deletes the character before the cursor and moves the cursor to the left. If the cursor reaches the head of the command, the system does not respond.
Up cursor key or Ctrl_P: Accesses the previous historical command. Displays the previous historical command if there is an earlier one.
Down cursor key or Ctrl_N: Accesses the next historical command. Displays the next historical command if there is a later one; otherwise, the command is cleared.
Tab: Press Tab after entering an incomplete keyword and the system runs partial help.
- If the keyword matching the entered one is unique, the system replaces the entered one with the complete keyword and displays it in a new line with the cursor one space behind.
- If there are several matches or no match at all, the system displays the prefix first. You can press Tab to switch from one matched keyword to another. In this case, the cursor closely follows the end of the word, and you can press the spacebar and enter the next word.
- If an incorrect keyword is entered, press Tab and it is displayed in a new line without being changed.

NOTE
On the HyperTerminal of Windows 9X, the cursor keys are invalid because the HyperTerminal of Windows 9X defines the keys differently. In this case, replace the cursor keys with Ctrl_P.

Follow-up Procedure
A device automatically saves the typed historical commands; a historical command is a piece of keyboard entry ending with Enter or "?". The display history-command command displays commands that were run recently and helps you search for information.

6.3.3 Checking the Configuration

After completing a set of configurations, you can run the following commands to check the previous configuration.

Context
The basic configuration is complete.

Procedure
- Run:
display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | interface interface-type [ interface-number ] ]

The current configuration is displayed.
- Run:
display this

The configuration of the system in the current view is displayed. Parameters that take effect with their default values are not displayed, and parameters that have been set but have not taken effect are not displayed either.
----End

6.3.4 Checking the Diagnostic Information

When a fault occurs in the system and it is difficult to determine the module that causes the fault, you can use this command to collect diagnostic information for locating the fault.

Procedure
Step 1 Run:
display diagnostic-information [ file-name ]

The diagnostic information about the current system is displayed. By default, the file path is cfcard:, and the extension of the file is .txt.
The display diagnostic-information command combines the functions of multiple common display commands, such as the display clock, display version, and display current-configuration commands. Running this command is equivalent to running all of these display commands.
----End

6.3.5 Display Mode of Command Lines


All the commands share the same display feature. You can flexibly specify the display mode as required.

Display Feature
When the information cannot be completely displayed on one screen, you can adopt the pause function. You have three choices, as listed in Table 6-2.

Table 6-2 List of display functions
Key     Function
Ctrl+C  Stops displaying information and running commands.
Space   Continues to display the information on the next screen.
Enter   Continues to display the information in the next line.

Regular Expression
The regular expression describes a pattern that matches a set of character strings. It consists of common characters (such as the letters a to z) and special characters (also called metacharacters). The regular expression functions as a template to match a character pattern against the searched character string. The regular expression provides the following functions:
l Checks for and obtains the sub-string that matches a certain rule in the character string.
l Replaces the character string according to the matching rule.

The regular expression consists of common characters and special characters.
l Common character
Common characters match common characters in the character string, including all the uppercase letters, lowercase letters, numbers, punctuation marks, and special symbols. For example, "a" matches "a" in "abc"; "202" matches "202" in "202.113.25.155"; "@" matches "@" in "xxx@xxx.com".
l Special character
Special characters, together with common characters, match complicated or special character strings. For example, "^10" matches "10.10.10.1" instead of "20.10.10.1". Table 6-3 describes special characters and their syntax.

Table 6-3 Description of special characters
Special character: \
  Syntax: Defines an escape character, which marks the next character (common or special) as a common character.
  Example: \* matches "*".
Special character: ^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" instead of "20.10.10.1".
Special character: $
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" instead of "10.10.10.2".
Special character: *
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".
Special character: +
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".
Special character: ?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".
Special character: .
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".
Special character: ()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression should be matched.
  Example: 100(200)+ matches "100200" and "100200200".
Special character: x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", instead of "1234", "14", "1224", and "1334".
Special character: [xyz]
  Syntax: Matches any single character listed within the brackets.
  Example: [123] matches the character 2 in "255".
Special character: [^xyz]
  Syntax: Matches any character that is not contained within the brackets.
  Example: [^123] matches any character except for "1", "2", and "3".
Special character: [a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.
Special character: [^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.
Special character: _
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right parenthesis ")". Also matches the starting position of the input string, the ending position of the input string, or a space.
  Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

Degeneration of special characters
Certain special characters, when placed at the following positions in the regular expression, degenerate to common characters:
l A special character following "\" is escaped and matches itself.
l The special characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
l The special character "^" placed at any position except the start of the regular expression. For example, abc^ matches "abc^".
l The special character "$" placed at any position except the end of the regular expression. For example, 12$2 matches "12$2".
l A right bracket such as ")" or "]" that is not paired with a corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE

Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions serve as subexpressions within parentheses.

Combination of common characters and special characters
In actual application, multiple common characters and special characters, rather than one common character and one special character, are often combined to match a special character string.

The NE5000E supports the following filtering modes based on regular expressions. For the commands supporting the regular expression, you can choose one of the following filtering modes:
l | begin regular-expression
  Outputs all the lines following the line that matches the regular expression. That is, the system displays both the line that contains the specified character string (case sensitive) and all the following lines on the terminal.
l | exclude regular-expression
  Outputs all the lines that do not match the regular expression. That is, the system displays only the lines that do not contain the specified character string (case sensitive) on the terminal. If no line matches the rule, the output is null.
l | include regular-expression
  Outputs only the lines that match the regular expression. That is, the system displays only the lines that contain the specified character string (case sensitive) on the terminal. If no line matches the rule, the output is null.
When you run the display command with filtering rules set to query configurations, note the following:
l The output begins with the first line that contains the specified character string, not with a line that starts with the specified character string.
l For some functions, if the configurations have been made but have not taken effect, the output of the display command is null.

The NE5000E supports the redirection of the output of the display command to a specified file. There are two redirection modes:
l > filename
  The output of the display command is redirected to a specified file. If the file already exists, the content of the file is overwritten.
l >> filename
  The output of the display command is appended to a specified file, with the original content of the file unchanged.
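To show how the filtering modes above and the metacharacters of Table 6-3 (including the "_" character and the degeneration rules) behave, here is an added Python example; it is not code from this guide or from Huawei. It translates a Huawei-style regular expression into Python syntax and applies the | begin, | exclude and | include modes line by line to a constructed sample of display current-configuration output. The sample output and the helper names to_python_regex and filter_display are assumptions of the example.

```python
import re
from typing import List

# Constructed sample of "display current-configuration" output; it is not
# output captured from a real NE5000E.
SAMPLE_OUTPUT = """\
#
sysname NE5000E-LAB
#
interface GigabitEthernet0/0/0
 ip address 100.2.150.51 255.255.0.0
#
interface LoopBack0
 ip address 51.51.51.9 255.255.255.255
#
ip route-static 10.0.0.0 255.0.0.0 100.2.150.1
#
return
"""

# What the "_" metacharacter stands for in Table 6-3: comma, braces,
# parentheses, a space, or the start or end of the line.
UNDERSCORE_CLASS = r"(?:^|$|[ ,{}()])"


def to_python_regex(pattern: str) -> str:
    """Translate a Huawei-style regular expression into Python re syntax.

    Covers the metacharacters of Table 6-3 and the degeneration rules: "*",
    "+" and "?" at the start of the expression (or of a parenthesised
    subexpression) are literal, "^" anchors only at the start, "$" only at
    the end, and an unpaired ")" or "]" is literal.
    """
    out: List[str] = []
    depth = 0          # number of currently open "("
    at_start = True    # at the start of the expression or a subexpression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:           # "\x": the next char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            at_start = False
            continue
        if c == "_":
            out.append(UNDERSCORE_CLASS)
        elif c in "*+?":
            out.append(re.escape(c) if at_start else c)
        elif c == "^":
            out.append("^" if at_start else r"\^")
        elif c == "$":
            # An anchor only when nothing (or the ")" closing the current
            # subexpression) follows it.
            last = i == n - 1 or (depth > 0 and pattern[i + 1] == ")")
            out.append("$" if last else r"\$")
        elif c == "(":
            depth += 1
            out.append("(")
            i += 1
            at_start = True                   # degeneration applies inside ()
            continue
        elif c == ")":
            if depth:
                depth -= 1
                out.append(")")
            else:
                out.append(r"\)")             # unpaired ")" is literal
        elif c == "[":
            j = pattern.find("]", i + 2)      # copy "[...]" / "[^...]" as-is
            if j == -1:
                out.append(r"\[")             # unpaired "[": assumed literal
            else:
                out.append(pattern[i:j + 1])
                i = j + 1
                at_start = False
                continue
        elif c == "]":
            out.append(r"\]")                 # unpaired "]" is literal
        elif c in ".|":
            out.append(c)                     # same meaning in Python
        else:
            out.append(re.escape(c))          # common character
        at_start = False
        i += 1
    return "".join(out)


def filter_display(output: str, mode: str, pattern: str) -> List[str]:
    """Apply "| begin", "| exclude" or "| include" to display output.

    Matching is case sensitive and tests whether a line contains a match,
    which is why "| begin" starts at the first line that contains the
    string rather than the first line that starts with it.
    """
    rx = re.compile(to_python_regex(pattern))
    lines = output.splitlines()
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "begin":
        for idx, ln in enumerate(lines):
            if rx.search(ln):
                return lines[idx:]
        return []                             # no line matched: output is null
    raise ValueError(f"unknown filter mode: {mode}")


if __name__ == "__main__":
    for ln in filter_display(SAMPLE_OUTPUT, "begin", "^interface LoopBack0"):
        print(ln)
```

The translation keeps "[...]" classes untouched and escapes every other common character, so the only differences from Python's own syntax are the "_" class and the degeneration positions; a pattern such as "a|*b", which the guide does not define, is passed through and rejected by Python's compiler.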

6.3.6 Error Information in Command Lines


If an entered command passes the validation check, the command is executed correctly. Otherwise, the system prompts error information. Common error information is shown in Table 6-4.

Table 6-4 Common error information in command lines
Error Information     Cause
Unrecognized command  Indicates that no command is found.
                      Indicates that no keyword is found.
Wrong parameter       Indicates that the parameter type is incorrect.
                      Indicates that the parameter value exceeds the limit.
Incomplete command    Indicates that the input command is incomplete.
Too many parameters   Indicates that the input parameters are excessive.
Ambiguous command     Indicates that the input command is ambiguous.

6.4 How to Obtain Command Help


When you enter command lines or configure services, command help offers real-time help in addition to the configuration guide. The CLI on the NE5000E provides the following online help.

Full Help
You can obtain full help in any of the following methods:
l Enter a "?" in any command view to obtain all the commands and their brief descriptions.
<HUAWEI> ?

l Enter a command followed by a space and a "?". If the position of "?" is for a keyword, all the keywords and their brief descriptions are listed. Take the following command output as an example:
<HUAWEI> terminal ?
  debugging  Debug information to terminal
  logging    Log information to terminal

The words "debugging" and "logging" are keywords, while "Debug information to terminal" and "Log information to terminal" are their descriptions.
l Enter a command followed by a space and a "?". If the position of "?" is for a parameter, the value range and function of the parameter are listed. Take the following command output as an example:
[~HUAWEI] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
[~HUAWEI] ftp timeout 35 ?
  <cr>

In the command output, "INTEGER<1-35791>" indicates the value range, and "The value of FTP timeout (in minutes)" is the brief description of the parameter function. "<cr>" indicates that no parameter is in the position. In this case, press Enter to run the command.

Partial Help
You can obtain partial help in any of the following methods:
l Enter a string followed by a "?", and the system lists all the keywords that start with the string.
<HUAWEI> d?
  debugging  dir
  delete     display

l Enter a command followed by a string and a "?" if there are several matches for the keyword. Then, all the keywords that start with the string are listed.
<HUAWEI> display c?
  car            clock
  configuration  control-flap
  cpu-defend     cpu-monitor
  cpu-usage      current-configuration

l Enter the initial letters of a keyword in a command line and press Tab. Then, the complete keyword is displayed. If there are several matches for the keyword, you can press Tab repeatedly. Then, the matching keywords are displayed in turn, and you can choose the one you need.

6.5 How to Use Shortcut Keys


You can use the system shortcut keys or user-defined shortcut keys to enter the corresponding commands. This simplifies operations.

Applicable Environment
When configuring services through command lines, you can define shortcut keys to rapidly enter the frequently-used commands.

Pre-configuration Tasks
Before using shortcut keys, complete the following tasks:
l Installing the router and powering it on properly
l Logging in to the router as a client

Configuration Procedures
To use shortcut keys, perform the following procedures.

Related Tasks
6.6.1 Example for Using Tab
6.6.2 Example for Defining Shortcut Keys

6.5.1 Classification of Shortcut Keys


Shortcut keys consist of user-defined shortcut keys and system shortcut keys. After understanding the classification of shortcut keys, you can use shortcut keys quickly and accurately. Shortcut keys in the system are classified into two groups:
l User-defined shortcut keys: You can define five shortcut keys: Ctrl+G, Ctrl+L, Ctrl+O, Ctrl+T and Ctrl+U. You can associate each shortcut key with any command. When you use a shortcut key, the system automatically runs the corresponding command. For details, see 6.5.2 Defining Shortcut Keys.
l System shortcut keys: System shortcut keys are fixed. They provide fixed functions and cannot be defined by users. The main system shortcut keys are listed in Table 6-5.
NOTE

Different terminal software defines shortcut keys differently. Therefore, the shortcut keys on a terminal may be different from those listed in this section.

Table 6-5 System shortcut keys
Key     Function
Ctrl+C  Stops the running function.
Ctrl+K  Closes the connections for outgoing calls.
Ctrl+N  Displays the next command in the history command buffer.
Ctrl+P  Displays the previous command in the history command buffer.
Ctrl+Z  Returns to the user view.
Ctrl+]  Closes the connections for incoming calls or redirects the connection.

6.5.2 Defining Shortcut Keys


Only users of the management level have the right to define shortcut keys.


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command-text

The shortcut keys are defined. The default values of the shortcut keys Ctrl+G, Ctrl+L, and Ctrl+O are as follows:
l Ctrl+G: corresponds to the display current-configuration command.
l Ctrl+L: corresponds to the display ip routing-table command.
l Ctrl+O: corresponds to the undo debugging all command.
The default values of the other shortcut keys are null.
Step 3 Run:
commit

The configuration is committed.
----End

6.5.3 Displaying Shortcut Keys and Their Functions


You can use shortcut keys at any position where a command can be entered. After you use shortcut keys, the system displays the corresponding command on the screen. The result is the same as that of entering a complete command.

Context
If you enter an incomplete command and do not press Enter, the entered characters are cleared and the corresponding command is displayed on the screen if you use shortcut keys at this time. The result is the same as that of entering a complete command. Like the use of commands, the use of shortcut keys also makes the system record the original command in the command buffer and logs for further fault detection and query.

Procedure
Step 1 Run:
display hotkey

The shortcut keys supported by the system and their functions are displayed.
NOTE

The function of shortcut keys may be affected by the terminal in use. For example, when the user-defined shortcut keys on the router conflict with shortcut keys of the terminal program, the terminal program intercepts the shortcut keys when they are entered, and the corresponding command line cannot be run.

----End

6.6 Configuration Examples


This section describes how to use command lines with configuration examples.

6.6.1 Example for Using Tab


You can press Tab to make the system prompt the associated keywords or check whether the keywords are correct.

Networking Requirements
Any router on the network is required.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press Tab repeatedly until the desired keyword is displayed.
3. Enter the incorrect keyword and press Tab. In this case, the incorrect keyword remains unchanged.

Data Preparation
None. The use of Tab is described as follows:

If There Is Only One Match for an Incomplete Keyword

1. Enter an incomplete keyword.
[~HUAWEI] ip rout

2. Press Tab. The system replaces the entered keyword with the complete keyword followed by a space.
[~HUAWEI] ip route-static

If There Are Several Matches for an Incomplete Keyword

# The keyword ip route-static can be followed by the following keywords:
[~HUAWEI] ip route-static ?
  X.X.X.X             Destination IP address
  bfd                 BFD configuration information
  default-bfd         Default BFD parameter
  default-preference  Preference-value for IPv4 static-routes
  frr                 Fast Reroute
  selection-rule      Selection rule
  topology            Specify topology information
  vpn-instance        VPN-Instance route information

1. Enter an incomplete keyword.
[~HUAWEI] ip route-static d

2. Press Tab. The system first displays the common prefix of all the matched keywords. In this example, the prefix is "default".
[~HUAWEI] ip route-static default-

Press Tab to switch from one matched keyword to another. In this case, the cursor closely follows the end of the word.
[~HUAWEI] ip route-static default-bfd
[~HUAWEI] ip route-static default-preference

Stop pressing Tab when the desired keyword is displayed.
3. Enter the next word 10.
[~HUAWEI] ip route-static default-preference 10

Pressing Tab After an Incorrect Keyword Is Entered

1. Enter an incorrect keyword.
[~HUAWEI] ip route-static default-pe

2. Press Tab. The system displays the output in a new line. The entered keyword remains unchanged.
[~HUAWEI] ip route-static default-pe

Configuration Files
None.

Related Tasks
6.5 How to Use Shortcut Keys

6.6.2 Example for Defining Shortcut Keys


If shortcut keys are defined on the router, all users can use the shortcut keys regardless of the user levels.

Networking Requirements
Any router on the network is required.

Configuration Notes
If a user does not have the right to execute the command associated with a defined shortcut key, the system makes no response when the user presses this shortcut key.

Configuration Roadmap
The configuration roadmap is as follows:
1. Define the shortcut key Ctrl+U and associate it with the display ip routing-table command.
2. Press Ctrl+U at the prompt of [~HUAWEI].

Data Preparation
To define shortcut keys, you need the following data:
l Names of shortcut keys
l Names of the commands that are to be associated with shortcut keys

Procedure
Step 1 Define the shortcut key Ctrl+U, associate it with the display ip routing-table command, and run it.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_u display ip routing-table

Step 2 Press Ctrl+U at the prompt of [~HUAWEI].
[~HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost     Flags NextHop         Interface
51.51.51.9/32       Direct  0    0          D   127.0.0.1       InLoopBack0
100.2.0.0/16        Direct  0    0          D   100.2.150.51    GigabitEthernet0/0/0
100.2.150.51/32     Direct  0    0          D   127.0.0.1       InLoopBack0
100.2.255.255/32    Direct  0    0          D   127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0          D   127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0          D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0          D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0          D   127.0.0.1       InLoopBack0

----End

Configuration Files
None.

Related Tasks
6.5 How to Use Shortcut Keys

7 Device Upgrade

About This Chapter
7.1 Overview of Device Upgrade
7.2 Upgrade Modes Supported by the NE5000E

7.1 Overview of Device Upgrade


A device is upgraded when new features need to be added, existing performance needs to be optimized, or existing problems in the current version need to be solved.

Application Scenario of Device Upgrade

To perform the following actions, you need to upgrade the NE5000E:
l Adding new features
l Optimizing the existing performance
l Solving existing problems in the current version

Note
Before upgrading the NE5000E, pay attention to the following items:
l When upgrading the NE5000E at the site, prepare a spare part for each board.
l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the corresponding documents of the new version from Huawei.
l Back up configuration files, and collect and save service configurations.
l Enable the log function to record all the operations during the upgrade process.
l Check the software versions of all modules on each board, including the versions of the BootROM, Firmware, and MonitorBus.

7.2 Upgrade Modes Supported by the NE5000E


At present, the NE5000E can be upgraded by using the command line, mobile storage device, or BootROM.

Upgrade by Using the Command Line

This mode is applicable in the following situations. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system software version.
l The NE5000E works properly and uses FTP/TFTP for the upgrade. Other devices can log in to the NE5000E remotely.
l The NE5000E is upgraded for the first time and has been loaded with the system software package. Other devices can log in to the NE5000E through the serial interface to configure the IP address.

Upgrade by Using a Mobile Storage Device (CF Card)

Upgrading the NE5000E by using the CF card is mainly used during the engineering stage or the troubleshooting process. Before the upgrade, prepare two CF cards. In this mode, the NE5000E is upgraded by replacing the CF cards on the master and slave MPUs with CF cards containing the system software package. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system software version.

Upgrade by Using BootROM

This mode is applicable in the following situations. For operation details, refer to the "NE5000E V800R002C01 Version Upgrade Instructions" of the corresponding system software version:
l The NE5000E is upgraded for the first time, but the system software package of the NE5000E does not exist or is incorrect.
l After the NE5000E is upgraded and restarted, neither the master MPU nor the slave MPU can be registered.
l After the NE5000E is upgraded, the master MPU can be registered but the slave MPU cannot be registered.
l The MPU is replaced.
l Other devices cannot log in to the NE5000E through Telnet.

8 Patch Installation

About This Chapter
8.1 Overview
8.2 Patch Installation Modes Supported by the NE5000E

8.1 Overview
A patch can be installed on a device to improve device performance.

Patch Installation Requirements


During device operation, the system software may need to be modified to rectify system bugs or meet new function requirements. The traditional way is to upgrade system software after powering off the device. This, however, interrupts services and affects QoS. Loading a patch onto the system software allows the system software to be upgraded without interrupting services on the device. This also improves QoS.

Precautions
Note the following points when loading a patch on the NE5000E:
l It is normal that the patch file is loaded to boards asynchronously.
l When installing or uninstalling a patch, ensure that all boards that are in use on the device have registered with the system. If any LPU on the device is starting during patch installation or uninstallation, patch installation or uninstallation probably fails on this LPU.
l Do not remove or reinstall boards or close the VTP interface during patch installation.
l If the patch contains subcard patches, patch installation may last longer. Wait for at least 60 seconds after patch installation if you intend to delete the installed patch. This ensures that the same type of subcards on an LPU are in the same status.
l If the startup patch command has been used to specify the patch to be loaded at the next startup, run the patch-state run all command to activate the patch before restarting the device.

8.2 Patch Installation Modes Supported by the NE5000E


Currently, the NE5000E supports only patch installation using commands. For details on patch installation procedures, see the Patch Notes matching the software version.

9 Configuration Management

About This Chapter
Context
To ensure reliable user configurations, the system provides two configuration validation modes.

As increasingly new types of services emerge, higher requirements are imposed on devices. For example, it is required that services take effect after being configured, invalid configurations be discarded, and impact on the existing services be minimized. To ensure reliable user configurations, the system allows two-phase configuration validation. In the first phase, the system performs syntax and semantics checks. In the second phase, configurations take effect and are used for services.

9.1 Introduction to Configuration Management
The system supports two configuration validation modes, namely, immediate validation and two-phase validation. By default, the two-phase configuration validation mode takes effect.
9.2 Configuration Management Features that the NE5000E Supports
Configuration management features allow users to lock, preview, and discard configurations, and to save the configuration file used at the current startup and the configuration file to be loaded at the next startup of the system.
9.3 Selecting a Configuration Validation Mode
According to different reliability requirements, you can select either of two configuration validation modes, namely, immediate validation and two-phase validation.
9.4 Managing Configuration Files
You can set the configuration file to be loaded at the next startup and save the configuration file.
9.5 Configuration Examples
This section provides an example for configuring a configuration management networking. You can understand the configuration procedures by referring to the configuration flowchart. The configuration example provides information about the networking requirements, configuration notes, and configuration roadmap.


9.1 Introduction to Configuration Management


The system supports two configuration validation modes, namely, immediate validation and two-phase validation. By default, the two-phase configuration validation mode takes effect.
l The immediate configuration validation mode is the traditional configuration validation mode. In this mode, the system-view immediately command is used to enter the system view. After a user enters a command line and presses Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.
l In the two-phase configuration validation mode, the configuration process is divided into two phases. In this mode, the system-view command is used to enter the system view. In the first phase, a user enters a configuration command, and the system performs syntax and semantics checks on the candidate database. If an incorrect clause is found, the system displays a message on the command line terminal, indicating the fault and the cause. After entering a series of command lines to complete a configuration, you can run the commit command to commit the configuration, and the system enters the second phase, that is, the configuration commit phase. In the second phase, the system delivers the configuration in the candidate database to the corresponding service module. If the configuration takes effect, the system adds it to the running database. If the same configuration is added again, the system prompts a message.
The following table lists advantages and disadvantages of the immediate configuration validation and two-phase configuration validation modes.

Configuration Validation Mode: Immediate configuration validation mode
  Advantage: The impact of configurations on services can be detected immediately.
  Disadvantage: Incorrect configurations immediately affect services. In this case, you have to delete incorrect configurations one by one because deleting services as a whole is not allowed.
Configuration Validation Mode: Two-phase configuration validation mode
  Advantage:
  l All configurations take effect at the same time.
  l Configurations in the candidate database can be previewed.
  l When users find that a configuration in the candidate database is incorrect or does not meet their expectations, they can immediately clear the configurations that have not taken effect.
  l The impact of service configurations on current services can be minimized.
  Disadvantage: The commit command needs to be run to validate configurations.

9.2 Configuration Management Features that the NE5000E Supports


Configuration management features allow users to lock, preview, and discard configurations, and to save the configuration file used at the current startup and the configuration file to be loaded at the next startup of the system. The NE5000E supports the following configuration management features:
l configuration in two-phase configuration validation mode
l configuration in immediate configuration validation mode
l manual configuration saving
l automatic configuration saving
l configuration clearance
l specification of the configuration file to be loaded at the next startup
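As an added illustration of the two-phase validation described in 9.1 and of the lock, preview and discard features listed above (example code, not the NE5000E's implementation), the following Python model keeps a candidate database and a running database, performs the syntax and semantics checks in phase 1, and delivers the candidate database to the running database on commit. The two modelled commands, the single shared candidate database, and the class and function names are assumptions of the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class ConfigError(Exception):
    """Raised in phase 1 when a line fails the syntax or semantics check."""


def check_line(line: str) -> Tuple[str, str]:
    """Phase 1: validate one command line and return its (key, value) pair.

    Only two commands are modelled (an assumption of this example):
    "sysname <name>" and "ip route-static <dest> <mask> <next-hop>".
    """
    parts = line.split()
    if len(parts) == 2 and parts[0] == "sysname":
        return "sysname", parts[1]
    if len(parts) == 5 and parts[:2] == ["ip", "route-static"]:
        dest, mask, next_hop = parts[2:]
        try:
            # Semantics check: the destination must be a valid network for
            # the mask (no host bits set) and the next hop a valid address.
            network = ipaddress.IPv4Network((dest, mask), strict=True)
            ipaddress.IPv4Address(next_hop)
        except ValueError as exc:
            raise ConfigError(f"Wrong parameter: {exc}") from None
        key = f"ip route-static {network.network_address} {network.netmask}"
        return key, next_hop
    raise ConfigError(f"Unrecognized command: {line}")


class ConfigStore:
    """Candidate and running databases of two-phase configuration validation.

    One shared candidate database is assumed for brevity. While the
    configuration is locked, only the lock holder may commit.
    """

    def __init__(self) -> None:
        self.running: Dict[str, str] = {}    # configuration that has taken effect
        self.candidate: Dict[str, str] = {}  # entered but not yet committed
        self.lock_owner: Optional[str] = None

    def lock(self, user: str) -> None:
        """lock configuration: take exclusive right to commit."""
        if self.lock_owner not in (None, user):
            raise ConfigError(f"configuration is locked by {self.lock_owner}")
        self.lock_owner = user

    def unlock(self, user: str) -> None:
        if self.lock_owner == user:
            self.lock_owner = None

    def configure(self, line: str) -> None:
        """Phase 1: check the line and stage it in the candidate database."""
        key, value = check_line(line)
        self.candidate[key] = value

    def preview(self) -> Dict[str, str]:
        """Candidate entries that differ from the running database."""
        return {k: v for k, v in self.candidate.items() if self.running.get(k) != v}

    def discard(self) -> None:
        """Clear the configurations that have not taken effect."""
        self.candidate.clear()

    def commit(self, user: str) -> Tuple[List[str], List[str]]:
        """Phase 2: deliver the candidate database to the running database.

        Returns (keys that took effect, keys that were already present with
        the same value); the second list stands in for the message the
        device prompts when the same configuration is added again.
        """
        if self.lock_owner not in (None, user):
            raise ConfigError(f"commit refused: locked by {self.lock_owner}")
        applied: List[str] = []
        duplicates: List[str] = []
        for key, value in self.candidate.items():
            if self.running.get(key) == value:
                duplicates.append(key)
            else:
                self.running[key] = value
                applied.append(key)
        self.candidate.clear()   # all staged lines take effect together
        return applied, duplicates


if __name__ == "__main__":
    store = ConfigStore()
    store.configure("sysname NE5000E-LAB")
    store.configure("ip route-static 10.0.0.0 255.0.0.0 100.2.150.1")
    print("candidate:", store.preview())
    print("committed:", store.commit("alice"))
```

Until commit is called, running stays untouched however many lines have been staged, which is the property the immediate mode lacks; a line with host bits set in the destination is rejected in phase 1 and never reaches the candidate database.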

9.3 Selecting a Configuration Validation Mode


According to different reliability requirements, you can select either of two configuration validation modes, namely, immediate validation and two-phase validation.

Deployment Scenario
Before configuring a service, you must enter a configuration view. After the configuration view is displayed, the system initiates the corresponding configuration flow according to the set configuration validation mode. If configurations need to be validated immediately, you can use the immediate configuration validation mode. If configurations need to be validated after being configured, you can use the two-phase configuration validation mode.

Pre-configuration Tasks
Before managing configuration files, complete the following task:
l Allowing the user to log in to the device and enter the user view.

Configuration Procedures
A user can select either the immediate configuration validation mode or the two-phase configuration validation mode at a time.

Related Tasks
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode

9.3.1 Configuring Immediate Configuration Validation Mode


To validate configurations immediately after they are configured, enable the immediate configuration validation mode.

Context
Before configuring a service, you must enter the system view. After the system view is displayed, the configuration validation mode can be specified. In immediate configuration validation mode, after a user enters a command line and presses Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.

Procedure
Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view. To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and submitting configurations. Other users can configure services in the running database only if you unlock configurations.


CAUTION
After locking configurations, you can edit and submit configurations. Other users can view and edit configurations but cannot submit configurations. They can configure services in the running database only if you unlock configurations.

Step 2 Run:
system-view immediately

The immediate configuration validation mode is enabled.


NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be submitted. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be modified but can be queried. If a configuration fails to be submitted, wait 30 seconds and submit it again. If the submission fails again, the configuration is locked by another user.

In the immediate validation mode, the command prompt is as follows:
<HUAWEI> system-view immediately
[HUAWEI]

Step 3 (Optional) If a configuration has been locked, run:
1. quit

The user view is displayed.

2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise, configurations of other users cannot take effect.

----End

9.3.2 Configuring Two-Phase Configuration Validation Mode


If you need to validate configurations after the configurations are complete, you can use the two-phase configuration validation mode.

Context
The two-phase configuration validation mode enhances security and reliability of configurations and minimizes the impact of configurations on services. If the configuration of a service that has taken effect does not meet expectations, the system can roll back to the status before the configuration is committed. Figure 9-1 shows the procedures in two-phase configuration validation mode.

Figure 9-1 Flowchart of configuration commit
[Flowchart: Lock the configuration (optional) -> Set the two-phase validation mode and edit the configuration -> Preview the configuration (optional) -> Discard the uncommitted configuration (optional) -> Commit the configuration -> Unlock the configuration (optional). Legend: mandatory procedure, optional procedure.]

Procedure
Step 1 (Optional) Run:
lock configuration

Configurations are locked in the user view. To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and submitting configurations. Other users can configure services in the running database only if you unlock configurations.

CAUTION
After locking configurations, you can edit and commit configurations. Other users can view and edit configurations but cannot commit configurations. They can configure services in the running database only if you unlock configurations.

Step 2 Run:
system-view

The two-phase configuration validation mode is set and configurations can be edited.



NOTE

In the two-phase validation mode, the command prompt is as follows:
<HUAWEI> system-view
[~HUAWEI]

Step 3 (Optional) Run:
preview all configuration

Configurations in the candidate database can be previewed, including uncommitted and committed ones. Before committing configurations, you can continue editing uncommitted configurations.

Step 4 (Optional) Run:
clear candidate-configuration

All configurations that are not committed are cleared. If you do not need to validate uncommitted configurations, you can discard them.

Step 5 Run:
commit

The configuration is committed.


NOTE

To prevent a service from being affected, you can lock the configuration of a service as soon as the corresponding service process is initiated. While the configuration is locked, configurations cannot be committed. The configuration of the service remains locked until the service process is successfully started. During this period, the configuration cannot be committed but can be queried. If a configuration fails to be committed, wait 30 seconds and commit it again. If the commit fails again, the configuration is locked by another user.

Step 6 (Optional) If a configuration has been locked, run:
1. quit

The user view is displayed.

2. undo lock configuration

The configuration is unlocked.

CAUTION
After locking a configuration, you must unlock it after completing the configuration. Otherwise, configurations of other users cannot take effect.

----End

9.4 Managing Configuration Files


You can set the configuration file to be loaded at the next startup and save the configuration file.

Applicable Environment
Current configurations are saved into the configuration file. After the system is restarted, configurations can be restored.

Pre-configuration Tasks
Before managing configuration files, complete the following tasks:
l Installing the router and powering it on properly.
l Configuring user accounts and the login authentication mode.
l Configuring reachable routes between the router and the terminal.
l Allowing a user to log in to the device.

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

Related Tasks
9.5.6 Example for Managing Configuration Files

9.4.1 Saving Configurations


Configurations can be saved in a configuration file either automatically or manually.

Context
To avoid configuration loss on the router due to power-off or abnormal reset, the system supports automatic or manual configuration saving. To enable the system to automatically save configurations or to save configurations manually, perform the following steps on the router.

Procedure
l Automatic configuration saving
1. Run the system-view command to enter the system view.
2. Run the set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] * command to enable the system to automatically save configurations.
The system automatically saves configurations when the set interval interval expires, regardless of whether any configurations have changed during this period. If interval is not specified, the system automatically saves configurations every 30 minutes. If the automatic configuration saving timer expires and the CPU usage of the system is detected to be higher than the set cpu-limit cpu-usage, the system cancels the current automatic configuration saving operation. If delay delay-interval is specified, the system waits the specified delay before automatically saving configurations when configurations change.
After automatic configuration saving is configured, the system automatically saves configurations to the configuration file to be loaded at the next startup. The contents of the configuration file change along with configuration changes.
l Manual configuration saving
Run the save command to save the current configuration. The extension name of a configuration file must be .cfg or .zip.

----End

9.4.2 Comparing Configuration Files


You can compare the current configuration file with the next startup configuration file or the specified configuration file.

Context
NOTE

The extension of the configuration file to be compared must be .cfg or .zip.

Procedure
Step 1 Run:
compare configuration [ configuration-file ]

The current configuration is compared with the configuration file for the next startup or with the specified configuration file. The comparison begins at the first line of each file. When differences are found, the system displays the contents of the current configuration and of the saved configuration file starting from the first line that differs. By default, 150 characters are displayed for each configuration file. If fewer than 150 characters remain from the first differing line to the end of the file, all of the remaining contents are displayed. When the current configuration is compared with the configuration file for the next startup and that file is unavailable or its contents are null, the system prompts that reading the file fails.

----End
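The comparison rules above, modelled as an added Python example (not Huawei code) so they can be checked offline: the two configuration texts, the read-failure message and the excerpt headings are constructed, and only the "same as the next startup configuration file" line is taken from the 9.5.6 example.

```python
"""Model of how the compare configuration command reports differences.

Added example, not Huawei code: it reproduces the rules given above (compare from
the first differing line, show at most 150 characters of each file from that line,
report a read failure when the next-startup file is missing or empty). The two
configurations below are constructed for the demonstration.
"""
from typing import Optional, Tuple

DISPLAY_CHARS = 150  # default number of characters shown per file

# Constructed sample: the running configuration gained "ftp server enable"
# after the startup file was saved (as in the 9.5.6 example).
SAVED_CFG = (
    "#\nsysname HUAWEI\n#\ninterface GigabitEthernet4/0/6\n undo shutdown\n"
    " ip address 12.1.1.1 255.255.255.0\n#\nreturn\n"
)
CURRENT_CFG = SAVED_CFG.replace("#\ninterface", "#\nftp server enable\n#\ninterface", 1)


class ConfigReadError(Exception):
    """The next-startup file is unavailable or its contents are null."""


def first_difference(current: str, saved: str) -> Optional[int]:
    """Index of the first line that differs, or None when the files are identical.

    A file that is a strict prefix of the other differs at the first missing line."""
    cur, old = current.splitlines(), saved.splitlines()
    for i, (a, b) in enumerate(zip(cur, old)):
        if a != b:
            return i
    return None if len(cur) == len(old) else min(len(cur), len(old))


def compare_configuration(current: str, saved: Optional[str],
                          limit: int = DISPLAY_CHARS) -> Optional[Tuple[str, str]]:
    """Return None if identical, else (current excerpt, saved excerpt).

    Each excerpt starts at the first differing line and is cut to `limit`
    characters; a tail shorter than `limit` is shown whole."""
    if not saved:
        # Constructed message standing in for the device's read-failure prompt.
        raise ConfigReadError("Error: Failed to read the configuration file.")
    idx = first_difference(current, saved)
    if idx is None:
        return None
    cur_tail = "\n".join(current.splitlines()[idx:])
    old_tail = "\n".join(saved.splitlines()[idx:])
    return cur_tail[:limit], old_tail[:limit]


def render(current: str, saved: Optional[str], limit: int = DISPLAY_CHARS) -> str:
    """Text a user would see; the 'same' message is the one shown in 9.5.6,
    the section headings are constructed."""
    try:
        result = compare_configuration(current, saved, limit)
    except ConfigReadError as exc:
        return str(exc)
    if result is None:
        return "The current configuration is the same as the next startup configuration file."
    return ("====== Current configuration (from first differing line) ======\n"
            f"{result[0]}\n====== Saved configuration ======\n{result[1]}")


if __name__ == "__main__":
    print(render(CURRENT_CFG, SAVED_CFG))
```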

9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup
You can specify a required configuration file to be loaded at the next startup of the system.

Context
After the system is restarted, you can specify a configuration file to restore system configurations.

Procedure
Step 1 Run:
startup saved-configuration configuration-file

The configuration file to be used at the next startup is specified. The extension of the configuration file name must be .db, .zip, or .cfg, and the file must be saved in the root directory of the storage device.

----End

9.4.4 Clearing the System Configuration File Loaded at the Current Startup
You can clear the configuration file that is loaded at the current startup of the system.

Context
The configuration file needs to be cleared in the following situations:
l The system software does not match the configuration file after the router is upgraded.
l The configuration file is destroyed or an incorrect configuration file is loaded.

Procedure
Step 1 Run:
reset saved-configuration

The configuration file that is loaded at the current startup is cleared.


NOTE

Before clearing the configuration file of the router, the system compares the configuration file loaded at the current startup with that to be loaded at the next startup of the system.
l If the two configuration files are consistent with each other, they are both cleared. At this time, the configuration file to be loaded at the next startup must be configured on the router. Otherwise, there is no configuration file on the device after the next startup.
l If the two configuration files are inconsistent with each other, the configuration file loaded at the current startup is cleared.
l If the configuration file loaded at the current startup of the router is empty, the system notifies users that the configuration file does not exist after the reset saved-configuration command is run.

WARNING
Exercise caution when using this command; it is recommended that you run it under the supervision of technical support personnel.

----End

9.4.5 Checking the Configuration


You can check the configuration file loaded at the current startup and the configuration file to be loaded at the next startup, the configuration information in configuration files, and the configuration that is currently running.

Prerequisite
The file for the next startup has been loaded.

Procedure
l Run the display configuration configuration-file command to check configuration information about a specified configuration file.
l Run the display saved-configuration last command to check the configuration file loaded at the current startup of the system.
l Run the display saved-configuration command to check the configuration file to be loaded at the next startup of the system.
l Run the display startup command to check the names of the system software, the configuration file loaded at the current startup, and the configuration file to be loaded at the next startup.

----End

Example
# Display configuration information about specified configuration files.
<HUAWEI> display configuration vrpcfg.db
#
info-center loghost source LoopBack0
info-center loghost 10.1.1.1
info-center loghost 10.1.1.2
#
alarm
 suppression name hwBfdSessReachLimit cause-period 5
 suppression name hwBfdSessReachLimit clear-period 15
 alarm name hwBfdSessReachLimit severity Critical
 snmp target-host target-host1 mask name mask1
#
mask name mask1
 mask severity Minor
 mask severity Warning
 mask alarm-name PmThresholdAlarm
#
user-interface maximum-vty 15
#
efm enable
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the configuration file loaded at the current startup.


<HUAWEI> display saved-configuration last
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the configuration file to be loaded at the next startup.


<HUAWEI> display saved-configuration
#
aaa
 local-user ftp password cipher 0E0`_:6&/NGQ=^Q`MAF4<1!!
 local-user ftp ftp-directory cfcard:/
 local-user ftp service-type ftp
#
interface Ethernet3/0/1
 description Don't Shutdown! It's Management Port!
 undo shutdown
#
user-interface con 0
 set authentication password cipher OUM!K%F<+$[Q=^Q`MAF4<1!!
 history-command max-size 30
#
user-interface vty 0 14
 user privilege level 3
 idle-timeout 0 0
#
return

# Display the names of the system software, the configuration file loaded at the current startup, and the configuration file to be loaded at the next startup.
<HUAWEI> display startup
MainBoard
 Configured startup system software    : VRPV800R002C00SPC001B003.rpg
 Startup system software               : VRPV800R002C00SPC001B003.rpg
 Next startup system software          : VRPV800R002C00SPC001B003.rpg
 Startup saved-configuration file      : cfcard:/v1.cfg
 Next startup saved-configuration file : cfcard:/v2.cfg
 Startup paf file                      : default
 Next startup paf file                 : default
 Startup patch package                 : NULL
 Next startup patch package            : NULL
SlaveBoard
 Configured startup system software    : VRPV800R002C00SPC001B003.rpg
 Startup system software               : VRPV800R002C00SPC001B003.rpg
 Next startup system software          : VRPV800R002C00SPC001B003.rpg
 Startup saved-configuration file      : cfcard:/v1.cfg
 Next startup saved-configuration file : cfcard:/v2.cfg
 Startup paf file                      : default
 Next startup paf file                 : default
 Startup patch package                 : NULL
 Next startup patch package            : NULL

9.5 Configuration Examples


This section provides examples of configuration management networking. You can understand the configuration procedures by referring to the configuration flowchart. Each configuration example provides information about the networking requirements, configuration notes, and configuration roadmap.

9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode
This section describes how to configure user services on the router in immediate configuration validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-2, a user logs in to the Router.

Figure 9-2 Networking of configuring services in immediate configuration validation mode
[Figure: User -- IP Network -- Router]

To enable services to take effect immediately after they are configured, configure the services in immediate configuration validation mode. After you enter a command line and press Enter, the system performs the syntax check. The configuration takes effect as soon as it passes the syntax check.

Configuration Roadmap
The configuration roadmap is as follows:
1. Choose the immediate configuration validation mode.
2. Configure a service.

Data Preparation
Interface IP address

Procedure
Step 1 Choose the immediate configuration validation mode.
<HUAWEI> system-view immediately

Step 2 Configure a service.
# Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
[HUAWEI] interface GigabitEthernet 4/0/6
[HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode
This section provides an example for configuring services on the router after configurations on the device have been locked by another user.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.


As shown in Figure 9-3, user A and user B log in to the Router at the same time. After user A locks configurations on the Router, user B attempts to configure services on the device.

Figure 9-3 Networking of configuring services when configurations have been locked by another user in two-phase configuration validation mode
[Figure: UserA and UserB -- IP Network -- Router]

To use the running database exclusively, lock configurations on the device to prevent other users from configuring services and submitting configurations. When configurations are locked by a user and other users attempt to configure services, the system will notify them that configurations have been locked. Other users can configure services in the running database only if the user unlocks configurations.

Configuration Roadmap
The configuration roadmap is as follows:
1. User A locks configurations.
2. User B configures a service. The system will notify user B that the current configuration fails because configurations have been locked by another user.

Data Preparation
Interface IP address

Procedure
Step 1 User A locks configurations.
<HUAWEI> lock configuration

Step 2 User B configures a service.


<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24
[~HUAWEI-GigabitEthernet4/0/6] commit
Error: The configuration is locked by other user. [Session ID = 407]

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
#


Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
This section provides an example for multiple users to configure a same service on one router in two-phase configuration validation mode.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-4, user A and user B log in to the Router at the same time. After user A configures a service on the Router, user B performs the same configuration for the service on the device.

Figure 9-4 Networking of multiple users to configure a same service in two-phase configuration validation mode
[Figure: UserA and UserB -- IP Network -- Router]

When user B submits the configuration that is the same as the configuration submitted by user A, the system will notify user B that the configuration conflicts with an existing configuration.

Configuration Roadmap
The configuration roadmap is as follows:
1. Allow user A and user B to configure a same service successively.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation
Interface IP address

Procedure
Step 1 Allow user A and user B to configure a same service successively.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

l User B configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

Step 2 User A submits the configuration.
[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration. The system prompts user B that the configuration of user B conflicts with that of user A.
[~HUAWEI-GigabitEthernet4/0/6] commit
ip address 12.1.1.1 24
Error: The address already exists.
Commit canceled, the configuration conflicted with other user, you can modify the configuration and commit again.

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
This section provides an example for multiple users to configure a service on one router.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.


As shown in Figure 9-5, user A and user B log in to the Router at the same time. After user A configures a service on the Router, user B configures the service on the device. For example, users A and B both configure different IP addresses on the same interface.

Figure 9-5 Networking of multiple users to configure a service in two-phase configuration validation mode
[Figure: UserA and UserB -- IP Network -- Router]

When user B submits the configuration, it will overwrite the configuration submitted by user A.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a service as user A and user B.
2. Submit the configuration of user A.
3. Submit the configuration of user B.

Data Preparation
Different interface IP addresses

Procedure
Step 1 Configure a service as user A and user B.
l Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router as user A.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

l Configure the IP address of GigabitEthernet 4/0/6 to be 12.1.1.2 on the router as user B.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.2 24

Step 2 Submit the configuration of user A.
[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 Submit the configuration of user B.
[~HUAWEI-GigabitEthernet4/0/6] commit

The following information indicates that the configuration of user B overwrites the configuration submitted by user A.
[~HUAWEI-GigabitEthernet4/0/6] display this
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.2 255.255.255.0
return

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.2 255.255.255.0
#

Related Tasks
9.3 Selecting a Configuration Validation Mode

9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode
This section provides an example for configuring different services on one router.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-6, user A and user B log in to the Router at the same time. User A and user B configure different services on the Router.

Figure 9-6 Networking of configuring different services by multiple users in two-phase configuration validation mode
[Figure: UserA and UserB -- IP Network -- Router]

If user A and user B submit two configurations of different services, both configurations take effect.

Configuration Roadmap
The configuration roadmap is as follows:
1. Allow user A and user B to configure different services.
2. User A submits the configuration.
3. User B submits the configuration.

Data Preparation
Interface IP address

Procedure
Step 1 Allow user A and user B to configure different services.
l User A configures the IP address of GigabitEthernet 4/0/6 to be 12.1.1.1 on the router.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 4/0/6
[~HUAWEI-GigabitEthernet4/0/6] ip address 12.1.1.1 24

l User B enables the FTP service.
<HUAWEI> system-view
[~HUAWEI] ftp server enable

Step 2 User A submits the configuration.
[~HUAWEI-GigabitEthernet4/0/6] commit

Step 3 User B submits the configuration.
[~HUAWEI] commit

After user B commits configurations, the system adds the new configurations to the original configurations.
<HUAWEI> display current-configuration
#
ftp server enable
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0

----End

Configuration Files
#
sysname HUAWEI
#
interface GigabitEthernet4/0/6
 undo shutdown
 ip address 12.1.1.1 255.255.255.0
#
ftp server enable
#
return

Related Tasks
9.3 Selecting a Configuration Validation Mode
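The lock, conflict, overwrite and merge outcomes of 9.5.2 to 9.5.5, together with the candidate-database operations of 9.3.2, modelled as an added Python example that is not Huawei code: the Device class, its (view, statement) keys, the session numbers and the "ok" result are constructed assumptions; the error texts are the ones quoted in the examples above.

```python
"""Model of two-phase configuration validation (9.3.2) and the multi-user outcomes
in 9.5.2 to 9.5.5: locked commit, same-value conflict, overwrite, and merge.
Added example, not Huawei code: the device, its running and candidate databases,
the session numbers and the 'ok' result string are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A statement is addressed by (view, statement) and holds one value, e.g.
# ("interface GigabitEthernet4/0/6", "ip address") -> "12.1.1.1 24".
Key = Tuple[str, str]
IFACE = "interface GigabitEthernet4/0/6"


class CommitError(Exception):
    """Commit refused; the candidate database is kept so the user can modify and retry."""


@dataclass
class Change:
    value: str           # value entered into the candidate database
    base: Optional[str]  # running value seen when the line was entered


class Device:
    def __init__(self) -> None:
        self.running: Dict[Key, str] = {}                   # running database
        self.candidates: Dict[int, Dict[Key, Change]] = {}  # candidate database per session
        self.lock_owner: Optional[int] = None

    def lock(self, session: int) -> None:
        """lock configuration: until undo lock configuration, only the owner may commit."""
        if self.lock_owner not in (None, session):
            raise CommitError("Error: The configuration is locked by other user.")
        self.lock_owner = session

    def unlock(self, session: int) -> None:
        if self.lock_owner == session:
            self.lock_owner = None

    def edit(self, session: int, view: str, statement: str, value: str) -> None:
        """Editing is never blocked by the lock; only the commit is (CAUTION in 9.3.2)."""
        key = (view, statement)
        self.candidates.setdefault(session, {})[key] = Change(value, self.running.get(key))

    def preview(self, session: int) -> Dict[Key, str]:
        """preview all configuration: committed lines plus this session's uncommitted ones."""
        merged = dict(self.running)
        merged.update({k: c.value for k, c in self.candidates.get(session, {}).items()})
        return merged

    def clear_candidate(self, session: int) -> None:
        """clear candidate-configuration: discard everything not yet committed."""
        self.candidates.pop(session, None)

    def commit(self, session: int) -> None:
        if self.lock_owner not in (None, session):
            raise CommitError("Error: The configuration is locked by other user. "
                              f"[Session ID = {self.lock_owner}]")
        cand = self.candidates.get(session, {})
        # Phase 1: validate every line before applying any, so a refused commit leaves
        # the running database untouched. A value that someone else committed after
        # this session entered it is the 9.5.3 conflict.
        for key, change in cand.items():
            now = self.running.get(key)
            if now != change.base and now == change.value:
                raise CommitError(f"{key[1]} {change.value}\nCommit canceled, the configuration "
                                  "conflicted with other user, you can modify the configuration "
                                  "and commit again.")
        # Phase 2: apply. A different value overwrites (9.5.4); statements another
        # session committed meanwhile are kept (9.5.5).
        for key, change in cand.items():
            self.running[key] = change.value
        self.clear_candidate(session)


def try_commit(dev: Device, session: int) -> str:
    """'ok', or the first line of the error the model reports."""
    try:
        dev.commit(session)
        return "ok"
    except CommitError as exc:
        return str(exc).splitlines()[0]


def two_users(edit_b: Tuple[str, str, str],
              a_locks: bool = False) -> Tuple[str, str, Dict[Key, str]]:
    """User A (session 407) enters 12.1.1.1/24 on the interface; user B (session 2)
    enters edit_b; A commits first, then B. Returns both results and the running
    database. a_locks reproduces 9.5.2; edit_b selects 9.5.3 (same address),
    9.5.4 (different address) or 9.5.5 (unrelated service)."""
    dev = Device()
    if a_locks:
        dev.lock(407)
    dev.edit(407, IFACE, "ip address", "12.1.1.1 24")
    dev.edit(2, *edit_b)
    return try_commit(dev, 407), try_commit(dev, 2), dict(dev.running)
```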

9.5.6 Example for Managing Configuration Files


This example shows you how to save configurations and set the configuration file to be loaded at the next startup.

Networking Requirements

CAUTION
For the NE5000E, the interface is numbered as slot number/card number/interface number. For the NE5000E cluster, the interface is numbered as chassis ID/slot number/card number/interface number. The slot number is chassis ID/slot ID.

As shown in Figure 9-7, a user logs in to the Router.

Figure 9-7 Managing Configuration Files
[Figure: User -- IP Network -- Router]

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Change configurations.
2. Save configurations in a configuration file.
3. Specify the configuration file to be loaded at the next startup.
4. After system upgrade, compare the current running configuration with that defined in the configuration file loaded at system startup to check whether configurations are lost.

Data Preparation
None.

Procedure
Step 1 Change configurations. For example, enable the FTP service.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
[~HUAWEI] commit
[~HUAWEI] quit

Step 2 Save configurations to the file vrpcfg.cfg.


<HUAWEI> save vrpcfg.cfg
Warning: Are you sure to save the configuration to vrpcfg.cfg? [Y/N]: y
Now saving the current configuration to the device.
Save the configuration successfully.

Step 3 Specify the configuration file to be loaded at the next startup.


<HUAWEI> startup saved-configuration vrpcfg.cfg

Step 4 After system upgrade, compare the current running configuration with that defined in the configuration file loaded at system startup to check whether configurations are lost.
<HUAWEI> compare configuration
The current configuration is the same as the next startup configuration file.

----End

Configuration Files
#
sysname HUAWEI
#
ftp server enable

Related Tasks
9.4 Managing Configuration Files


10 File System Management

About This Chapter

The file system can help you manage files and directories on a storage device.

10.1 File System Overview
The file system helps you manage files and directories on a storage device so that you can view, create, rename, or delete a directory, or copy, move, rename, or delete a file.

10.2 File System Supported by the NE5000E
The NE5000E supports the file system, including storage devices, directories, and files.

10.3 Managing the Directory
You can manage directories to logically store files in hierarchy.

10.4 Managing Files
You can log in to the file system to view, delete, or rename the files on the router.

10.5 Configuration Examples
This section provides examples for using the file system. Each configuration example consists of the networking requirements, configuration notes, configuration roadmap, configuration procedures, and configuration files.


10.1 File System Overview


The file system helps you manage files and directories on a storage device so that you can view, create, rename, or delete a directory, or copy, move, rename, or delete a file.

10.2 File System Supported by the NE5000E


The NE5000E supports the file system, including storage devices, directories, and files.

Storage Devices
Storage devices are hardware components that store data. At present, the router supports storage devices such as the flash memory and the compact flash (CF) card.

Directories
A directory is a mechanism with which the system organizes files; it serves as a logical container for files.

Files
A file is a mechanism with which the system stores and manages data.

10.3 Managing the Directory


You can manage directories to logically store files in hierarchy.

Context
You can manage directories by changing and displaying directories, displaying files in directories and sub-directories, and creating and deleting directories.

Procedure
- Run:
  cd directory
  A directory is specified.
- Run:
  pwd
  The current directory is displayed.
- Run:
  dir [ /all ] [ filename ]
  The file and sub-directory list in the directory is displayed. Either the absolute path or the relative path is applicable.
- Run:
  mkdir directory
  The directory is created.
- Run:
  rename source-filename destination-filename
  The directory is renamed.
- Run:
  rmdir directory
  The directory is deleted.
----End

Related Tasks
10.5.1 Example for Managing a Directory

10.4 Managing Files


You can log in to the file system to view, delete, or rename the files on the router.

Context
- Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batch, and configuring prompt modes.
- You can run the cd directory command to enter the required directory from the current directory.

Procedure
- Run:
  more filename
  The content of the file is displayed.
- Run:
  copy source-filename destination-filename
  The file is copied.
  NOTE
  The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
- Run:
  move source-filename destination-filename
  The file is moved.
- Run:
  rename source-filename destination-filename
  The file is renamed.
- Run:
  zip source-filename destination-filename
  The file is compressed.
- Run:
  delete [ /unreserved ] filename
  The file is deleted. If you use the parameter /unreserved in the delete command, the file cannot be restored after being deleted.
- Run:
  undelete filename
  The deleted file is recovered.
  NOTE
  If the current directory is not the parent directory of the file, you must operate on the file by using its absolute path. If you use the parameter /unreserved in the delete command, the file cannot be restored after being deleted.
- Run:
  reset recycle-bin [ /f | filename ]
  Files in the recycle bin are permanently deleted. /f specifies that all files are deleted from the recycle bin without a prompt asking whether to delete them.
- Running files in batch
  You can upload files and then process them in batches. The edited batch file must be saved on a storage device of the router. After the batch file is created, you can run it to perform routine tasks automatically.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     execute filename
     The batch file is executed.
- Configuring prompt modes
  The system displays prompts or warning messages when you operate the device (especially for operations that can lead to data loss). If you need to change the prompt mode for file operations, configure the prompt mode of the file system.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     file prompt { alert | quiet }
     The prompt mode of the file system is configured. By default, the prompt mode is alert.
  CAUTION
  If the prompt mode is quiet, no prompt appears before data is lost due to misoperation.
----End

Related Tasks
10.5.2 Example for Managing Files

10.5 Configuration Examples


This section provides examples for using the file system. Each configuration example consists of the networking requirements, configuration notes, configuration roadmap, configuration procedures, and configuration files.

10.5.1 Example for Managing a Directory


This section describes how to manage a directory.

Networking Requirements
The router on which you need to manage a directory is correctly configured.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. View the current directory.
2. Create a new directory.
3. Check that the new directory is successfully created.

Data Preparation
To complete the configuration, you need the following data:
- Name of the directory to be created

Procedure
Step 1 Display the current directory.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-                 Sep 09 2009 09:42:52   src
    3  drw-                 Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010 11:09:21   logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Create a new directory in the root directory.
<HUAWEI> mkdir abc
Info:Create directory cfcard:/abc......Done.

Step 3 Display the current directory. You can view that the new directory is successfully created.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-                 Sep 09 2009 09:42:52   src
    3  drw-                 Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010 11:09:21   logfilelogfile
   10  drw-                 Jan 23 2010 11:10:42   abc

180,862 KB total (305,358 KB free)

----End
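When dir output is collected from many routers (for inventory, or to confirm after the fact that a mkdir, copy or delete took effect), it helps to turn the listing into records instead of reading it by eye. The following Python parser is an added example, not Huawei code; it handles the listing format shown above, including directory rows that carry no size, and the trailing "total/free" summary. The listing embedded in the script is a constructed sample modelled on the example output.

```python
"""Parser for the NE5000E 'dir' listing format shown in this chapter.
Added example, not NE5000E software; DIR_OUTPUT is a constructed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the 'dir' output in the example above.
DIR_OUTPUT = """\
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-                 Sep 09 2009 09:42:52   src
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
   10  drw-                 Jan 23 2010 11:10:42   abc

180,862 KB total (305,358 KB free)
"""

# One entry row. The size column is optional because directories have none.
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[d-]rw-)\s+(?:(?P<size>[\d,]+)\s+)?"
    r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<name>\S+)\s*$"
)
SUMMARY_RE = re.compile(r"^([\d,]+) KB total \(([\d,]+) KB free\)")


@dataclass
class DirEntry:
    idx: int
    is_dir: bool
    size: Optional[int]   # None for directories
    timestamp: str        # "Mon DD YYYY HH:MM:SS" as printed (LMT)
    name: str


@dataclass
class DirListing:
    path: str
    entries: List[DirEntry]
    total_kb: int
    free_kb: int


def _to_int(number_with_commas: str) -> int:
    return int(number_with_commas.replace(",", ""))


def parse_dir_output(text: str) -> DirListing:
    """Turn a captured 'dir' listing into a DirListing; header, separator
    and prompt lines are skipped because they never match ENTRY_RE."""
    path, entries, total_kb, free_kb = "", [], 0, 0
    for line in text.splitlines():
        if line.startswith("Directory of "):
            path = line[len("Directory of "):].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            size = m.group("size")
            entries.append(DirEntry(
                idx=int(m.group("idx")),
                is_dir=m.group("attr").startswith("d"),
                size=_to_int(size) if size else None,
                timestamp=f"{m.group('date')} {m.group('time')}",
                name=m.group("name"),
            ))
            continue
        s = SUMMARY_RE.match(line.strip())
        if s:
            total_kb, free_kb = _to_int(s.group(1)), _to_int(s.group(2))
    return DirListing(path, entries, total_kb, free_kb)


def find_entries(listing: DirListing, name: str) -> List[DirEntry]:
    """All entries with the given name (a name can appear more than once)."""
    return [e for e in listing.entries if e.name == name]


def directory_exists(listing: DirListing, name: str) -> bool:
    """Check that a directory (not a file) with this name is listed, e.g.
    to confirm a 'mkdir' from a later 'dir' capture."""
    return any(e.is_dir for e in find_entries(listing, name))


def total_file_bytes(listing: DirListing) -> int:
    """Sum of the sizes of all regular files in the listing."""
    return sum(e.size for e in listing.entries if not e.is_dir and e.size is not None)


if __name__ == "__main__":
    parsed = parse_dir_output(DIR_OUTPUT)
    print(parsed.path, len(parsed.entries), "entries,", total_file_bytes(parsed), "bytes in files")
```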

Related Tasks
10.3 Managing the Directory

10.5.2 Example for Managing Files


This section provides an example for managing files.

Networking Requirements
By configuring the file system of the router, a user can operate the router through the console port and copy files to the specified directory. The file path in the storage device must be correct. If the user does not specify a target file name, the source file name is the name of the target file by default.

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and view that the file is copied successfully to the specified directory.

Data Preparation
To complete the configuration, you need the following data:
- Source file name and target file name
- Source file path and target file path

Procedure
Step 1 Display the file information in the current directory.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-                 Sep 09 2009 09:42:52   src
    3  drw-                 Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010 11:09:21   logfilelogfile

180,862 KB total (305,358 KB free)

Step 2 Copy files from slave#cfcard2:/sample.txt to cfcard:/sample.txt.


<HUAWEI> copy slave#cfcard2:/sample.txt cfcard:/sample1.txt
Copy slave#cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]: y
.100% complete
Info:Copied file slave#cfcard2:/sample.txt to cfcard:/sample1.txt...Done.

Step 3 Display the file information about the current directory. You can view that the file is copied to the specified directory.
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-          1,235  Dec 17 2009 17:10:53   vrpcfg.cfg
    1  -rw-        524,575  Jan 25 2010 10:03:33   private-data.txt
    2  drw-                 Sep 09 2009 09:42:52   src
    3  drw-                 Sep 09 2009 09:42:53   logfile
    4  -rw-            280  Sep 09 2009 09:42:53   $_patch_rollback_state
    5  -rw-         11,772  Nov 25 2009 16:56:55   $_patchstate_a
    6  -rw-              4  Jan 19 2010 03:09:32   snmpnotilog.txt
    7  drw-                 Sep 09 2009 09:43:00   lam
    8  -rw-          2,584  Jan 21 2010 12:02:18   vrpcfg.cfg
    9  drw-                 Jan 21 2010 11:09:21   logfilelogfile
   10  -rw-          1,605  Jan 23 2010 14:30:32   sample1.txt

180,864 KB total (305,356 KB free)

----End

Related Tasks
10.4 Managing Files

11 Clock Synchronization Configuration

About This Chapter

11.1 Clock Synchronization Overview
On a digital communication network (DCN), clock synchronization ensures the normal communication between the sender and receiver by enabling the sender to send and the receiver to obtain digital pulse signals in the same timeslots.

11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)
Before configuring clock synchronization, familiarize yourself with the concepts of the BITS clock signal, POS line clock signal, clock source selection mode, and so on. This will help you complete the configuration task quickly and efficiently.

11.3 Configuring an External BITS Clock Reference Source
You can configure a device to trace different types of external BITS clock reference sources. (This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB.)

11.4 Specifying a Clock Source Manually
In manual mode, you can specify a certain clock source for the clock board to trace.

11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities
When a device has multiple clock sources but does not perform clock source switching based on SSM levels, you can set different priorities for the clock sources. When the clock source with the highest priority fails, the clock board switches to use the clock source with the second highest priority.

11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels
When there are multiple clock sources, the clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

11.7 Configuration Examples
This section describes how to configure protection switching among clocks with an example. In this configuration example, the networking requirements, configuration notes, and configuration roadmap are provided.


11.1 Clock Synchronization Overview


On a digital communication network (DCN), clock synchronization ensures the normal communication between the sender and receiver by enabling the sender to send and the receiver to obtain digital pulse signals in the same timeslots.

Concepts
Clock synchronization refers to the maintenance of a strict relationship between the frequencies or signal phases of all the devices on a network. This means that signals are transmitted at the same average rate during a valid period, which allows all the devices on the network to work at the same rate. On a digital communication network, the send end sends digital pulse signals in specific timeslots, and the receive end extracts pulses from these timeslots. In this manner, the send end and the receive end can communicate with each other. The clocks of the send end and the receive end must be synchronized, which is the prerequisite for normal communication between the two ends. Clock synchronization can ensure that the clocks on the send end and the receive end are synchronized.

Purpose
Clock synchronization is a technique that limits the difference in clock frequency or phase between the network elements (NEs) on a digital network to within a certain range. On a digital communication network, discrete pulses obtained from Pulse Code Modulation (PCM)-coded information are transmitted. If the clock frequencies of two digital switching devices differ, or digital bit streams are corrupted by interference during transmission, phase drift or jitter occurs. Consequently, the buffer of the digital switching system experiences data loss or duplication, resulting in incorrect transmission of the bit streams. If the frequency difference or phase difference is beyond the allowed range, error codes and jitter may occur, which causes network transmission performance to deteriorate.

Classification and Numbering of Clock Sources

A device that provides clock signals for another device is called the clock source. A device may have multiple clock sources. The following table shows the classification and numbering of clock sources.

Table 11-1 Classification and numbering of clock sources

Type: Internal clock source
Description: The reference clock provided by the clock board of a device is used as the clock of the device.
Number: 0

Type: BITS clock source
Description: Currently, Synchronous Digital Hierarchy (SDH) or Plesiochronous Digital Hierarchy (PDH) uses the Building Integrated Timing Supply System (BITS) to build up a digital synchronization network and form a hierarchical timing allocation system.
  On the NE5000E using the clock board CR52CLKA:
  - The clock interface on the MPU receives and traces the clock of a higher level.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  - The clock bits-type command can be used to configure a device to trace different types of external BITS clock reference sources.
  NOTE
  The signal types supported by the interfaces are described in Table 11-2 of Clock Synchronization Features Supported by the NE5000E(NE5000E-X16).
Number:
  On the NE5000E using the clock board CR52CLKA:
  - The number of the BITS0 clock source is 1.
  - The number of the BITS1 clock source is 2.
  On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
  - The clock bits-map command can be used to map an external clock reference source to the index of a user clock reference source.

Type: Line clock source
Description: The clock board of a device extracts the clock signal from the STM-N line signal as the clock of the device.
Number: Slot ID of an LPU + 2. For example, the number of the clock source on the LPU in slot 1 is 3, and the number of the clock source on the LPU in slot 2 is 4.

11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)


Before configuring clock synchronization, familiarize yourself with the concepts of the BITS clock signal, POS line clock signal, clock source selection mode, and so on. This will help you complete the configuration task quickly and efficiently.

Tracing or Outputting BITS Clock Signals Through Clock Interfaces


NOTE

Limited by the lengths of clock cables, the mode of tracing or outputting BITS clock signals through clock interfaces is applicable only to interfaces on the same site. For the limit on the clock cable length, see "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.

On the NE5000E using the clock board CR52CLKA:
The BITS clocks that devices can obtain from a BITS clock device are classified into two types: 2.048 MHz clocks and 2.048 Mbit/s clocks. The input modes of BITS clocks are classified into BITS0 and BITS1. A router obtains a clock through a clock interface on the MPU. The MPU on the NE5000E provides four clock interfaces. Two of them are input interfaces, which are connected to BITS devices to obtain clock signals. The other two are output interfaces, which are connected to the clock input interfaces on downstream devices to provide time signals to the downstream devices.
NOTE
The difference between the 2.048 MHz clock and the 2.048 Mbit/s clock is that the 2.048 MHz clock can provide only pulse signals for clock synchronization, whereas the 2.048 Mbit/s clock can provide signals bearing services in addition to pulse signals for clock synchronization.

On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB:
- The MPU provides four clock interfaces: CLK/TOD0, CLK/TOD1, CLK/1PPS, and CLK/Serial.
NOTE

For the schematic diagram of the clock interfaces on the MPU, see the section "Control Plane" in the chapter "NE5000E-X16 CLC" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description.

CLK/TOD0 and CLK/TOD1 are also called BITS0 and BITS1 respectively. CLK/1PPS and CLK/Serial, as two SMB interfaces, are bound together to form BITS2. A BITS interface transmits only one type of signal at a time. RJ45 interfaces and SMB interfaces must be connected to dedicated clock cables to input and output clock signals. For the description of the clock cable, see the "Clock Cable" in the section "Cables" in the HUAWEI NetEngine5000E Core Router Hardware Description - NE5000E-X16 Hardware Description. The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB can be configured to trace different types of external BITS clock reference sources by using the clock bits-type command. An external clock reference source can be mapped to the index of a user clock reference source by using the clock bits-map command.

The signal types supported by clock interfaces are listed in the following table.


Table 11-2 Signal input or output on BITS interfaces

Interface Name on the Clock Board: CLK/TOD0
Interface Name Identified by Software: BITS0
Interface Type: RJ45
Type of Input or Output Signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (RS422)+ASCII (RS422) time signals
  - Two DCLS clock channels (one channel for input, and the other channel for output)

Interface Name on the Clock Board: CLK/TOD1
Interface Name Identified by Software: BITS1
Interface Type: RJ45
Type of Input or Output Signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (RS422)+ASCII (RS422) time signals
  - Two DCLS clock channels (one channel for input, and the other channel for output)

Interface Name on the Clock Board: CLK/1PPS and CLK/Serial
Interface Name Identified by Software: BITS2
Interface Type: SMB (both interfaces)
Type of Input or Output Signals:
  Clock signals:
  - 2.048 Mbit/s clock signals
  - 2.048 MHz clock signals
  Time signals:
  - 1PPS (TTL)+ASCII (RS232) time signals

If a BITS interface transmits 2.048 Mbit/s, 2.048 MHz, or two channels of DCLS time signals, you do not need to configure input or output to specify the signal direction, because these types of clock signals are both input and output on the same interface. For example, if BITS0 transmits 2.048 Mbit/s signals, BITS0 both inputs and outputs 2.048 Mbit/s clock signals. If a BITS interface transmits 1PPS+ASCII time signals, signal input or output must be specified, because 1PPS+ASCII time signals can be either input or output at a time on an interface. If BITS2 is used to transmit 1PPS+ASCII time signals (RS232), both SMB interfaces either input or output the time signals. If BITS2 transmits clock signals, CLK/1PPS is always used to input signals and CLK/Serial is always used to output signals.

The limitations on the output of different types of time signals on a device are as follows:
- If only one channel of time signals needs to be output, the signals can be successfully output.
- If two channels of 1PPS+ASCII signals need to be output at the same time, they can be successfully output.
- If one channel of 1PPS+ASCII signals and one channel of DCLS signals need to be output at the same time, only the 1PPS+ASCII signals can be successfully output.

Sending or Receiving Clock Signals Through POS Interfaces or 10GE WAN Interface
Information about the master clock is contained in STM-N signals. After receiving STM-N signals through LPUs, the clock boards of the MPUs on other devices extract the clock information from the STM-N signals, and then synchronize with the master clock. Sending or receiving clock signals through POS interfaces is a commonly used clock synchronization mode. In this mode, POS, Asynchronous Transfer Mode (ATM), and Resilient Packet Ring (RPR) links can be used to implement clock synchronization, and thus no clock synchronization network needs to be built up. The NE5000E can send or receive clock signals through a POS interface or 10GE WAN Interface.

Clock Source Selection Mode


On a digital communication network, every router traces the same primary clock level by level according to clock synchronization paths to implement clock synchronization on the network. Usually, one router has more than one path for clock tracing, and has multiple available clock sources. These clock sources may originate from either the same master clock or reference clocks of different qualities. Keeping the clocks of all routers synchronous is very important for a digital communication network. Dynamic clock source selection can be used to prevent the failure of one clock synchronization path from affecting the entire network.

Currently, the NE5000E supports two modes of clock source selection: the manual mode and the automatic mode.
- Manual mode
  This mode allows you to configure the clock board to always trace a specified clock source and not to trace another one even if the specified clock source fails.
- Automatic mode
  In this mode, clock source selection is based on either priorities of clock sources or Synchronous Status Message (SSM) levels of clock sources. An SSM is a group of codes used to indicate the level of clock quality on a synchronization network. For details about each SSM level, see Chapter "Clock Synchronization" in the HUAWEI NetEngine5000E Core Router Feature Description - Basic Configurations.
  - Automatic clock source selection based on priorities: A clock board selects the clock source with the highest priority. If the clock source with the highest priority is lost, the clock board automatically switches to trace the clock source with the second highest priority. If the clock source with the highest priority recovers, the clock board traces that clock source again. SSM levels are not involved. Clock source priorities are configurable. If a clock source priority defaults to 19, the clock source will not be selected during protection switching.
    NOTE
    Clock source priorities are locally valid, and are not sent to downstream devices by clock signals.
  - Automatic clock source selection based on SSM levels: A clock board selects the clock source with the highest SSM level. If the SSM levels of the clock sources are the same, the clock board selects a clock source among them based on their priorities. If the clock source with the highest SSM level is lost, the clock board automatically switches to trace the clock source with the second highest SSM level. If the original clock source with the highest SSM level recovers, the clock board traces that clock source again. The SSM level of a clock source can be specified or obtained from clock signals sent from an upstream device. If the SSM level of a clock source is DNU and automatic clock source selection based on SSM levels is adopted, the clock source is not selected during protection switching.
    NOTE
    For BITS clock source signals received by the system, if the signal type is 2.048 Mbit/s, the SSM level is extracted by the clock module from the signals; if the signal type is 2.048 MHz, the SSM level needs to be configured.
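The selection rules above (priority mode, SSM mode with priority as the tie-breaker, the special priority 19, DNU sources skipped in SSM mode, and revertive switching when a better source recovers) can be modelled in a few lines, which is useful when planning which source a board will end up tracing after a failure. The following Python model is an added example, not NE5000E software. Its assumptions are labelled in the code: a lower priority value means a higher priority, the SSM quality ordering uses ITU-T G.781 level names with PRC best and "unknown" ranked below every real level, and ties after SSM and priority are broken by the lower source number. The four sample sources are constructed; the line clock source numbers follow the "slot ID + 2" rule from Table 11-1.

```python
"""Model of the automatic clock source selection rules described above.
Added example, not NE5000E software; sources are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: SSM quality levels ranked best-first using ITU-T G.781 names.
# 'unknown' is treated as worse than every real level but still selectable.
SSM_RANK = {"prc": 0, "ssu-a": 1, "ssu-b": 2, "sec": 3, "unknown": 4, "dnu": 5}
UNSELECTABLE_PRIORITY = 19   # page: a source at priority 19 is never selected
DO_NOT_USE = "dnu"           # page: DNU sources are skipped in SSM mode


def line_clock_source_number(lpu_slot: int) -> int:
    """Page rule: a line clock source is numbered slot ID of the LPU + 2."""
    return lpu_slot + 2


@dataclass
class ClockSource:
    number: int
    name: str
    priority: int            # assumption: lower value = higher priority
    ssm: str = "unknown"
    available: bool = True


def is_selectable(src: ClockSource, ssm_mode: bool) -> bool:
    if not src.available or src.priority == UNSELECTABLE_PRIORITY:
        return False
    if ssm_mode and src.ssm == DO_NOT_USE:
        return False
    return True


def select_clock_source(sources: List[ClockSource], ssm_mode: bool = False) -> Optional[ClockSource]:
    """Pick the source the clock board would trace right now.

    Priority mode: best (lowest) priority value wins; SSM levels are ignored.
    SSM mode: best SSM level wins; equal levels fall back to priority.
    Remaining ties go to the lower source number (assumption).
    Returns None when nothing is selectable (hold-in / free-run)."""
    candidates = [s for s in sources if is_selectable(s, ssm_mode)]
    if not candidates:
        return None
    if ssm_mode:
        return min(candidates, key=lambda s: (SSM_RANK.get(s.ssm, len(SSM_RANK)), s.priority, s.number))
    return min(candidates, key=lambda s: (s.priority, s.number))


def simulate_switching(sources: List[ClockSource], events: List[Tuple[int, bool]],
                       ssm_mode: bool = False) -> List[Optional[int]]:
    """Apply (source_number, available) events in order and record the traced
    source after each one. Selection is revertive: when a better source comes
    back it is traced again, as the page describes."""
    by_number = {s.number: s for s in sources}
    trace: List[Optional[int]] = []
    for number, up in events:
        by_number[number].available = up
        chosen = select_clock_source(sources, ssm_mode)
        trace.append(chosen.number if chosen else None)
    return trace


def demo_sources() -> List[ClockSource]:
    """Constructed sample: two BITS sources and two line sources."""
    return [
        ClockSource(1, "BITS0", priority=13, ssm="ssu-a"),
        ClockSource(2, "BITS1", priority=10, ssm="dnu"),
        ClockSource(line_clock_source_number(1), "LPU slot 1", priority=15, ssm="prc"),
        ClockSource(line_clock_source_number(2), "LPU slot 2", priority=19, ssm="sec"),
    ]


if __name__ == "__main__":
    print("priority mode:", select_clock_source(demo_sources()).name)
    print("SSM mode:", select_clock_source(demo_sources(), ssm_mode=True).name)
    print("SSM mode, slot-1 line fails then recovers:",
          simulate_switching(demo_sources(), [(3, False), (3, True)], ssm_mode=True))
```

With the sample sources, priority mode traces BITS1 (priority 10) even though its SSM level is DNU, while SSM mode traces the slot-1 line source (PRC) and falls back to BITS0 when it fails, skipping BITS1 because of DNU and the slot-2 line source because of priority 19.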

Configuration Procedures
1. On the NE5000E using the clock board CR52CLKA, configure the types of the BITS input and output clocks; on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, configure the external BITS clock reference source.
2. Manually configure the clock source as needed.
3. Configure the system to automatically select a clock source based on the SSM levels or priorities of clock sources.

11.3 Configuring an External BITS Clock Reference Source


You can configure a device to trace different types of external BITS clock reference sources. (This configuration can be done on the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB.)

Applicable Environment
On a synchronization Ethernet network, if there is a BITS clock on the same site as the router, the router must be configured to trace the BITS clock. The router serves as the master clock to provide primary clock signals for the entire network. The BITS signal type may be 2.048 MHz, 2.048 Mbit/s, 1PPS, or DCLS, which can be configured on the clock board by using commands.

Pre-configuration Tasks
None.

Configuration Procedures
Figure 11-1 Flowchart for configuring an external BITS clock reference source
[Flowchart: "Configuring an External Clock Reference Source for the Router and the Clock Signal Type", followed by "Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the Router". Legend: mandatory step, optional step.]


11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type
The NE5000E-X16 or the NE5000E using the new clock board CR52CLKB supports three external clock source types, which are BITS0, BITS1, and BITS2, and four clock signal types, which are 2.048 MHz, 2.048 Mbit/s, DCLS, and 1PPS.

Context
Do as follows on all the routers in the clock synchronization network:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  clock bits-type
  An external BITS clock reference source and its signal type are configured. For information about the available clock reference source IDs and signal types, see the HUAWEI NetEngine5000E Core Router Command Reference.
Step 3 Run:
  commit
  The configuration is committed.
----End

11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router
On the NE5000E-X16 or the NE5000E using the new clock board CR52CLKB, BITS0, BITS1, or BITS2 can be mapped to the index of a user clock source. The index will be used in manual selection of a clock source.

Context
During the configuration of clock synchronization, the indexes of user clock sources are required in the selection of clock sources. Therefore, each clock source must be mapped to the index of a user clock source. Do as follows on all the routers in the clock synchronization network:

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  clock bits-map { bits0 | bits1 | bits2 } source source-value
  An external clock reference source is mapped to the index of a user clock source.
Step 3 Run:
  commit
  The configuration is committed.
----End

11.3.3 Checking the Configuration


After external BITS clock reference sources are configured for the device, you can check the status of the sources and whether the mappings between the external BITS clock reference sources and the indexes of user clock reference sources have taken effect.

Context
Run the following commands to check the previous configurations:

Procedure
- Run the display clock bits-type command to check external reference clock sources on the clock board and their signal types.
- Run the display clock source command to check whether external clock reference sources are successfully mapped to the indexes of user clock reference sources.

----End

Example
Check the external clock reference sources on the clock board and their signal types.
<HUAWEI> display clock bits-type
bits0: 2mbps
bits1: 2mbps
bits2: 2mbps

Check the configured mappings between external clock reference sources and indexes of user clock reference sources.
<HUAWEI> display clock source
Master clock source:
------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
* 1       BITS0        13        sa4     lnc        on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1       BITS0        13        sa4     lnc        on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
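The display clock source table is what an operator (or a monitoring job) reads to confirm that the expected source is being traced and that no source is in the abnormal state. The following Python script is an added example, not Huawei code: it parses the master and slave tables of that output into records, reports which source carries the "*" marker, and lists findings such as an unexpected traced source, no selected source on a board, or any source whose Sourcestate is abnormal (the only state value the page shows, so that is the value the check looks for). The captured output embedded in the script is a constructed sample shaped like the one above.

```python
"""Parser and health check for the 'display clock source' table.
Added example, not NE5000E software; CLOCK_SOURCE_OUTPUT is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, shaped like the output shown in the example above.
CLOCK_SOURCE_OUTPUT = """\
<HUAWEI> display clock source
Master clock source:
------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
* 1       BITS0        13        sa4     lnc        on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
Slave clock source:
------------------------------------------------------------------------------
  Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
------------------------------------------------------------------------------
  1       BITS0        13        sa4     lnc        on        abnormal
  2       BITS1        19        sa4     unknown    on        abnormal
------------------------------------------------------------------------------
"""

# One data row: optional '*' (currently traced), then the seven columns.
ROW_RE = re.compile(
    r"^(?P<sel>\*?)\s*(?P<src>\d+)\s+(?P<desc>\S+)\s+(?P<prio>\d+)\s+(?P<sabit>\S+)\s+"
    r"(?P<ssm>\S+)\s+(?P<force>\S+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class ClockSourceRow:
    selected: bool
    source: int
    description: str
    priority: int
    sa_bit: str
    input_ssm: str
    force_ssm: str
    state: str


def parse_clock_source_output(text: str) -> Dict[str, List[ClockSourceRow]]:
    """Return {'master': [...], 'slave': [...]} from a captured table.
    Header, separator and prompt lines never match ROW_RE and are skipped."""
    boards: Dict[str, List[ClockSourceRow]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("clock source:"):
            current = stripped.split()[0].lower()      # "master" / "slave"
            boards[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            boards[current].append(ClockSourceRow(
                selected=m.group("sel") == "*",
                source=int(m.group("src")),
                description=m.group("desc"),
                priority=int(m.group("prio")),
                sa_bit=m.group("sabit"),
                input_ssm=m.group("ssm"),
                force_ssm=m.group("force"),
                state=m.group("state"),
            ))
    return boards


def selected_source(rows: List[ClockSourceRow]) -> Optional[int]:
    """Number of the source marked with '*', or None if no row is marked."""
    for row in rows:
        if row.selected:
            return row.source
    return None


def audit_clock_sources(boards: Dict[str, List[ClockSourceRow]], expected_source: int) -> List[str]:
    """Findings a monitoring job would raise: wrong or missing traced source,
    and every source whose state is 'abnormal'."""
    findings: List[str] = []
    for board, rows in boards.items():
        sel = selected_source(rows)
        if sel is None:
            findings.append(f"{board}: no clock source is selected")
        elif sel != expected_source:
            findings.append(f"{board}: tracing source {sel}, expected {expected_source}")
        for row in rows:
            if row.state == "abnormal":
                findings.append(f"{board}: source {row.source} ({row.description}) is {row.state}")
    return findings


if __name__ == "__main__":
    for finding in audit_clock_sources(parse_clock_source_output(CLOCK_SOURCE_OUTPUT), expected_source=1):
        print(finding)
```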


11.4 Specifying a Clock Source Manually


In manual mode, you can specify a certain clock source for the clock board to trace.

Applicable Environment
If it is determined that a device always traces a certain clock source and does not need to perform protection switching, you can specify a clock source for the device. When the specified clock source fails, however, the system does not switch to another clock source. Therefore, specifying a clock source manually is not recommended. In manual mode, you can specify a certain clock source for the clock board to trace. In this mode, only one clock source can be specified. If the specified clock source is lost, the system enters the hold-in state. When the precision of the clock in the hold-in state decreases, the device enters the free running state, and its clock frequency may then differ from that of other devices.
NOTE

In the mode of automatically selecting a clock source, the clock source specified manually does not take effect.

Pre-configuration Tasks
Before manually specifying a clock source, complete the following tasks: Ensuring that the device can normally receive clock source signals from the outside and select the manually specified BITS clock source or line clock source based on the type of the received external clock source signals.

Procedure
Step 1 Manually configure the clock board to use the BITS clock reference source.
1. Run:
system-view

The system view is displayed.
2. Run:
clock manual source source-value

The device is configured to use the BITS clock source received through the clock interface.
3. Run:
commit

The configuration is committed.
Step 2 Manually configure the clock board to use the line clock source.
1. Run:
system-view

The system view is displayed.
2. Run:
clock source lpuport slot slot-id card card-number port port-number

The specified POS interface is enabled to report received clock source signals to the clock board.
3. Run:
clock manual source source-value

The device is configured to use the line clock source received through the clock interface. The value of source-value can only be the reference source that corresponds to an installed LPU. The number of the line clock source is equal to the slot ID of the LPU plus 2.
4. Run:
commit

The configuration is committed.
----End

Checking the Configuration


Run the following commands to check the previous configuration. Run the display clock config command, and you can view the information about manually specified clock sources. For example:
<HUAWEI>display clock config
Current source   : 9
Workmode         : manual
SSM control      : off
Primary source   : 9
Output SSM Level : bits0: unknown  bits1: sets  bits2: --  bits3: unknown
PLL state        : Current source step into pull-in range
Run mode         : Clock is in lock mode

11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities


When a device has multiple clock sources but does not perform clock source switching based on SSM levels, you can set different priorities for the clock sources. When the clock source with the highest priority fails, the clock board switches to use the clock source with the second highest priority.

Applicable Environment
Where there are multiple clock sources, you can set priorities for the clock sources based on their quality. In normal situations, a clock board uses the clock source with the highest priority. When the clock source with the highest priority fails, the clock board uses the clock source with the second highest priority. When the default priority (19) of a clock reference source is used, the clock board does not select the clock reference source during protection switching. If you configure protection switching according to the priorities of clock sources, you need to configure clock source selection not to be based on SSM levels.

Pre-configuration Tasks
Before configuring automatic clock source selection based on priorities, complete the following task:

Ensuring that a device can normally receive multiple clock source signals from another device

Configuration Procedures
Figure 11-2 Flowchart for configuring automatic clock source selection based on priorities

(Flowchart: Configure the system to automatically select a clock source -> Configure SSM levels not to participate in protection switching -> Set the priority of the clock source. The legend distinguishes mandatory steps from optional steps.)

11.5.1 Configuring the System to Automatically Select a Clock Source


By default, the system automatically selects a clock source unless you specify a clock source for the system.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock auto

The system is configured to automatically select a clock source.
Step 3 Run:
commit

The configuration is committed.
----End



11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels


If you configure protection switching according to the priorities of clock sources, you need to configure clock source selection not to be based on SSM levels.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock ssm-control off

Clock source selection is configured not to be based on SSM levels.

NOTE

When clock source selection is not based on SSM levels, the system selects a clock source according to the priorities of clock sources.

Step 3 Run:
commit

The configuration is committed.
----End

11.5.3 Setting the Priority of a Clock Source


Setting the priorities of clock sources is a mandatory step for configuring automatic clock source selection according to priorities. Therefore, you need to perform the configuration on all routers on a DCN.

Context
To ensure that the system can select a high-quality clock source, you need to set the priorities of the clock sources received by the device based on the quality of the clock sources. The smaller the priority value of a clock source, the higher the priority. Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock priority priority-value source source-value

The priority of a clock source is set. To set the priorities for multiple clock sources, repeat Step 2.
NOTE

• If the priority of a reference source is 19 (default value), this reference source is not chosen during protection switching. The smaller the priority value, the higher the priority.
• In Step 2, you can set the same priority for multiple clock sources. When clock source selection is performed based on priorities but the priorities of the clock sources are the same, clock source selection is performed based on the sequence numbers of clock sources in ascending order.
• If the clock interface on the MPU is not connected to any external clock source, the system ignores BITS0 and BITS1 when automatically selecting a clock source according to the priorities of clock sources. Instead, the system directly selects a clock source from the line clock sources of an LPU.

Step 3 Run:
commit

The configuration is committed.
----End

11.5.4 Checking the Configuration


By viewing the priority of each clock source, you can determine whether the configuration is successful.

Prerequisite
All the configurations for automatic clock selection based on priorities are complete.

Procedure
• Run the display clock source command to check the priority of each clock source.
----End

Example
Run the display clock source command, and you can view the priority of each clock source. For example:
<HUAWEI>display clock source
Master clock source:
-------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
-------------------------------------------------------------------------------
*  1    BITS0        13        sa4     lnc        on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
   9    LPU7         19        -       unknown    on        abnormal
-------------------------------------------------------------------------------
Slave clock source:
-------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
-------------------------------------------------------------------------------
   1    BITS0        13        sa4     lnc        on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
   9    LPU7         19        -       unknown    on        abnormal
-------------------------------------------------------------------------------


11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels


When there are multiple clock sources, the clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

Applicable Environment
During automatic clock source selection based on priorities, the priorities of clock sources are set. If the priorities of clock sources are not set based on the quality of the clock sources, the device may select a clock source of low quality. The SSM levels are defined based on international standard protocols. The higher the precision of a clock source, the higher the SSM level of the clock source. When the switching among clock sources is performed based on SSM levels, the device can select a clock source of higher precision.

When a device has multiple clock sources, the device selects a clock source based on the SSM levels of the clock sources. The higher the clock precision, the higher the SSM level. In normal situations, a clock board uses the clock source with the highest SSM level. When the clock source with the highest SSM level fails, the clock board uses the clock source with the second highest SSM level.

When a clock board is powered on, the SSM level of all clock sources defaults to Unknown. The sequence of the SSM levels is Primary Reference Clock (PRC), Transit Node Clock (TNC), Local Node Clock (LNC), Synchronous Equipment Timing Source (SETS), Unknown, and Do not use for synchronization (DNU) in a descending order. If the SSM level of a clock source is DNU and clock source selection is not based on the SSM levels of clock sources, the clock source is not selected during protection switching.

The SSM level of a clock source can be obtained in either of the following modes:
• Automatically extracting the SSM levels of clock sources from the received clock source signals: If the clock source signals received from an upstream device contain SSM levels, the SSM levels can be used and you do not need to specify SSM levels for the clock sources.
• Manually specifying the SSM levels of BITS clock sources: If clock source signals received from an upstream device do not contain any SSM level, you need to specify the SSM level for each BITS clock source manually.
NOTE

In actual applications, the clock source signals received from lines contain SSM levels. Therefore, it is not recommended to specify SSM levels for line clock sources. BITS clock sources have two types of signals. When the rate of a clock signal is 2.048 Mbit/s, the clock board can extract the SSM level of the clock source from the clock signal if the signal carries it; if the signal does not carry an SSM level, you can specify the SSM level for the clock source manually. When the frequency of a clock signal is 2.048 MHz, you must manually specify an SSM level for the clock source.
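The selection rules of 11.5.3 (priority value, default 19 never chosen, ties broken by source index, BITS0/BITS1 skipped when the MPU clock interface has no external clock) and the SSM ordering of this section, replayed in Python as an added example; this is not Huawei code and not the clock board's own implementation. The Router A source set is taken from the 11.7.1 example, and breaking SSM ties on priority and then index is an assumption of this example.

```python
"""Simulation of the NE5000E clock source selection rules described in
sections 11.5.3 (priority based) and 11.6 (SSM level based).
Added example; not Huawei code, and not the clock board's actual algorithm."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PRIORITY = 19          # a source left at 19 is never chosen (11.5.3 NOTE)

# SSM levels as the guide lists them, best first (section 11.6).
SSM_ORDER = ["prc", "tnc", "lnc", "sets", "unknown", "dnu"]


@dataclass
class ClockSource:
    """One row of 'display clock source'."""
    index: int             # Source column: 1 = BITS0, 2 = BITS1, LPU slot + 2 = line source
    description: str       # BITS0, BITS1, LPU1, ...
    priority: int = DEFAULT_PRIORITY
    ssm: str = "unknown"   # Input SSM column
    state: str = "normal"  # Sourcestate column: "normal" or "abnormal"

    @property
    def is_bits(self) -> bool:
        return self.description.startswith("BITS")


def select_by_priority(sources: List[ClockSource],
                       external_clock_connected: bool = True) -> Optional[ClockSource]:
    """Selection with 'clock ssm-control off': the lowest priority value wins,
    ties go to the lowest source index, default-priority and abnormal sources
    are skipped, and BITS0/BITS1 are ignored when no external clock is
    connected to the MPU clock interface."""
    candidates = [
        s for s in sources
        if s.state == "normal"
        and s.priority != DEFAULT_PRIORITY
        and (external_clock_connected or not s.is_bits)
    ]
    if not candidates:
        return None   # nothing traceable: the board holds over, then runs free
    return min(candidates, key=lambda s: (s.priority, s.index))


def select_by_ssm(sources: List[ClockSource]) -> Optional[ClockSource]:
    """Selection with 'clock ssm-control on': the best SSM level wins and DNU
    is never traced. Breaking ties on priority and then index is an assumption
    of this example; the guide does not state the tie-break rule for SSM mode."""
    candidates = [s for s in sources if s.state == "normal" and s.ssm != "dnu"]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (SSM_ORDER.index(s.ssm), s.priority, s.index))


def failover_sequence(sources: List[ClockSource], failing_indexes: List[int],
                      ssm_control: bool = False) -> List[Optional[int]]:
    """Mark the given sources abnormal one after another and return the source
    index traced after each failure (None once nothing can be traced)."""
    chooser = select_by_ssm if ssm_control else select_by_priority
    traced = []
    for idx in failing_indexes:
        for s in sources:
            if s.index == idx:
                s.state = "abnormal"
        chosen = chooser(sources)
        traced.append(chosen.index if chosen else None)
    return traced


def router_a_sources() -> List[ClockSource]:
    """Router A from the 11.7.1 example: BITS0, LPU2 and LPU1 at priorities 1, 2, 3."""
    return [
        ClockSource(1, "BITS0", priority=1),
        ClockSource(2, "BITS1"),                 # left at 19: never selected
        ClockSource(3, "LPU1", priority=3),
        ClockSource(4, "LPU2", priority=2),
    ]


if __name__ == "__main__":
    srcs = router_a_sources()
    print("initial:", select_by_priority(srcs).description)        # BITS0
    print("after failures:", failover_sequence(srcs, [1, 4, 3]))   # [4, 3, None]
```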

Pre-configuration Tasks
Before configuring automatic clock source selection based on SSM levels, complete the following task:

Ensuring that a device can normally receive multiple clock source signals from another device

Configuration Procedures
Figure 11-3 Flowchart for configuring automatic clock source selection based on SSM levels

(Flowchart: Configure the system to automatically select a clock source -> Configure clock source selection to be based on SSM levels -> Set the SSM level of a 2.048 MHz BITS clock source -> Configure the 2.048 Mbit/s BITS clock source to bear SSM timeslots. The legend distinguishes mandatory steps from optional steps.)

11.6.1 Configuring the System to Automatically Select a Clock Source


By default, the system automatically selects a clock source unless you specify a clock source for the system.

Context
Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock auto

The system is configured to automatically select a clock source.
Step 3 Run:
commit

The configuration is committed.
----End

11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels


Setting the SSM levels of clock sources is a mandatory step for configuring dynamic clock source selection based on SSM levels. Therefore, you need to perform the configuration on all routers on a DCN.

Context
After the following configurations, the router can select a clock source and perform protection switching based on the SSM levels of received clock sources. Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock ssm-control on

Clock source selection is configured to be based on SSM levels.
Step 3 Run:
commit

The configuration is committed.
----End

11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source
You need to configure clock source selection based on the SSM levels of 2.048 MHz BITS clock sources on routers connected to an external BITS clock.

Context
Because the 2.048 MHz BITS clock source signals received by a device do not contain any SSM level, you need to specify the SSM levels for the clock sources to ensure that clock source selection is based on SSM levels of the clock sources. Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock source { 1 | 2 } force ssm on

The function of setting an SSM level for a clock source is configured.
Step 3 Run:
clock source { 1 | 2 } ssm { unknown | prc | tnc | lnc | sets | dnu }

An SSM level is specified for a 2.048 MHz BITS clock source.

NOTE

source-value: Specifies the index of a user clock source.
• For the NE5000E, the index of the external clock source BITS0 is 1 and the index of the external clock source BITS2 is 2.
• For the NE5000E-X16, the mapping relationship between an external clock source and the index of a user clock source must be established by using the clock bits-map { bits0 | bits1 | bits2 } source source-value command.

Step 4 Run:
commit

The configuration is committed.
----End

11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels
Configuring clock source selection based on SSM levels is optional and can be performed on a router connected to a 2.048 Mbit/s BITS clock.

Context
BITS clock sources have two types of clock signals. When the clock signal type is 2.048 Mbit/s, the clock board can extract an SSM level from the SA timeslot if the SA timeslot contains the SSM level of the clock source. The default SA timeslots containing SSM levels in the clock signals generated by the clock devices of different manufacturers are different. Therefore, to ensure that the NE5000E can correctly extract the SSM levels contained in clock signals, you need to configure the SA timeslots in 2.048 Mbit/s BITS clock source signals to bear SSM levels on the NE5000E. Do as follows on the router connected to an external BITS clock:

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source source-value

The SA timeslots in 2.048 Mbit/s BITS clock source signals are configured to bear SSM levels.
Step 3 Run:
commit

The configuration is committed.
----End

11.6.5 Checking the Configuration


By viewing the SSM level of each clock source, you can determine whether the configuration is successful.

Prerequisite
All the configurations of automatic clock source selection based on SSM levels are complete.

Procedure
• Run the display clock config command to check the SSM level of the clock source being used by the system.
• Run the display clock source command to check the SSM levels of all clock sources of the system.

----End

Example
Run the display clock config command, and you can view the SSM level of the clock source being used by the system. For example:
<HUAWEI>display clock config
Current source   : 1
Workmode         : auto
SSM control      : on
Output SSM Level : lnc
PLL state        : Current source step into pull-in range
Run mode         : Clock is in lock mode

Run the display clock source command, and you can view the SSM levels of all clock sources of the system. For example:
<HUAWEI>display clock source
Master clock source:
-------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
-------------------------------------------------------------------------------
   1    BITS0        10        sa4     unknown    on        abnormal
*  2    BITS1        19        sa4     lnc        on        normal
   3    LPU1         19        -       unknown    on        abnormal
-------------------------------------------------------------------------------
Slave clock source:
-------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
-------------------------------------------------------------------------------
   1    BITS0        10        sa4     unknown    on        abnormal
   2    BITS1        19        sa4     lnc        on        normal
   3    LPU1         19        -       unknown    on        abnormal
-------------------------------------------------------------------------------

11.7 Configuration Examples


This section describes how to configure protection switching among clocks with an example. In this configuration example, the networking requirements, configuration notes, and configuration roadmap are provided.

11.7.1 Example for Configuring Protection Switching Among Clock Sources


When there are multiple clock sources, you can set different priorities for them. In normal situations, a clock board uses the clock source with the highest priority. When the clock source with the highest priority fails, the clock board uses the clock source with the second highest priority.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/interface number. On the NE5000E cluster, an interface is numbered in the format of chassis ID/slot number/card number/interface number; a slot is numbered in the format of chassis ID/slot number.

As shown in Figure 11-4, BITS clock signals enter Router A and Router D through clock interfaces. The two external BITS clocks satisfy the requirements for the signal quality of the G.812 local clock. Normally, the devices on the entire network synchronize with the external BITS clock of Router A. When the link between any two routers except the link between Router D and Router E is faulty, protection switching among clock sources is performed as follows:
• When the external BITS clock of Router A becomes faulty, all routers trace the external BITS clock of Router D.
• When the external BITS clock of Router D becomes faulty, all routers trace the external BITS clock of Router A.
• When the external BITS clock of Router A becomes faulty and then the external BITS clock of Router D becomes faulty, all routers trace the internal clock of Router D.
• When the external BITS clock of Router D becomes faulty and then the external BITS clock of Router A becomes faulty, all routers trace the internal clock of Router A.


Figure 11-4 Networking diagram for configuring protection switching among clock sources

(Figure: Router A, Router B, Router C, Router D, Router E, and Router F connected by POS1/0/0 and POS2/0/0 links on the 10.1.1.x, 20.1.1.x, 30.1.1.x, 40.1.1.x and 50.1.1.x networks; external BITS clocks enter at Router A and Router D.)

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the type of the external BITS clock to which Router A and Router D are connected to 2.048 Mbit/s.
2. Configure the priority of the clock source on each router. This ensures that protection switching of clock sources is performed based on priorities when a fault occurs.

Data Preparation
To complete the configuration, you need the following data: ID and priority of the clock source of each router, as shown in Table 11-3.

Table 11-3 Clock sources and their priorities of each router

Router    Clock Source in Use  Available Clock Source  ID  Priority
Router A  BITS0                BITS0                   1   1
Router A  BITS0                LPU2                    4   2
Router A  BITS0                LPU1                    3   3
Router A  BITS0                Internal clock          0   4
Router B  LPU1                 LPU1                    3   1
Router B  LPU1                 LPU2                    4   2
Router B  LPU1                 Internal clock          0   3
Router C  LPU2                 LPU2                    4   1
Router C  LPU2                 LPU1                    3   2
Router C  LPU2                 Internal clock          0   3
Router D  LPU1                 LPU1                    3   1
Router D  LPU1                 LPU2                    4   2
Router D  LPU1                 BITS1                   2   3
Router D  LPU1                 Internal clock          0   4
Router E  LPU1                 LPU1                    3   1
Router E  LPU1                 LPU2                    4   2
Router E  LPU1                 Internal clock          0   3
Router F  LPU2                 LPU2                    4   1
Router F  LPU2                 LPU1                    3   2
Router F  LPU2                 Internal clock          0   3

Procedure
Step 1 Set the type of the external BITS clock sources of Router A and Router D to 2.048 Mbit/s.
Step 2 Connect BITS clock cables to each router, as shown in Figure 11-4.
Step 3 Configure the IP addresses for interfaces on each router. The configuration details are not mentioned here.
Step 4 Set the priorities of the clock sources of each router, as shown in Figure 11-4.
# Configure Router A.
<RouterA> system-view
[~RouterA] clock auto
[~RouterA] clock ssm-control off
[~RouterA] clock priority 1 source 1
[~RouterA] clock priority 2 source 4
[~RouterA] clock priority 3 source 3
[~RouterA] commit


# Configure Router B.
<RouterB> system-view
[~RouterB] clock auto
[~RouterB] clock ssm-control off
[~RouterB] clock priority 1 source 3
[~RouterB] clock priority 2 source 4
[~RouterB] commit

# Configure Router C.
<RouterC> system-view
[~RouterC] clock auto
[~RouterC] clock ssm-control off
[~RouterC] clock priority 1 source 4
[~RouterC] clock priority 2 source 3
[~RouterC] commit

# Configure Router D.
<RouterD> system-view
[~RouterD] clock auto
[~RouterD] clock ssm-control off
[~RouterD] clock priority 1 source 3
[~RouterD] clock priority 2 source 4
[~RouterD] clock priority 3 source 2
[~RouterD] commit

# Configure Router E.
<RouterE> system-view
[~RouterE] clock auto
[~RouterE] clock ssm-control off
[~RouterE] clock priority 1 source 3
[~RouterE] clock priority 2 source 4
[~RouterE] commit

# Configure Router F.
<RouterF> system-view
[~RouterF] clock auto
[~RouterF] clock ssm-control off
[~RouterF] clock priority 1 source 4
[~RouterF] clock priority 2 source 3
[~RouterF] commit

Step 5 Check the attributes of the clock source of Router A.


<RouterA> display clock source
Master clock source:
---------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------
*  1    BITS0        1         sa4     unknown    on        normal
   2    BITS1        19        sa4     unknown    on        abnormal
   3    LPU1         3         -       unknown    on        normal
   4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------
   1    BITS0        1         sa4     unknown    on        normal
   2    BITS1        19        sa4     unknown    on        abnormal
   3    LPU1         3         -       unknown    on        normal
   4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------
NOTE

"*" indicates that the clock source functions as the master clock source. The master clock source here is BITS0.

Step 6 Check the attributes of the clock sources of other routers.
# The command output of Router B, Router C, Router D, Router E, and Router F is similar. The following takes the command output of Router B as an example.
<RouterB> display clock source
Master clock source:
---------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------
   1    BITS0        19        sa4     unknown    on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
*  3    LPU1         1         -       unknown    on        normal
   4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------
   1    BITS0        19        sa4     unknown    on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
   3    LPU1         1         -       unknown    on        normal
   4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------

Step 7 Verify the configuration.
If the link between any two routers is disconnected or the BITS clock source is lost, protection switching is performed automatically, so all routers trace the same clock source to achieve clock synchronization. The following takes disconnecting the BITS clock of Router A as an example: Router A, Router B, Router C, Router E, and Router F then trace the BITS clock of Router D. Take the command output of Router A as an example.
# Run the following command on Router A.
<RouterA> display clock source
Master clock source:
---------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------
   1    BITS0        1         sa4     unknown    on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
   3    LPU1         3         -       unknown    on        normal
*  4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------
Source  Description  Priority  Sa-bit  Input SSM  Forcessm  Sourcestate
---------------------------------------------------------------------------------
   1    BITS0        1         sa4     unknown    on        abnormal
   2    BITS1        19        sa4     unknown    on        abnormal
   3    LPU1         3         -       unknown    on        normal
   4    LPU2         2         -       unknown    on        normal
---------------------------------------------------------------------------------

After the BITS clock source of Router A is lost, the status of the BITS0 clock source on Router A is abnormal and the clock source used by the system is Source 4.
# After the BITS clock of Router A is lost, all routers perform protection switching based on the priorities of clock sources. Figure 11-5 shows the clock source tracing after the BITS clock source of Router A is lost.

Figure 11-5 Networking diagram of the clock source tracing after the BITS clock source of Router A is lost

(Figure: Router A, Router B, Router C, Router D, Router E, and Router F; after the loss of the BITS clock at Router A, all routers trace the BITS clock entering at Router D.)

----End
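A check for the output read in Step 7, as an added example that is not part of the guide: it parses the master table of display clock source and reports when the clock board is tracing something other than its highest-priority source, so a switchover like the one above is noticed rather than discovered later. The sample output is constructed to mirror Router A after its BITS clock is lost, not captured from a device.

```python
"""Parse 'display clock source' output (section 11.7.1, Step 7) and flag
clock sources that have switched or are unusable. Added example; the sample
output below is constructed to mirror the guide's Router A output after its
BITS clock is lost and is not captured from a device."""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_PRIORITY = 19   # default priority: such a source is never selected

# One data row of the master table, e.g. "* 1 BITS0 1 sa4 unknown on abnormal".
# LPU rows carry "-" in the Sa-bit column; header and dashed rule lines do not match.
ROW_RE = re.compile(
    r"^\s*(?P<active>\*)?\s*(?P<index>\d+)\s+(?P<desc>\S+)\s+(?P<prio>\d+)\s+"
    r"(?P<sabit>\S+)\s+(?P<ssm>\S+)\s+(?P<force>\S+)\s+(?P<state>\S+)\s*$"
)

SAMPLE_OUTPUT = """\
<RouterA> display clock source
Master clock source:
---------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        -      unknown   on       normal
* 4    LPU2        2        -      unknown   on       normal
---------------------------------------------------------------------------------
Slave clock source:
---------------------------------------------------------------------------------
Source Description Priority Sa-bit Input SSM Forcessm Sourcestate
---------------------------------------------------------------------------------
  1    BITS0       1        sa4    unknown   on       abnormal
  2    BITS1       19       sa4    unknown   on       abnormal
  3    LPU1        3        -      unknown   on       normal
  4    LPU2        2        -      unknown   on       normal
---------------------------------------------------------------------------------
"""


def parse_master_table(output: str) -> List[Dict]:
    """Return the rows of the 'Master clock source' table as dicts."""
    rows, in_master = [], False
    for line in output.splitlines():
        if line.startswith("Master clock source"):
            in_master = True
            continue
        if line.startswith("Slave clock source"):
            break
        m = ROW_RE.match(line) if in_master else None
        if m:
            rows.append({
                "active": m.group("active") == "*",   # "*" marks the traced source
                "index": int(m.group("index")),
                "description": m.group("desc"),
                "priority": int(m.group("prio")),
                "sa_bit": m.group("sabit"),
                "ssm": m.group("ssm"),
                "state": m.group("state"),
            })
    return rows


def audit_clock_sources(rows: List[Dict]) -> Tuple[Optional[int], List[str]]:
    """Compare what the board traces with what the configured priorities say
    it should trace. Returns (index of the active source or None, findings)."""
    findings: List[str] = []
    active = next((r for r in rows if r["active"]), None)
    configured = [r for r in rows if r["priority"] != DEFAULT_PRIORITY]
    if not configured:
        findings.append("no source has a non-default priority; "
                        "protection switching has nothing to select")
    for r in configured:
        if r["state"] != "normal":
            findings.append(f"configured source {r['index']} ({r['description']}) "
                            f"is {r['state']}")
    if active is None:
        findings.append("no source is marked '*'; the board is not tracing any "
                        "reference (holdover or free-running)")
        return None, findings
    usable = [r for r in configured if r["state"] == "normal"]
    best = min(usable, key=lambda r: (r["priority"], r["index"])) if usable else None
    if best and best["index"] != active["index"]:
        findings.append(f"active source {active['index']} ({active['description']}) "
                        f"is not the best usable source {best['index']}")
    # The highest-priority source overall not being traced means a switchover happened.
    top = min(configured, key=lambda r: (r["priority"], r["index"])) if configured else None
    if top and top["index"] != active["index"]:
        findings.append(f"protection switching in effect: tracing {active['description']} "
                        f"instead of {top['description']} (priority {top['priority']})")
    return active["index"], findings


if __name__ == "__main__":
    idx, notes = audit_clock_sources(parse_master_table(SAMPLE_OUTPUT))
    print("active source:", idx)
    for note in notes:
        print(" -", note)
```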

Configuration Files
• Configuration file of Router A
#
 sysname RouterA
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
#
clock priority 1 source 1
clock priority 2 source 4
clock priority 3 source 3
#
return


Configuration file of Router B


#
 sysname RouterB
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 60.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.2 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return

Configuration file of Router C


#
 sysname RouterC
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 50.1.1.1 255.255.255.0
#
clock priority 1 source 4
clock priority 2 source 3
#
return

Configuration file of Router D


#
 sysname RouterD
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 40.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.2 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
clock priority 3 source 2
#
return

Configuration file of Router E


#
 sysname RouterE
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 30.1.1.1 255.255.255.0
#
clock priority 1 source 3
clock priority 2 source 4
#
return


Configuration file of Router F


#
 sysname RouterF
#
interface Pos1/0/0
 undo shutdown
 link-protocol ppp
 ip address 20.1.1.1 255.255.255.0
#
interface Pos2/0/0
 undo shutdown
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
clock priority 1 source 4
clock priority 2 source 3
#
return
