Configuration Guide - Basic Configurations (V600R003C00 - 01)

HUAWEI CX600 Metro Services Platform
V600R003C00
Configuration Guide - Basic
Configurations
Issue 01
Date 2011-05-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-05-30) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
About This Document
Purpose
This part describes the organization of this document, product version, intended audience,
conventions, and Change history.
NOTE
l This document takes interface numbers and link types of the CX600-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this
document.
l On CX600 series excluding CX600-X1 and CX600-X2, line processing boards are called Line
Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On
the CX600-X1 and CX600-X2, there are no LPUs and SFUs, and NPUs implement the same functions
of LPUs and SFUs to exchange and forward packets.
Intended Audience
This document is intended for:
l Commissioning Engineer
l Data Configuration Engineer
l Network Monitoring Engineer
l System Maintenance Engineer
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
DANGER
Alerts you to a high risk hazard that could, if not avoided,
result in serious injury or death.
WARNING
Alerts you to a medium or low risk hazard that could, if
not avoided, result in moderate or minor injury.
Configuration Guide - Basic Configurations About This Document
iii
Symbol Description
CAUTION
Alerts you to a potentially hazardous situation that could,
if not avoided, result in equipment damage, data loss,
performance deterioration, or unanticipated results.
TIP
Provides a tip that may help you solve a problem or save
time.
NOTE
Provides additional information to emphasize or
supplement important points in the main text.

Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Changes in Issue 01 (2011-05-30)
Initial commercial release.
About This Document
Configuration Guide - Basic Configurations
iv Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
Contents
About This Document...................................................................................................................iii
1 Logging In to the System for the First Time......................................................................... 1-1
1.1 Introduction to Log In to the Device for the First Time..................................................................................1-2
1.2 Logging In to the Device Through the Console Port......................................................................................1-2
1.2.1 Establishing the Configuration Task......................................................................................................1-3
1.2.2 Establishing the Physical Connection....................................................................................................1-3
1.2.3 Logging in to the CX device..................................................................................................................1-4
1.3 Logging In to the CX device That Supports the Plug-and-Play Function......................................................1-6
2 CLI Overview.............................................................................................................................. 2-1
2.1 CLI Introduction..............................................................................................................................................2-2
2.1.1 Command Line Interface........................................................................................................................2-2
2.1.2 Command Levels....................................................................................................................................2-3
2.1.3 Command Line Views............................................................................................................................2-4
2.2 Online Help.....................................................................................................................................................2-4
2.2.1 Full Help.................................................................................................................................................2-5
2.2.2 Partial Help.............................................................................................................................................2-5
2.2.3 Error Messages of the Command Line Interface....................................................................................2-6
2.3 CLI Features....................................................................................................................................................2-6
2.3.1 Editing....................................................................................................................................................2-7
2.3.2 Displaying..............................................................................................................................................2-8
2.3.3 Regular Expressions...............................................................................................................................2-8
2.3.4 Previously-Used Commands................................................................................................................2-11
2.3.5 Batch Command Execution..................................................................................................................2-12
2.4 Shortcut Keys................................................................................................................................................2-13
2.4.1 Classifying Shortcut Keys....................................................................................................................2-13
2.4.2 Defining Shortcut Keys........................................................................................................................2-15
2.4.3 Use of Shortcut Keys............................................................................................................................2-15
2.5 Configuration Examples................................................................................................................................2-16
2.5.1 Example for Running Commands in Batches......................................................................................2-16
2.5.2 Example for Using Tab........................................................................................................................2-17
2.5.3 Example for Using Shortcut Keys........................................................................................................2-18
2.5.4 Example for Copying Commands Using Shortcut Keys......................................................................2-19
Configuration Guide - Basic Configurations Contents
v
3 Basic Configuration................................................................................................................... 3-1
3.1 Configuring the Basic System Environment...................................................................................................3-2
3.1.2 Switching the Language Mode...............................................................................................................3-3
3.1.3 Configuring the Equipment Name......................................................................................................... 3-3
3.1.4 Setting the System Clock....................................................................................................................... 3-4
3.1.5 Configuring a Header.............................................................................................................................3-5
3.1.6 Configuring Command Levels...............................................................................................................3-6
3.1.7 Configuring the Undo Command to Match in the Previous View Automatically.................................3-7
3.2 Displaying System Status Messages...............................................................................................................3-8
3.2.1 Displaying System Configuration..........................................................................................................3-8
3.2.2 Displaying System Status.......................................................................................................................3-9
3.2.3 Collecting System Diagnostic Information............................................................................................3-9
4 Configuring User Interface......................................................................................................4-1
4.1 User Interface Overview................................................................................................................................. 4-2
4.2 Configuring the Console User Interface..........................................................................................................4-4
4.2.2 Setting Physical Attributes of Console User Interface...........................................................................4-5
4.2.3 Setting Terminal Attributes of Console User Interface..........................................................................4-6
4.2.4 Configuring User Priority of Console User Interface............................................................................ 4-7
4.2.5 Configuring the User Authentication Mode of the Console User Interface...........................................4-8
4.2.6 Checking the Configuration...................................................................................................................4-9
4.3 Configuring the AUX User Interface............................................................................................................4-10
4.3.1 Establishing the Configuration Task....................................................................................................4-11
4.3.2 Setting Physical Attributes of AUX User Interface.............................................................................4-11
4.3.3 Setting Terminal Attributes of AUX User Interface............................................................................4-12
4.3.4 Setting User Priority of AUX User Interface.......................................................................................4-13
4.3.5 Setting Modem Attributes of AUX User Interface..............................................................................4-14
4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User Interface.........................................4-15
4.3.7 Setting User Authentication Mode of AUX User Interface.................................................................4-16
4.3.8 Checking the Configuration.................................................................................................................4-17
4.4 Configuring VTY User Interface..................................................................................................................4-18
4.4.2 Configuring Maximum VTY User Interfaces......................................................................................4-19
4.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces............................4-20
4.4.4 Setting Terminal Attributes of the VTY User Interface.......................................................................4-21
4.4.5 Setting User Priority of VTY User Interface........................................................................................4-22
4.4.6 Setting User Authentication Mode of the VTY User Interface............................................................4-23
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces....................................4-24
4.5.1 Example for Configuring Console User Interface................................................................................4-27
Contents
vi Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
4.5.2 Example for Configuring AUX User Interface....................................................................................4-29
4.5.3 Example for Configuring VTY User Interface.....................................................................................4-31
5 Configuring User Login............................................................................................................5-1
5.1 Overview of User Login..................................................................................................................................5-3
5.2 Logging in to the Devices Through the Console Port.....................................................................................5-3
5.2.2 Configuring Console User Interface......................................................................................................5-4
5.2.3 Logging in to the CX device Through a Console Port...........................................................................5-5
5.3 Logging in to the Devices Through the AUX Port.........................................................................................5-6
5.3.2 Configuring AUX User Interface...........................................................................................................5-8
5.3.3 Logging in to the CX deviceThrough an AUX Port..............................................................................5-8
5.4 Logging in to the Devices by Using Telnet...................................................................................................5-12
5.4.2 Configuring VTY User Interface.........................................................................................................5-14
5.4.3 (Optional) Configuring Local Telnet Users.........................................................................................5-14
5.4.4 Enabling the Telnet Service.................................................................................................................5-15
5.4.5 (Optional) Configuring Listening Port Number for Telnet Server.......................................................5-15
5.4.6 Logging in to the CX device by Using Telnet.....................................................................................5-16
5.5 Logging in to the Devices by Using STelnet................................................................................................5-18
5.5.3 Configuring SSH for the VTY User Interface.....................................................................................5-20
5.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types......................................5-21
5.5.5 Enabling the STelnet Server Function.................................................................................................5-23
5.5.6 (Optional) Configuring the STelnet Server Parameters.......................................................................5-24
5.5.7 Logging in to the CX device by Using STelnet...................................................................................5-25
5.6 Common Operations After Login.................................................................................................................5-27
5.6.2 Switching User Levels.........................................................................................................................5-28
5.6.3 Locking User Interfaces.......................................................................................................................5-30
5.6.4 Sending Messages to Other User Interfaces.........................................................................................5-30
5.6.5 Displaying Logged-in Users.................................................................................................................5-30
5.6.6 Clearing Logged-in Users....................................................................................................................5-31
5.6.7 Configuring Configuration Locking.....................................................................................................5-31
5.7.1 Example for Configuring User Login Through a Console Port...........................................................5-32
5.7.2 Example for Logging In Through the AUX Port.................................................................................5-35
vii
5.7.3 Example for Configuring User Login by Using Telnet........................................................................5-36
5.7.4 Example for Configuring User Login by Using STelnet.....................................................................5-40
6 Managing File System...............................................................................................................6-1
6.1 File System Overview.....................................................................................................................................6-2
6.1.1 File System.............................................................................................................................................6-2
6.1.2 Methods of File Management................................................................................................................6-2
6.2 Performing File Operations by Means of the File System..............................................................................6-3
6.2.2 Managing Storage Devices.....................................................................................................................6-4
6.2.3 Managing the Directory.........................................................................................................................6-5
6.2.4 Managing Files.......................................................................................................................................6-5
6.3 Performing File Operations by Means of FTP................................................................................................6-8
6.3.2 Configuring a Local FTP User...............................................................................................................6-9
6.3.3 (Optional) Specifying a Port Number for the FTP Server...................................................................6-10
6.3.4 Enabling the FTP Server......................................................................................................................6-11
6.3.5 (Optional) Configuring the FTP Server Parameters.............................................................................6-11
6.3.6 (Optional) Configuring an FTP ACL...................................................................................................6-12
6.3.7 Accessing the System by Using FTP...................................................................................................6-13
6.3.8 Performing File Operations by Using FTP Commands.......................................................................6-14
6.4 Performing File Operations by Means of SFTP............................................................................................6-16
6.4.3 Configuring SSH for the VTY User Interface.....................................................................................6-18
6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types.........................................6-19
6.4.5 Enabling the SFTP Service..................................................................................................................6-22
6.4.6 (Optional) Configuring the STelnet Server Parameters.......................................................................6-22
6.4.7 Accessing the System by Using SFTP.................................................................................................6-23
6.4.8 Performing File Operations by Using SFTP........................................................................................6-25
6.5 Performing File Operations by Means of Xmodem......................................................................................6-27
6.5.2 Getting a File Through Xmodem.........................................................................................................6-28
6.6.1 Example for Performing File Operations by Means of the File System..............................................6-29
6.6.2 Example for Performing File Operations by Means of FTP................................................................6-30
6.6.3 Example for Performing File Operations by Means of SFTP..............................................................6-33
6.6.4 Example for Performing File Operations by Means of Xmodem........................................................6-35
7 Configuring System Startup....................................................................................................7-1
7.1 System Startup Overview................................................................................................................................7-2
7.1.1 System Software.....................................................................................................................................7-2
Contents
viii Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
7.1.2 Configuration Files.................................................................................................................................7-2
7.1.3 Configuration Files and Current Configurations....................................................................................7-2
7.2 Managing Configuration Files........................................................................................................................ 7-3
7.2.2 Saving Configuration Files.....................................................................................................................7-4
7.2.3 Clearing a Configuration File.................................................................................................................7-6
7.2.4 Comparing Configuration Files..............................................................................................................7-7
7.3 Specifying a File for System Startup...............................................................................................................7-8
7.3.2 Configuring System Software for a CX device to Load for the Next Startup........................................7-9
7.3.3 Configuring the Configuration File for CX- to Load for the Next Startup..........................................7-10
7.4.1 Example for Configuring System Startup............................................................................................7-11
8 Accessing Another Device........................................................................................................8-1
8.1 Accessing Another Device..............................................................................................................................8-3
8.1.1 Telnet Method........................................................................................................................................8-3
8.1.2 FTP Method............................................................................................................................................8-5
8.1.3 TFTP Method.........................................................................................................................................8-6
8.1.4 SSH Method...........................................................................................................................................8-6
8.2 Logging in to Other Devices by Using Telnet................................................................................................ 8-7
8.2.2 (Optional) Configuring a Source IP Address for an Telnet Client.........................................................8-9
8.2.3 Logging in to Another Device by Using Telnet.....................................................................................8-9
8.3 Connecting to Another Device by Using the Telnet Redirection Function..................................................8-10
8.3.2 Enabling the Telnet Redirection Function...........................................................................................8-12
8.3.3 Connecting Another Device by Using the Telnet Redirection Function..............................................8-12
8.4 Logging in to Another Device by Using STelnet..........................................................................................8-13
8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)..............................................................................................................................................8-15
8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH
Server)...........................................................................................................................................................8-16
8.4.4 Logging in to Another Device by Using STelnet.................................................................................8-17
8.4.5 Checking the configuration..................................................................................................................8-18
8.5 Accessing Files on Another Device by Using TFTP....................................................................................8-18
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client..........................................................8-19
8.5.3 (Optional) Configuring TFTP Access Authority.................................................................................8-20
ix
8.5.4 Downloading Files by Using TFTP.....................................................................................................8-21
8.5.5 Uploading Files by Using TFTP..........................................................................................................8-21
8.6 Accessing Files on Another Device by Using FTP.......................................................................................8-22
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client.......................................8-23
8.6.3 Connecting to Other Devices by Using FTP Commands.....................................................................8-24
8.6.4 Operating Files by Using FTP Commands..........................................................................................8-25
8.6.5 Changing Login Users..........................................................................................................................8-27
8.6.6 Disconnecting from the FTP Server.....................................................................................................8-28
8.7 Accessing Files on Another Device by Using SFTP.....................................................................................8-29
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client........................................................8-30
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)..............................................................................................................................................8-31
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH
Server)...........................................................................................................................................................8-32
8.7.5 Connecting to Other Devices by Using SFTP......................................................................................8-33
8.7.6 Operating Files by Using SFTP Commands........................................................................................8-34
8.8.1 Example for Logging in to Another Device by Using Telnet..............................................................8-37
8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function.....................8-39
8.8.3 Example for Logging in to Another Device by Using Telnet on a VPN.............................................8-41
8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server.................8-43
8.8.5 Example for Accessing Files on Another Device by Using TFTP......................................................8-49
8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the Management
VPN Instance Is Used...................................................................................................................................8-51
8.8.7 Example for Accessing Files on Another Device by Using FTP.........................................................8-53
8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the Management
8.8.9 Example for Accessing Files on Another Device by Using SFTP.......................................................8-56
8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the Management
8.8.11 Example for Accessing the SSH Server Through Other Port Numbers.............................................8-67
8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network
.......................................................................................................................................................................8-73
9 Clock Synchronization Configuration...................................................................................9-1
9.1 Introduction of Clock Synchronization Configuration....................................................................................9-2
9.1.1 Overview of Clock Synchronization Configuration...............................................................................9-2
9.1.2 Clock Synchronization Supported by the CX600..................................................................................9-2
9.2 Setting Basic Configurations for Clock Synchronization...............................................................................9-3
Contents
x Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
9.2.2 Setting Basic Configurations for Clock Synchronization......................................................................9-3
9.3 Configuring an External BITS Clock Source..................................................................................................9-5
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock.............................9-5
9.3.3 Configuring an External Clock Source and Its Signal Type on the CX device..................................... 9-6
9.4 Configuring a Clock Reference Source Manually or Forcibly........................................................................9-7
9.4.2 Configuring a Clock Reference Source..................................................................................................9-8
9.5 Configuring Clock Protection Switching Based on SSM Levels....................................................................9-9
9.5.2 Configuring the Router to Automatically Select Clock Sources..........................................................9-10
9.5.3 Enabling SSM......................................................................................................................................9-11
9.5.4 Configuring the SSM Level of the Clock Reference Source...............................................................9-11
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs.........................................9-12
9.5.6 Setting the Modes of Extracting SSM Levels......................................................................................9-12
9.6 Configuring Clock Protection Switching Based on Priorities.......................................................................9-14
9.6.2 Configuring the Router to Automatically Select Clock Sources..........................................................9-14
9.6.3 Disabling SSM.....................................................................................................................................9-15
9.6.4 Setting Priorities of Clock Reference Sources.....................................................................................9-15
9.7 Configuring Ethernet Clock Synchronization...............................................................................................9-16
9.7.2 Enabling Ethernet Clock Synchronization...........................................................................................9-18
9.7.3 Configuring Ethernet Clock Source.....................................................................................................9-18
9.8 Configuration Examples of Clock Synchronization......................................................................................9-19
9.8.1 Example for Configuring Protection Switchover of Clock Sources....................................................9-19
10 Device Maintenance..............................................................................................................10-1
10.1 Introduction of Device Maintenance...........................................................................................................10-3
10.1.1 Overview of Device Maintenance......................................................................................................10-3
10.1.2 Maintenance Features Supported by the CX600................................................................................10-3
10.2 Powering off the MPU................................................................................................................................10-3
10.2.1 Establishing the Configuration Task..................................................................................................10-4
10.2.2 Powering off the Slave MPU.............................................................................................................10-4
10.2.3 Checking the Configuration...............................................................................................................10-5
10.3 Powering off the SFU..................................................................................................................................10-6
xi
10.3.2 Powering off the SFU.........................................................................................................................10-7
10.4 Powering off the NPU.................................................................................................................................10-8
10.4.2 Powering off the NPU........................................................................................................................10-9
10.5 Powering off the LPU...............................................................................................................................10-10
10.5.1 Establishing the Configuration Task................................................................................................10-10
10.5.2 Powering off the LPU......................................................................................................................10-11
10.5.3 Checking the Configuration.............................................................................................................10-11
10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s.................................10-12
10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s.........................10-13
10.7 Switching Between the Operation Modes of the LPUF-10.......................................................................10-14
10.7.2 Switching Between the Operation Modes of the LPUF-10..............................................................10-15
10.8 Configuring the CMU...............................................................................................................................10-16
10.8.2 Configuring Monitor Items for a CMU............................................................................................10-17
10.9 Configuring a Cleaning Cycle for the Air Filter.......................................................................................10-18
10.9.2 Configuring a Cleaning Cycle for the Air Filter..............................................................................10-18
10.9.3 Remonitoring the Cleaning Cycle of the Air Filter..........................................................................10-19
10.10 Monitoring the Device Status..................................................................................................................10-20
10.10.1 Displaying the System Version Information..................................................................................10-21
10.10.2 Displaying Basic Information About the Router............................................................................10-21
10.10.3 Displaying the Electronic Label.....................................................................................................10-22
10.10.4 Displaying the Soft Boot Mode......................................................................................................10-22
10.10.5 Displaying the Threshold of the Memory Usage...........................................................................10-22
10.10.6 Displaying the Threshold of CPU Usage.......................................................................................10-23
10.10.7 Displaying Alarm Information.......................................................................................................10-23
10.10.8 Displaying the Board Temperature................................................................................................10-24
10.10.9 Displaying the Board Voltage........................................................................................................10-24
10.10.10 Displaying the Power Supply Status............................................................................................10-25
10.10.11 Displaying Current Information About Boards............................................................................10-25
10.10.12 Displaying Entironment Information About the Device..............................................................10-25
10.10.13 Displaying the Fan Status.............................................................................................................10-26
10.10.14 Displaying the Sequence Number of the MPU............................................................................10-26
10.10.15 Displaying the Next Start Mode of the Board..............................................................................10-26
Contents
xii Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
10.10.16 Displaying the Number of the Registered SFUs By Default.......................................................10-27
10.11 Board Maintence ....................................................................................................................................10-27
10.11.1 Resetting a Board...........................................................................................................................10-28
10.11.2 Clearing the Maximum CPU Usage...............................................................................................10-28
10.12 Configuring NAP-based Remote Deployment........................................................................................10-29
10.12.1 Establishing the Configuration Task..............................................................................................10-29
10.12.2 Configuring and Starting the NAP Master Interface......................................................................10-30
10.12.3 Remote Login.................................................................................................................................10-32
10.12.4 Disabling NAP on the Slave Device..............................................................................................10-32
10.12.5 Checking the Configuration...........................................................................................................10-33
10.13 Configuration Examples of the Device Maintenance..............................................................................10-34
10.13.1 Example for Powering off the MPU..............................................................................................10-35
10.13.2 Example for Powering off the SFU................................................................................................10-36
10.13.3 Example for Powering off the LPU................................................................................................10-37
10.13.4 Example for Configuring the Operation Mode of the LPUF-10....................................................10-39
10.13.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode..........................10-40
10.13.6 Example for Configuring NAP-based Remote Deployment in Static Mode.................................10-41
11 Device Upgrading..................................................................................................................11-1
11.1 Overview of Device Upgrade......................................................................................................................11-2
11.2 Upgrade Modes Supported by the CX600..................................................................................................11-2
12 Patch Management.................................................................................................................12-1
12.1 Introduction of Patch Management.............................................................................................................12-2
12.1.1 Overview of Patch Management........................................................................................................12-2
12.1.2 Patches Supported by the CX600.......................................................................................................12-3
12.2 Checking the Running of Patch in the System............................................................................................12-4
12.2.2 Checking the Running of Patch in the System...................................................................................12-5
12.2.3 (Optional) Deleting a Patch................................................................................................................12-5
12.3 Loading a Patch...........................................................................................................................................12-6
12.3.2 Loading a Patch..................................................................................................................................12-7
12.4 Installing a Patch.........................................................................................................................................12-9
12.4.2 Loading a Patch................................................................................................................................12-10
12.4.3 Activating a Patch............................................................................................................................12-10
12.4.4 Running a Patch...............................................................................................................................12-11
12.4.5 (Optional) Synchronizing Patches....................................................................................................12-11
12.5 (Optional) Unactivating the activating of Patch........................................................................................12-15
12.5.2 Deactivating a Patch.........................................................................................................................12-16
xiii
12.6 Configuration Examples of the Patch Management..................................................................................12-17
12.6.1 Example for Installing a Patch.........................................................................................................12-17
A Glossary.....................................................................................................................................A-1
B Acronyms and Abbreviations.................................................................................................B-1
Contents
xiv Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
Figures
Figure 1-1 Connection creation............................................................................................................................1-4
Figure 1-2 Interface setting .................................................................................................................................1-5
Figure 1-3 Communication parameter setting .....................................................................................................1-5
Figure 5-1 Networking diagram of remote login through an AUX port..............................................................5-7
Figure 5-2 Connection creating............................................................................................................................5-8
Figure 5-3 Dialing information setting.................................................................................................................5-9
Figure 5-4 Remote connection with the CX device.............................................................................................5-9
Figure 5-5 Connection attribute modification....................................................................................................5-10
Figure 5-6 Communications parameters setting.................................................................................................5-11
Figure 5-7 Networking diagram of user login through a console port...............................................................5-33
Figure 5-8 Connection creation..........................................................................................................................5-33
Figure 5-9 Interface setting................................................................................................................................5-34
Figure 5-10 Communication parameter setting..................................................................................................5-34
Figure 5-11 Networking diagram of logging in through the AUX port.............................................................5-35
Figure 5-12 Networking diagram of user login by using Telnet........................................................................5-36
Figure 5-13 Telnet login window on the PC......................................................................................................5-38
Figure 5-14 Window after login of the CX device.............................................................................................5-39
Figure 5-15 Networking diagram of configuring user login by using STelnet..................................................5-40
Figure 6-1 Networking for performing file operations by using FTP................................................................6-30
Figure 6-2 Logging in to the FTP Server...........................................................................................................6-31
Figure 6-3 Performing file operations by means of FTP....................................................................................6-32
Figure 6-4 Networking diagram for operating files by using SFTP...................................................................6-33
Figure 6-5 Accessing Interface...........................................................................................................................6-34
Figure 6-6 Specifying the file to be sent............................................................................................................6-36
Figure 8-1 Networking diagram for accessing another device from the CX device............................................8-3
Figure 8-2 Telnet client services..........................................................................................................................8-4
Figure 8-3 Telnet redirection services..................................................................................................................8-4
Figure 8-4 Usage of Telnet shortcut keys............................................................................................................8-5
Figure 8-5 Networking diagram for accessing another device from the CX device that you have logged in to
...............................................................................................................................................................................8-8
Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet.....................8-11
Figure 8-7 Networking diagram for logging in to another device by using Telnet............................................8-37
Figure 8-8 Networking of logging in to another device by using the Telnet redirection function.....................8-40
Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN...........................8-41
Configuration Guide - Basic Configurations Figures
xv
Figure 8-10 Networking diagram for logging in to another device by Using STelnet.......................................8-43
Figure 8-11 Networking diagram for accessing files on another device by using TFTP...................................8-49
Figure 8-12 Setting the Base Directory of the TFTP server...............................................................................8-50
Figure 8-13 Networking diagram of configuring the access of the TFTP server on the public network when the
management VPN instance is used..................................................................................................................... 8-51
Figure 8-14 Setting the Base Directory of the TFTP server...............................................................................8-52
Figure 8-15 Networking diagram for accessing files on another device by using FTP.....................................8-53
Figure 8-16 Networking diagram of configuring the access of the FTP server on the public network when the
Figure 8-17 Networking diagram for accessing files on another device by using SFTP...................................8-56
Figure 8-18 Networking diagram of configuring the access of the SFTP server on the public network when the
Figure 8-19 Networking diagram of accessing the SSH server through other port numbers.............................8-68
Figure 8-20 Networking diagram of configuring the SSH client in public network accessing the SSH server in the
private network....................................................................................................................................................8-74
Figure 9-1 Diagram of configuring the clock reference source manually............................................................9-8
Figure 9-2 Networking diagram of applying Ethernet clock synchronization...................................................9-17
Figure 9-3 Networking diagram of configuring clock source tracing................................................................9-20
Figure 9-4 Networking diagram of the clock source tracing after the connection between the BITS clock source
and CX- A is closed............................................................................................................................................ 9-24
Figure 10-1 Networking diagram of configuring NAP-based remote deployment..........................................10-40
Figure 10-2 Networking diagram of configuring NAP-based remote deployment..........................................10-41
Figure 12-1 Conversion between the statuses of a patch................................................................................... 12-3
Figure 12-2 Logical relationships between configuration tasks.........................................................................12-4
Figure 12-3 Networking diagram of installing a patch....................................................................................12-17
Figures
xvi Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
Tables
Table 2-1 Command line levels............................................................................................................................2-3
Table 2-2 Common error messages of the command line....................................................................................2-6
Table 2-3 Keys for editing....................................................................................................................................2-7
Table 2-4 Keys for displaying..............................................................................................................................2-8
Table 2-5 Description of particular characters.....................................................................................................2-9
Table 2-6 Access the previously-used commands..............................................................................................2-12
Table 2-7 System-defined shortcut keys............................................................................................................2-14
Table 4-1 Example for the absolute numbering...................................................................................................4-3
Table 5-1 User login modes..................................................................................................................................5-3
Table 6-1 File management methods....................................................................................................................6-3
Table 9-1 Clock sources of all CX device and the priorities..............................................................................9-20
Table 12-1 Patch states.......................................................................................................................................12-2
Configuration Guide - Basic Configurations Tables
xvii
1 Logging In to the System for the First Time
About This Chapter
Users can log in to a new CX device through the console port to configure the CX device.
1.1 Introduction to Log In to the Device for the First Time
A user can log in to the CX device that is powered on for the first time through the console port
or by the plug-and-play function to configure the CX device.
1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a CX device through the console port to
establish the configuration environment.
1.3 Logging In to the CX device That Supports the Plug-and-Play Function
The plug-and-play function enables the CX device to automatically access the network and
obtains an IP address after the CX device is powered on. This allows engineers to remotely log
in to the CX device to perform basic configurations.
Configuration Guide - Basic Configurations 1 Logging In to the System for the First Time
1-1
1.1 Introduction to Log In to the Device for the First Time
A user can log in to the CX device that is powered on for the first time through the console port
or by the plug-and-play function to configure the CX device.
Log in to the CX device through the console port
The console port is a linear port on the main control board.
Each main control board provides one console port that conforms to the EIA/TIA-232 standard
and whose type is DCE. The serial interface of a terminal can be directly connected to the console
port on the CX device. Users can then configure the CX device on the terminal.
NOTE
When a device is powered on for the first time, you must log in to the device through the console port. It
is a prerequisite for other login modes. For example, the IP address for Telnet login must be configured by
logging in to the device through the console port.
Log in to the CX device by the plug-and-play function
NOTE
The plug-and-play function only can be configured on the X1 , X2 and X3 models of the CX600.
During site deployment, the CX devices reside far away from the equipment room. Sending
software commissioning engineers to deploy the network at the site is quite costly. After the
plug-and-play function is enabled, however, the CX device automatically obtains an IP address.
Software commissioning engineers are able to remotely deliver configurations to the CX
device through the NMS after installation personnel finishes hardware installation. This greatly
simplifies installation and reduces costs with minimized site visits.
The plug-and-play function is controlled by a PAF file and users do not need to configure it
manually. This function is automatically disabled after the CX device correctly obtains an IP
address.
1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a CX device through the console port to
establish the configuration environment.
1.2.1 Establishing the Configuration Task
Before logging in to the CX device through the console port, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
will help you complete the configuration task quickly and accurately.
1.2.2 Establishing the Physical Connection
The console port on the CX device must be connected to the COM port on a terminal by using
a console cable.
1.2.3 Logging in to the CX device
You can log in to the CX device through the console port to configure and manage the CX
device that is powered on for the first time.
1-2 Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
Before logging in to the CX device through the console port, familiarize yourself with the
will help you complete the configuration task quickly and accurately.
Applicable Environment
When the CX device is powered on for the first time, you need to use the console port to log in
to the CX device to configure and manage the CX device.
Pre-configuration Tasks
Before logging in to the CX device through the console port, complete the following tasks:
l Installing terminal emulation program on the PC (such as Windows XP HyperTerminal)
l Preparing the RS-232 cable
Data Preparation
To log in to the CX device through the console port, you need the following data.
No. Data
1 Terminal communication parameters
l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode

NOTE
When the CX device is logged in for the first time, the system automatically uses default parameter values.
1.2.2 Establishing the Physical Connection
The console port on the CX device must be connected to the COM port on a terminal by using
a console cable.
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Connect the COM port on the PC and the console port on the CX device by a cable.
----End
1-3
1.2.3 Logging in to the CX device
You can log in to the CX device through the console port to configure and manage the CX
device that is powered on for the first time.
Context
You need to configure terminal attributes for the PC according to the attributes configured for
the console port, including the transmission rate, data bit, parity bit, stop bit, and flow control
mode. As the CX device is logged in for the first time, every terminal attribute uses the default
value of the CX device.
Procedure
Step 1 Start a terminal emulator on the PC, and create a new connection, as shown in Figure 1-1.
Figure 1-1 Connection creation

Step 2 Set interface,as shown in Figure 1-2.
Issue 01 (2011-05-30)
Figure 1-2 Interface setting

Step 3 Set communication parameter, same as the default of CX device,as shown in Figure 1-3.
Figure 1-3 Communication parameter setting

1-5
Step 4 Press Enter. A command line prompt such as <HUAWEI> appears, and the user view is
displayed for you to configure the CX device.
----End
1.3 Logging In to the CX device That Supports the Plug-and-
Play Function
The plug-and-play function enables the CX device to automatically access the network and
obtains an IP address after the CX device is powered on. This allows engineers to remotely log
in to the CX device to perform basic configurations.
Context
NOTE
The plug-and-play function only can be configured on the X1 , X2 and X3 models of the CX600.
During site deployment, the CX devices reside far away from the equipment room. Sending
software commissioning engineers to deploy the network at the site is quite costly. After the
plug-and-play function is enabled, however, the CX device automatically obtains an IP address.
Software commissioning engineers are able to remotely deliver configurations to the CX
device through the NMS after installation personnel finishes hardware installation. This greatly
simplifies installation and reduces costs with minimized site visits. The plug-and-play function
is controlled by a PAF file and users do not need to configure it manually. This function is
automatically disabled after the CX device correctly obtains an IP address. The process of
logging in to the CX device supporting the plug-and-play function is as follows:
Procedure
Step 1 After planning the network, network planning engineers provide a planning list for software
commissioning engineers.
Step 2 Based on the planning list, software commissioning engineers configure the mappings between
the CX device locations and IP addresses on the DHCP server, compile configuration scripts,
and configure the mappings between the CX device locations and scripts.
Step 3 Hardware installation personnel installs the CX device and power them on at the site.
Step 4 The CX device sends a DHCPREQUEST message to the DHCP server, and then the interface
connecting to the DHCP server obtains an IP address.
Step 5 The NMS delivers configurations to the CX device.
----End
Follow-up Procedure
If there is no DHCP server on the network or the CX device cannot obtain an IP address for
some reason, the CX device displays the following information:
PNP State!!!PLEASE UNDO PNP enable for manual Setup!
You can undo PNP in system view with "undo pnp enable"
At this time, do as follows to disable the plug-and-play function:
1. Run the system-view command to enter the system view.
Issue 01 (2011-05-30)
2. Run the undo pnp enable command to disable the plug-and-play function.
3. Run the undo pnp default route command to delete the default route generated by the
plug-and-play function.
1-7
2 CLI Overview
About This Chapter
The command line interface (CLI) is used to configure and maintain devices.
2.1 CLI Introduction
After you log in to the CX device, a prompt is displayed, indicating that you enter the command
line interface (CLI). The CLI is used by users to interact with the CX device.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help function to
obtain real-time help.
2.3 CLI Features
The CLI provides the following features to help users flexibly use it.
2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.
2.5 Configuration Examples
This section provides several examples for using command lines.
Configuration Guide - Basic Configurations 2 CLI Overview
2-1
2.1 CLI Introduction
After you log in to the CX device, a prompt is displayed, indicating that you enter the command
line interface (CLI). The CLI is used by users to interact with the CX device.
2.1.1 Command Line Interface
You can configure and manage the CX device by using the CLI commands.
2.1.2 Command Levels
The system manages commands in hierarchy for security. The administrator can set user levels
corresponding to command levels to implement user-specific access control.
2.1.3 Command Line Views
The command line interface has different command views. All the commands are registered in
one or more command views. You can run a command only when you enter the corresponding
command view.
2.1.1 Command Line Interface
You can configure and manage the CX device by using the CLI commands.
The characteristics of CLI are as follows:
l Local or remote configuration through the AUX port.
l Local configuration through console port.
l Local or remote configuration through Telnet or Secure Shell (SSH).
l Remote configuration by logging in to an asynchronous serial interface on the CX device
through Modem dialup.
l The telnet command for directly logging in to and managing other CX devices.
l FTP service for file uploading and downloading.
l A user interface view for specific configuration management.
l Hierarchical command protection for users of different levels, that is, running the
commands of the corresponding levels.
l Three authentication modes are supported, namely, none-authentication, password
authentication, and Authentication, Authorization, and Accounting (AAA) authentication.
Password and AAA authentication prohibit unauthorized users from logging in to the CX
device, guaranteeing system security.
l Entering "?" for online help at any time.
l A command line interpreter provides intelligent command resolution methods such as key
word fuzzy match and context conjunction. These methods make it easy for users to enter
their commands.
l Network testing commands such as tracert and ping for rapidly diagnosing a network.
l Abundant debugging information to help in diagnosing the network.
l Running a command used previously on the device, like DosKey.
2 CLI Overview
Issue 01 (2011-05-30)
NOTE
l The system supports the command with up to 512 characters. The command can be incomplete. This
means that you can input initial characters (one or some) of the command to represent the whole
command. The incomplete command, however, must be unqiue in the system. For example, to use the
display current-configuration command, just input d cu, di cu, or dis cu. d c or dis c, however, cannot
be input, becuse they are not unique to represent the display current-configuration command.
l The system saves the incomplete command to the configuration files in the complete form; therefore,
the command may have more than 512 characters. When the system is restarted, however, the
incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete
command.
2.1.2 Command Levels
The system manages commands in hierarchy for security. The administrator can set user levels
corresponding to command levels to implement user-specific access control.
The default command levels are as follows:
Table 2-1 Command line levels
Level Name Description
0 Visit level Commands of this level include commands of network
diagnosis tool (such as ping and tracert) and commands that
start from the local device and visit external device (such
as Telnet client side).
1 Monitoring level Commands of this level, including the display commands,
are used for system maintenance and fault diagnosis.
2 Configuration
level
Commands of this level are service configuration
commands that provide direct network service to the user,
including routing and network layer commands.
3 Management level Commands of this level are commands that influence the
basic operation of the system and provide support to the
service. They include file system commands, FTP
commands, TFTP commands, XModem downloading
commands, configuration file switching commands, power
supply control commands, backup board control
commands, user management commands, level setting
commands, system internal parameter setting commands,
and debugging commands that are used for fault diagnosis.

To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the HUAWEI CX600 Configuration Guide - Basic Configurations.
2-3
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l The level of the command that a user can run is determined by the level of this user.
l Login users have the same 16 levels as the command levels. The login users can use only the command
of the levels that are equal to or lower than their own levels. The user privilege level level command
sets the user level.
2.1.3 Command Line Views
The command line interface has different command views. All the commands are registered in
one or more command views. You can run a command only when you enter the corresponding
command view.
The following part uses the user, system, and BFD views as an example:
# Establish connection to the CX device. If the CX device adopts the default configuration, you
can enter the user view with the prompt of <HUAWEI>.
<HUAWEI>
# Run the system-view command to enter the system view.
<HUAWEI> system-view
[HUAWEI]
# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]
NOTE
l The command prompt "HUAWEI" is the default host name.
l The prompt indicates a specific view. For example, "<HUAWEI>" indicates the user view, and
"[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be used in both system and other views, but have different effects. For
example, the mpls command can be run in the system view to enable MPLS globally or in the
interface view to enable MPLS only on this interface.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help function to
obtain real-time help.
2.2.1 Full Help
When inputting a command, you can use the full help function to obtain all keywords or
parameters of this command.
2.2.2 Partial Help
If you enter only the first one or a few characters of a command, you can use the partial help
function to obtain all keywords following the character or character string.
2.2.3 Error Messages of the Command Line Interface
If an entered command passes the syntax check, the system executes it. Otherwise, the system
prompts an error message.
2 CLI Overview
Issue 01 (2011-05-30)
2.2.1 Full Help
When inputting a command, you can use the full help function to obtain all keywords or
parameters of this command.
Procedure
l You can obtain the full help of a command line in the following manners.
Enter a question mark (?) in any command line view to display all the commands and
their simple descriptions.
<HUAWEI> ?
User view commands:
arp-ping ARP-ping
backup Backup information
batch-cmd Batch commands
board-channel-check Board-Channel-Check enable/disable
capture-packet enable capturing packet
cd Change current directory
...
...
Enter a command and a question mark (?) separated by a space. If the key word is at
this position, all key words and their simple descriptions are displayed. For example:
<HUAWEI> language-mode ?
Chinese Chinese environment
English English environment
Chinese and English are keywords; Chinese environment and English
environment describe the keywords respectively.
Enter a command and a question mark (?) separated by a space, and if a parameter is at
this position, the related parameter names and parameter descriptions are displayed. For
example:
[HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[HUAWEI] ftp timeout 35 ?
<cr> Please press ENTER to execute command
[HUAWEI] ftp timeout 35
In the preceding display, INTEGER<1-35791> describes the parameter value; The
value of FTP timeout (in minutes) is a simple description of the parameter usage;
<cr> indicates that no parameter is at this position. The command is repeated in the next
command line. You can press Enter to run the command.
----End
2.2.2 Partial Help
If you enter only the first one or a few characters of a command, you can use the partial help
function to obtain all keywords following the character or character string.
Procedure
l You can obtain the partial help of a command line in the following manners.
Enter a character string with a question mark (?) closely following it to display all
commands that begin with this character string.
<HUAWEI> d?
debugging delete
dir display
2-5
Enter a command and a character string with a question mark (?) closely following it
to display all the key words that begin with this character string.
<HUAWEI> display b?
bas-interface bfd
bgp board-current
board-power board-type
bootmode-current bootmode-next
bootrom btv
buffer bulk-stat
Enter the first several letters of a key word in the command and then press Tab to display
the complete key word on the condition that the letters uniquely identify the key word.
Otherwise, if you continue to press Tab, different key words are displayed. You can
select the needed key word.
----End
2.2.3 Error Messages of the Command Line Interface
If an entered command passes the syntax check, the system executes it. Otherwise, the system
All the commands entered by the user are run correctly, if the grammar check has been passed.
Otherwise, error messages are reported to the user. See Table 2-2 for the common error
messages.
Table 2-2 Common error messages of the command line
Error messages Cause of the error
Unrecognized command The command cannot be found
The key word cannot be found
Wrong parameter Parameter type error
The parameter value exceeds the limit
Incomplete command Incomplete command entered
Too many parameters Too many parameters entered
Ambiguous command Indefinite parameters entered

2.3 CLI Features
The CLI provides the following features to help users flexibly use it.
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using
certain keys.
2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as
required.
2.3.3 Regular Expressions
2 CLI Overview
Issue 01 (2011-05-30)
The regular expression is an expression that describes a set of strings. It consists of common
characters (such as letters from "a" to "z") and particular characters (also named metacharacters).
The regular expression is a template according to which you can search for the required string.
Users can use regular expressions to filter output information to rapidly locate desired
information.
2.3.4 Previously-Used Commands
The CLI provides a function similar to DosKey to automatically save commands used previously
on the device. If you need to run a command that has been executed, you can call the command
from those have been used previously on the device. This facilitates user operation.
2.3.5 Batch Command Execution
If multiple commands are frequently used consecutively, you can edit these commands to be
executed in batches. This simplifies command input and improves efficiency.
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using
certain keys.
The command line supports multi-line edition. The maximum length of each command is 512
characters.
Keys for editing that are often used are shown in Table 2-3.
Table 2-3 Keys for editing
Key Function
Common key Inserts a character in the current position of the cursor if the editing
buffer is not full and the cursor moves to the right. Otherwise, an
alarm is generated.
Backspace Deletes the character on the left of the cursor that moves to the
left. When the cursor reaches the head of the command, an alarm
is generated.
Left cursor key or
Ctrl_B
Moves the cursor to the left by the space of a character. When the
cursor reaches the head of the command, an alarm is generated.
Right cursor key or
Ctrl_F
Moves the cursor to the right by the space of a character. When
the cursor reaches the end of the command, an alarm is generated.
Tab Press Tab after typing the incomplete key word and the system
runs the partial help:
l If the matching key word is unique, the system replaces the
typed one with the complete key word and displays it in a new
line with the cursor a space behind.
l If there are several matches or no match at all, the system
displays the prefix first. Then you can press Tab to view the
matching key word one by one. In this case, the cursor closely
follows the end of the word and you can type a space to enter
the next word.
l If a wrong key word is entered, press Tab and the word is
displayed in a new line.
2-7

2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as
required.
You can control the display of information on the CLI as follows:
l Prompts and help information can be displayed in both Chinese and English. You can use
the language-mode language-name command to change the language mode.
l If output information cannot be displayed on a full screen, you have three options to view
the information, as shown in Table 2-4.
Table 2-4 Keys for displaying
Key Function
Ctrl_C Stops the display and running of the command.
NOTE
You can also press any of the keys except the spacebar and Enter key
to stop the display and running of the command.
Space Allows information to be displayed on the next screen.
Enter Allows information to be displayed on the next line.

2.3.3 Regular Expressions
The regular expression is an expression that describes a set of strings. It consists of common
characters (such as letters from "a" to "z") and particular characters (also named metacharacters).
The regular expression is a template according to which you can search for the required string.
Users can use regular expressions to filter output information to rapidly locate desired
information.
A regular expression can provide the following functions:
l Searching for and obtaining a sub-string that matches a rule in the string.
l Substituting a string according to a certain matching rule.
Formal Language Theory of the Regular Expression
The regular expression consists of common characters and particular characters.
l Common characters
Common characters are used to match themselves in a string, including all upper-case and
lower-case letters, digits, punctuation, and special symbols. For example, a matches the
letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the
symbol "@" in "xxx@xxx.com".
l Particular characters
Particular characters are used together with common characters to match the complex or
particular string combination. Table 2-5 describes particular characters and their syntax.
2 CLI Overview
Issue 01 (2011-05-30)
Table 2-5 Description of particular characters
Particul
ar
characte
r
Syntax Example
\ Defines an escape character, which
is used to mark the next character
(common or particular) as the
common character.
\* matches "*".
^ Matches the starting position of the
string.
^10 matches "10.10.10.1" instead of
"20.10.10.1".
$ Matches the ending position of the
string.
1$ matches "10.10.10.1" instead of
"10.10.10.2".
* Matches the preceding element zero
or more times.
10* matches "1", "10", "100", and
"1000".
(10)* matches "null", "10", "1010",
and "101010".
+ Matches the preceding element one
or more times
10+ matches "10", "100", and
"1000".
(10)+ matches "10", "1010", and
"101010".
? Matches the preceding element zero
or one time.
10? matches "1" and "10".
(10)? matches "null" and "10".
. Matches any single character. 0.0 matches "0x0" and "020".
.oo matches "book", "look", and
"tool".
() Defines a subexpression, which can
be null. Both the expression and the
subexpression should be matched.
100(200)+ matches "100200" and
"100200200".
x|y Matches x or y. 100|200 matches "100" or "200".
1(2|3)4 matches "124" or "134",
instead of "1234", "14", "1224", and
"1334".
[xyz] Matches any single character in the
regular expression.
[123] matches the character 2 in
"255".
[^xyz] Matches any character that is not
contained within the brackets.
[^123] matches any character except
for "1", "2", and "3".
[a-z] Matches any character within the
specified range.
[0-9] matches any character ranging
from 0 to 9.
[^a-z] Matches any character beyond the
specified range.
[^0-9] matches all non-numeric
characters.
2-9
Particul
ar
characte
r
Syntax Example
_ Matches a comma "," left brace "{",
right brace "}", left parenthesis "(",
and right parenthesis ")".
Matches the starting position of the
input string.
Matches the ending position of the
input string.
Matches a space.
_2008_ matches "2008", "space
2008 space", "space 2008", "2008
space", ",2008,", "{2008}",
"(2008)", "{2008", and "(2008}".

NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
l Degeneration of particular characters
Certain particular characters, when being placed at the following positions in the regular
expression, degenerate to common characters.
The particular characters following "\" is transferred to match particular characters
themselves.
The particular characters "*", "+", and "?" placed at the starting position of the regular
expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
The particular character "^" placed at any position except for the start of the regular
expression. For example, abc^ matches "abc^".
The particular character "$" placed at any position except for the end of the regular
expression. For example, 12$2 matches "12$2".
The right bracket such as ")" or "]" being not paired with its corresponding left bracket
"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
serve as subexpressions within parentheses.
l Combination of common and particular characters
In actual application, a regular expression combines multiple common and particular
characters to match certain strings.
2 CLI Overview
Issue 01 (2011-05-30)
Specifying a Filtering Mode in Command
CAUTION
The HUAWEI CX600 uses a regular expression to implement the filtering function of the pipe
character. A display command supports the pipe character only when there is excessive output
information.
When the output information is queried according to the filtering conditions, the first line of the
command output starts with the information containing the regular expression.
The command can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For the commands supporting regular expressions, the three filtering methods are as follows:
l | begin regular-expression: displays the information that begins with the line that matches
regular expression.
l | exclude regular-expression: displays the information that excludes the lines that match
regular expression.
l | include regular-expression: displays the information that includes the lines that match
regular expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
Specify a Filtering Mode when Information is Displayed
When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More
----".
l /regular-expression: displays the information that begins with the line that matches regular
expression.
l -regular-expression: displays the information that excludes lines that match regular
expression.
l +regular-expression: displays the information that includes lines that match regular
expression.
2.3.4 Previously-Used Commands
The CLI provides a function similar to DosKey to automatically save commands used previously
on the device. If you need to run a command that has been executed, you can call the command
from those have been used previously on the device. This facilitates user operation.
By default, the system saves a maximum of 10 previously-used commands for each user. You
can run the history-command max-size size-value command in the user view to set the number
of previously-used commands saved in the system. A maximum of 256 previously-used
commands can be saved in the system.
2-11
NOTE
Setting the number of saved previously-used commands to a proper value is recommended. If a large
number of previously-used commands are saved, it will take a long time to locate a needed previously-
used command, affecting efficiency.
The operations are shown in Table 2-6
Table 2-6 Access the previously-used commands
Action Key or Command Result
Display
previously-
used
commands.
display history-
command
Display previously-used commands entered by
users.
Access the last
previously-
used
command.
Up cursor key () or
Ctrl_P
Display the last previously-used command if there
is an earlier previously-used command. Otherwise,
an alarm is generated.
Access the next
previously-
used
command.
Down cursor key
() or Ctrl_N
Display the next previously-used command if there
is a later previously-used command. Otherwise, the
command is cleared and an alarm is generated.

NOTE
On the HyperTerminal of Windows 9X, cursor key is invalid as the HyperTerminals of Windows 9X
define the keys differently. In this case, you can replace the cursor key with Ctrl_P.
When you use previously-used commands, note the following points:
l The saved previously-used commands are the same as that those entered by users. For
example, if the user enters an incomplete command, the saved command also is incomplete.
l If the user runs the same command several times, the earliest command is saved. If the
command is entered in different forms, they are considered as different commands.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the disp ip routing command and the display ip
routing-table command are run, two previously-used commands are saved.
2.3.5 Batch Command Execution
If multiple commands are frequently used consecutively, you can edit these commands to be
executed in batches. This simplifies command input and improves efficiency.
Procedure
Step 1 In the user view, run:
batch-cmd edit
Commands are edited to be executed in batches.
The batch-cmd edit command can be used by only one user at a time.
2 CLI Overview
Issue 01 (2011-05-30)
The maximum length of a command (including the incomplete command) to be entered is 512
characters.
When editing commands, press Enter to complete the editing of each command.
NOTE
l After the batch-cmd edit command is run successfully to edit the commands to be executed in batches,
the system deletes the original commands to be run in batches.
l The commands that are already edited are saved in memory and are deleted for ever when the system
is restarted.
Step 2 After all commands are edited, you can press the shortcut buttons Ctrl_Z to exit the editing state
and return to the user view.
Step 3 In the user view, run:
batch-cmd execute
The commands are executed in batches.
The batch-cmd execute command can be used by only one user at a time.
The sequence of running commands is the same as the sequence of editing commands. You can
view the execution of these commands on the CLI. After the execution is complete, the user
view is displayed.
NOTE
If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in batches,
the system displays an error when executing the batch-cmd edit or batch-cmd execute command and
continues to execute the following commands.
----End
2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.
2.4.1 Classifying Shortcut Keys
There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut
keys. Familiarize yourself with shortcut keys so as to use them accurately.
2.4.2 Defining Shortcut Keys
If one or multiple commands are frequently used, you can correlate these commands with
shortcut keys. This facilitates user operation and improves efficiency. Only management-level
users have the rights to define shortcut keys.
2.4.3 Use of Shortcut Keys
You can use the shortcut key at any position that allows a command to be entered. The system
executes an entered shortcut key and displays the corresponding command on the screen in the
same way as you enter a complete command.
2.4.1 Classifying Shortcut Keys
There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut
keys. Familiarize yourself with shortcut keys so as to use them accurately.
The shortcut keys in the system are classified into the following types:
2-13
l User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can
correlate these shortcut keys with any commands. When the shortcut keys are pressed, the
system automatically runs the corresponding command. For details of defining the shortcut
keys, see 2.4.2 Defining Shortcut Keys.
l System-defined shortcut keys: These shortcut keys with fixed functions are defined by the
system. Table 2-7 lists the system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may
be different from those listed in this section.
Table 2-7 System-defined shortcut keys
Key Function
CTRL_A The cursor moves to the beginning of the current line.
CTRL_B The cursor moves to the left by the space of a character.
CTRL_C Terminates the running function.
CTRL_D Deletes the character where the cursor lies.
CTRL_E The cursor moves to the end of the current line.
CTRL_F The cursor moves to the right by the space of a character.
CTRL_H Deletes one character on the left of the cursor.
CTRL_K Stops the creation of the outbound connection.
CTRL_N Displays the next command in the previously-used command
buffer.
CTRL_P Displays the previous command in the previously-used
command buffer.
CTRL_R Repeats the display of the information of the current line.
CTRL_T Terminates the outbound connection.
CTRL_V Pastes the contents on the clipboard.
CTRL_W Deletes a character string or character on the left of the cursor.
CTRL_X Deletes all the characters on the left of the cursor.
CTRL_Y Deletes all the characters on the right of the cursor.
CTRL_Z Returns to the user view.
CTRL_] Terminates the inbound or redirection connections.
ESC_B The cursor moves to the left by the space of a word.
ESC_D Deletes a word on the right of the cursor.
ESC_F The cursor moves to the right to the end of next word.
2 CLI Overview
Issue 01 (2011-05-30)
Key Function
ESC_N The cursor moves downward to the next line.
ESC_P The cursor moves upward to the previous line.
ESC_SHIFT_< Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_> Sets the position of the cursor to the end of the clipboard.

2.4.2 Defining Shortcut Keys
If one or multiple commands are frequently used, you can correlate these commands with
shortcut keys. This facilitates user operation and improves efficiency. Only management-level
users have the rights to define shortcut keys.
Configure as follows in the system view.
Action Command
Define shortcut keys hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }
command-text

NOTE
When defining the shortcut keys, use double quotation marks to define the command if this command
contains several commands words, that is, if spaces exist in the command.
By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands
respectively:
l CTRL_G: display current-configuration
l CTRL_L: display ip routing-table
l CTRL_O: undo debugging all
By default, CTRL_U is not correlated with any command.
2.4.3 Use of Shortcut Keys
You can use the shortcut key at any position that allows a command to be entered. The system
executes an entered shortcut key and displays the corresponding command on the screen in the
same way as you enter a complete command.
l If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear the entered command and display the full corresponding command. This
operation has the same effect as that of deleting all commands and then re-entering the
complete command.
l The shortcut keys are run as the commands, the syntax is recorded to the command buffer
and log for fault location and querying.
2-15
NOTE
The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut
keys of the terminal conflict with those of the CX device, the input shortcut keys are captured by the terminal
program and hence the shortcut keys do not function.
Run the following command in any view to display the use of shortcut keys.
Action Command
Check the usage of shortcut keys. display hotkey

This section provides several examples for using command lines.
2.5.1 Example for Running Commands in Batches
This part provides an example for running commands in batches. In this example, by editing the
commands to be run in batches, you can configure the system to automatically run the commands
in batches.
2.5.2 Example for Using Tab
This example shows how to use the Tab key. After inputting an incomplete keyword, you can
press Tab and obtain all related keywords or verify the correctness of the input keyword.
2.5.3 Example for Using Shortcut Keys
This example shows how to use shortcut keys. In this example, frequently-used commands are
correlated with shortcut keys. You can press the shortcut keys instead of inputting the commands.
This facilitates user operation and improves efficiency.
2.5.4 Example for Copying Commands Using Shortcut Keys
This example shows how to copy commands by using shortcut keys. In this example, after a
specified command is copied by using shortcut keys, you can use the shortcut keys
Ctrl_Shift_V to paste the command.
2.5.1 Example for Running Commands in Batches
This part provides an example for running commands in batches. In this example, by editing the
commands to be run in batches, you can configure the system to automatically run the commands
in batches.
Context
If commands are frequently used consecutively, especially a large number of commands, you
can run the commands in batches to improve efficiency.
For example, during the preventive maintenance inspection (PMI), you can run commands in
batches. That is, enter all PMI commands once and then send all the command output information
to the PMI tool, which can improve the PMI efficiency.
Log in to the CX device and do as follows:
2 CLI Overview
Issue 01 (2011-05-30)
Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>
Step 2 Run the commands in batches.
<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
35 VTY 1 00:00:00 TEL 190.120.2.19 no
Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
Configured startup system software: cfcard:/V600R003C00.cc
Startup system software: cfcard:/V600R003C00.cc
Next startup system software: cfcard:/V600R003C00.cc
Startup saved-configuration file: cfcard:/vrp.cfg
Next startup saved-configuration file: cfcard:/vrp.cfg
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: NULL
Next startup patch package: NULL
<HUAWEI>
batch-cmd execute command: display clock
2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>
batch-cmd execute finished.
----End
2.5.2 Example for Using Tab
This example shows how to use the Tab key. After inputting an incomplete keyword, you can
press Tab and obtain all related keywords or verify the correctness of the input keyword.
Context
Usually, you do not need to input complete keywords. Instead, you can just input one or a few
beginning characters of a keyword and press Tab to complete the keyword. The Tab key helps
search for and use commands.
Procedure
l Tab can be used in three ways as shown in the following example.
The matching key word is unique after the incomplete key word is input.
1. Input the incomplete key word.
[HUAWEI] info-
2. Press Tab.
2-17
The system replaces the input one with the complete key word and displays it in a
new line with the cursor leaving a space behind.
[HUAWEI] info-center
There are several matches or no match after the incomplete key word is input.
# info-center can be followed by three key words.
[HUAWEI] info-center log?
logbuffer logfile loghost
1. Input the incomplete key word.
[HUAWEI] info-center l
2. Press Tab.
The system displays the prefix first. The prefix in this example is "log".
[HUAWEI] info-center log
Continue to press Tab. The cursor is closely following the end of the word.
[HUAWEI] info-center loghost
[HUAWEI] info-center logbuffer
[HUAWEI] info-center logfile
Stop pressing Tab after the key word logfile that you need is displayed.
3. Input a space to enter the next word channel.
[HUAWEI] info-center logfile channel
Input an incorrect keyword and press Tab to check the correctness of the keyword.
1. Input a wrong keyword loglog.
[HUAWEI] info-center loglog
2. Press Tab.
[HUAWEI] info-center loglog
The system displays information in a new line, but the keyword loglog remains
unchanged and there is no space between the cursor and the keyword, indicating
that this keyword is inexistent.
----End
2.5.3 Example for Using Shortcut Keys
This example shows how to use shortcut keys. In this example, frequently-used commands are
correlated with shortcut keys. You can press the shortcut keys instead of inputting the commands.
This facilitates user operation and improves efficiency.
Context
If the login CX device is defined with shortcut keys, the shortcut keys can be used by any user
regardless of the user level.
Procedure
Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.
[HUAWEI] hotkey ctrl_u "display ip routing-table"
2 CLI Overview
Issue 01 (2011-05-30)
NOTE
When defining shortcut keys for a command, use double quotation marks to quote the command if the
command consisting of multiple words, which are separated by spaces. No double quotation marks are
required for single-word commands.
Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.
[HUAWEI] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
51.51.51.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0
100.2.0.0/16 Direct 0 0 D 100.2.150.51 GigabitEthernet0/
0/0
---------------------------------------------------------------------
----End
2.5.4 Example for Copying Commands Using Shortcut Keys
This example shows how to copy commands by using shortcut keys. In this example, after a
specified command is copied by using shortcut keys, you can use the shortcut keys
Ctrl_Shift_V to paste the command.
Context
If you need to repeatedly run a command, you can use shortcut keys to copy the command.
The copied command is saved on the clipboard and is available for only the current logged-in
user. After the user logs out of the CX device, the clipboard is cleared.
You can use shortcut keys to copy a command in any view.
Procedure
Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to
the end and press Esc_Shift_>.
<HUAWEI> display ip routing-table
Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD-----------------
display ip routing-table
Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.
<HUAWEI> display ip routing-table
2-19
NOTE
If you press shortcut keys to copy a new command, you can paste only the new command by using shortcut
keys.
----End
2 CLI Overview
Issue 01 (2011-05-30)
3 Basic Configuration
About This Chapter
This chapter describes how to configure the CX device to follow your using habits and the actual
environment requirements after logging in to the CX device.
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic configurations of the current
system.
Configuration Guide - Basic Configurations 3 Basic Configuration
3-1
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
Before configuring the basic system environment, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
3.1.2 Switching the Language Mode
You can switch between the Chinese mode and the English mode as needed.
3.1.3 Configuring the Equipment Name
When multiple devices on the network need to be managed, you can identify them by setting an
equipment name for each device.
3.1.4 Setting the System Clock
You need to set the system time properly to ensure the cooperation between the CX600 and other
devices.
3.1.5 Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
3.1.6 Configuring Command Levels
This section describes how to configure command levels to ensure device security or allow low-
level users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands in to
16 levels, that is, from Level 0 to Level 15.
3.1.7 Configuring the Undo Command to Match in the Previous View Automatically
You can run the undo command in the current view and thus the system automatically matches
the previous view.
Before configuring the basic system environment, familiarize yourself with the applicable
Before configuring services, you need to configure the basic system environment (such as the
language mode, time, device name, login information, and command level) to meet the
environment requirement.
Before configuring the basic system environment, complete the following task:
l Powering on the CX device
Issue 01 (2011-05-30)
Data Preparation
To configure the basic system environment, you need the following data.
No. Data
1 Language mode
2 System time
3 Host name
4 Login information
5 Command level

3.1.2 Switching the Language Mode
You can switch between the Chinese mode and the English mode as needed.
Context
After the language mode is switched, the system displays prompts and outputs of command lines
in the specified language.
Language information (Chinese and English) has been stored in the system software and does
not need to be loaded.
Do as follows in the user view:
Procedure
l Run:
language-mode { chinese | english }
The language mode is switched.
By default, the English mode is used.
The help information on the CX device can be in English or in Chinese. The language mode
is stored in the system software and does not need to be loaded.
----End
3.1.3 Configuring the Equipment Name
When multiple devices on the network need to be managed, you can identify them by setting an
equipment name for each device.
Context
The new equipment name takes effect immediately.
3-3
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
sysname host-name
The equipment name is set.
By default, the equipment name of the CX device is HUAWEI.
You can change the name of the CX device that appears in the command prompt.
----End
3.1.4 Setting the System Clock
You need to set the system time properly to ensure the cooperation between the CX600 and other
devices.
Context
The system clock displays the current time and date of the system, time zone to which the system
belongs, and daylight saving time. The CX600 supports the configurations of the time zone and
the daylight saving time.
Do as follows in the user view:
Procedure
Step 1 Run:
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD
The current date and time is set.
Step 2 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.
l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
NOTE
UTC stands for the Universal Time Coordinated.
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
Issue 01 (2011-05-30)
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
The daylight saving time is set.
By default, the daylight saving time is not set.
During the configuration of the daylight saving time, you can configure the starting time and
ending time in one of the following modes: date+date, week+week, date+week, and week+date.
For details, see clock daylight-saving-time.
CAUTION
When the device is upgraded from an earlier version to the V600R003C00 version, the
configured daylight saving time does not take effect and needs to be reconfigured.
----End
3.1.5 Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
Context
A header text is a message displayed by the system when and after a user is logging in to the
CX device.
If you need to provide information for login users, you can configure a header that the system
displays during login or after login.
Procedure
Step 1 Run:
system-view
Step 2 Run:
header login { information text | file file-name }
The header displayed during login is set.
Step 3 Run:
header shell { information text | file file-name }
The header displayed after login is set.
To display the header when the terminal connection has been activated but the user is not being
authenticated, configure the parameter login.
To display the header after the user logs in successfully, configure the parameter shell.
If the user can log in to the CX device without authentication, the system directly displays the
header after the login.
3-5
CAUTION
l The header text starts and ends with the same character. After a character is input and
Enter is pressed, an interactive interface is displayed. You can input the required information
ended with the first character. The system then exits from the interactive interface.
l If a user logs in to the CX device by using SSH1.X, the login header is not displayed during
login, but the shell header is displayed after login.
l If a user logs in to the CX device by using SSH2.0, both login and shell headers are displayed.
----End
3.1.6 Configuring Command Levels
This section describes how to configure command levels to ensure device security or allow low-
level users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands in to
16 levels, that is, from Level 0 to Level 15.
Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated
to Level 15.
l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust
the command lines to these levels separately to refine the management of privilege.
CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
command-privilege level rearrange
Update the command level in batches.
When no password is configured for a Level 15 user, the system prompts the user to set a super-
password for the level 15 user. At the same time, the system asks if the user wants to continue
with the update of command line level. Then, just select "N" to set a password. If you select "Y",
Issue 01 (2011-05-30)
the command level can be updated in batches directly. This results in the user not logging in
through the Console port and failing to update the level.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
3.1.7 Configuring the Undo Command to Match in the Previous
View Automatically
You can run the undo command in the current view and thus the system automatically matches
the previous view.
Context
If the user allows the undo command to automatically match the previous view and the user
runs the undo command that is not registered in the current view, the system searches the
undo command in the previous view.
CAUTION
The undo command has disadvantages due to automatically matching. For example, when the
user runs the undo ospf command in the interface view where the command is not registered,
the system searches in system view automatically. This may lead to global deletion of the OSPF
feature.
Procedure
Step 1 Run:
system-view
Step 2 Run:
matched upper-view
The undo command is configured to match the upper level view.
By default, the undo command does not match the previous view automatically.
NOTE
l The matched upper-view command is valid for current login users who run this command.
l It is not recommended that you configure the undo command to automatically match the upper level
view, unless necessary.
----End
3-7
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic configurations of the current
system.
Context
You can use the display commands to collect information about the system status. The display
commands are classified according to the following functions:
l Displays system configurations.
l Displays the running status of the system.
l Displays the diagnostic information about a system.
l Displays the restart information about the main control board.
See the related sections for display commands for protocols and interfaces. The following part
only shows the system-level display commands.
Run the following commands in any view.
3.2.1 Displaying System Configuration
This section describes how to check the system version, system time, original configuration, and
current configuration by using command lines.
3.2.2 Displaying System Status
This section describes how to check the system operating status (the configuration of the current
view) by using command lines.
3.2.3 Collecting System Diagnostic Information
This section describes how to collect information about all modules in the system.
3.2.1 Displaying System Configuration
This section describes how to check the system version, system time, original configuration, and
current configuration by using command lines.
Prerequisite
Basic configuration are complete.
Procedure
l Run the display version command to display the system version.
l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.
Issue 01 (2011-05-30)
NOTE
l The display version command can be used to display the software version of the system, the
chassis type, and the information about the main control board and interface board.
l The original configuration refers to information about configuration files used by the device when
the device has been powered on and is being initialized. The current configuration refers to the
configuration files taking effect during the device operation. For details, see the chapter
"Configuring System Startup" in the CX600 Basic-Configuration.
----End
3.2.2 Displaying System Status
This section describes how to check the system operating status (the configuration of the current
view) by using command lines.
Prerequisite
Basic configurations are complete.
Procedure
l Run the display this command to display the configuration of the current view.
----End
3.2.3 Collecting System Diagnostic Information
This section describes how to collect information about all modules in the system.
Context
When the system fails to perform routine maintenance, you need to collect a lot of information
to locate faults. Then, you have to run different display commands to collect all information. In
this case, you can use the display diagnostic-information command to collect all information
about the current running modules in the system.
Procedure
l Run:
display diagnostic-information [ file-name ]
The system diagnosis information is displayed.
The display diagnostic-information command collects all information collected by
running the following commands, including display clock, display version, display cpu-
usage, display interface, display current-configuration, display saved-configuration,
display history-command, and so on.
----End
3-9
4 Configuring User Interface
About This Chapter
A user can log in to the CX device by using a console port or an AUX port, or by means of Telnet
or SSH (STelnet). For users logging in to CX device in different modes, the system uses different
user interfaces to manage the sessions between the CX device and the users.
4.1 User Interface Overview
The system supports console, AUX, and VTY user interfaces.
4.2 Configuring the Console User Interface
When a user logs in to the CX device by using a console port for local maintenance, you can
configure attributes for the corresponding console user interface are needed.
4.3 Configuring the AUX User Interface
When a user logs in to the CX device for local or remote configuration by using an AUX port,
configuring attributes in the corresponding AUX user interface is needed.
4.4 Configuring VTY User Interface
If you need to log in to the CX device for local or remote maintenance by using Telnet or SSH,
you can configure the corresponding VTY user interface as needed.
This section provides examples for configuring console, AUX, and VTY user interfaces. These
configuration examples explain networking requirements, configuration roadmap, and
configuration notes.
Configuration Guide - Basic Configurations 4 Configuring User Interface
4-1
4.1 User Interface Overview
The system supports console, AUX, and VTY user interfaces.
Each user interface has a corresponding user interface view. A user interface view is a command
line view provided by the system. It is used to configure and manage all the physical and logical
interfaces in asynchronous mode.
User Interfaces Supported by the System
l Console port (CON)
The console port is a serial port provided by the main control board of the CX device.
The main control board provides one EIA/TIA-232 DCE console port for local
configuration by directly connecting a terminal to a CX device.
l Auxiliary port (AUX)
It is a linear port provided by the main control board of the CX device and supports the
dialup by using a modem.
Each main control board provides one AUX port with the type of EIA/TIA-232 DTE. A
terminal can remotely access the CX device through the modem on the AUX port.
l Virtual type terminal (VTY)
It is a logical terminal line. A VTY connection is set up when a CX device connects to a
terminal by means of Telnet. It is used for local or remote access to a CX device. A
maximum of 16 users can log in to the CX device by using the VTY user interface.
Numbering of a User Interface
After a user logs in to the CX device, the system assigns an idle user interface of the smallest
number to the user according to the user's login mode. You can number a user interface in the
following manners:
l Relative numbering
The relative numbering is in the format of user interface type + number.
The relative numbering is available for interfaces of a specific type. It is used only to specify
one or a group of user interfaces of a specified type. Relative numbering must comply with
the following rules:
Number of the console port: CON 0
Number of the auxiliary port: AUX 0
Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
l Absolute numbering
The absolute numbering is used to uniquely specify a user interface or a group of user
interfaces.
The number starts with 0. The ports are numbered in the sequence of CON AUX
VTY. There is only one console port and one AUX port and 0-15 VTY interfaces. You can
use the user-interface maximum-vty command to set the maximum number of user
interfaces. The default number is five.
By default, the system supports three types of user interfaces: CON, AUX, and VTY.
Table 4-1 shows the absolute numbers of the user interfaces in this system.
Issue 01 (2011-05-30)
Table 4-1 Example for the absolute numbering
Absolute number User-interface
0 CON0
33 AUX0
34 The first virtual interface (VTY0)
35 The second virtual interface (VTY1)
36 The third virtual interface (VTY2)
37 The fourth virtual interface (VTY3)
38 The fifth virtual interface (VTY4)

NOTE
The absolute numbers allocated for AUX and VTY interfaces are device-specific.
The numbers from 1 to 32 are reserved for the TTY user interfaces.
Run the display user-interface command to view the absolute number of user interfaces.
Authentication of a User Interface
After a user is configured, the system authenticates the user during user login.
There are three user authentication modes: non-authentication, password authentication, and
AAA.
l Non-authentication: In this mode, users can log in to the CX device without entering
usernames or passwords. For security, this mode is not recommended.
l Password authentication: In this mode, users need to enter passwords, not usernames,
during the login process.
l AAA authentication: In this mode, users need to enter passwords and usernames during the
login process. Telnet users are usually authenticated in this mode.
Priority of a User Interface
Users that log in to the CX device are managed according to their levels.
Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the
number, the higher the user level.
The level of the command that a user can run is determined by the level of this user.
l In the case of non-authentication or password authentication, the level of the command that
the user can run is determined by the level of the user interface.
l In the case of AAA authentication, the command that the user can run is determined by the
level of the local user specified in the AAA configuration.
4-3
4.2 Configuring the Console User Interface
When a user logs in to the CX device by using a console port for local maintenance, you can
configure attributes for the corresponding console user interface are needed.
Before configuring the console user interface, familiarize yourself with the applicable
4.2.2 Setting Physical Attributes of Console User Interface
You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.
4.2.3 Setting Terminal Attributes of Console User Interface
This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines displayed in a terminal screen, and size of
the history command buffer.
4.2.4 Configuring User Priority of Console User Interface
This section describes how to control users' authority of logging in to the CX device and improve
the security of managing the CX device by configuring the user priority.
4.2.5 Configuring the User Authentication Mode of the Console User Interface
The system provides three authentication modes: AAA, password authentication, and non-
authentication. Configuring the user authentication mode can improve the security of the CX
device.
4.2.6 Checking the Configuration
After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Before configuring the console user interface, familiarize yourself with the applicable
If you need to log in to the CX device for local maintenance by using a console port, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. The preceding parameters have default
values on the CX device and additional configuration is not needed. You can configure these
parameters as needed.
Before configuring a console user interface, complete the following tasks:
l Logging in to the CX device by using a terminal
Issue 01 (2011-05-30)
Data Preparation
To configure a console user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, number of lines displayed in a terminal screen, and the size of
history command buffer
3 User priority
4 User authentication method, user name, and password

NOTE
All the default values (excluding the password and username) are stored on the CX device and do not need
additional configuration.
4.2.2 Setting Physical Attributes of Console User Interface
You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.
Context
Physical attributes of a console port have default values on the CX device and no additional
configuration is needed.
NOTE
When a user logs in to a CX device through a console port, the physical attributes set for the console port
on the HyperTerminal should be consistent with the attributes of the console user interface on the CX
device. Otherwise, the user cannot log in to the CX device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.
Step 3 Run:
speed speed-value
The baud rate is set.
By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
4-5
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.
Step 7 (Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the data bit is 8.
----End
4.2.3 Setting Terminal Attributes of Console User Interface
This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines displayed in a terminal screen, and size of
the history command buffer.
Context
Terminal attributes of the console user interface have default values on the CX device and you
can set them as needed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
shell
The terminal service is started.
Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set.
If the connection keeps idle within the timeout period, the system automatically terminates the
connection.
Issue 01 (2011-05-30)
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The length of a terminal screen is set.
The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the length of a terminal screen is 24 lines.
Step 6 Run:
history-command max-size size-value
The history command buffer is set.
By default, the size of history command buffer on a user interface is 10 entries.
----End
4.2.4 Configuring User Priority of Console User Interface
Context
l Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
l This process is to set the priority for a user who logs in through the console port. A user
can only use the commands with the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of
the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
user privilege level level
The priority of the user is set.
NOTE
l By default, users logging in through the console user interface can use commands at level 3, and users
logging in through other user interfaces can use commands at level 0.
l If the command level is inconsistent with the user level, the user level takes precedence.
----End
4-7
4.2.5 Configuring the User Authentication Mode of the Console
User Interface
device.
Context
By default, the user authentication mode of the console user interface is non-authentication.
Procedure
l Configuring AAA Authentication
1. Run:
system-view
2. Run:
3. Run:
authentication-mode aaa
The authentication mode is set to AAA.
4. Run:
quit
Exit from the console user interface view.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { simple | cipher } password
Name and password of the local user are created.
l Configuring Password Authentication
1. Run:
system-view
2. Run:
3. Run:
authentication-mode password
You can set the authentication mode as password authentication.
4. Run:
set authentication password { cipher | simple } password
Issue 01 (2011-05-30)
A password for authentication is set.
l Configuring Non-Authentication
1. Run:
system-view
2. Run:
3. Run:
authentication-mode none
The authentication mode is set to non-authentication.
----End
After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Prerequisite
The configurations of the user management function are complete.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<HUAWEI> display users
0 CON 0 00:00:44 pass no
Run the display user-interface console ui-number1 [ summary ] command, and you can view
the physical attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
4-9
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type CAR Access-limit Online
----------------------------------------------------------------------------
user123 Active All Dft No 0
ll Active F Dft No 0
user1 Active F Dft No 0
----------------------------------------------------------------------------
Total 3,3 printed
4.3 Configuring the AUX User Interface
When a user logs in to the CX device for local or remote configuration by using an AUX port,
configuring attributes in the corresponding AUX user interface is needed.
Before configuring the AUX user interface, familiarize yourself with the applicable
4.3.2 Setting Physical Attributes of AUX User Interface
Physical attributes of the AUX user interface include the transmission rate, flow control mode,
parity mode, stop bit, and data bit of the AUX port.
4.3.3 Setting Terminal Attributes of AUX User Interface
This section describes how to configure terminal attributes of the AUX user interface, including
the user idle timeout, number of lines displayed in a terminal screen, and size of the history
command buffer.
4.3.4 Setting User Priority of AUX User Interface
4.3.5 Setting Modem Attributes of AUX User Interface
You can set the time period from picking up the signal to detecting the carrier when a call is
established, modem for only incoming calls or for both incoming and outgoing calls, and
automatic answer.
4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User Interface
You can set a command to be an auto-executed command.
4.3.7 Setting User Authentication Mode of AUX User Interface
device.
After configuring the AUX user interface, you can view the usage information of the user
interface, physical attributes and configurations of the user interface, local user list, and online
users.
Issue 01 (2011-05-30)
Before configuring the AUX user interface, familiarize yourself with the applicable
If you need to log in to the CX device for remote maintenance by using an AUX port, you can
configure the corresponding AUX user interface as needed by setting the physical attributes,
terminal attributes, user priority, and user authentication mode. The preceding parameters have
default values on the CX device and additional configuration is not needed.
Before configuring an AUX user interface, complete the following tasks:
Data Preparation
Before configuring an AUX user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, number of lines displayed in a terminal screen, and the size of
history command buffer
3 User priority
4 Modem attributes
5 (Optional) Auto-execute commands

NOTE
All the default values (excluding the auto-run commands, password, and username) are stored on the CX
device and do not need additional configuration.
4.3.2 Setting Physical Attributes of AUX User Interface
Physical attributes of the AUX user interface include the transmission rate, flow control mode,
parity mode, stop bit, and data bit of the AUX port.
Context
Physical attributes of the AUX user interface have default values on the CX device and no
additional configuration is needed.
4-11
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface aux interface-number
The AUX user interface view is displayed.
Step 3 Run:
speed speed-value
The transmission rate is set.
By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set.
By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the value is 8.
NOTE
When the user logs in to a CX device through an AUX port, the configured attributes for the console port
on the HyperTerminal should be in accordance with the attributes of the AUX user interface on the CX
device. Otherwise, the user cannot log in to the CX device.
----End
4.3.3 Setting Terminal Attributes of AUX User Interface
This section describes how to configure terminal attributes of the AUX user interface, including
the user idle timeout, number of lines displayed in a terminal screen, and size of the history
command buffer.
Issue 01 (2011-05-30)
Context
Terminal attributes of the AUX user interface have default values on the CX device and you can
configure them as needed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
shell
AUX terminal service is enabled.
Step 4 Run:
User idle timeout is enabled.
connection.
By default, idle timeout period on the interface is 10 minutes.
Step 5 Run:
a terminal screen.
Step 6 Run:
The size of the history command buffer is configured.
By default, the size of history command buffer on user interface is 10 entries.
----End
4.3.4 Setting User Priority of AUX User Interface
4-13
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The user priority is set.
NOTE
l By default, users logging in by using the AUX user interface can use commands at level 0.
l If the authority to use commands is inconsistent with the user level, the user level takes precedence.
----End
4.3.5 Setting Modem Attributes of AUX User Interface
You can set the time period from picking up the signal to detecting the carrier when a call is
established, modem for only incoming calls or for both incoming and outgoing calls, and
automatic answer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
modem timer answer seconds
The period between the system receiving the ring signal and the system waiting for the CD_UP
is set. That is the time that elapses between picking up the signal to detecting the carrier, since
the call is established.
Issue 01 (2011-05-30)
By default, the waiting time is 30 seconds.
Step 4 Run:
modem [ both | call-in ]
The switch of incoming call or outgoing call is set.
By default, incoming and outgoing calls are prohibited.
Step 5 Run:
modem auto-answer
Automatic answer is enabled.
By default, manual answering is enabled.
----End
4.3.6 (Optional) Configuring Auto-Execute Commands of AUX User
Interface
You can set a command to be an auto-executed command.
Context
CAUTION
After the auto-execute command command is run, you cannot perform general configuration
in the system through a terminal.
Before configuring the auto-execute command command and the save command to save the
existing configurations, ensure that you can log in to the system using other methods to delete
the configurations.
Do as follows on the CX device that the user logs in to:
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface aux 0
Step 3 Run:
auto-execute command command
A command is specified as an auto-execute command.
4-15
Generally, the auto-execute command command is run to configure Telnet on a terminal. After
the configuration, the user can automatically connect to a designated host.
----End
4.3.7 Setting User Authentication Mode of AUX User Interface
device.
Context
By default, the user authentication mode of the AUX user interface is non-authentication.
Procedure
1. Run:
system-view
2. Run:
3. Run:
4. Run:
quit
Exit from the AUX user interface view.
5. Run:
aaa
6. Run:
Local user and password are configured.
1. Run:
system-view
2. Run:
3. Run:
Issue 01 (2011-05-30)
The authentication mode is set to password.
4. Run:
A password is set.
1. Run:
system-view
2. Run:
3. Run:
The authentication mode is set to non-authentication.
----End
After configuring the AUX user interface, you can view the usage information of the user
interface, physical attributes and configurations of the user interface, local user list, and online
users.
Prerequisite
Configurations of the AUX user interface are complete.
Procedure
l Run the display users [ all ] command to check usage information about the AUX user
interface.
l Run the display user-interface aux interface-number [ summary ] command to check
----End
Example
33 AUX 0 00:00:44 pass no
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the
<HUAWEI> display user-interface aux 0
4-17
33 AUX 0 9600 - 0 - N -
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Total 3,3 printed
4.4 Configuring VTY User Interface
you can configure the corresponding VTY user interface as needed.
Before configuring the VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
4.4.2 Configuring Maximum VTY User Interfaces
This section describes how to limit the number of users logging in to the CX device by
configuring the maximum number of VTY user interfaces.
4.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces
This section describes how to configure an ACL to limit incoming and outgoing calls of the
VTY user interface.
4.4.4 Setting Terminal Attributes of the VTY User Interface
This section describes how to configure terminal attributes of the VTY user interface, including
user idle timeout, number of lines displayed in a terminal screen, and size of the history command
buffer.
4.4.5 Setting User Priority of VTY User Interface
4.4.6 Setting User Authentication Mode of the VTY User Interface
device.
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
Network Management System (NMS) users can log in to a device through VTY user interfaces
to set parameters about the device.
Issue 01 (2011-05-30)
After configuring the VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.
Before configuring the VTY user interface, familiarize yourself with the applicable environment,
you can configure the corresponding VTY user interface, including the maximum number of
VTY user interfaces, limit of incoming and outgoing calls, user priority, and user authentication
mode. The preceding parameters have default values on the CX device. You can also set these
parameters as needed.
Before configuring VTY user interface, complete the following tasks:
Data Preparation
To configure a VTY user interface, you need the following data.
No. Data
1 Maximum VTY user interfaces
2 (Optional) ACL code to limit VTY user interface to call in and out
3 Idle timeout period, number of characters in each line displayed in a terminal screen
4 User priority

NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, password, and user name) have default values on the CX device, and no additional configuration
is needed.
4.4.2 Configuring Maximum VTY User Interfaces
This section describes how to limit the number of users logging in to the CX device by
configuring the maximum number of VTY user interfaces.
4-19
Context
The maximum number of VTY user interfaces is the total number of users logging in to the CX
device by using Telnet and SSH.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface maximum-vty number
The maximum VTY user interfaces that can log in to the CX device is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, any user (including the NMS user) cannot
log in to the CX device by using a VTY user interface.
If the maximum number of VTY user interfaces to be configured is smaller than the maximum
number of current interfaces, current online users will not be affected and no addition
configuration is needed.
If the maximum number of VTY user interfaces to be configured is larger than the maximum
number of current interfaces, the authentication mode and password need to be configured for
newly added user interfaces.
For newly added user interfaces, the system defaults to password authentication.
For example, a maximum of five users are allowed online. To allow 15 VTY users online at the
same time, you need to run the authentication-mode command and the set authentication
password command to configure authentication modes and passwords for user interfaces from
VTY 5 to VTY 14. The command is run as follows:
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
[HUAWEI-ui-vty5-14] set authentication password cipher huawei
----End
4.4.3 (Optional)Setting Limit on Incoming and Outgoing Calls of
VTY User Interfaces
This section describes how to configure an ACL to limit incoming and outgoing calls of the
VTY user interface.
Context
Before setting the limit on incoming and outgoing calls of the VTY user interface, run the acl
command in the system view to create an ACL and enter the ACL view. Then, run the rule
command to add rules to the ACL.
Issue 01 (2011-05-30)
NOTE
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging from
3000 to 3999.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run:
acl acl-number { inbound | outbound }
The limits to calling in/out of VTY are configured.
l When you need to prevent a user of certain address or segment address from logging in to
the CX device, use the inbound command.
l When you need to prevent a user who logs in to a CX device from accessing other CX
devices, use the outbound command.
----End
4.4.4 Setting Terminal Attributes of the VTY User Interface
This section describes how to configure terminal attributes of the VTY user interface, including
user idle timeout, number of lines displayed in a terminal screen, and size of the history command
buffer.
Context
Terminal attributes of the VTY user interface have default values on the CX device and you can
set them as needed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty number1 [ number2 ]
Step 3 Run:
shell
VTY terminal service is enabled.
Step 4 Run:
4-21
User ilde timeout is enabled.
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
a terminal screen.
Step 6 Run:
Set the size of the history command buffer.
By default, a maximum number of 10 commands can be cached in the history command buffer.
----End
4.4.5 Setting User Priority of VTY User Interface
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty interface-number
Step 3 Run:
The user priority is set.
Issue 01 (2011-05-30)
By default, users logging in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view is inconsistent with the user priority, the
user priority takes effect.
----End
4.4.6 Setting User Authentication Mode of the VTY User Interface
device.
Context
By default, the user authentication mode of the VTY user interface is password authentication.
Procedure
1. Run:
system-view
2. Run:
3. Run:
4. Run:
quit
Exit from the VTY user interface view.
5. Run:
aaa
6. Run:
1. Run:
system-view
2. Run:
4-23
3. Run:
Set the authentication mode as password.
4. Run:
A password for this authentication mode is set.
1. Do as follows on the CX device, run:
system-view
2. Run:
3. Run:
The authentication mode is set to none.
----End
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY
User Interfaces
Network Management System (NMS) users can log in to a device through VTY user interfaces
to set parameters about the device.
Context
NMS users can log in to the CX device through VTY user interfaces to set parameters about the
CX device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
A local user is created.
Step 4 Run:
local-user user-name user-type netmanager
Issue 01 (2011-05-30)
The local user is set as an NM user.
Step 5 Run:
quit
Step 6 Run:
user-interface vty first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 7 Run:
An authentication mode used to log in to the user interface is configured.
NOTE
The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special
channels of the network management. The channels do not support the RSA authentication mode but
support the password authentication.
Step 8 Run:
quit
Step 9 Run:
mmi-mode enable
The system is switched to the machine-to-machine mode.
NOTE
l This command is invisible to terminals and cannot be obtained by using the online help. In man-to-
machine mode, exercise caution when using this command.
l In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user
can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five
reserved user interfaces.
l In the machine-to-machine mode, the system does not output logs, alarms, and debugging information
to the screen.
l In the machine-to-machine mode, the save and reboot commands can be used directly.
l In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can be
adjusted by using the screen-length command. In addition, you can run the screen-length
temporary command to adjust the number of lines temporarily displayed on the screen.
----End
After configuring the VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.
Prerequisite
The configurations of the VTY user interface are complete.
4-25
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
command to check the physical attributes and configurations of user interfaces.
l Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command, and you can view information about the current user interfaces.
34 VTY 0 00:00:12 TEL 10.138.77.38 no
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Run the display user-interface maximum-vty command, and you can view the maximum
number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<HUAWEI> display user-interface vty 0
+ 34 VTY 0 - 14 14 N -
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Total 3,3 printed
Run the display vty mode command, and you can view the prompt message indicating that the
machine-to-machine interface is enabled. For example:
<HUAWEI> display vty mode
current VTY mode is Machine-Machine interface
Issue 01 (2011-05-30)
This section provides examples for configuring console, AUX, and VTY user interfaces. These
configuration examples explain networking requirements, configuration roadmap, and
configuration notes.
4.5.1 Example for Configuring Console User Interface
This part provides an example describing how to configure the console user interface. In this
configuration example, to allow a user in password authentication mode to log in to the CX
device by using a console user interface, multiple attributes of the console user interface are set,
including physical attributes, terminal attributes, user priority, user authentication mode, and
password.
4.5.2 Example for Configuring AUX User Interface
This part provides an example describing how to configure the AUX user interface. In the
configuration example, to allow a user in AAA authentication mode to log in to the CX
device by using an AUX user interface, multiple attributes of the console user interface are set,
password.
4.5.3 Example for Configuring VTY User Interface
This part provides an example describing how to configure the VTY user interface. In this
device by using Telnet or SSH (Stelnet), multiple attributes of the VTY user interface are set,
including the maximum number of VTY user interfaces, call-in and call-out limit, terminal
attributes, authentication mode, and password.
4.5.1 Example for Configuring Console User Interface
This part provides an example describing how to configure the console user interface. In this
device by using a console user interface, multiple attributes of the console user interface are set,
password.
Networking Requirements
To initialize configurations of the CX device or locally maintain the CX device, a user can log
in to the CX device through a console user interface. To allow the user to log in, you can set
attributes of the console user interface as needed (for security reasons, for example).
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei).
After a user logs in, if the user takes no action on the CX device for more than 30 minutes, the
connection between the user and the CX device is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set physical attributes of the console user interface.
4-27
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
l Transmission rate of the console user interface: 4800 bit/s
l Flow control mode of the console user interface: None
l Parity of the console user interface: even
l Stop bit of the console user interface: 2
l Data bit of the console user interface: 6
l Timeout period for disconnecting from the console user interface: 30 minutes
l Number of lines that a terminal screen displays: 30
l Size of the history command buffer: 20
l User priority: 15
l User authentication mode: password (password: huawei)
Procedure
Step 1 Set physical attributes of the console user interface.
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] speed 4800
[HUAWEI-ui-console0] flow-control none
[HUAWEI-ui-console0] parity even
[HUAWEI-ui-console0] stopbits 2
[HUAWEI-ui-console0] databits 6
Step 2 Set terminal attributes of the console user interface.
[HUAWEI-ui-console0] shell
[HUAWEI-ui-console0] idle-timeout 30
[HUAWEI-ui-console0] screen-length 30
[HUAWEI-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.
[HUAWEI-ui-console0] user privilege level 15
Step 4 Set the user authentication mode in the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password simple huawei
[HUAWEI-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can log
in to the CX device through a console port, implementing local maintenance of the CX device.
For details on how a user logs in to the CX device, see the 5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
Issue 01 (2011-05-30)
user-interface con 0
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
return
4.5.2 Example for Configuring AUX User Interface
This part provides an example describing how to configure the AUX user interface. In the
configuration example, to allow a user in AAA authentication mode to log in to the CX
device by using an AUX user interface, multiple attributes of the console user interface are set,
password.
To maintain the CX device locally or remotely, a user can log in to the CX device through an
AUX user interface.
To allow the user login, an operator can set attributes of the AUX user interface as needed (for
security reasons, for example).
In the AUX user interface, the user priority is set to 15, and the authentication mode is set to
AAA, with the user name of user123 and the password of huawei.
After a user logs in, if the user takes no action on the CX device for more than 30 minutes, the
1. Enter the interface view and set physical attributes of the AUX user interface.
2. Set terminal attributes of the AUX user interface.
3. Set the user priority of the AUX user interface.
4. Set modem attributes of the AUX user interface.
5. Set the authentication mode and password in the AUX user interface.
Data Preparation
l Transmission rate of the AUX user interface: 9600 bit/s
l Flow control mode of the AUX user interface: None
l Parity of the AUX user interface: None
l Stop bit of the AUX user interface: 1
4-29
l Data bit of the AUX user interface: 8
l Timeout period for disconnecting from the AUX user interface: 30 minutes
l User priority: 15
l Modem attributes: idle timeout from off-hook to carrier detection (45 seconds), call-in
permission, and automatic response
l User authentication mode and password in the AUX user interface
Procedure
Step 1 Set physical attributes of the AUX user interface.
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] speed 9600
[HUAWEI-ui-aux0] flow-control none
[HUAWEI-ui-aux0] parity none
[HUAWEI-ui-aux0] stopbits 1
[HUAWEI-ui-aux0] databits 8
All the preceding physical attributes of the AUX user interface are set with default values. In
fact, if a user chooses to use the default values, the user does not need to set them. The preceding
settings only mean to provide the configuration method.
Step 2 Set terminal attributes of the AUX user interface.
[HUAWEI-ui-aux0] shell
[HUAWEI-ui-aux0] idle-timeout 30
[HUAWEI-ui-aux0] screen-length 30
[HUAWEI-ui-aux0] history-command max-size 20
Step 3 Set the user priority of the AUX user interface.
[HUAWEI-ui-aux0] user privilege level 15
Step 4 Set modem attributes of the AUX user interface.
[HUAWEI-ui-aux0] modem timer answer 45
[HUAWEI-ui-aux0] modem call-in
[HUAWEI-ui-aux0] modem auto-answer
Step 5 Set the authentication mode of the AUX user interface to AAA.
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user123 password simple huawei
[HUAWEI-aaa] quit
After the AUX user interface is configured, a user in AAA authentication mode can log in to
the CX device through an AUX port, implementing maintenance of the CX device. For details
on how a user logs in to the CX device, refer to the 5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
Issue 01 (2011-05-30)
idle-timeout 30 0
modem call-in
modem auto-answer
modem timer answer 45
screen-length 30
#
return
4.5.3 Example for Configuring VTY User Interface
This part provides an example describing how to configure the VTY user interface. In this
device by using Telnet or SSH (Stelnet), multiple attributes of the VTY user interface are set,
including the maximum number of VTY user interfaces, call-in and call-out limit, terminal
attributes, authentication mode, and password.
A user logs in to the CX device through a VTY channel by using Telnet or SSH. To allow the
user login, an operator can set attributes of the VTY user interface as needed (for security reasons,
for example).
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password,
with the password of "huawei", and the user with the IP address of 10.1.1.1 is prohibitted from
logging in to the CX device.
After logging in, if the user takes no action on the CX device for more than 30 minutes, the
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP
address or an IP address segment to the CX device.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority in the VTY user interface.
5. Set the authentication mode and password in the VTY user interface.
Data Preparation
l Maximum number of VTY user interfaces: 15
l ACL applied to limit call-in in the VTY user interface: 2000
l Timeout period for disconnecting from the VTY user interface: 30 minutes
l User priority: 15
l User authentication mode: password, password: huawei
4-31
Procedure
Step 1 Set the maximum number of VTY user interfaces.
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI-ui-vty0-14] acl 2000 inbound
Step 3 Set terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-14] shell
[HUAWEI-ui-vty0-14] idle-timeout 30
[HUAWEI-ui-vty0-14] screen-length 30
[HUAWEI-ui-vty0-14] history-command max-size 20
Step 4 Set the user priority in the VTY user interface.
[HUAWEI-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password in the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password simple huawei
[HUAWEI-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can log in to
the CX device by using Telnet or SSH (Stelnet), implementing local or remote maintenance of
the CX device. For details on how a user logs in to the CX device, see the 5 Configuring User
Login.
----End
Configuration Files
#
sysname HUAWEI
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
set authentication password simple huawei
idle-timeout 30 0
screen-length 30
#
return
Issue 01 (2011-05-30)
5 Configuring User Login
About This Chapter
A user can log in to the CX device through a console port, an AUX port, or by using Telnet or
SSH (STelnet). After the login, the user can maintain the CX device locally or remotely.
5.1 Overview of User Login
Users can manage and maintain the CX device only after logging in to the CX device. Users can
log in to the CX device by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).
5.2 Logging in to the Devices Through the Console Port
When a user needs to configure the CX device that is powered on for the first time or locally
maintain the CX device, the user can log in to the CX device through a console port.
5.3 Logging in to the Devices Through the AUX Port
When a user terminal and the CX device have no reachable route between each other, the user
can remotely configure and manage or locally maintain the CX device by logging in to the CX
device through an AUX port.
5.4 Logging in to the Devices by Using Telnet
If multiple CX devices need to be configured and managed, you do not need to connect the CX
devices and maintain them locally one by one. Instead, you can log in to the CX devices from
a terminal by using Telnet. This implements remote maintenance of the CX device and greatly
facilitates device management.
5.5 Logging in to the Devices by Using STelnet
STelnet provides secured remote access over an insecure network. After the client/server
negotiation is complete and a secured connection is established, a user can log in to the CX
device in a similar way as Telnet.
5.6 Common Operations After Login
After logging in to the CX device, you can perform following operations as needed, such as user
priority switching and terminal window locking.
This section provides several examples describing how to configure user login by using a console
port, Telnet, or STelnet. You can understand the configuration procedures by referring to the
Configuration Guide - Basic Configurations 5 Configuring User Login
5-1
configuration flowchart. The configuration examples provide information about the networking
requirements, configuration notes, and configuration roadmap.
Issue 01 (2011-05-30)
5.1 Overview of User Login
Users can manage and maintain the CX device only after logging in to the CX device. Users can
log in to the CX device by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).
To configure, monitor, and maintain the local or remote network devices running CX600, you
need to configure the user interface, the user management, and the terminal service.
The user interface provides a login plane. The user management guarantees the login security
and the terminal service provides related processes of login protocol.
The CX600 supports the following login methods:
l Login through the console port
l Local or remote login through the AUX port
l Local or remote login through Telnet or STelnet
Table 5-1 User login modes
Login Mode Application
Console port Users log in to the CX device through the console port to configure the CX
device locally. Login through the console port is required when the CX
device is powered on for the first time.
Telnet Users log in to the CX device by using Telnet for local and remote
maintenance. Telnet helps users maintain remote devices but brings security
threats.
AUX port Users log in to the CX device through the AUX port to maintain the CX
device locally when there is no available route and Telnet is unsuitable.
SSH (STelnet) SSH (STelnet) provides security protection for users logging in to the CX
device to maintain the CX device locally or remotely.

NOTE
Logins by using Telnet bring security risks because no secure authentication mechanism is available and
data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission
on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH
supports security Telnet (STelnet).
For detailed information about SSH, see the CX600 Feature Description - Basic Configurations.
5.2 Logging in to the Devices Through the Console Port
When a user needs to configure the CX device that is powered on for the first time or locally
maintain the CX device, the user can log in to the CX device through a console port.
5-3
Before configuring user login through a console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This will help
5.2.2 Configuring Console User Interface
To allow users to log in to the CX device through a console port, configure attributes of the
console user interface.
5.2.3 Logging in to the CX device Through a Console Port
A user can log in to the CX device by connecting a terminal with the CX device through a console
port.
After a user logs in through a console port, the user can view information on the console user
interface, such as use information, physical attributes and configurations, local user list, and
online users.
Before configuring user login through a console port, familiarize yourself with the applicable
A user can log in to the CX device locally through a console port. If the CX device is powered
on for the first time, the user has to log in through a console port.
Before configuring user login through a console port, complete the following tasks:
l Configuring the PC/terminal (including the serial port and RS-232 cable)
l Installing the terminal emulator (such as HyperTerminal of Windows XP) to the PC
Data Preparation
To configure user login through a console port, you need the following data.
No. Data
1 l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, user name, and password

5.2.2 Configuring Console User Interface
To allow users to log in to the CX device through a console port, configure attributes of the
console user interface.
Issue 01 (2011-05-30)
Context
Attributes of an console user interface have default values on the CX device, and generally need
no additional settings. To meet specific application requirements or ensure network security,
you can set attributes of the console user interface, such as terminal attributes and user
authentication mode.
For detailed settings, see Configuring Console User Interface.
5.2.3 Logging in to the CX device Through a Console Port
A user can log in to the CX device by connecting a terminal with the CX device through a console
port.
Context
For details, see Login Through the Console PortCX device.
NOTE
l Communication parameters of the user terminal must be consistent with the physical attribute
parameters of the console user interface on the CX device.
l If a user authentication mode is specified in the console user interface, a user can log in to the CX
device only after passing the authentication. This enhances network security.
After a user logs in through a console port, the user can view information on the console user
online users.
Prerequisite
Configurations of user login through a console port are complete.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
----End
Example
0 CON 0 00:00:44 pass no
Run the display user-interface console ui-number1 [ summary ] command, and you can view
the physical attributes and configurations of the user interface.
5-5
<HUAWEI> display user-interface console 0
0 CON 0 9600 - 3 - N -
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Total 3,3 printed
5.3 Logging in to the Devices Through the AUX Port
When a user terminal and the CX device have no reachable route between each other, the user
can remotely configure and manage or locally maintain the CX device by logging in to the CX
device through an AUX port.
Before configuring user login through an AUX port, familiarize yourself with the applicable
5.3.2 Configuring AUX User Interface
To allow users to log in to the CX device through an AUX port, configure attributes of the AUX
user interface.
5.3.3 Logging in to the CX deviceThrough an AUX Port
You can establish a connection between a terminal and the CX device through an AUX port.
After a user log in through an AUX port, the user can view information on the console user
online users.
Before configuring user login through an AUX port, familiarize yourself with the applicable
You can configure and maintain the CX device locally or remotely through an AUX port.
Issue 01 (2011-05-30)
In local configuration of the CX device, the AUX login method is similar to the console login
method. The only difference between the two login methods lies in the default user priority: The
default user priority of the console user interface is 3, whereas that of the AUX user interface is
0. Therefore, Logging in by using the console login method is recommended in the local
configuration. The following part mainly describes remote login of the CX device through an
AUX port.
NOTE
To manage and maintain the CX device through an AUX port, firstly modify the user priority of the AUX
user interface.
When there is no reachable route between a PC and the CX device, you can connect the serial
port of the PC to the AUX port of the CX device by using a modem. In this manner, you can use
the PSTN to configure and maintain the CX device remotely.
As shown in Figure 5-1, The COM interface of the PC is connected to the modem that is
connected to the PSTN. The AUX port of the CX device is connected to another modem that is
connected to the PSTN.
Figure 5-1 Networking diagram of remote login through an AUX port
PSTN
PC CX600 Modem Modem

Before configuring user login through an AUX port, complete the following tasks:
l Connecting the PC to the CX device through modems
l Configuring the modem
l Installing a terminal emulator (such as HyperTerminal of Windows XP) in the PC
Data Preparation
To configure user login through an AUX port, you need the following data.
No. Data
1 l Transmission rate, flow control mode, parity, stop bit, data bit
l Number of lines displayed in a terminal screen, size of the history command buffer
l user priority
l modem attributes
l (Optional) Auto-run commands
l User authentication mode, user name, password
2 Telephone number of the modem at the remote CX device side.
5-7

5.3.2 Configuring AUX User Interface
To allow users to log in to the CX device through an AUX port, configure attributes of the AUX
user interface.
Context
Attributes of an AUX user interface have default values on the CX device, and generally need
no additional settings. To meet specific application requirements or ensure network security,
you can also set attributes of the AUX user interface, such as terminal attributes and user
authentication mode.
For detailed settings, see Configuring AUX User Interface.
5.3.3 Logging in to the CX deviceThrough an AUX Port
You can establish a connection between a terminal and the CX device through an AUX port.
Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) in the PC to establish a
connection with the CX device, as shown in Figure 5-2.
Figure 5-2 Connection creating

Step 2 Set dialing information, as shown in Figure 5-3.
Issue 01 (2011-05-30)
Figure 5-3 Dialing information setting

Step 3 Establish a connection with the CX device, as shown in Figure 5-4.
Figure 5-4 Remote connection with the CX device

If certain communication parameters need to be modified, press Modify in the Figure 5-4, as
shown in Figure 5-5, and then press Set, as shown in Figure 5-6.
5-9
Figure 5-5 Connection attribute modification

Issue 01 (2011-05-30)
Figure 5-6 Communications parameters setting

Step 4 Press Dialing. If user authentication is needed, input the corresponding authentication
information, and wait till the command line prompt of the user view appears, such as
<HUAWEI>. This indicates that the user view is entered and relevant configurations can be
input.
----End
After a user log in through an AUX port, the user can view information on the console user
online users.
Prerequisite
Configurations of user login through the AUX port are complete.
Procedure
l Run the display users [ all ] command to check usage information about the AUX user
interface.
l Run the display user-interface aux interface-number [ summary ] command to check
5-11
----End
Example
33 AUX 0 00:00:44 pass no
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the
<HUAWEI> display user-interface aux 0
33 AUX 0 9600 - 0 - N -
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Total 3,3 printed
5.4 Logging in to the Devices by Using Telnet
If multiple CX devices need to be configured and managed, you do not need to connect the CX
devices and maintain them locally one by one. Instead, you can log in to the CX devices from
a terminal by using Telnet. This implements remote maintenance of the CX device and greatly
facilitates device management.
Before configuring user login by using Telnet, familiarize yourself with the applicable
5.4.2 Configuring VTY User Interface
To log in to the CX device by using Telnet, configure attributes of the VTY user interface.
5.4.3 (Optional) Configuring Local Telnet Users
If the user authentication mode is AAA in the VTY user interface, the access type of local users
needs to be specified. Local users with the access type of Telnet are Telnet users.
Issue 01 (2011-05-30)
5.4.4 Enabling the Telnet Service
Before a terminal establishes a Telnet connection with the CX device, enable the Telnet server
function on the CX device.
5.4.5 (Optional) Configuring Listening Port Number for Telnet Server
A user can configure or change the listening port number of the Telnet server. Changing the
listening port number ensures network security, because only the user that knows the current
listening port number can log in to the CX device.
5.4.6 Logging in to the CX device by Using Telnet
After the CX device is configured, you can log in to the CX device from a terminal by using
Telnet, implementing remote maintenance of the CX device.
After users log in to the system by using Telnet, you can view the connection status of the current
user interface, connection status of each user interface, and status of all established TCP
connections.
Before configuring user login by using Telnet, familiarize yourself with the applicable
If you have known the IP address of the CX device to be accessed, you can log in to the CX
device from a terminal by using Telnet, and remotely maintain the device. This allows you to
maintain multiple CX devices on the same terminal, greatly facilitating device management.
Note that IP addresses of the CX devices need to be preset through console ports.
Before configuring user login in Telnet mode, complete the following tasks:
l Configuring reachable routes between the terminal and the device
Data Preparation
Before configuring user login in Telnet mode, you need the following data.
No. Data
1 l Maximum number of VTY user interfaces
l (Optional) ACL for limiting call-in and call-out in VTY user interfaces
l Connection timeout period of terminal users, number of lines displayed in a
terminal screen, size of the history command buffer
l User priority
l User authentication mode, user name, password
2 TCP port number for the remote CX device to provide Telnet services, VPN instance
name
5-13
No. Data
3 IPv4/IPv6 address or host name of the CX device

To log in to the CX device by using Telnet, configure attributes of the VTY user interface.
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before
a user logs in to the CX device by using Telnet, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the CX device.
You can log in to the CX device through a console port to set the user authentication mode in
the VTY user interface.
Other attributes of the VTY user interface in the CX device, such as terminal attributes and user
priorities, can also be set as needed. These attributes, however, generally do not need to be set
because they have default values.
For detailed settings, see Configuring VTY User Interface.
5.4.3 (Optional) Configuring Local Telnet Users
If the user authentication mode is AAA in the VTY user interface, the access type of local users
needs to be specified. Local users with the access type of Telnet are Telnet users.
Context
If the user authentication mode of the VTY user interface is non-authentication or password
authentication, the following configurations are not needed.
By default, a local user can apply for any access type. You can specify an access type to allow
only users configured with the specified access type to log in to the CX device.
Do as follows on the CX device that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
The local user name and password are set.
Issue 01 (2011-05-30)
Step 4 Run:
local-user user-name service-type telnet
The access type of the local user is set to Telnet.
----End
5.4.4 Enabling the Telnet Service
Before a terminal establishes a Telnet connection with the CX device, enable the Telnet server
Context
By default, the function of the Telnet server is enabled.
Do as follows on the CX device that serves as an Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l For the IPv4 network
1. Run:
system-view
2. Run:
telnet server enable
The Telnet service is enabled.
l For the IPv6 network
1. Run:
system-view
2. Run:
telnet ipv6 server enable
The Telnet service is enabled.
NOTE
l If the undo telnet [ipv6] server enable command is run when a user logs in by using
Telnet, the command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only using SSH
or an asynchronous serial port rather than using Telnet.
----End
5.4.5 (Optional) Configuring Listening Port Number for Telnet
Server
A user can configure or change the listening port number of the Telnet server. Changing the
listening port number ensures network security, because only the user that knows the current
listening port number can log in to the CX device.
5-15
Context
By default, the listening port number of a Telnet server is 23. Users can directly log in to the
CX device by using the default listening port number. Attackers probably access the default
listening port, reducing available bandwidth, deteriorating performance of the server, and
causing valid users unable to access the server. After the listening port number of the Telnet
server is changed, attackers do not know the new listening port number. This effectively prevents
attackers from accessing the listening port.
Do as follows on the CX device that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
telnet server port port-number
The listening port number of the Telnet server is set.
If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.
----End
5.4.6 Logging in to the CX device by Using Telnet
After the CX device is configured, you can log in to the CX device from a terminal by using
Telnet, implementing remote maintenance of the CX device.
Context
If you need to log in to the CX device by using Telnet, you can use either windows command
lines or a third-party software in the terminal. In this part, the windows command line prompt
is used.
Do as follows on the user terminal:
Procedure
Step 1 Use the windows command line.
Step 2 Run the telnet ip-address command to telnet the CX device.
1. Input the IP address of the Telnet server.
Issue 01 (2011-05-30)

2. Press "Enter" to display the command line prompt of the system view, such as
<HUAWEI>. This indicates that you have accessed the Telnet server.

----End
After users log in to the system by using Telnet, you can view the connection status of the current
user interface, connection status of each user interface, and status of all established TCP
connections.
Prerequisite
Configurations of logins by using Telnet are complete.
Procedure
l Run the display users [ all ] command to check information about logged-in users on user
interfaces.
l Run the display tcp status command to check TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
<HUAWEI]> display users
34 VTY 0 00:00:12 TEL 10.138.77.38 no
5-17
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0
Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
Telnet IPV4 server :Enable
Telnet IPV6 server :Enable
Telnet server port :23
5.5 Logging in to the Devices by Using STelnet
STelnet provides secured remote access over an insecure network. After the client/server
negotiation is complete and a secured connection is established, a user can log in to the CX
device in a similar way as Telnet.
Before configuring users to log in by using STelnet, familiarize yourself with the applicable
To allow a user to log in to the CX device by using STelnet, configure attributes of the VTY
user interface.
5.5.3 Configuring SSH for the VTY User Interface
To allow users to log in to the CX device by using STelnet, you need to configure VTY user
interfaces to support SSH.
5.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types
To allow a user to log in to the CX device by using STelnet, you must configure an SSH user,
configure the CX device to generate a local RSA key pair, configure a user authentication mode,
and specify a service type for the SSH user.
5.5.5 Enabling the STelnet Server Function
To allow users to log in to the CX device by using STelnet, you must enable the STelnet server
5.5.6 (Optional) Configuring the STelnet Server Parameters
You can configure a device to be compatible with the SSH protocol of earlier versions, configure
or change the listening port number of an SSH server, and set an interval at which the key pair
of the SSH server is updated.
5.5.7 Logging in to the CX device by Using STelnet
After the CX device is configured, a user can log in to the CX device from a terminal by using
STelnet, implementing remote maintenance of the CX device.
Issue 01 (2011-05-30)
After configuring users to log in by using STelnet, you can view the SSH server configuration.
Before configuring users to log in by using STelnet, familiarize yourself with the applicable
Logins by using Telnet bring security risks because no secure authentication mechanism is
available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees
secure data transmission on a conventional insecure network by authenticating the client and
encrypting data in both directions.
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner
as using the Telnet service.
Before configuring users to log in by using STelnet, complete the following task:
Data Preparation
To configure users to log in by using STelnet, you need the following data:
No. Data
1 Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and
call-out in VTY user interfaces, connection timeout period of terminal users, number
of rows displayed in a terminal screen, size of the history command buffer, user
authentication mode, user name, and password
2 User name, password, authentication mode, and service type of an SSH user and
remote public RSA key pair allocated to the SSH user
3 (Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encrypted algorithm from the SSH server to the STelnet client, preferred HMAC
algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from
the SSH server to the STelnet client, preferred algorithm of key exchange, name of
the outgoing interface, and source address

To allow a user to log in to the CX device by using STelnet, configure attributes of the VTY
user interface.
5-19
Context
a user logs in to the CX device by using STelnet, the user authentication mode in the VTY user
You can log in to the CX device through a console port to set the user authentication mode in
To allow users to log in to the CX device by using STelnet, you need to configure VTY user
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH,
users cannot log in to the CX device by using STelnet.
Do as follows on the CX device that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
Step 3 Run:
The AAA authentication mode is configured.
Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.
NOTE
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with
AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
Issue 01 (2011-05-30)
5.5.4 Configuring an SSH User and Specifying STelnet as One of
Service Types
To allow a user to log in to the CX device by using STelnet, you must configure an SSH user,
and specify a service type for the SSH user.
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all.
Password authentication depends on Authentication, Authorization and Accounting
(AAA). Before a user logs in to the CX device in password or password-RSA authentication
mode, you must create a local user with the specified user name in the AAA view.
l Configuring the CX device to generate a local RSA key pair is a key step for SSH login.
If an SSH user logs in to an SSH server in password authentication mode, configure the
server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication.
The all authentication mode requires success of either password authentication or RSA authentication.
Do as follows on the CX device that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh user user-name
1. Run:
aaa
2. Run:
Step 3 Run:
rsa local-key-pair create
A local RSA key pair is generated.
NOTE
l Before performing the other SSH configurations, you must configure the rsa local-key-pair create
command to generate a local key pair.
l After generating the local key pair,you can perform the display rsa local-key-pair public command
to view the public key in the local key pair.
5-21
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured.
Perform the following as required:
l Authenticate the SSH user through the password.
Run:
ssh user user-name authentication-type password
The password authentication is configured for the SSH user.
Run:
ssh authentication-type default password
The default password authentication is configured for the SSH user.
For the local authentication or HWTACACS authentication, if the number of SSH users
is small, you can adopt the former command; if the number of SSH users is large, adopt
the later command to simplify the configuration.
l Authenticate the SSH user through RSA.
1. Run:
ssh user user-name authentication-type rsa
The RSA authentication is configured for the SSH user.
2. Run:
rsa peer-public-key key-name
The public key view is displayed.
3. Run:
public-key-code begin
The public key editing view is displayed.
4. Run:
hex-data
The public key is edited.
NOTE
l In the public key view, only hexadecimal strings complying with the public key format can be
typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals
for SSH client software.
l After the public key editing view is displayed, the RSA public key generated on the client can
be sent to the server. Copy the RSA public key to the CX device that serves as the SSH server.
5. Run:
public-key-code end
Quit the public key editing view.
l If the specified hex-data is invalid, the public key cannot be generated after the peer-
public-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does
not exist after the peer-public-key end command is run and the system view is
displayed.
6. Run:
Issue 01 (2011-05-30)
peer-public-key end
Return to the system view from the public key view.
7. Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.
Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users
1. Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured.
By default, the interval for updating the key pair of the SSH server is 0 that indicates no
updating.
2. Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set.
By default, the timeout period is 60 seconds.
3. Run:
ssh server authentication-retries times
The number of retry times of the SSH authentication is set.
By default, the retry times is 3.
Step 6 (Optional) Authorizing SSH Users Through the Command Line
SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA
authentication mode, you can configure SSH users to be authorized based on command levels.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { stelnet | all }
The service type for the SSH user is configured.
By default, the service type of the SSH user is not configured.
----End
5.5.5 Enabling the STelnet Server Function
To allow users to log in to the CX device by using STelnet, you must enable the STelnet server
5-23
Context
By default, no CX device is enabled with the STelnet server function. Users can establish
connections to the CX device by using STelnet only after the CX device is enabled with the
STelnet server function.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stelnet server enable
The STelnet server function is enabled.
By default, the STelnet server function is disabled.
----End
Context
l Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes
and key exchange modes with higher service capability, such as SFTP. The CX600 supports
the SSH protocol of version 1.3 to version 2.0.
l By default, the listening port number of an SSH server is 22. Users can directly log in to
the CX device by using the default listening port number. Attackers probably access the
default listening port, reducing available bandwidth, deteriorating performance of the
server, and causing valid users unable to access the server. After the listening port number
of the SSH server is changed, attackers do not know the new port number. This effectively
prevents attackers from accessing the listening port, improving security.
l You can set an interval at which the key pair of an SSH server is updated. When the timer
expires, the key pair is automatically updated, improving security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh server compatible-ssh1x enable
The earlier version-compatible function is enabled.
Issue 01 (2011-05-30)
By default, the server enabled with SSH2.0 is compatible with the server enabled with SSH1.X.
To prevent the clients running SSH1.3 to SSH1.99 from logging in, you can run the undo ssh
server compatible-ssh1x enable command to disable the CX device from being compatible
with the SSH protocol of earlier versions.
Step 3 Run:
ssh server port port-number
If a new listening port number is configured, the SSH server interrupts all the STelnet and SFTP
connections and starts to listen to the new port. By default, the listening port number of an SSH
server is 22.
Step 4 Run:
By default, the interval at which the key pair of an SSH server is updated is 0, which means that
the key pair is not updated.
----End
5.5.7 Logging in to the CX device by Using STelnet
After the CX device is configured, a user can log in to the CX device from a terminal by using
STelnet, implementing remote maintenance of the CX device.
Context
In STelnet login mode, a third-party software can be used in the terminal. In this part, the third-
party software OpenSSH and windows command line are used.
After installing OpenSSH in the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the installation guide of the software.
For details on how to use OpenSSH commands to log in to the CX device, refer to the help document of
the software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the CX device in STelnet mode.
5-25

----End
After configuring users to log in by using STelnet, you can view the SSH server configuration.
Prerequisite
Configurations of logins by using STelnet are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
Issue 01 (2011-05-30)
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
If no SSH user is specified, information about all SSH users logging in to an SSH server will be
displayed.
Run the display ssh server status command to view configurations of an SSH server.
<HUAWEI> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Run the display ssh server session command. The command output shows that the session
information between SSH server and client.
<HUAWEI> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
5.6 Common Operations After Login
After logging in to the CX device, you can perform following operations as needed, such as user
priority switching and terminal window locking.
Before performing operations after login, familiarize yourself with the applicable environment,
5.6.2 Switching User Levels
If a user wants to upgrade from a lower level to a higher level after logging in to the CX
device, a password is required. The password needs to be configured in advance.
5-27
5.6.3 Locking User Interfaces
When you leave the operation terminals for a moment, you can lock the user interface to prevent
unauthorized users from operating the interface.
5.6.4 Sending Messages to Other User Interfaces
Messages can be exchanged between the current user interface and other user interfaces.
5.6.5 Displaying Logged-in Users
After users log in, you can query information about logged-in users.
5.6.6 Clearing Logged-in Users
If you want to force a logged-in user to log out of the CX device, you can tear down the connection
between the CX device and the user.
5.6.7 Configuring Configuration Locking
When multiple users log in to the CX device to configure the device, configuration conflict may
occur. To prevent configuration conflict from affecting services, you can enable the function of
configuration locking. This allows only one user to configure the device at a time.
Before performing operations after login, familiarize yourself with the applicable environment,
To ensure that the operator manages CX devices safely, you need to configure the switching of
user levels, enable message sending between user interfaces, and clear designated users.
Before performing operations after login, complete the following tasks:
l Connecting the terminal to the CX device
Data Preparations
Before performing operations after login, you need the following data:
No. Data
1 Password used for switching user levels
2 Type and number of the user interface
3 Contents of the message to be sent

5.6.2 Switching User Levels
If a user wants to upgrade from a lower level to a higher level after logging in to the CX
device, a password is required. The password needs to be configured in advance.
Issue 01 (2011-05-30)
Context
To prevent an unauthorized user from using high-level commands, a password is required to
increase the user level.
When configuring the switchover of user levels on the CX device, users can perform
HWTACACS Authentication. For detailed configurations, refer to the HUAWEI CX600 CX
device Configuration Guide - Security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
super password [ level user-level ] { simple | cipher } password
The password for switching user levels is configured.
By default, the password for the user is set to Level 3.
CAUTION
If simple is configured, the password is saved in the configuration file in plain text. This means
that low-level login users can easily obtain and change the password by checking the
configuration file, compromising the network security. Therefore, selecting cipher to save the
password in the cipher text is recommended.
If cipher is used to set the password, the password cannot be obtained from the system. Save
the password to avoid oblivion or missing.
Step 3 Run:
quit
Return to the user view.
Step 4 Run:
super [ level ]
User levels are switched.
By default, the level is 3.
Step 5 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If the user enters a
password incorrectly for three consecutive times, the user remains at the current login level and
returns to the user view.
NOTE
When the login user of lower level is switched to the user of higher level through the super command, the
system automatically sends trap messages and records the switchover in a log. When the switched level
is lower than that of the current level, the system only records the switchover in a log.
----End
5-29
5.6.3 Locking User Interfaces
When you leave the operation terminals for a moment, you can lock the user interface to prevent
unauthorized users from operating the interface.
Context
The user interface can be classified into the Console user interface, AUX user interface, and
VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.
Step 2 Follow the system prompt and input an unlock password, and then confirm the input.
<HUAWEI> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter a correct password to unlock the user interface.
----End
5.6.4 Sending Messages to Other User Interfaces
Messages can be exchanged between the current user interface and other user interfaces.
Context
Users logging in to the CX device can send messages from the current user interface to users in
other user interfaces as needed.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.
Step 2 Following the prompt, you can view the message to be sent. You can press Ctrl_Z or Enter to
end the display, and press Ctrl_C to abort the display.
----End
5.6.5 Displaying Logged-in Users
After users log in, you can query information about logged-in users.
Context
User information includes the user name, address, and authentication and authorization
information.
Issue 01 (2011-05-30)
Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about logged-in users on all user interfaces is displayed.
----End
5.6.6 Clearing Logged-in Users
If you want to force a logged-in user to log out of the CX device, you can tear down the connection
between the CX device and the user.
Context
You can run the display users command to view users logging in to the CX device.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.
Step 2 Based on displayed information, you can confirm whether specified logged-in users have been
cleared.
----End
5.6.7 Configuring Configuration Locking
When multiple users log in to the CX device to configure the device, configuration conflict may
occur. To prevent configuration conflict from affecting services, you can enable the function of
configuration locking. This allows only one user to configure the device at a time.
Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user locks the configuration set, you can exclusively lock the configuration.
Procedure
Step 1 Run:
configuration exclusive
The user obtains exclusive configuration access.
After enabling the configuration locking function, you can exclusively enjoy the configuration
authority in an explicit manner.
NOTE
This command can be run in any view.
You can run the display configuration-occupied user command to check information about the user who
locks the configuration set at the moment.
If the configuration set is already locked, an prompt message is displayed after this command is run.
5-31
Step 2 Run:
system-view
Step 3 Run:
configuration-occupied timeout timeout-value
The timeout period for automatically unlocking the configuration set is set.
After the timeout period expires, the configuration set is automatically unlocked, allowing other
users to configure the device.
By default, the timeout period is 30s.
NOTE
l When a user without exclusive configuration access runs this command, the system prompts an error
message.
l If the configuration set is locked by another user, this command cannot be configured, and the system
l If the configuration set is locked by the current user, the current user can run this command.
----End
This section provides several examples describing how to configure user login by using a console
port, Telnet, or STelnet. You can understand the configuration procedures by referring to the
configuration flowchart. The configuration examples provide information about the networking
5.7.1 Example for Configuring User Login Through a Console Port
This part provides an configuration example describing how to configure user login through a
console port. In this configuration example, certain login settings are performed on the PC,
enabling the access to the CX device through a console port.
5.7.2 Example for Logging In Through the AUX Port
In this example, you can configure terminal and modem communication parameters so as to log
in to the CX device through the AUX port.
5.7.3 Example for Configuring User Login by Using Telnet
This part provides an example describing how to configure user login by using Telnet. In this
configuration example, a user logs in to the CX device after setting the VTY user interface and
user login parameters.
5.7.4 Example for Configuring User Login by Using STelnet
This part provides an example describing how to configure user login by using STelnet.. In this
example, after generating the local key pair on the SSH server, configuring the name and
password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server,
you can connect the Stelnet client to the SSH server.
5.7.1 Example for Configuring User Login Through a Console Port
This part provides an configuration example describing how to configure user login through a
console port. In this configuration example, certain login settings are performed on the PC,
enabling the access to the CX device through a console port.
Issue 01 (2011-05-30)
If a user modifies default values of certain parameters in the console user interface, the user
needs to reset corresponding parameters in the PC when logging in to the CX device through
the console port next time.
Figure 5-7 Networking diagram of user login through a console port
CX600 PC

1. Connect a PC to the CX device through a console port.
2. Perform login settings on the PC.
3. Log in to the CX device.
Data Preparation
Communication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2,
flow control mode: none)
Procedure
Step 1 Establish the configuration environment by connecting the serial port of the PC to the console
port of the CX device through standard RS-232 cable.
Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shown
in Figure 5-8 to Figure 5-10.
Figure 5-8 Connection creation
5-33

Figure 5-9 Interface setting

Figure 5-10 Communication parameter setting
Issue 01 (2011-05-30)

Step 3 Power on the CX device and wait for the completion of the self-check. After the CX device starts
normally and finishes the self-check, the system prompts you to press Enter.
Wait till the prompt (mostly the <HUAWEI>) appears, and then you can use a command to view
the running status of the CX device or configure the CX device.
----End
5.7.2 Example for Logging In Through the AUX Port
In this example, you can configure terminal and modem communication parameters so as to log
in to the CX device through the AUX port.
If you cannot configure the CX device by local login and no CX device is reachable to other
CX devices, connect the serial port of the PC with the AUX port of the CX device through the
modem. The detailed configuration environment is shown in Figure 5-11.
Figure 5-11 Networking diagram of logging in through the AUX port
CX600
PC
COM
PSTN
Modem Modem

1. Establish the physical connection.
2. Configure the name, authentication mode, and password of a user that logs in.
3. Configure the AUX port to support the modem dialup.
4. Configure modem parameters.
Data Preparation
l Type of terminals
l Terminal communication parameters
l User name, password, and authentication mode used for user login, which are huawei,
hello, and password respectively.
5-35
l Modem communication parameters
Procedure
Step 1 Establish the physical connection, as shown in Figure 5-11.
Step 2 Configure the AUX port to support the modem dialup.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type terminal
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] modem both
Step 3 Configure modem parameters.
# Run the PC emulation terminal, see Logging in to the CX device Through an AUX Port
Press Enter on the PC emulation terminal or terminal until a command line prompt of the modem
such as ">" appears.
Configure the modem to meet the requirements of AUX communication.
For details, see modem descriptions.
Step 4 Log in to the CX device.
Enter the user name and password in the remote terminal emulation program.
After authentication succeeds, a command line prompt such as <HUAWEI> appears.
Enter the command to check the running status of the CX device or configure the CX device.
Enter "?" for help.
----End
5.7.3 Example for Configuring User Login by Using Telnet
This part provides an example describing how to configure user login by using Telnet. In this
configuration example, a user logs in to the CX device after setting the VTY user interface and
user login parameters.
A user can log in to the CX device on another network segment from a PC to remotely maintain
the CX device.
Figure 5-12 Networking diagram of user login by using Telnet
NetWork
PC CX600
GE1/0/1
10.137.217.221/16
Issue 01 (2011-05-30)

After a Telnet user logs in to the CX device in AAA authentication mode, the Telnet user is
prohibited from logging in to another CX device through the CX device.
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the CX device.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the CX device.
Data Preparation
l IP address of the PC
l IP address of the Ethernet interface on the CX device: 10.137.217.221
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another CX device:
3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)
Procedure
Step 1 Respectively connection the PC and the CX device to the network.
Step 2 Configure a login address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[HUAWEI-GigabitEthernet1/0/1] quit
Step 3 Configure the VTY user interface on the CX device.
# Set the maximum number of VTY user interfaces.
# Configure an ACL that is used to prohibit users from logging into another CX device.
[HUAWEI]acl 3001
[HUAWEI-acl-adv-3001]rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001]quit
[HUAWEI-ui-vty0-9] acl 3001 outbound
# Set terminal attributes of the VTY user interface.
[HUAWEI-ui-vty0-9] shell
[HUAWEI-ui-vty0-9] idle-timeout 20
5-37
[HUAWEI-ui-vty0-9] screen-length 30
[HUAWEI-ui-vty0-9] history-command max-size 20
# Set the user authentication mode of the VTY user interface.
[HUAWEI-ui-vty0-9] authentication-mode aaa
[HUAWEI-ui-vty0-9] quit
Step 4 Set parameters of the login user on the CX device.
# Specify the user authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
Step 5 # Configure user login.
Use the windows command line to telnet the CX device. The Telnet login window is shown in
the following figure.
Figure 5-13 Telnet login window on the PC

Press Enter, and then input the user name and password in the login window. If user
authentication succeeds, a command line prompt of the system view is displayed. It indicates
that you have entered the user view.
Issue 01 (2011-05-30)
Figure 5-14 Window after login of the CX device

Click Yes and then input the user name and password in the login window. If user authentication
succeeds, a command line prompt such as HUAWEI is displayed.
----End
Configuration Files
Configuration file of the CX-
#
sysname HUAWEI
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user huawei service-type telnet
local-user huawei level 3
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
user-interface maximum-vty 10
acl 3001 outbound
idle-timeout 20 0
screen-length 30
#
return
5-39
5.7.4 Example for Configuring User Login by Using STelnet
This part provides an example describing how to configure user login by using STelnet.. In this
example, after generating the local key pair on the SSH server, configuring the name and
password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server,
you can connect the Stelnet client to the SSH server.
As shown in Figure 5-15, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
In this configuration example, the password authentication mode is used.
Figure 5-15 Networking diagram of configuring user login by using STelnet
Network
PC SSH Server
GE1/0/1
10.137.217.225/16

1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Configure an SSH client, which involves the setting of the user authentication mode, user
name, and password.
4. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
l SSH user authentication mode: password, user name: client001, password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.164.39.210
Procedure
Step 1 Generate a local key pair on the server.
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
Issue 01 (2011-05-30)
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
NOTE
If SSH is configured as the login protocol, the CX600 automatically disables Telnet.
Step 3 Configure the password of the SSH user Client001 to huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable the STelnet service on the SSH server.
[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password
[SSH Server] quit
Step 5 Verify the configuration.
# Log in to the device through the software putty, and specify the IP address of the device being
10.164.39.210 and the login protocol being SSH.
5-41

# Log in to the device through the software putty, and enter the user name client001 and the
password huawei.

----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
aaa
local-user client001 password cipher huawei
local-user client001 level 3
local-user client001 service-type ssh
#
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
ssh user client001 authentication-type password
#
#
return
Issue 01 (2011-05-30)
6 Managing File System
About This Chapter
The file system manages the files and directories in the storage devices on the CX device. It can
move and delete a file or directory and display the contents of the file.
6.1 File System Overview
The CX device effectively manages all files by means of the file system.
6.2 Performing File Operations by Means of the File System
Users can perform file operations by means of the file system, including managing storage
devices, directories, and files.
6.3 Performing File Operations by Means of FTP
FTP can transmit files between local and remote hosts, and is widely used for version upgrade,
log downloading, file transmission, and configuration saving.
6.4 Performing File Operations by Means of SFTP
SFTP enables users to log in to the CX device securely from the remote device to manage files.
This improves the security of data transmission for the remote end to update its system.
6.5 Performing File Operations by Means of Xmodem
This section describes how to transfer files through XModem.
This section provides an example for performing files by accessing the system and using FTP
or SFTP.These configuration examples explain networking requirements, configuration
roadmap, and configuration notes.
Configuration Guide - Basic Configurations 6 Managing File System
6-1
6.1 File System Overview
The CX device effectively manages all files by means of the file system.
6.1.1 File System
The file system manages the files and directories in the storage devices. It can create, delete,
modify, and rename a file or directory and display the contents of the file.
6.1.2 Methods of File Management
You can manage files by means of the file system, FTP or SFTP.
6.1.1 File System
The file system manages the files and directories in the storage devices. It can create, delete,
modify, and rename a file or directory and display the contents of the file.
The file system has two functions: managing the storage devices and managing the files that are
stored in those storage devices.
6.1.2 Methods of File Management
You can manage files by means of the file system, FTP or SFTP.
Performing File Operations by Means of the File System
l Storage Devices
Storage devices are hardware devices for storing messages.
At present, the CX device supports the storage devices CF card.
l Files
The file is a mechanism with which the system stores and manages messages.
l Directories
The directory is a mechanism with which the system integrates and organizes the file,
serving as a logical container of the file.
Performing File Operations by Means of FTP
You can configure the CX device as the FTP server, and log in to the CX device from the user
terminal to transmit files and manage directories on the FTP server.
Performing File Operations by Means of SFTP
SSH supports Secure File Transfer Protocol (SFTP), which enables users to remotely and
securely log in to the CX device to manage files. SSH guarantees secure data transmission on a
conventional insecure network by authenticating the client and encrypting data in both
directions.
Performing File Operations by Means of Xmodem
XModem is a file transfer protocol and is mainly applied to the AUX port.XModem does not
support simultaneous operations of multiple users.
Issue 01 (2011-05-30)
Table 6-1 File management methods
File Management Method Implementation
Logging in to the system You can log in to the system through the
Console or AUX port or by using Telnet or
STelnet to manage files.
FTP The CX device needs to be enabled with FTP.
Most terminals support the FTP client
function.
SFTP l SFTP provides secure file transfer
services based on SSH, irrelevant to the
standard FTP protocol.
l The CX device needs to be enabled with
SFTP. Terminals need to be installed with
the SFTP client software.

6.2 Performing File Operations by Means of the File System
Users can perform file operations by means of the file system, including managing storage
devices, directories, and files.
Before performing file operations by means of the file system, familiarize yourself with the
can help you complete the configuration tasks quickly and accurately.
6.2.2 Managing Storage Devices
When the file system of the storage devices on the CX device functions abnormally, you need
to repair and format the file system before managing the storage devices.
6.2.3 Managing the Directory
You can manage directories to logically store files in hierarchy.
6.2.4 Managing Files
You can log in to the file system to view, delete, or rename the files on the CX device.
Before performing file operations by means of the file system, familiarize yourself with the
can help you complete the configuration tasks quickly and accurately.
When the CX device fails to save or obtain data, you can log in to the file system to repair the
faulty storage devices or manage files or directories on the CX device. You can especially
manage storage devices by logging in to the file system.
6-3
Before performing file operations by logging in to the file system, complete the following tasks:
l Connecting the client with the server correctly
Data Preparation
To perform file operations by logging in to the file system, you need the following data:
No. Data
1 Storage device name
2 Directory name
3 File name

6.2.2 Managing Storage Devices
When the file system of the storage devices on the CX device functions abnormally, you need
to repair and format the file system before managing the storage devices.
Context
When the file system on a storage device fails, the terminal of the CX device prompts you to
rectify the fault.
You can format a storage device when you fail to repair the file system or you do not need any
data saved on the storage device.
CAUTION
Formatting storage devices may lead to data loss. Therefore, exercise caution when perform this
operation.
Procedure
l Run:
fixdisk device-name
The storage devices with file system troubles is repaired.
NOTE
After this command is run, if the prompt that the system should be repaired is still received, it indicates
that the physical medium may be damaged.
l Run:
format device-name
The storage device is formatted.
Issue 01 (2011-05-30)
NOTE
If the storage device cannot work after running the format device-name command, a fault may occur
to the hardware.
----End
6.2.3 Managing the Directory
You can manage directories to logically store files in hierarchy.
Context
You can manage directories by changing and displaying directories, displaying files in
directories and sub-directories, and creating and deleting directories.
Procedure
l Run:
cd directory
A directory is specified.
l Run:
pwd
The current directory is displayed.
l Run:
dir [ /all ] [ filename ]
The file and sub-directory list in the directory is displayed.
Either the absolute path or relative path is applicable.
l Run:
mkdir directory
The directory is created.
l Run:
rmdir directory
The directory is deleted.
----End
6.2.4 Managing Files
You can log in to the file system to view, delete, or rename the files on the CX device.
Context
l Managing files include: displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
l You can run the cd directory command to enter the required directory from the current
directory.
6-5
Procedure
l Run:
more filename [ offset | all ]
The content of the file is displayed.
By specifying parameters in the more command, you can view files flexibly:
By running the more file-name command, you can view the file named file-name.
Contents of a text file are displayed screen after screen. If you hold and press the
spacebar on the current terminal, all contents of the current file can be displayed.
There are two preconditions if you want to display the contents of a text file screen after
screen:
The value configured by screen-length screen-length temporary command must
be larger than 0.
The total lines of the file must be larger than the value configured by screen-
length command.
By running the more file-name offset command, you can view the file named file-
name. Contents of a text file are displayed from the line specified by offset screen after
screen. If you hold and press the spacebar on the current terminal, all contents of the
current file can be displayed.
There are two preconditions if you want to display the contents of a text file screen after
screen:
The value configured by screen-length screen-length command must be larger than
0.
The result of the number of file characters subtracted by the value of offset must be
larger than the value configured by screen-length command.
By running the more file-name all command, you can view the file named file-name.
Contents of a text file are completely displayed without pausing after each screenful of
information.
l Run:
copy source-filename destination-filename
The file is copied.
NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
l Run:
move source-filename destination-filename
The file is moved.
l Run:
rename source-filename destination-filename
The file is renamed.
l Run:
zip source-filename destination-filename
The file is compressed.
l Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }
Issue 01 (2011-05-30)
The file is deleted.
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l Run:
undelete filename
The deleted file is recovered.
NOTE
If the current directory is not the parent directory, you must operate the file by using the absolute
path.
l Run:
reset recycle-bin [ filename ]
The file is deleted.
You can permanently delete files in the recycle bin.
l Running Files in Batch
You can upload the files and then process the files in batches. The edited batch files need
to be saved in the storage devices on the CX device.
When the batch file is created, you can run the batch file to implement routine tasks
automatically.
1. Run:
system-view
2. Run:
execute filename
The batched file is executed.
l Configuring Prompt Modes
The system displays prompts or warning messages when you operate the device (especially
the operations leading to data loss). If you need to change the prompt mode for file
operations, you can configure the prompt mode of the file system.
1. Run:
system-view
2. Run:
file prompt { alert | quiet }
The prompt mode of the file system is configured.
By default, the prompt mode is alert.
6-7
CAUTION
If the prompt is in the quiet mode, no prompt appears for data lossdue to maloperation.
----End
6.3 Performing File Operations by Means of FTP
Before performing file operations by means of FTP, familiarize yourself with the applicable
6.3.2 Configuring a Local FTP User
You can configure the authorization mode and authorization directory for FTP users. In this
case, unauthorized users cannot access the specific directory, which guarantees the security.
6.3.3 (Optional) Specifying a Port Number for the FTP Server
You can configure or change the monitoring port number of the FTP server. After the port
number is changed, only the user knows the current port number, which guarantees the security.
6.3.4 Enabling the FTP Server
Before using FTP to perform file operations, you need to enable the FTP sever on the CX
device.
6.3.5 (Optional) Configuring the FTP Server Parameters
The FTP server parameters include the source address of the FTP server and the timeout period
for FTP connection.
6.3.6 (Optional) Configuring an FTP ACL
After an FTP ACL is configured, only the specified clients can access the deviceCX device.
6.3.7 Accessing the System by Using FTP
After the FTP server is configured, you can access the CX device from the PC by using FTP to
manage the files on the CX device.
6.3.8 Performing File Operations by Using FTP Commands
After logging in to the CX device that functions as an FTP server by using FTP, you can upload
files to or download files from the CX device, and manage the directories on the CX device.
After the configuration is complete, you can view the configuration and status of the FTP server
as well as information about login FTP users.
Before performing file operations by means of FTP, familiarize yourself with the applicable
Issue 01 (2011-05-30)
When the CX device serves as the FTP server, after the client logs in to the CX device through
FTP, the user can transfer files between the client and the server.
Before performing file operations by means of FTP, complete the following task:
l Connecting the FTP client to the server
Data Preparation
To perform file operations by means of FTP, you need the following data:
NOTE
For FTP secure server connection, perform step 2.
No. Data
1 FTP user name and password, File directory authorized to the FTP user
2 (Optional) Listening port number specified on the FTP server
3 (Optional) Source IP address or source interface of the FTP server
(Optional) Timeout period of the disconnection from the FTP server
4 IP address or host name of the FTP server

6.3.2 Configuring a Local FTP User
You can configure the authorization mode and authorization directory for FTP users. In this
case, unauthorized users cannot access the specific directory, which guarantees the security.
Context
To perform file operations by means of FTP, you need to configure a local user name and a
password on the CX device and specify the service type and the directories that can be accessed.
Otherwise, you cannot access the CX device by using FTP.
Do as follows on the CX device that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
set default ftp-directory directory
The default FTP working directory is configured.
6-9
NOTE
The configuration in this step is valid for only TACACS users.
Step 3 Run:
aaa
Step 4 Run:
The local user name and the password are configured.
Step 5 Run:
local-user user-name service-type ftp
The FTP service type is configured.
Step 6 Run:
local-user user-name ftp-directory directory
The authorization directory about the FTP user is configured.
----End
6.3.3 (Optional) Specifying a Port Number for the FTP Server
You can configure or change the monitoring port number of the FTP server. After the port
number is changed, only the user knows the current port number, which guarantees the security.
Context
By default, the listening port number of an FTP server is 21. Users can directly log in to the CX
device by using the default listening port number. Attackers probably access the default listening
port, reducing available bandwidth, affecting performance of the server, and causing valid users
unable to access the server. After the listening port number of the FTP server is changed, attackers
do not know the new listening port number. This effectively prevents attackers from accessing
the listening port.
NOTE
If the FTP is not enabled, change the FTP port as required.
If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and then change
the FTP port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.
Issue 01 (2011-05-30)
If a new number of a monitored port is configured, the FTP server interrupts all the FTP
connections and monitors the port of the new number.
----End
6.3.4 Enabling the FTP Server
Before using FTP to perform file operations, you need to enable the FTP sever on the CX
device.
Context
By default, the FTP server is disabled on the CX device. Therefore, you must enable the FTP
server before using FTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.
NOTE
When the file operation between clients and the CX device ends, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This ensures the security of the CX device.
----End
6.3.5 (Optional) Configuring the FTP Server Parameters
The FTP server parameters include the source address of the FTP server and the timeout period
for FTP connection.
Context
l You can configure a source IP address for the FTP server. This limits the destination address
that the client can access and therefore guarantee the security.
l You can configure the timeout period for FTP connections on the FTP server. When the
timeout period of an FTP connection expires, the system breaks the connection to release
resources.
Procedure
Step 1 Run:
system-view
6-11
Step 2 Run:
ftp server-source { -a ip-address | -i
interface-type interface-number }
The source IP address and source interface of an FTP server is configured.
To log in to the FTP server, you must specify the same source IP address in the ftp command.
Otherwise, you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes
The timeout period of the FTP server is configured.
If the client is idle for the configured time, the connection is removed from the FTP server.
By default, the timeout value is 30 minutes.
----End
6.3.6 (Optional) Configuring an FTP ACL
After an FTP ACL is configured, only the specified clients can access the deviceCX device.
Context
When the CX devicedevice functions as an FTP server, you can configure an ACL to allow the
clients that meet the matching rules to access the FTP server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address
source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]
*
The ACL rule is configured.
NOTE
FTP supports only the basic ACL (2000 to 2999).
Step 4 Run:
quit
Return the system view.
Issue 01 (2011-05-30)
Step 5 Run:
ftp [ ipv6 ] acl acl-number
The basic FTP ACL is configured.
----End
6.3.7 Accessing the System by Using FTP
After the FTP server is configured, you can access the CX device from the PC by using FTP to
manage the files on the CX device.
Context
If you need to log in to the CX device by using FTP, you can use either windows command line
prompt or a third-party software. Here uses the windows command line prompt as an example.
Do as follows on the PC:
Procedure
Step 2 Run the ftp ip-address command to log in to the CX device by using FTP.
Enter the user name and password at the prompt, and press Enter. When the windows command
line prompts are displayed in the FTP client view, such as ftp>, you have entered the working
directory of the FTP server.

----End
6-13
6.3.8 Performing File Operations by Using FTP Commands
After logging in to the CX device that functions as an FTP server by using FTP, you can upload
files to or download files from the CX device, and manage the directories on the CX device.
Context
After logging in to the FTP server, you can perform the following operations:
l Configuring data type for the file
l Uploading or downloading files
l Creating directories on or deleting directories from the FTP server
l Displaying information about a specified remote directory or a file of the FTP server, or
deleting a specified file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following one or more operations:
Procedure
l Configuring data type and transmission mode for the file.
Run:
ascii or binary
The data type of the file to be transmitted is ascii or binary mode.
NOTE
FTP supports the ASCII type and the binary type. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
The selection of the FTP transmission mode is client-customized. The system defaults to the
ASCII transmission mode. The client can use a mode switch command to switch between the
ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary
mode is used to transmit binary files.
l Upload or download files.
Upload or download a file.
Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.
Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
Upload or download multiple files.
Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
Issue 01 (2011-05-30)
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
l Run one or more commands in the following order to manage directories.
Run:
cd pathname
The working path of the remote FTP server is specified.
Run:
pwd
The specified directory of the FTP server is displayed.
Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.
Run:
mkdir remote-directory
A directory is created on the FTP server.
Run:
rmdir remote-directory
A directory is removed from the FTP server.
l Run one or more commands in the following to manage files.
Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.
If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.
Run:
delete remote-filename
The specified file on the FTP server is deleted.
When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need other FTP operations,you can perform the help [ command ] command to get help in the
Windows command line.
----End
6-15
After the configuration is complete, you can view the configuration and status of the FTP server
as well as information about login FTP users.
Prerequisite
All configurations for operating files by using FTP are complete.
Procedure
l Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
l Run the display ftp-users command to check how many users are currently logged in FTP
server.
----End
Example
Run the display [ ipv6 ] ftp-server to view the FTP server is working.
<HUAWEI> display ftp-server
FTP server is running
Max user number 5
User count 1
Timeout value(in minute) 30
Listening Port 1080
Acl number 0
FTP server's source address 1.1.1.1
Run the display ftp-users command to view the user name, port number, authorization directory
of the FTP user configured presently.
<HUAWEI> display ftp-users
username host port idle topdir
zll 100.2.150.226 1383 3 cfcard:
6.4 Performing File Operations by Means of SFTP
SFTP enables users to log in to the CX device securely from the remote device to manage files.
This improves the security of data transmission for the remote end to update its system.
Before performing file operations by using SFTP, familiarize yourself with the applicable
To allow a user to log in to the CX device by using SFTP, you need to configure attributes of
To allow users to log in to the CX device by using SFTP, you need to configure VTY user
6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types
Issue 01 (2011-05-30)
To allow a user to log in to the CX device by using SFTP, you must configure an SSH user,
specify a service type and authorized directory for the SSH user.
6.4.5 Enabling the SFTP Service
Before enjoying the STelnet service, you need to enable it.
6.4.7 Accessing the System by Using SFTP
After the configuration is complete, users can log in to the CX device from the user terminal by
using SFTP to manage files on the CX device.
6.4.8 Performing File Operations by Using SFTP
On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH
server.
After performing file operations by using SFTP, you can view SSH user information and global
configurations of the SSH server.
Before performing file operations by using SFTP, familiarize yourself with the applicable
SSH guarantees secure data transmission on a conventional insecure network by authenticating
the client and encrypting data in both directions. SSH supports SFTP.
SFTP is a secure FTP service and enables users to log in to the FTP server for data transmission.
Before performing file operations by using SFTP, complete the following task:
Data Preparation
Before performing file operations by using SFTP, you need the following data.
No. Data
1 Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and
call-out in VTY user interfaces, connection timeout period of terminal users, number
of rows displayed in a terminal screen, size of the history command buffer, user
authentication mode, user name, and password
6-17
No. Data
2 User name, password, authentication mode, and service type of an SSH user and
remote public RSA key pair allocated to the SSH user, SFTP working directory of
the SSH user
3 (Option) Number of the port monitored by the SSH server
(Option) The interval for updating the key pair on the SSH server
4 Name of the SSH server,Number of the port monitored by the SSH server,Preferred
encrypted algorithm from the SFTP client to the SSH server,Preferred encrypted
algorithm from the SSH server to the SFTP client,Preferred HMAC algorithm from
the SFTP client to the SSH server,Preferred HMAC algorithm from the SSH server
to the SFTP client,Preferred algorithm of key exchange,Name of the outgoing
interface,Source address
5 Directory name and File name

To allow a user to log in to the CX device by using SFTP, you need to configure attributes of
Context
a user logs in to the CX device by using SFTP, the user authentication mode in the VTY user
To allow users to log in to the CX device by using SFTP, you need to configure VTY user
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH,
users cannot log in to the CX device by using SFTP.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-05-30)
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
Step 3 Run:
The AAA authentication mode is configured.
Step 4 Run:
The VTY user interface is configured to support SSH.
NOTE
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with
AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
6.4.4 Configuring an SSH User and Specifying SFTP as One of
Service Types
To allow a user to log in to the CX device by using SFTP, you must configure an SSH user,
specify a service type and authorized directory for the SSH user.
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all.
Password authentication depends on Authentication, Authorization and Accounting
(AAA). Before a user logs in to the CX device in password or password-RSA authentication
mode, you must create a local user with the specified user name in the AAA view.
l Configuring the CX device to generate a local RSA key pair is a key step for SSH login.
If an SSH user logs in to an SSH server in password authentication mode, configure the
server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA
authentication mode, configure both the server and the client to generate local RSA key
pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication.
The all authentication mode requires success of either password authentication or RSA authentication.
Do as follows on the CX device that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh user user-name
6-19
1. Run:
aaa
2. Run:
Step 3 Run:
rsa local-key-pair create
A local RSA key pair is generated.
NOTE
l Before performing the other SSH configurations, you must configure the rsa local-key-pair create
command to generate a local key pair.
l After generating the local key pair,you can perform the display rsa local-key-pair public command
to view the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured.
l Authenticate the SSH user through the password.
Run:
ssh user user-name authentication-type password
The password authentication is configured for the SSH user.
Run:
ssh authentication-type default password
The default password authentication is configured for the SSH user.
For the local authentication or HWTACACS authentication, if the number of SSH users
is small, you can adopt the former command; if the number of SSH users is large, adopt
the later command to simplify the configuration.
l Authenticate the SSH user through RSA.
1. Run:
ssh user user-name authentication-type rsa
The RSA authentication is configured for the SSH user.
2. Run:
3. Run:
4. Run:
hex-data
Issue 01 (2011-05-30)
NOTE
l In the public key view, only hexadecimal strings complying with the public key format can be
typed in. Each string is randomly generated on an SSH client. For detailed operations, see manuals
for SSH client software.
l After the public key editing view is displayed, the RSA public key generated on the client can
be sent to the server. Copy the RSA public key to the CX device that serves as the SSH server.
5. Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-
public-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does
not exist after the peer-public-key end command is run and the system view is
displayed.
6. Run:
peer-public-key end
7. Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.
Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users
1. Run:
The interval for updating the server key pair is configured.
By default, the interval for updating the key pair of the SSH server is 0 that indicates no
updating.
2. Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set.
By default, the timeout period is 60 seconds.
3. Run:
ssh server authentication-retries times
The number of retry times of the SSH authentication is set.
By default, the retry times is 3.
Step 6 (Optional) Authorizing SSH Users Through the Command Line
SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA
authentication mode, you can configure SSH users to be authorized based on command levels.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
6-21
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of an SSH user is set to SFTP or all.
By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for SSH users is configured.
By default, the authorized directory of the SFTP service for SSH users is cfcard:.
----End
6.4.5 Enabling the SFTP Service
Before enjoying the STelnet service, you need to enable it.
Context
By default, the CX device is not enabled with the SFTP server function. Users can establish
connections with the CX device by using SFTP only after the CX device is enabled with the
SFTP server function.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sftp server enable
The SFTP service is enabled.
By default, the SFTP service is disabled.
----End
Issue 01 (2011-05-30)
Context
l Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes
and key exchange modes with higher service capability, such as SFTP. The CX600 supports
the SSH protocol of version 1.3 to version 2.0.
l By default, the listening port number of an SSH server is 22. Users can directly log in to
the CX device by using the default listening port number. Attackers probably access the
default listening port, reducing available bandwidth, deteriorating performance of the
server, and causing valid users unable to access the server. After the listening port number
of the SSH server is changed, attackers do not know the new port number. This effectively
prevents attackers from accessing the listening port, improving security.
l You can set an interval at which the key pair of an SSH server is updated. When the timer
expires, the key pair is automatically updated, improving security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh server compatible-ssh1x enable
The earlier version-compatible function is enabled.
By default, the server enabled with SSH2.0 is compatible with the server enabled with SSH1.X.
To prevent the clients running SSH1.3 to SSH1.99 from logging in, you can run the undo ssh
server compatible-ssh1x enable command to disable the CX device from being compatible
with the SSH protocol of earlier versions.
Step 3 Run:
ssh server port port-number
If a new listening port number is configured, the SSH server interrupts all the STelnet and SFTP
connections and starts to listen to the new port. By default, the listening port number of an SSH
server is 22.
Step 4 Run:
By default, the interval at which the key pair of an SSH server is updated is 0, which means that
the key pair is not updated.
----End
6.4.7 Accessing the System by Using SFTP
After the configuration is complete, users can log in to the CX device from the user terminal by
using SFTP to manage files on the CX device.
Context
The third-party software can be used to access the CX device from the user terminal by using
SFTP. Here uses the third-party software OpenSSH and windows command line as an example.
6-23
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, see the installation guide of the software.
For details on how to use OpenSSH commands to log in to the CX device, see the help document of the
software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the CX device in SFTP mode.
When the command line prompt is displayed in the SFTP client view, such as sftp>, users have
entered the working directory of the SFTP server.

----End
Issue 01 (2011-05-30)
6.4.8 Performing File Operations by Using SFTP
On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH
server.
Context
After logging in to the SFTP server, you can perform the following operations:
l Displaying the SFTP client command help
l Managing the directory on the SFTP server
l Managing the directory on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform the
following one or more operations.
Procedure
l Run:
help [ all | command-name ]
The SFTP client command help is displayed.
l You can perform one or multiple of the following operations as required.
Run:
cd [ remote-directory ]
The current operating directory of users is changed.
Run:
pwd
The current operating directory of users is displayed.
Run:
dir/ls [ path ]
The file list in the specified directory is displayed.
Run:
rmdir remote-directory &<1-10>
The directory on the server is deleted.
Run:
A directory is created on the server.
l You can perform one or multiple of the following operations as required.
Run:
rename old-name new-name
The name of the specified file on the server is changed.
Run:
The file on the remote server is downloaded.
Run:
6-25
The local file is uploaded to the remote server.
Run:
rmdir remote-directory &<1-10>
The file on the server is removed.
----End
After performing file operations by using SFTP, you can view SSH user information and global
configurations of the SSH server.
Prerequisite
The configuration of SSH Users are complete.
Procedure
l Run the display ssh user-information username command to check the information about
the SSH client on the SSH server.
l Run the display ssh server status command on the SSH server to check its global
configurations.
l Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password, and its service type is sftp.
[HUAWEI] display ssh user-information client001
Sftp-directory : -
Service-type : sftp
If no SSH user is specified, information about all SSH users logging in to an SSH server will be
displayed.
Run the display ssh server status command to view global configurations of an SSH server.
<HUAWEI> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server : Enable
Stelnet server : Enable
SSH server port : 55535
NOTE
If the default interception port is in use, information about the current interception port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
Issue 01 (2011-05-30)
<HUAWEI> display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
6.5 Performing File Operations by Means of Xmodem
This section describes how to transfer files through XModem.
Before configuring XModem, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
6.5.2 Getting a File Through Xmodem
Using XModem, you can download files to a CX device through the AUX port.
Before configuring XModem, familiarize yourself with the applicable environment, complete
Configure XModem to transfer files through serial interfaces.
Before configuring XModem, complete the following tasks:
l Powering on the CX device
l Connecting the CX device and the PC through an AUX port or a console port
l Logging in to the CX device through the terminal emulation program and specifying a file
path in the terminal emulation program
Data Preparation
To configure XModem, you need the following data.
No. Data
1 Name of a specific file
2 Absolute path of the file

6-27
6.5.2 Getting a File Through Xmodem
Using XModem, you can download files to a CX device through the AUX port.
Context
XModem file transfer consists of receiving program and sending program.
l The receiving program first sends the negotiation character to negotiate the check mode.
l After the negotiation is successful, the sending program begins to send packets.
l When the receiving program receives a complete packet, it checks the packet in the
negotiated mode.
l If the check is successful, the receiving program sends the acknowledgement character and
then the sending program sends the next packet.
l If the check fails, the receiving program sends the denial character and the sending program
retransmits the packet.
CX600 provides the function of XModem receiving program, which is applied to the AUX port
and supports 128-byte packets and CRC. The function of XModem sending program is
automatically included in the HyperTerminal.
Do as follows on the CX device:
Procedure
l Run:
xmodem get { filename | devicename }
XModem is used to get the file.
NOTE
l Before getting the file, confirm the path and the name of the file that are to be sent.
l For the filename, an absolute path name is required.
l If the filename is similar to an existing one, the system sends a prompt asking you whether to
overwrite the file or not.
----End
This section provides an example for performing files by accessing the system and using FTP
or SFTP.These configuration examples explain networking requirements, configuration
roadmap, and configuration notes.
6.6.1 Example for Performing File Operations by Means of the File System
This section describes how to perform file operations by means of the file system. In this
example, you can log in to the CX device to view and copy directories.
6.6.2 Example for Performing File Operations by Means of FTP
This section provides an example for operating files by means of FTP.In this example, a PC
connected to a CX device logs in to the FTP server by entering the correct user name and
password through FTP, and then downloads files to the memory of the FTP client.
6.6.3 Example for Performing File Operations by Means of SFTP
Issue 01 (2011-05-30)
This section provides an example for operating files by using SFTP. In this example, a local key
pair is configured on the SSH server, and a user name and a password are configured on the
server for an SSH user. After SFTP services are enabled on the server and the SFTP client is
connected to the server, you can operate files between the client and the server.
6.6.4 Example for Performing File Operations by Means of Xmodem
In this example, you run the HyperTerminal on a PC and then log in to a CX device to download
files through the AUX port.
6.6.1 Example for Performing File Operations by Means of the File
System
This section describes how to perform file operations by means of the file system. In this
example, you can log in to the CX device to view and copy directories.
You can log in to the CX device through the Console interface, AUX interface, Telnet, or STelnet
to perform file operations on the CX device.
The file path in the storage device must be correct. If the user does not specify a target file name,
the source file name is the name of the target file by default.
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and view that the file is copied successfully to the specified directory.
Data Preparation
l Source file name and target file name
l Source file path and target file path
Procedure
Step 1 Display the file information in the current directory, cfcard:/ is the flash memory identifier.
<HUAWEI> dir cfcard:/
Directory of cfcard:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 64 Nov 15 2006 13:07:44 patchnpstate.dat
1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip
2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt
3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip
4 -rw- 7041 Aug 02 2007 11:02:00 license.txt
5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc
500192 KB total (347760 KB free)
Step 2 Copy files from hda1:/sample.txt to flash:/sample.txt
<HUAWEI> copy hda1:/sample.txt flash:/sample1.txt
Copy hda1:/sample.txt to flash:/sample1.txt?[Y/N]:y
6-29
100% complete
Info:Copied file hda1:/sample.txt to flash:/sample1.txt...Done
Copy files from cfcard2:/sample.txt to cfcard:/sample.txt
<HUAWEI> copy cfcard2:/sample.txt cfcard:/sample1.txt
Copy cfcard2:/sample.txt to cfcard:/sample1.txt?[Y/N]:y
100% complete
Info:Copied file cfcard2:/sample.txt to cfcard:/sample1.txt...Done
Step 3 Display the file information about the current directory, and you can view that the file is copied
to the specified directory.
1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip
2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt
3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip
5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc
6 -rw- 1605 Nov 18 2007 05:30:11 sample1.txt
----End
6.6.2 Example for Performing File Operations by Means of FTP
This section provides an example for operating files by means of FTP.In this example, a PC
connected to a CX device logs in to the FTP server by entering the correct user name and
password through FTP, and then downloads files to the memory of the FTP client.
As shown in Figure 6-1, after the FTP server is enabled on the CX device, you can log in to the
FTP server from the HyperTerminal to upload or download files.
Figure 6-1 Networking for performing file operations by using FTP
Network
GE1/0/1
10.137.217.221/16
PC FTP Server

1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories to be
accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
Issue 01 (2011-05-30)
5. Upload files to or download files from the FTP server.
Data Preparation
l IP address of the FTP server, that is, 10.137.217.221
l Timeout period for the FTP connection, that is, 30 minutes
l FTP username as huawei and password as huawei on the server
l The destination file name and its position in the FTP client
Procedure
Step 1 Configure the IP address of the FTP server.
[server] interface gigabitethernet1/0/1
[server-GigabitEthernet1/0/1] undo shutdown
[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/1] quit
Step 2 Enable the FTP server.
[HUAWEI] sysname server
[server] ftp server enable
[server] ftp timeout 30
Step 3 Configure the authentication information, authorization mode, and authorized directories for an
FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password simple huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit
Step 4 Run the FTP commands at the windows command line prompt, and enter the correct user name
and password to set tup an FTP connection with the FTP server.
Figure 6-2 Logging in to the FTP Server
6-31

Step 5 Upload and download files, as shown in the following figure.
Figure 6-3 Performing file operations by means of FTP
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed
information of the file.

----End
Configuration Files
l Configuration file of the FTP server.
#
sysname Server
#
FTP server enable
#
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password simple Huawei
local-user huawei service-type ftp
local-user huawei ftp-directory cfcard:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
Issue 01 (2011-05-30)
return
6.6.3 Example for Performing File Operations by Means of SFTP
This section provides an example for operating files by using SFTP. In this example, a local key
pair is configured on the SSH server, and a user name and a password are configured on the
server for an SSH user. After SFTP services are enabled on the server and the SFTP client is
connected to the server, you can operate files between the client and the server.
As shown in Figure 6-4, after SFTP services are enabled on the CX device functioning as an
SSH server, you can log in to the server in password, RSA, password-rsa, or all authentication
mode from a PC on the SFTP client.
Configure a user to log in to the SSH server in password authentication mode.
Figure 6-4 Networking diagram for operating files by using SFTP
Network
PC SSH Server
GE1/0/1
10.137.217.225/16

1. Configure a local key pair on the SSH server to securely exchange data between the SFTP
client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, user name, password, and
authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
l SSH user authentication mode: password, user name: client001, password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
6-33
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure VTY user interfaces on the SSH server.
Step 3 Configure the SSH user name and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 level 3
Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
Step 5 Configure the authorization directory for the SSH user.
[SSH Server] ssh user client001 service-type sftp
Step 6 Verify the configurations.
Figure 6-5 Accessing Interface
Issue 01 (2011-05-30)

----End
Configuration Files
#
sysname SSH Server
#
aaa
local-user client001 level 3
#
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
sftp server enable
#
#
return
6.6.4 Example for Performing File Operations by Means of Xmodem
In this example, you run the HyperTerminal on a PC and then log in to a CX device to download
files through the AUX port.
The CX device is connected to PC through the AUX port. Log in to the CX device through the
AUX port, to receive files from the AUX port and save the received files to the cfcard.
1. Run the HyperTerminal on the PC and log in to the CX device.
2. Use the xmodem get command to download files on the CX device, and specify the file
path on the HyperTerminal.
Data Preparation
l Files that are copied to the PC
l The path of the file in the PC
Procedure
Step 1 Log in to the CX device through the AUX port.
6-35
Refer to Chapter 2 "Logging in to the Devices Through the AUX Port" in the
CX600Configuration Guide - Basic Configuration.
Step 2 Use the XModem protocol to receive the file form the AUX port.
The received file is saved on the cfcard memory of the CX device and the file name is paf.txt.
<HUAWEI> xmodem get cfcard:/paf.txt
**** WARNING ****
xmodem is a slow transfer protocol limited to the current speed
settings of the auxiliary ports.
During the course of the download no exec input/output will be
available!
---- ******* ----
Proceed?[Y/N]y
Destination filename [cfcard:/ paf.txt]?
Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
Download with XMODEM protocol....
Step 3 Specify the file to be sent on the HyperTerminal.
Figure 6-6 Specifying the file to be sent

After the configuration, press Send to send the file.
Step 4 The system prompts that the file is sent successfully. Then, you can view the directory of the
filed named cfcard.
<HUAWEI>
Download successful!
<HUAWEI> dir
0 -rw- 10014764 Jun 20 2005 15:00:28 ne20-vrp5.10-c01b070.bin
1 -rw- 98776 Jul 27 2005 09:36:12 matnlog.dat
2 -rw- 28 Jul 27 2005 09:34:39 private-data.txt
3 -rw- 480 May 10 2003 11:25:18 vrpcfg.zip
4 -rw- 10103172 Jul 22 2005 16:40:37 ne20-vrp5.10-c01db90.bin
5 -rw- 1515 Jul 19 2005 17:39:55 vrpcfg.cfg
6 -rw- 3844 Jul 14 2004 11:51:45 exception.dat
7 -rw- 8628372 Jun 01 2005 10:14:34 ne20-vrp330-0521.01.bin
8 -rw- 45 Jul 27 2005 10:51:26 paf.txt
----End
Issue 01 (2011-05-30)
7 Configuring System Startup
About This Chapter
When the CX device starts, system software is started and configuration files are loaded. To
ensure smooth running of the CX device, you need to efficiently manage system software and
configuration files.
7.1 System Startup Overview
When the CX device starts, system software is started and configuration files are loaded.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the CX
device.
7.3 Specifying a File for System Startup
You can specify a file for system startup by specifying the system software and configuration
file for the next startup of the CX device.
This section provides an example for configuring system startup.These configuration examples
explain networking requirements, configuration roadmap, and configuration notes.
Configuration Guide - Basic Configurations 7 Configuring System Startup
7-1
7.1 System Startup Overview
When the CX device starts, system software is started and configuration files are loaded.
7.1.1 System Software
System software is the operation system of the CX device, and is the basis for the CX device to
run properly and provide various services.
7.1.2 Configuration Files
The configuration file is the add-in configuration item when restarting the CX device this time
or next time.
7.1.3 Configuration Files and Current Configurations
During the running of the CX device, configuration files and current configurations are
differently defined.
7.1.1 System Software
System software is the operation system of the CX device, and is the basis for the CX device to
run properly and provide various services.
The extension name of the system software file is .cc. The file must be saved in the root directory
of the storage device.
7.1.2 Configuration Files
The configuration file is the add-in configuration item when restarting the CX device this time
or next time.
The configuration file is a text file in the following formats:
l It is saved in the command format.
l To save space, default parameters are not saved.
l Commands are organized on the basis of the command view. All commands of the identical
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
l The sequence of command sections is global configuration, physical interface
configuration, logic interface configuration, routing protocol configuration and so on.
l The filename extension of the configuration file must be .cfg or .zip, and must be stored in
the root directory of a storage device.
NOTE
l The system can run the command with the maximum length of 512 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 512 characters. When the system restarts, these
commands cannot be restored.
7.1.3 Configuration Files and Current Configurations
During the running of the CX device, configuration files and current configurations are
differently defined.
Issue 01 (2011-05-30)
The concepts of configuration files and current configurations are as follows:
Concept Identifying Method
Configuration Files Initial configurations: On
powering on, the CX device
retrieves the configuration
files from a default save path
to initiate itself. If
configuration files do not
exist in the default save path,
the CX device uses the default
parameters.
l Run the display startup
command to view the
configuration files for the
current and next startup
operations on the CX
device.
l Run the display saved-
configuration command
to view the configuration
file for the next startup
operation on the CX
device.
Current Configurations Current configurations:
indicates the effective
configurations of the
currently running CX device.
Run the display current-
configuration command to
view the current
configurations on the CX
device.

Users can modify the current configurations of the CX device through the command line
interface. Use the save command to save the current configuration to the configuration file of
the default storage devices, and the current configuration becomes the initial configuration of
the CX device when the CX device is powered on next time.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the CX
device.
Before managing configuration files, familiarize yourself with the applicable environment,
7.2.2 Saving Configuration Files
The configurations completed by using command lines are valid for only the current operation
on the CX device. To allow the configurations to be valid for the next startup operation, you
need to save the current configurations to configuration files before restarting the CX device.
7.2.3 Clearing a Configuration File
You can clear the configuration file that has been loaded to a device, or clear the inactive
configurations of the boards that are not installed in slots.
7.2.4 Comparing Configuration Files
You can determine whether the current configuration file is the same as the one for the next
startup operation or a specified one on the CX device by comparing them.
7-3
After managing configuration files, you can view the current configuration files and files in the
storage device.
Before managing configuration files, familiarize yourself with the applicable environment,
You can manage configuration files by saving, clearing, and comparing configuration files. To
upgrade the CX device, take preventive measures, repair configuration files, and view
configurations after the CX device starts, you need to manage configuration files.
Before managing configuration files, complete the following task:
l Installing the CX device and starting it properly
Data Preparation
To manage configuration files, you need the following data.
No. Data
1 Configuration file and its name
2 Saving configuration files interval and delay interval
3 The number of the start line from which the comparison of the configuration files
begins

7.2.2 Saving Configuration Files
The configurations completed by using command lines are valid for only the current operation
on the CX device. To allow the configurations to be valid for the next startup operation, you
need to save the current configurations to configuration files before restarting the CX device.
Context
The system can save the configuration files periodically or in real time to prevent data loss when
the CX device is powered off or accidentally restarted.
Run one of the following commands to save configuration files.
Procedure
l Run:
Issue 01 (2011-05-30)
CAUTION
When the automatic saving function is enabled and the LPU is not properly installed,
corresponding configurations may be lost.
1. system-view
2. set save-configuration [ interval interval | cpu-limit cpu-usage |delay
delay-interval ]
*
The configuration file is saved at intervals.
After the parameter interval interval is specified, the device saves the configuration
file at specified intervals regardless of whether the configuration file is changed.
If the set save-configuration command is not run, the system does not
automatically save configurations.
If the set save-configuration command without specified interval is run, the
system automatically saves configurations at 30-minute intervals.
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After delay delay-interval is specified, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After automatic saving of configurations is configured, the system automatically saves
the changed configurations to the configuration file for the next startup and
configuration files are changed accordingly with the saved configurations.
Before configuring the automatic configure file saving on the server, you need to run
the set save-configuration backup-to-server server server-ip [ transport-type
{ ftp | sftp } ] user user-name password password [ path folder ] or set save-
configuration backup-to-server server server-ip transport-type tftp [ path
folder ] command to configure the server, including the IP address, user name,
password of the server, destination path, and mode of transporting the configuration
file to the server.
NOTE
If TFTP is used, run the tftp client-source command to configure a loopback interface address as a
client source IP address on the CX device, improving security.
l Run:
save [ all ] [ configuration-file ]
The current configurations are saved.
The filename extension of the configuration file must be .cfg or .zip. The system startup
configuration file must be saved in the root directory of a storage device.
The user can modify the current configuration through the command line interface. To set
the current configuration as initial configuration when the CX device starts next time, you
can use the save command to save the current configuration in the cfcard memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that are not inserted, to the default directory.
7-5
NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the CX device asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip"
is the default configuration file and initially contains no configuration.
----End
7.2.3 Clearing a Configuration File
You can clear the configuration file that has been loaded to a device, or clear the inactive
Context
The configuration file stored in cfcard memory needs to be cleared in the following cases:
l The system software does not match the configuration file after the CX device has been
upgraded.
l The configuration file is destroyed or an incorrect configuration file has been loaded.
Do as follows to clear the contents of a configuration file:
Procedure
l Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
If the configuration file of the CX device used for the current startup is the same as that
used for the next startup, running the reset saved-configuration command will clear
both the configuration files. The CX device will uses the default configuration file for
the next startup.
If the configuration file of the CX device used for the current startup is different from
that used at the next startup, running the reset saved-configuration command will clear
the configuration file used for the current startup.
If the configuration file of the CX device used for the current startup is empty, the system
will prompt you that the configuration file does not exist after you run the reset saved-
configuration command.
CAUTION
l After the contents of a configuration file are cleared, the empty configuration file with
the original file name is left.
l If you do not run the startup saved-configuration configuration-file command to
specify a new correct configuration file, or do not run the save command to save the
configuration file after the configuration file is cleared, the CX device will use the
default configuration file at the next startup.
l Exercise caution when running this command. If necessary, do it under the guidance of
Huawei technical support personnel.
l Clear the inactive configurations of the boards that are not installed in slots.
Issue 01 (2011-05-30)
1. Run the system-view command to enter the system view.
2. Run the clear inactive-configuration slot command to clear the inactive
----End
7.2.4 Comparing Configuration Files
You can determine whether the current configuration file is the same as the one for the next
startup operation or a specified one on the CX device by comparing them.
Context
You can determine whether to specify the current configuration file as the one for the next startup
operation by comparing the current configuration file with the one for the next startup operation.
Procedure
l Run:
compare configuration [ configuration-file ] [ current-line-number save-line-
number ]
The current configuration is compared with the configuration file for next startup.
If configuration-file is configured, the system checks whether the current configuration
file is the same as the specified configuration file.
If no parameter is set, the comparison begins with the first lines of configuration files.
current-line-number and save-line-number are used to continue the comparison by
ignoring the differences between the configuration files.
When comparing differences between the configuration files, the system displays the
contents of the current configuration file and saved configuration file from the first different
line. By default, 150 characters are displayed for each configuration file. If the number of
characters from the first different line to the end is less than 150, the contents after the first
different line are all displayed.
NOTE
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
----End
After managing configuration files, you can view the current configuration files and files in the
storage device.
Prerequisite
The configuration of Managing Configuration Files are complete.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
7-7
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ]command to check current configurations.
l Run the display startup command to check files for startup.
l Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
l Run the display saved-configuration configuration command to view configurations of
the autosave function, including the status of the autosave function, time for autosave check,
threshold for the CPU usage, and period during which configurations are unchanged (when
the period expires, configurations are automatically saved).
l Run the display changed-configuration time command to check the time of the last
configuration change.
----End
Example
Run the display startup command to check files for startup.
<HUAWEI> display startup
MainBoard:
7.3 Specifying a File for System Startup
You can specify a file for system startup by specifying the system software and configuration
file for the next startup of the CX device.
Before specifying a file for system startup, familiarize yourself with the applicable environment,
7.3.2 Configuring System Software for a CX device to Load for the Next Startup
To upgrade the system software of a CX device, you can specify the CX600 system software to
be loaded for the next startup.
7.3.3 Configuring the Configuration File for CX- to Load for the Next Startup
Before restarting a CX device, you can specify the configuration files that are loaded for the
next startup.
After specifying a file for system startup, you can check the contents of the configuration file to
be loaded and the information about the file to be used during the next startup on the CX
device.
Issue 01 (2011-05-30)
Before specifying a file for system startup, familiarize yourself with the applicable environment,
To enable the CX device to provide user-defined configurations during the next startup, you
need to correctly specify the system software and configuration file for the next startup.
Before specifying a file for the system startup, complete the following task:
l Installing the CX device and powering it on properly
Data Preparation
To specify a file for system startup, you need the following data.
No. Data
1 System software and its file name on the CX600
2 Configuration file and its file name on the CX600

7.3.2 Configuring System Software for a CX device to Load for the
Next Startup
To upgrade the system software of a CX device, you can specify the CX600 system software to
be loaded for the next startup.
Context
If no system software is specified for the next startup operation of the CX device, the system
software loaded this time will be started during the next startup operation. To change system
software for the next startup operation, you need to specify the required one.
The filename extension of the system software must be .cc and must be stored in the root directory
of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The CX600 system software for the CX device to load next time when it starts is configured.
You can specify the system-file and use the system software for the next startup that is saved on
the device.
7-9
slave-board is valid only on the CX device with dual main control boards.
----End
7.3.3 Configuring the Configuration File for CX- to Load for the
Next Startup
Before restarting a CX device, you can specify the configuration files that are loaded for the
next startup.
Context
You can run the display startup command on the CX device to check whether the configuration
file to be loaded during the next startup operation is specified. If no configuration file is specified,
the default configuration file is loaded during the next startup operation.
The filename extension of the configuration file must be .cfg or .zip, and must be stored in the
root directory of a storage device.
When the CX device turns on, it initiates by reading the configuration file from the cfcard
memory by default. Thus, the configuration in this configuration file is called initial
configuration. If no configuration file is saved in the cfcard, the CX device initiates with default
parameters.
Procedure
l Run:
startup saved-configuration configuration-file
Configuration file is saved for the CX device to load next time on startup.
----End
After specifying a file for system startup, you can check the contents of the configuration file to
be loaded and the information about the file to be used during the next startup on the CX
device.
Prerequisite
The file has been specified for system startup.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filterfilter-expression ] | filterfilter-expression ] command to
check current configurations.
l Run the display saved-configuration [ last | time | configuration ] command to check the
contents of the configuration file to be loaded during the next startup.
l Run the display startup command to check information about the files to be used during
the next startup.
Issue 01 (2011-05-30)
l Run the display current-configuration slave command to check the configuration of the
slave board.
----End
Example
Run the display startup command to check information about the files to be used during the
next startup.
MainBoard:
This section provides an example for configuring system startup.These configuration examples
explain networking requirements, configuration roadmap, and configuration notes.
7.4.1 Example for Configuring System Startup
This section provides an example for configuring system startup. In this example, the
configuration file is saved and the system software and configuration file to be loaded during
the next startup are specified so that the CX device can start in a required manner.
7.4.1 Example for Configuring System Startup
This section provides an example for configuring system startup. In this example, the
configuration file is saved and the system software and configuration file to be loaded during
the next startup are specified so that the CX device can start in a required manner.
The CX device is installed with double main control boards. After the CX device is configured,
new configurations take effect after the system restarts.
1. Save the current configuration.
2. Specify the configuration file to be loaded during the next startup of the CX device.
3. Specify the system software to be loaded during the next startup of the CX device.
Data Preparation
7-11
l Name of the configuration file
l File name of the system software
Procedure
Step 1 Check the configuration file and system software that are used during the current startup.
MainBoard:
Step 2 Save the current configuration to the specified file.
<HUAWEI> save vrpcfg.cfg
The system prompts you whether to save the current configuration to the file named vrpcfg.cfg
on the master and slave main control boards. After entering y at the prompt, you save the
configuration successfully.
Step 3 Specify the configuration file to be loaded during the next startup of the CX device.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded during the next startup of the CX device.
Specify the system software to be loaded during the next startup of the master main control
board.
<HUAWEI> startup system-software V600R003C00.cc
Specify the system software to be loaded during the next startup of the slave main control board.
<HUAWEI> startup system-software V600R003C00.cc slave-board
NOTE
l The slave main control board automatically synchronizes with the master main control board after the
configuration file to be loaded during the next startup is specified for the master main control board.
l Ensure that the system software to be loaded during the next startup of the CX device is saved on the
master and slave main control boards of the CX device. Configure the system software to be loaded
during the next startup of the master and slave main control boards respectively.
After the configuration is complete, run the following command to check the configuration file
and system software to be loaded during the next startup of the CX device.
MainBoard:
Next startup saved-configuration file: cfcard:/vrpcfg.cfg
Issue 01 (2011-05-30)
----End
Configuration Files
None.
7-13
8 Accessing Another Device
About This Chapter
To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
8.1 Accessing Another Device
This section describes how to access another device on the network by using Telnet, FTP, TFTP,
or SSH.
8.2 Logging in to Other Devices by Using Telnet
On the network, a large number of CX devices need to be managed and maintained. Not all CX
devices, however, can be connected to terminal PCs. In addition, there are not reachable routes
between some CX devices and terminal PCs. To manage and maintain CX devices remotely,
you can log in to them by using Telnet from a device that you have logged in to.
8.3 Connecting to Another Device by Using the Telnet Redirection Function
If the client is not connected to the remote device on an IP network, you can manage the device
by using the Telnet redirection function on the CX device.
8.4 Logging in to Another Device by Using STelnet
STelnet ensures secure Telnet services. You can log in to another CX device from the CX
device that you have logged in to by using STelnet, and thus to manage the device remotely.
8.5 Accessing Files on Another Device by Using TFTP
You can configure the CX device as a TFTP client, and log in to the TFTP server to upload and
download files.
8.6 Accessing Files on Another Device by Using FTP
This section describes how to configure the CX device as an FTP client to log in to the FTP
server, and to upload files to or download files from the server.
8.7 Accessing Files on Another Device by Using SFTP
SFTP is a secure FTP service. After the CX device is configured as an SFTP client. The SFTP
server authenticates the client and encrypts data in both directions to provide secure data
transmission.
Configuration Guide - Basic Configurations 8 Accessing Another Device
8-1
This section describes examples for access another device. The examples explain networking
Issue 01 (2011-05-30)
8.1 Accessing Another Device
This section describes how to access another device on the network by using Telnet, FTP, TFTP,
or SSH.
Figure 8-1 Networking diagram for accessing another device from the CX device
Network Network
PC Client
Server
As shown in Figure 8-1, when you run the terminal emulation program or Telnet program on a
PC to connect to the CX device successfully, the CX device can still function as a client to access
another device on the network by using the following one or more methods.

8.1.1 Telnet Method
To configure and manage remote device on the network, you can use the CX device that you
have logged in to as a client to log in to the device, or use the redirection terminal service on
theCX device to log in to the device.
8.1.2 FTP Method
To access files on a remote FTP server, you can establish a connection between the CX device
that you have logged in to and the remote FTP server by using FTP.
8.1.3 TFTP Method
On the network, if a client communicates with a server in a comparatively simple interaction
environment, you can enable TFTP services on the CX device that functions as a client to access
files on the TFTP server.
8.1.4 SSH Method
To securely access another device on the network, you can log in to it by using SSH (including
STelnet,SFTP) from the CX device that you have logged in to.
8.1.1 Telnet Method
To configure and manage remote device on the network, you can use the CX device that you
have logged in to as a client to log in to the device, or use the redirection terminal service on
theCX device to log in to the device.
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service through the network.
The CX600 provides the following Telnet services:
l Telnet server: You can run the Telnet client program on a PC to log in to the CX device,
configure and manage it. The CX device acts as a Telnet server.
l Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the CX device. With the telnet command, you can log in to other CX
8-3
devices to configure and manage them. As shown in Figure 8-2,CX- A serves as both the
Telnet server and the Telnet client.
Figure 8-2 Telnet client services
CX-A PC CX-B
Telnet Session 1 Telnet Session2
Telnet Server

l Redirection terminal services: You can run the Telnet client program on a PC to log in to
the CX device through a specified port number. Then connect with the serial interface
devices that are connected with the asynchronous interface of the CX device, as shown in
Figure 8-3. The typical application is to connect the asynchronous interface of the CX
device with multiple devices for their remote configuration and maintenance.
Figure 8-3 Telnet redirection services
Ethernet
PC
CX600
Router2 Modem Switch Router1
Async0
Async1
Async2
Async3

NOTE
Only the devices that provide the asynchronous interface support the Telnet redirection service.
l Interruption of Telnet services
In Telnet connection, you can use two types of shortcut keys to interrupt the connection.
As shown in Figure 8-4, CX- A logs in to CX- B through Telnet, and CX- B logs in to
CX- C through Telnet. Thus, a cascade network is formed. In this case, CX- A is the client
of CX- B and CX- B is the client of CX- C. Figure 8-4 illustrates the usage of the two types
of shortcut keys.
Issue 01 (2011-05-30)
Figure 8-4 Usage of Telnet shortcut keys
CX-B CX-C
Telnet Session 1 Telnet Session2
Telnet
Server
CX-A
Telnet
Client

<Ctrl_]>: The server interrupts the connection.
If the network connection is normal, when you press Ctrl_], the Telnet server interrupts
the current Telnet connection actively. For example:
<CX-C>
Press <Ctrl_]> to return to the prompt of CX-B.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<CX-B>
Press <Ctrl_]> to return to the prompt of CX-A.
Info: The connection was closed by the remote host.
<CX-A>
NOTE
If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to the
server.
<Ctrl_T>: The client interrupts the connection.
When the server fails and the client is unaware of the failure, the server does not respond
to the input of the client. In this case, if you press Ctrl_T, the Telnet client interrupts the
connection actively and quits the Telnet connection.
For example:
<CX-C>
Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.
<CX-A>
CAUTION
When the number of remote login users reaches to the maximum number of VTY user
interfaces, the system prompts that all user interfaces are in use and you cannot use Telnet
to log in.
8.1.2 FTP Method
To access files on a remote FTP server, you can establish a connection between the CX device
that you have logged in to and the remote FTP server by using FTP.
8-5
FTP can transmit files between hosts, and provide users with common FTP commands to simply
manage file system. To be specific, through the FTP client program outside the router, users can
upload or download the files and access the directories on the router; through the FTP client
program inside the router, users can transfer files to the FTP servers of other devices.
8.1.3 TFTP Method
On the network, if a client communicates with a server in a comparatively simple interaction
environment, you can enable TFTP services on the CX device that functions as a client to access
files on the TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Compared with FTP, TFTP does not have a complex interactive access interface and
authentication control. TFTP is applicable in an environment where there is no complex
interaction between the client and the server. For example, TFTP is used to obtain the memory
image of the system when the system starts up.
TFTP is implemented based on the User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read request packet
to the TFTP server, receives packets from the server, and sends acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP transfers the files in two formats:
l The binary format: transfers program files.
l The ASCII format: transfers text files.
At present, the CX600 serves only as the TFTP client and transfers files in the binary format.
8.1.4 SSH Method
To securely access another device on the network, you can log in to it by using SSH (including
STelnet,SFTP) from the CX device that you have logged in to.
SSH Overview
When users on an insecure network log in to the CX device through Telnet, the Secure Shell
(SSH) feature ensures information security and authentication. It protects the CX device from
attacks such as IP address spoofing and interception of plain text password.
The SSH client function allows users to establish SSH connections with CX device serving as
SSH server or with UNIX hosts.
SSH Client Function
The CX600 supports the STelnet client function ,the SFTP client function.
l STelnet client
The Telnet protocol does not provide secure authentication. The TCP transmits data in plain
text. This leads to security problems. The system also faces serious threats from DOS
Issue 01 (2011-05-30)
(Denial of Service) attacks, the host IP address spoofing, and routing spoofing. Telnet
services are prone to network attacks.
SSH implements secure remote access on insecure networks and it has the following
advantages compared with Telnet:
SSH supports Remote Subscriber Access (RSA) authentication. In RSA authentication,
SSH generates and exchanges public and private keys compliant with asymmetric
encipherment system to ensure the session security.
SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
The user name and the password are both encrypted in the communication between the
SSH client and the SSH server. This prevents password interception.
SSH encrypts the transmitted data.
When the STelnet server or the connection to the client is faulty, the client must detect the
fault in time and release the connection voluntarily. To implement this, when logging in to
the server through Stelnet, the client must be configured with the interval for sending the
keepalive packet and the number of times for no reply restriction on the server if no packet
is received by the client. If a client does not receive any packet within specified period, the
client sends a keepalive packet to the server. If the number of times of no reply restriction
exceeds the specified number, the client releases the connection voluntarily.
l SFTP client
SFTP is short for Secure FTP. You can log in to a device from the secure remote end to
manage files. This improves the security of data transmission when the remote system is
updated. Meanwhile, the client function enables you to log in to the remote device through
SFTP for secure file transmission.
When the SFTP server or the connection between it and the client is faulty, the client must
detect the fault in time and releases the connection voluntarily. To implement this, when
logging in to the server through SFTP, the client must be configured with the period of
sending the keepalive packet and the number of times for no reply restriction on the server
if no packet is received by the client. If a client does not receive any packet within specified
period, the client sends a keepalive packet to the server. If the number of times of no reply
restriction exceeds the specified number, the client takes the initiative to release the
connection.
8.2 Logging in to Other Devices by Using Telnet
On the network, a large number of CX devices need to be managed and maintained. Not all CX
devices, however, can be connected to terminal PCs. In addition, there are not reachable routes
between some CX devices and terminal PCs. To manage and maintain CX devices remotely,
you can log in to them by using Telnet from a device that you have logged in to.
Before establishing the configuration task of logging in to another CX device from the CX
device that you have logged in to, familiarize yourself with the applicable environment, complete
8.2.2 (Optional) Configuring a Source IP Address for an Telnet Client
You can configure a source IP address for an Telnet client. Then, you can set up an Telnet
connection from the Telnet client to the server through a specific route by using this source IP
address.
8-7
8.2.3 Logging in to Another Device by Using Telnet
You can log in to another CX device and manage it by using Telnet.
When you log in to another CX device successfully from the CX device that you have logged
in to, you can check information about the established TCP connection.
Before establishing the configuration task of logging in to another CX device from the CX
device that you have logged in to, familiarize yourself with the applicable environment, complete
Figure 8-5 Networking diagram for accessing another device from the CX device that you have
logged in to
Network Network
PC CX-A CX-B

As shown in Figure 8-5, you can log in to CX- A from a PC by using Telnet, but cannot manage
CX- B remotely. This is because there is no reachable route between the PC and CX- B. To
manage CX- B remotely, you can log in to it from CX- A by using Telnet.
In this situation, CX- A functions as a Telnet client, and CX- B that you attempt to log in to
functions as a server.
Before logging in to another device on the network by using Telnet, complete the following
tasks:
l Ensuring that the CX device that you attempt to log in to works properly, and enabling
Telnet services on the device
l Ensuring that there is a reachable route between the CX device that you have logged into
and the CX device that you attempt to log in to
Data Preparation
To log in to another device by using Telnet, you need the following data:
No. Data
1 IP address or host name of CX-B
2 Number of the TCP port used by the CX-B to provide Telnet services
Issue 01 (2011-05-30)

8.2.2 (Optional) Configuring a Source IP Address for an Telnet
Client
You can configure a source IP address for an Telnet client. Then, you can set up an Telnet
connection from the Telnet client to the server through a specific route by using this source IP
address.
Context
An IP address is configured for an interface on the CX device and functions as the source IP
address of an telnet connection. In this manner, security checks can be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a CX device that functions as an Telnet client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of an Telnet client is configured.
After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured one.
----End
8.2.3 Logging in to Another Device by Using Telnet
You can log in to another CX device and manage it by using Telnet.
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can log in to a
host, and then remotely log in to another host by using Telnet to configure and manage the remote
host. In this manner, not each host is required to connect to a hardware terminal.
Do as follows on the CX device that serves as a Telnet client:
Procedure
l Select and perform one of the following two steps for IPv4 or IPv6.
Run:
telnet [ vpn-instance vpn-instance-name ] [-a source-ip-address ] host-
name [ port-number ]
Log in to the CX device and manage other CX devices.
8-9
Run:
telnet ipv6 [ -a source-ip-address ] [ vpn-instance vpn-instance-name ]
host-name [ -i interface-type interface-number ] [ port-number ]
Log in to the CX device and manage other CX devices.
----End
When you log in to another CX device successfully from the CX device that you have logged
in to, you can check information about the established TCP connection.
Prerequisite
All configurations for logging in to another device are complete.
Procedure
l Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0
Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established
8.3 Connecting to Another Device by Using the Telnet
Redirection Function
If the client is not connected to the remote device on an IP network, you can manage the device
by using the Telnet redirection function on the CX device.
Before establishing the configuration task of redirecting the client login to another device,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the required data. This can help you complete the configuration task quickly and
accurately.
8.3.2 Enabling the Telnet Redirection Function
After the redirection function is enabled on the CX device that functions as a Telnet client, you
can log in to a remote device from a specified interface of the client to manage and maintain the
remote device.
8.3.3 Connecting Another Device by Using the Telnet Redirection Function
You can log in to a device to be managed from the CX device functioning as a Telnet client by
using the Telnet redirection function.
Issue 01 (2011-05-30)
After logging in to another device remotely by using Telnet, you can check status information
about the current TCP connection.
Before establishing the configuration task of redirecting the client login to another device,
accurately.
If a remote device needs to be managed and maintained but is not connected with the terminal
PC on the IP network, such as a new device on the network, you can log in to the remote device
from a CX device by using the Telnet redirection function.
The remote device can be a device that supports serial interfaces, such as a CX device, a switch,
or a modem.
Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet
Network
Console
PC CX-A CX-B
Aux
Session

As shown in Figure 8-6, remote CX- B is not connected with the client over the IP network. If
CX- B needs to be managed remotely, you can use the Telnet redirection function of CX- A.
That is, connect the asynchronous serial interface of CX- A to the serial interface of CX- B. This
allows you to run the Telnet client program on the PC to log in to CX- B by using a specified
interface, and thus to manage and maintain the device remotely.
CX- B in the diagram above has been configured with serial interfaces. CX- A is directly
connected with CX- B.
Before redirecting the client to another device by using Telnet, complete the following tasks:
l Configuring a reachable route between the client and CX- A
l Powering on the remote device
l CX deviceis directly connected with the remote device by configuring cable
Data Preparation
To log in to another device by using the Telnet redirection function, you need the following data:
8-11
No. Data
1 IP address of CX deviceCX- A

8.3.2 Enabling the Telnet Redirection Function
After the redirection function is enabled on the CX device that functions as a Telnet client, you
can log in to a remote device from a specified interface of the client to manage and maintain the
remote device.
Context
The Telnet redirection function is supported by the products whose AUX ports or TTY interfaces
can be configured with this function.
Perform the following steps on the CX device:
Procedure
Step 1 Run:
system-view
Step 2 Run:
The AUX0 user interface is displayed.
Step 3 Run:
undo shell
Terminal services are disabled on the AUX0 user interface.
Step 4 Run:
redirect
The Telnet redirection function is enabled on the AUX0 user interface.
NOTE
l After the Telnet redirection function is enabled, the interface number used for redirection will be
assigned. AUX0 is numbered as 33, and the interface number is therefore 2033.
l You can log in to the remote device that needs to be managed and maintained from the Telnet client
by using the specified interface.
----End
8.3.3 Connecting Another Device by Using the Telnet Redirection
Function
You can log in to a device to be managed from the CX device functioning as a Telnet client by
using the Telnet redirection function.
Issue 01 (2011-05-30)
Context
Users attempt to log in to another device by using a specified interface of the client.
Perform the following step on the client:
Procedure
l Run:
telnet host-name port-number
Logging in to the remote device succeeds.
The host-name parameter specifies the IP address or host name of the CX device that has
enabled the redirection function.
----End
After logging in to another device remotely by using Telnet, you can check status information
about the current TCP connection.
Prerequisite
The configurations for logging in to another device by using the Telnet redirection function are
complete.
Context
l Run the display tcp status command to check status information about the established TCP
connection.
Example
Run the display tcp status command to view status information about the established TCP
connection.
348d3c50 6 /1 0.0.0.0:21 0.0.0.0:0 23553
Listening
3b558554 128/1 0.0.0.0:23 0.0.0.0:0 23553
Listening
31cf1978 128/4 0.0.0.0:2033 0.0.0.0:0 23553
Listening
31cf1bb0 128/6 0.0.0.0:4033 0.0.0.0:0 23553
Listening
11a22ad8 128/3 10.137.217.225:23 10.138.77.38:3670 0
Established
8.4 Logging in to Another Device by Using STelnet
STelnet ensures secure Telnet services. You can log in to another CX device from the CX
device that you have logged in to by using STelnet, and thus to manage the device remotely.
8-13
Before establishing the configuration task of logging in to another device by using Stelnet,
accurately.
8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time
Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time.
8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key
to the SSH Server)
To configure the first successful login to another device on the SSH client, you need to allocate
an RSA public key to the SSH server before the login.
8.4.4 Logging in to Another Device by Using STelnet
You can log in to the SSH server from the SSH client by using STelnet.
8.4.5 Checking the configuration
After the configuration task of logging in to another device by using STelnet is established, you
can check the mappings between all SSH servers of the STelnet client and the RSA public keys
on the client, the global configurations of the SSH servers, and the sessions between the SSH
servers and the STelnet client.
Before establishing the configuration task of logging in to another device by using Stelnet,
accurately.
Logins by using Telnet bring security risks because no secure authentication mechanism is
available and data is transmitted by using TCP in plain text mode.
STelnet is short for SSH Telnet that is a secure Telnet protocol. STelnet is on the basis of SSH.
SSH users can use STelnet services as Telnet services.
In this configuration, the CX- that you have logged in to functions as a Telnet client, and
theCX- that you attempt to log in to functions as an SSH server.
Before logging in to another device by using STelnet, complete the following tasks:
l Configuring a reachable route between the client and SSH server
Data Preparation
To log in to another device by using STelnet, you need the following data:
No. Data
1 Name of the SSH server,Public key that is assigned by the client to the SSH server
Issue 01 (2011-05-30)
No. Data
2 IPv4 or IPv6 address or host name of the SSH server,Number of the port monitored
by the SSH server,Preferred encrypted algorithm from the SFTP client to the SSH
server,Preferred encrypted algorithm from the SSH server to the SFTP
client,Preferred HMAC algorithm from the SFTP client to the SSH server,Preferred
HMAC algorithm from the SSH server to the SFTP client,Preferred algorithm of key
exchange
The user information for logging in to the SSH server

8.4.2 Configuring the First Successful Login to Another Device
(Enabling the First-Time Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the STelnet client does not check
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
Do as follows on the CX device that serves as an SSH client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh client first-time enable
The first-time authentication on the SSH client is enabled.
By default, the first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the
SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA
public key in advance to the SSH server on the SSH client in addition to enabling the first-time
authentication on the SSH client.
----End
8-15
(Allocating an RSA Public Key to the SSH Server)
Context
If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in
to the SSH server for the first time, the STelnet client fails to pass the check on the RSA public
key validity and cannot log in to the server.So you need to allocate an RSA public key to the
SSH server before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
hex-data
The public key must be a string of hexadecimal alphanumeric characters. It is automatically
generated by an SSH client. You can run the display rsa local-key-pair public command to
view a generated public key.
NOTE
Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH
server and must be configured on the SSH client. Then, the STelnet client client can successfully undergo
the validity check on the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Issue 01 (2011-05-30)
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
8.4.4 Logging in to Another Device by Using STelnet
You can log in to the SSH server from the SSH client by using STelnet.
Context
When accessing an SSH server, the STelnet client can carry the source address and the VPN
instance name and choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and configure the keepalive function.
Procedure
Step 1 Run:
system-view
Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-
name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] ]
*
[ -ki aliveinterval [ -kc alivecountmax ] ] command. You
can log in to the SSH server through STelnet.
Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ]
[ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] ]
*
[ -ki aliveinterval [ -kc alivecountmax ] ] command. You
can log in to the SSH server through STelnet.
----End
8-17
8.4.5 Checking the configuration
After the configuration task of logging in to another device by using STelnet is established, you
can check the mappings between all SSH servers of the STelnet client and the RSA public keys
on the client, the global configurations of the SSH servers, and the sessions between the SSH
servers and the STelnet client.
Prerequisite
The configurations for logging in to another device by using STelnet are complete.
Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA public keys on the client.
----End
Example
Run the display ssh server-info to view the mappings between all servers of the SSH client and
the RSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.164.39.223 10.164.39.223
11.11.11.23 11.11.11.23
10.164.39.204 10.164.39.204
10.164.39.222 10.164.39.222
8.5 Accessing Files on Another Device by Using TFTP
You can configure the CX device as a TFTP client, and log in to the TFTP server to upload and
download files.
Before accessing another device by using TFTP, familiarize yourself with the applicable
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection
from the TFTP client to the server through a specific route by using this source IP address.
8.5.3 (Optional) Configuring TFTP Access Authority
This section describes how to use an ACL rule to authorize the users to specify the TFTP servers
that can be accessed by using TFTP from the CX device that you have logged in to.
8.5.4 Downloading Files by Using TFTP
You can download files from the TFTP server to the TFTP client.
8.5.5 Uploading Files by Using TFTP
You can upload files from the TFTP client to the TFTP server.
Issue 01 (2011-05-30)
When a device is configured to be a TFTP client, you can check the source address of the client
and the configured ACl rule.
Before accessing another device by using TFTP, familiarize yourself with the applicable
You can transfer files through TFTP between the server and the client in a simple interaction
environment.
The current CX- functions as a TFTP client, and theCX- to be accessed functions as a TFTP
server.
Before accessing another device by using TFTP, complete the following tasks:
l Configuring a reachable route between the client and TFTP server
Data Preparation
To access another device by using TFTP, you need the following data.
No. Data
1 (Optional) Source address or source interface of the CX device that functions as a
TFTP client
2 IP address or host name of the TFTP server
3 Name of the specific file in the TFTP server and the file directory

8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client
You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection
from the TFTP client to the server through a specific route by using this source IP address.
Context
address of a TFTP connection. In this manner, security checks can be implemented.
Do as follows on a CX device that functions as a TFTP client.
8-19
Procedure
Step 1 Run:
system-view
Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
8.5.3 (Optional) Configuring TFTP Access Authority
This section describes how to use an ACL rule to authorize the users to specify the TFTP servers
that can be accessed by using TFTP from the CX device that you have logged in to.
Context
An Access Control List (ACL) is a set of sequential rules. These rules are described based on
the source address, destination address, and port number of a packet. CX-s use the ACL rules
to filter packets. With the rule applied to the interface on a CX device, the CX device permits
or denies the packets.
Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Do as follows on the CX device that serves as the TFTP client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address
source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ]
*
The ACL rule is configured.
Step 4 Run:
quit
Issue 01 (2011-05-30)
Step 5 Run:
tftp-server acl acl-number
The ACL can be used to limit the access to the TFTP server.
----End
8.5.4 Downloading Files by Using TFTP
You can download files from the TFTP server to the TFTP client.
Procedure
l Run the following commands according to the type of the server IP addresses.
The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
The CX device is configured to download files through TFTP.
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] get source-filename [ destination-filename ]
The CX device is configured to download files through TFTP.
----End
8.5.5 Uploading Files by Using TFTP
You can upload files from the TFTP client to the TFTP server.
Procedure
l Run the following commands according to the type of the server IP addresses.
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
The CX device is configured to upload files through TFTP.
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] put source-filename [ destination-filename ]
The CX device is configured to upload files through TFTP.
----End
When a device is configured to be a TFTP client, you can check the source address of the client
and the configured ACl rule.
8-21
Prerequisite
Configurations of using the device as a TFTP client are complete.
Procedure
l Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configured
on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 1.1.1.1 0
8.6 Accessing Files on Another Device by Using FTP
This section describes how to configure the CX device as an FTP client to log in to the FTP
server, and to upload files to or download files from the server.
Before establishing the configuration task of accessing files on another device by using FTP,
accurately.
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of FTP client to
establish the connection with FTP server.
8.6.3 Connecting to Other Devices by Using FTP Commands
You can run FTP commands to log in to other devices from the CX device that functions as the
FTP client.
8.6.4 Operating Files by Using FTP Commands
After logging in to a FTP server, you can operate files by using FTP commands. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
8.6.5 Changing Login Users
After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
8.6.6 Disconnecting from the FTP Server
Issue 01 (2011-05-30)
You can terminate the connection with the FTP server and return to the user view or FTP view.
After the configurations of accessing other devices by using FTP are complete, you can view
the source parameters configured on the FTP client.
accurately.
Before transmitting files between a client and a remote FTP server, or managing directories of
the server, you can configure the CX device that you have logged in to as an FTP client. Then,
you can access the FTP server by using FTP for file transmission or directory management.
complete the following tasks:
l Configuring a reachable route between the CX device and the FTP server
Data Preparation
To establish the configuration task of accessing files on another device by using FTP, you need
the following data:
No. Data
1 (Optional) Source IP address or source interface of the CX device functioning as an
FTP client
2 Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
3 Local file name and file name on the remote FTP server,working directory name of
the remote FTP server, local working directory of the FTP client, or directory name
of the remote FTP server

8.6.2 (Optional) Configuring Source IP Address and Interface of the
FTP Client
This section describes how to configure the source IP address and interface of FTP client to
establish the connection with FTP server.
8-23
Prerequisite
address of an FTP connection. In this manner, security checks can be implemented.
The interface configuration is possible, only if the system has a loopback interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp client-source { -a ip-address }
The source IP address of the FTP client is configured.
or
ftp client-source { -i interface-type interface-number }
The loopback addresses of the FTP client is configured.
NOTE
Then, run the display ftp-client command on the CX device to view the current configuration of the FTP client.
----End
8.6.3 Connecting to Other Devices by Using FTP Commands
You can run FTP commands to log in to other devices from the CX device that functions as the
FTP client.
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the CX device that serves as the client:
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instace-name ]
The CX device is connected to the FTP server.
In the FTP view, establish a connection to the FTP server.
1. In the user view,Run:
ftp
Issue 01 (2011-05-30)
The FTP view is displayed.
2. Run:
open [-a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ vpn-instance vpn-instance-name ]
NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After that, the default VPN instance is used
in the FTP operation.
l If the IP address of the server is an IPv6 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]
In the FTP view, establish a connection to the FTP server.
1. In the user view,Run:
ftp
The FTP view is displayed.
2. Run:
open ipv6 host-ipv6-address [ port-number ]
----End
8.6.4 Operating Files by Using FTP Commands
After logging in to a FTP server, you can operate files by using FTP commands. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
Context
After logging in to the FTP server, you can perform the following operations:
l Configure a data type for transmission files and a file transmission method.
l Check the online help about FTP commands in the FTP client view.
l Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l Create directories on or delete directories from the FTP server.
l Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After logging in to the CX device that functions as a client and entering the FTP client view,
you can perform the following steps:
Procedure
l Configuring data type and transmission mode for the file.
8-25
Run:
ascii | binary
The data type of the file to be transmitted is ascii or binary mode.
NOTE
FTP supports the ASCII type and the binary type. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
The selection of the FTP transmission mode is client-customized. The system defaults to the
ASCII transmission mode. The client can use a mode switch command to switch between the
ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary
mode is used to transmit binary files.
Run:
passive
The passive file transfer mode is configured.
Run:
verbose
The verbose mode for FTP is enabled.
When verbose is enabled, all FTP responses are displayed. After file transmission, the
statistics about transmission efficiency will be displayed.
l Viewing online help of the FTP command.
remotehelp [ command ]
The online help of the FTP command is displayed.
l Upload or download files.
Upload or download a file.
Run:
The local file is uploaded to the remote FTP server.
Run:
The FTP file is downloaded from the FTP server and saved to the local file.
Upload or download multiple files.
Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
l Run one or more commands in the following order to manage directories.
Run:
Issue 01 (2011-05-30)
cd pathname
The working path of the remote FTP server is specified.
Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
Run:
pwd
The specified directory of the FTP server is displayed.
Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.
Run:
A directory is created on the FTP server.
Run:
rmdir remote-directory
A directory is removed from the FTP server.
NOTE
l The directory to be created can comprise letters and digits, but not special characters such as
<, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
l Run one or more commands in the following to manage files.
Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.
Run:
delete remote-filename
The specified file on the FTP server is deleted.
When local-filename is set, related information about the file can be downloaded locally.
----End
8.6.5 Changing Login Users
After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
8-27
Context
From the CX600 (an FTP client) that you have logged in to, you can log in to the FTP server by
using another username without logging out of the FTP client view. The established FTP
connection is identical with that established by running the ftp command.
Perform the following steps on the CX device that functions as a client:
Procedure
l Run:
user user-name [ password ]
The user that have logged in to the FTP server is changed and the new user logs in to the
server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
8.6.6 Disconnecting from the FTP Server
You can terminate the connection with the FTP server and return to the user view or FTP view.
Context
You can select different commands to terminate the connection with the FTP server in the FTP
client view.
Do as follows on the CX device that serves as the client.
Procedure
l Run the following commands according to different configurations.
Run:
bye
Or,
quit
The client CX device is disconnected from the FTP server.
Return to the user view.
Run:
close
Or,
disconnect
The client CX device is disconnected from the FTP server.
Return to the FTP view.
----End
After the configurations of accessing other devices by using FTP are complete, you can view
the source parameters configured on the FTP client.
Issue 01 (2011-05-30)
Prerequisite
The configurations of accessing other devices by using FTP are complete.
Procedure
l Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.
8.7 Accessing Files on Another Device by Using SFTP
SFTP is a secure FTP service. After the CX device is configured as an SFTP client. The SFTP
server authenticates the client and encrypts data in both directions to provide secure data
transmission.
Before establishing the configuration task of accessing files on another device by using SFTP,
accurately.
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client
You can configure a source IP address for an SFTP client. Then, you can set up an SFTP
connection from the SFTP client to the server through a specific route by using this source IP
address.
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time
Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the SFTP client does not check
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key
to the SSH Server)
8.7.5 Connecting to Other Devices by Using SFTP
You can log in to the SSH server from the SSH client through SFTP.
8.7.6 Operating Files by Using SFTP Commands
You can manage directories and files on the SSH server from the SFTP client, and check the
command help on the SFTP client.
After logging in to another device by using SFTP, you can view the source address of the SSH
client, the mappings between all SSH servers and the RSA public keys on the client, the global
configurations of the SSH servers, and the sessions between the SSH servers and the client.
8-29
accurately.
SFTP is short for SSH FTP that is a secure FTP protocol. SFTP is on the basis of SSH. It ensures
that users can log in to a remote device securely for file management and transmission, and
enhances the security in data transmission. In addition, you can log in to a remote SSH server
from the CX device that functions as an SFTP client.
complete the following tasks:
l Configuring a reachable route between the client and SSH server
Data Preparation
To access files on another device by using SFTP, you need the following data:
No. Data
1 (Optional) Source address of the device that functions as the SFTP client
2 (Optional) Name of the SSH server
3 (Optional) Public key that is assigned by the client to the SSH server
4 IPv4 or IPv6 address or host name of the SSH server
5 Number of the port monitored by the SSH server,Preferred encrypted algorithm from
the SFTP client to the SSH server,Preferred encrypted algorithm from the SSH server
to the SFTP client,Preferred HMAC algorithm from the SFTP client to the SSH
server,Preferred HMAC algorithm from the SSH server to the SFTP client,Preferred
algorithm of key exchange,Name of the outgoing interface,Source address
The user information for logging in to the SSH server
6 Name and directory of a specified file on the SSH server

8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client
You can configure a source IP address for an SFTP client. Then, you can set up an SFTP
connection from the SFTP client to the server through a specific route by using this source IP
address.
Issue 01 (2011-05-30)
Context
address of an FTP connection. In this manner, security checks can be implemented.
Do as follows on a CX device that functions as an SFTP client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.
----End
(Enabling the First-Time Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the SFTP client does not check
Context
If the first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA public key when logging in to the SSH server for the first time. After the
login, the system automatically allocates the RSA public key and saves it for authentication in
next login.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The first-time authentication on the SSH client is enabled.
By default, the first-time authentication on the SSH client is disabled.
8-31
NOTE
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the
SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA
public key in advance to the SSH server on the SSH client in addition to enabling the first-time
authentication on the SSH client.
----End
(Allocating an RSA Public Key to the SSH Server)
Context
If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to
the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key
validity and cannot log in to the server.
Do as follows on the CX device functioning as an SSH client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
Step 4 Run:
hex-data
The public key must be a string of hexadecimal alphanumeric characters. It is automatically
generated by an SSH client. You can run the display rsa local-key-pair public command to
view a generated public key.
Issue 01 (2011-05-30)
NOTE
Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the SSH
server and must be configured on the SSH client. Then, the STelnet client client can successfully undergo
the validity check on the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run
the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH
server.
----End
8.7.5 Connecting to Other Devices by Using SFTP
You can log in to the SSH server from the SSH client through SFTP.
Context
The command of enabling the SFTP client is similar to that of the STelnet. When accessing the
SSH server, the SFTP can carry the source address and the name of the VPN instance and choose
the key exchange algorithm, encrypted algorithm and HMAC algorithm, and configure the
keepalive function.
Do as follows on the CX device that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.
8-33
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] ]
*
[ -ki aliveinterval [ -kc
alivecountmax ] ]
You can log in to the SSH server through SFTP.
Run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-
number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] |
[ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des |
3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ]
*
[ -ki aliveinterval
[ -kc alivecountmax ] ]
----End
8.7.6 Operating Files by Using SFTP Commands
You can manage directories and files on the SSH server from the SFTP client, and check the
command help on the SFTP client.
Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
l Create or delete a directory on the SSH server, and display the current working directory,
the specified directory and information about the file in the specified directory.
l Change a file name, delete a file, display a file list, and upload or download a file.
l Displaying the SFTP client command help.
After logging in to the CX device that functions as an SSH client and entering the SFTP client
view, you can perform the following steps:
Procedure
l Managing the directory
Run:
cd [ remote-directory ]
The current operating directory of users is changed.
Run:
cdup
The operating directory of users is switched to the upper-level directory.
Run:
pwd
The current operating directory of users is displayed.
Issue 01 (2011-05-30)
Run:
dir / ls [ remote-directory ]
The file list in the specified directory is displayed.
Run:
rmdir remote-directory & <1-10>
The directory on the server is deleted.
Run:
A directory is created on the server.
l Managing the file
Run:
rename old-name new-name
The name of the specified file on the server is changed.
Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.
Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.
Run:
remove remote-filename
The file on the server is removed.
l Displaying the SFTP client command help
help [all | command-name ]
The SFTP client command help is displayed.
----End
After logging in to another device by using SFTP, you can view the source address of the SSH
client, the mappings between all SSH servers and the RSA public keys on the client, the global
configurations of the SSH servers, and the sessions between the SSH servers and the client.
Prerequisite
The configuration of accessing files on another device by using SFTP is complete.
Procedure
l Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
l Run the display ssh server-info command to check the mapping between the SSH server
and the RSA public key on the SSH client.
----End
8-35
Example
Run the display sftp-client command on the client to view the source parameters of the device
functioning as an SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view the mappings between all servers and the
RSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP) Server public key name
________________________________________________________________________
1000::1 1000::1
10.164.39.223 10.164.39.223
11.11.11.23 11.11.11.23
10.164.39.204 10.164.39.204
10.164.39.222 10.164.39.222
This section describes examples for access another device. The examples explain networking
8.8.1 Example for Logging in to Another Device by Using Telnet
This section provides an example for logging in to another device by using Telnet.In this
example, the authentication mode and password are configured for users to log in through Telnet.
8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function
This section describes an example for logging in to another device on the network by using the
Telnet redirection function. This allows users to manage the device remotely.
8.8.3 Example for Logging in to Another Device by Using Telnet on a VPN
This section provides an example for logging in to another device by using Telnet on a VPN.In
this example, the authentication mode and password are configured for users on a VPN so as to
log in to the CX device through Telnet.
8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server
This section provides an example for logging in to another device by using STelnet.In this
example, the local key pairs are generated on the STelnet client and the SSH server; the public
RSA key is generated on the SSH server and then bound to the STelnet client. In this manner,
the STelnet client can connect to the SSH server.
8.8.5 Example for Accessing Files on Another Device by Using TFTP
In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.
8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the
Management VPN Instance Is Used
This part provides an example for configuring the access of the TFTP server on the public
network when the management VPN instance is used. In this example, after logging in to the
CX device that is configured with the management VPN instance, you can download files from
the TFTP server on the public network.
8.8.7 Example for Accessing Files on Another Device by Using FTP
Issue 01 (2011-05-30)
This section provides an example for accessing files on another device by using FTP. In this
example, a user logs in to the FTP server from the CX device to download system software and
configuration software from the FTP server.
8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the
Management VPN Instance Is Used
This part provides an example for configuring the access of the FTP server on the public network
when the management VPN instance is used. In this example, after logging in to the CX
device that is configured with the management VPN instance, you can download files from the
FTP server on the public network.
8.8.9 Example for Accessing Files on Another Device by Using SFTP
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively; the public RSA key is generated on the SSH server and bind the RSA public key
to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When
the Management VPN Instance Is Used
This part provides an example for configuring the access of the SFTP server on the public
network when the management VPN instance is used. In this example, after generating the local
key pair on the SFTP client and SSH server, generating the RSA public key on the SSH server,
and binding the RSA public key to the client, you can connect the SFTP client to the SFTP server
on the public network when using the management VPN instance.
8.8.11 Example for Accessing the SSH Server Through Other Port Numbers
This section provides an example for accessing the SSH server through other port numbers.In
this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private
Network
In this example, SSH attributes of users on the public network are configured so as to access the
SSH server on the private network through STelnet or SFTP.
8.8.1 Example for Logging in to Another Device by Using Telnet
This section provides an example for logging in to another device by using Telnet.In this
example, the authentication mode and password are configured for users to log in through Telnet.
As shown in Figure 8-7, users can telnet CX- A but cannot telnet CX- B. The route between
CX- A and CX- B is reachable. In this case, users can telnet CX- B from CX- A to remotely
configure and manage CX- B.
Figure 8-7 Networking diagram for logging in to another device by using Telnet
Network Network
PC CX-A
CX-B
Session Session
GE1/0/1
2.1.1.1/24
GE1/0/1
1.1.1.1/24
8-37

1. On CX- B, configure the authentication mode and password for users on CX- A to log in
to CX- B..
2. Configure a Telnet server port number on CX- B to ensure that users log in through this
port only.
Data Preparation
l Host address of CX- B is 2.1.1.1
l Password hello for users' login
l Telnet server port number is 1028
Procedure
Step 1 Configure the authentication mode and password for Telnet services on CX- B.
[HUAWEI] sysname CX-B
[CX-B] user-interface vty 0 4
[CX-B-ui-vty0-4] authentication-mode password
[CX-B-ui-vty0-4] set authentication password simple hello
[CX-B-ui-vty0-4] quit
To configure an ACL for Telnetting another device, run the following commands on CX- B.
[CX-B] acl 2000
[CX-B-acl-basic-2000] rule permit source 1.1.1.1 0
[CX-B-acl-basic-2000] quit
[CX-B-ui-vty0-4] acl 2000 inbound
NOTE
It is optional to configure an ACL for Telnet services.
Step 2 Log in to CX- B from CX- A through Telnet.
[HUAWEI] sysname CX-A
[CX-A] quit
<CX-A> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Login authentication
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:31:01.
<CX-B>
Step 3 Configure a Telnet server port number on CX- B.
<CX-B> system-view
[CX-B] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Co
ntinue?[Y/N]: y
Issue 01 (2011-05-30)
Info: Succeeded in changing the listening port of telnet server.
Step 4 Use the port number 1028 to log in to CX- B from CX- A through Telnet.
<CX-A> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Password:
<CX-B>
----End
Configuration Files
l Configuration file of CX- A
#
sysname CX-A
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
return
l Configuration file of CX- B
#
sysname CX-B
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
acl 2000 inbound
set authentication password simple hello
#
return
8.8.2 Example for Logging in to Another Device by Using the Telnet
Redirection Function
This section describes an example for logging in to another device on the network by using the
Telnet redirection function. This allows users to manage the device remotely.
As shown in Figure 8-8, there is a reachable route between the PC and CX- A, and CX- A is
not connected with CX- B on the IP network. To manage CX- B remotely, you can enable the
Telnet redirection function on CX- A, and connect the asynchronous serial interface of CX- A
to the serial interface of CX- B. Then, you can log in toCX- B remotely from the terminal PC
by using the specified port number of CX- A to manage CX- B.
8-39
Figure 8-8 Networking of logging in to another device by using the Telnet redirection function
Network
Console
PC CX-A CX-B
Aux
Session
GE1/0/1
10.1.1.1/24

1. Use the AUX interface of CX- A to connect withCX- B.
2. Enable the Telnet redirection function on CX- A.
Data Preparation
l IP address of CX- A: 10.1.1.1
Procedure
Step 1 Open the AUX interface of CX- A.
[CX-A] interface Aux 0/0/1
[CX-A-Aux0/0/1] undo shutdown
[CX-A-Aux0/0/1] quit
Step 2 Enable the redirection function on CX- A.
[CX-A] user-interface aux 0
[CX-A-ui-aux0] undo shell
[CX-A-ui-aux0] redirect
Step 3 View the port number.
<CX-A> display tcp status
37b26538 6 /1 0.0.0.0:21 0.0.0.0:0 23553 Listening
37b20808 135/4 0.0.0.0:22 0.0.0.0:0 23553 Listening
15b8a270 135/1 0.0.0.0:23 0.0.0.0:0 23553 Listening
32fa2744 135/15 0.0.0.0:2033 0.0.0.0:0 23553 Listening
32facdac 135/17 0.0.0.0:4033 0.0.0.0:0 23553 Listening
32f9e4b4 88 /1 0.0.0.0:6000 0.0.0.0:0 23553 Listening
2ff6bbcc 135/9 10.137.217.226:23 10.138.77.21:2993 0 Established
Run the telnet 10.1.1.1 2033(or 4033) command on the PC to log in to CX- B.
----End
Configuration Files
Issue 01 (2011-05-30)
#
sysname CX-A
#
interface Aux0/0/1
undo shutdown
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
undo shell
redirect
#
return
8.8.3 Example for Logging in to Another Device by Using Telnet on
a VPN
This section provides an example for logging in to another device by using Telnet on a VPN.In
this example, the authentication mode and password are configured for users on a VPN so as to
log in to the CX device through Telnet.
As shown in Figure 8-9, CX- A and CX- B can ping through each other. Users can log in to
CX- A from CX- B through Telnet.
Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN
CX-A CX-B
GE1/0/0
1.1.1.1 24
GE1/0/0
1.1.1.2 24
VPN tt
IP Network

1. Configure a VPN on CX- B.
2. Configure the authentication mode and the password of the user interface VTY0 to VTY4
on CX- B.
3. Set the user to enter the password to log in to CX- B from CX- A in Telnet mode.
Data Preparation
l Host IP address of CX- B
l Authentication mode and password
8-41
l VPN instance
Procedure
Step 1 Configure the VPN instance and IP address.
# Configure CX- A.
[CX-A] interface gigabitethernet1/0/0
[CX-A-GigabitEthernet1/0/0] undo shutdown
[CX-A-GigabitEthernet1/0/0] ip address 1.1.1.1 24
# Configure CX- B.
[CX-B] ip vpn-instance tt
[CX-B-vpn-instance-tt] route-distinguisher 1000:1
[CX-B-vpn-instance-tt] quit
[CX-B] interface gigabitethernet1/0/0
[CX-B-GigabitEthernet1/0/0] undo shutdown
[CX-B-GigabitEthernet1/0/0] ip binding vpn-instance tt
[CX-B-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[CX-B-GigabitEthernet1/0/0] quit
[CX-B] quit
Step 2 Configure the Telnet authentication mode and password on CX- B.
<CX-B> system-view
[CX-B-ui-vty0-4] authentication-mode password
[CX-B-ui-vty0-4] set authentication password simple hello
To configure Telnet terminal services based on the ACL, do as follows on CX- B.
[CX-B] acl 2000
[CX-B-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[CX-B-acl-basic-2000] quit
[CX-B-ui-vty0-4] acl 2000 inbound
NOTE
Configuring Telnet terminal services based on the ACL is optional.
After the configuration is complete, you can log in to CX- B from CX- A through Telnet.
<CX-A> telnet 1.1.1.2
Trying 1.1.1.2 ...
Password:
Note: The max number of VTY users is 10, and the current number
<CX-B>
----End
Configuration Files
#
Issue 01 (2011-05-30)
sysname CX-A
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
return
l Configuration file of CX- B
#
sysname CX-B
#
ip vpn-instance tt
route-distinguisher 1000:1
#
acl number 2000
rule 5 permit vpn-instance tt source 1.1.1.1 0
#
undo shutdown
ip binding vpn-instance tt
ip address 1.1.1.2 255.255.255.0
#
acl 2000 inbound
set authentication password simple hello
#
return
8.8.4 Example for Configuring the Device as the STelnet Client to
Connect to the SSH Server
This section provides an example for logging in to another device by using STelnet.In this
example, the local key pairs are generated on the STelnet client and the SSH server; the public
RSA key is generated on the SSH server and then bound to the STelnet client. In this manner,
the STelnet client can connect to the SSH server.
As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode. In this example, the Huawei CX device functions as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.
Figure 8-10 Networking diagram for logging in to another device by Using STelnet
Client 002
GE1/0/1
10.10.3.3/16
SSH Server
GE1/0/1
10.10.1.1/16
Client 001
GE1/0/1
10.10.2.2/16
8-43

1. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind
the client client002 to an RSA key to authenticate the client when the client attempts to log
in to the server.
3. Enable STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH client.
6. Users Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
l Client001 with the password as huawei and adopt the password authentication.
l Client002, adopt the RSA authentication and assign the public key RsaKey001 to
Client002.
l IP address of the SSH server is 10.10.1.1.
Procedure
The key name will be: SSH Server_Host
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Create an SSH user on the server.
NOTE
The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
l When the SSH adopts the password or password-rsa authentication mode, configure a local user with
the same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should save
the RSA public key for the SSH client.
# Configure the VTY user interface.
Issue 01 (2011-05-30)
l Create SSH user Client001.
# Configure the password authentication for the SSH user Client001.
[SSH Server] ssh user client001
# Configure the password of the SSH user Client001 to huawei.
[SSH Server] aaa
l Create SSH user Client002.
# Configure the RSA authentication for the SSH user Client002.
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Key name: client002_Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client software to the server.
8-45
[SSH Server]rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key]public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code]3047
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code]public-key-code end
[SSH Server-rsa-public-key]peer-public-key end
Step 4 Bind the SSH user Client002 to the RSA public key of the SSH client.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Enable the STelnet service.
Step 6 Configure the STelnet service for the SSH users Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
Step 7 Connect the STelnet client to the SSH server.
# For the first login, you need to enable the first authentication on SSH client.
Enabling the first authentication on Client001.
[client001] ssh client first-time enable
# Client001 of the STelnet connects to SSH server with the password authentication mode . Enter
the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password huawei. It shows that the login is successful, as follows:
<SSH Server>
# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.
Issue 01 (2011-05-30)
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
The server's public key will be saved with the name 10.10.1.1. Please wait...
<SSH Server>
After the configuration, run the display ssh server status and display ssh server session
commands. You can view that the STelnet service is enabled and the STelnet client is connected
to the SSH server successfully.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version : 1.99
SFTP server : Disable
Stelnet server : Enable
# Display the connection of the SSH server.
[SSH Server] display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Retry : 1
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
Kex : diffie-hellman-group1-sha1
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Authentication Type : rsa
# Display the information about the SSH user.
[SSH Server] display ssh user-information
User 1:
Sftp-directory : -
8-47
User 2:
Authentication-type : rsa
User-public-key-name : RsaKey001
Sftp-directory : -
----End
Configuration Files
#
sysname SSH Server
#
rsa peer-public-key rsakey001
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
ssh user client001
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
#
#
return
l Configuration file of Client001 on SSH client
#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return
l Configuration file of Client002 on SSH client
#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
Issue 01 (2011-05-30)
#
return
8.8.5 Example for Accessing Files on Another Device by Using TFTP
In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.
As shown in Figure 8-11, the IP address of the TFTP server is 10.111.16.160/24.
Log in to the CX device from the HyperTerminal and then download the file
V600R003C00.cc from the TFTP server.
Figure 8-11 Networking diagram for accessing files on another device by using TFTP
TFTP Client TFTP Server PC
10.111.16.160/24

1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the CX device to download the file.
3. Use the TFTP command on the CX device to upload the file.
Data Preparation
l The TFTP application installed on the TFTP server
l The path of the file on the TFTP server
l The destination file name and its path on the CX device
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V600R003C00.cc file resides. Figure 8-12 shows the interface.
8-49
Figure 8-12 Setting the Base Directory of the TFTP server

NOTE
The display may be different depending on different TFTP server applications run in the computer.
Step 2 Log in to the CX device from the computer HyperTerminal and enter the following command
to download the file.
<HUAWEI>tftp 10.111.16.160 get V600R003C00.cc cfcard:/V600R003C00.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully. 15805100 bytes received in 42734
second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the CX device.
<HUAWEI> dir cfcard:
1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt
2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg
5 -rw- 14343 May 19 2006 15:00:10 paf.txt
6 -rw- 1004 Feb 05 2001 09:51:22 vrp1.zip
7 -rw- 6247 May 19 2006 15:00:10 license.txt
8 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak
9 -rw- 86235884 Feb 05 2001 10:23:46 V600R003C00.cc
to upload the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully. 1217 bytes send in 1 second.
----End
Issue 01 (2011-05-30)
8.8.6 Example for Configuring the Access of the TFTP Server on the
Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the TFTP server on the public
network when the management VPN instance is used. In this example, after logging in to the
CX device that is configured with the management VPN instance, you can download files from
the TFTP server on the public network.
As shown in Figure 8-13, a management VPN instance is configured on the CX device. Users
use the VPN instance to access the FTP server from the CX device. To enable the client to access
the TFTP server on the public network, you need to connect the CX device to the TFTP server
on the public network.
Log in to the CX device from the HyperTerminal and then download the file
V600R003C00.cc from the TFTP server.
Figure 8-13 Networking diagram of configuring the access of the TFTP server on the public
network when the management VPN instance is used
PC
TFTP Client
TFTP Server
10.111.16.160/24
Network

1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the CX device to download the file.
3. Use the TFTP command on the CX device to upload the file.
Data Preparation
l The TFTP application installed on the TFTP server
l The path of the file on the TFTP server
l The destination file name and its path on the CX device
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V600R003C00.cc file resides. Figure 8-14 shows the interface.
8-51
Figure 8-14 Setting the Base Directory of the TFTP server

NOTE
The display may be different depending on different TFTP server applications run in the computer.
to download the file.
<HUAWEI>tftp 10.111.16.160 public-net get V600R003C00.cc cfcard:/V600R003C00.cc
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully. 15805100 bytes received in 42734
second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the CX device.
<HUAWEI> dir cfcard:
1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt
2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg
5 -rw- 14343 May 19 2006 15:00:10 paf.txt
6 -rw- 1004 Feb 05 2001 09:51:22 vrp1.zip
7 -rw- 6247 May 19 2006 15:00:10 license.txt
8 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak
9 -rw- 86235884 Feb 05 2001 10:23:46 V600R003C00.cc
to upload the file.
<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully. 1217 bytes send in 1 second.
----End
Issue 01 (2011-05-30)
Configuration Files
None.
8.8.7 Example for Accessing Files on Another Device by Using FTP
This section provides an example for accessing files on another device by using FTP. In this
example, a user logs in to the FTP server from the CX device to download system software and
configuration software from the FTP server.
As shown in Figure 8-15, the route between CX- A that functions as the FTP client and the FTP
server is reachable. A user needs to download system software and configuration software from
the FTP server. The Huawei CX device functions as an FTP server.
Figure 8-15 Networking diagram for accessing files on another device by using FTP
GE1/0/1
1.1.1.1/24
GE1/0/1
2.1.1.1/24
FTP Server CX-A
Network

1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the CX device.
3. Run certain login commands to log in to the FTP server.
4. Configure the file transmission mode and directories for the client before downloading
required files from the FTP server.
Data Preparation
l User name huawei and password 123 for a user's login
l IP address of the FTP server, that is, 1.1.1.1
l Target file and its location on CX- A
Procedure
Step 1 Configure an FTP user on the FTP server.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password simple 123
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
8-53
[HUAWEI-aaa] quit
Step 2 Enable the FTP server.
[HUAWEI] ftp server enable
Step 3 Log in to the FTP server from CX- A.
<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
Step 4 On CX- A, configure the binary format as the file transfer mode and flash:/ as the working
directory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 5 On CX- A, download the latest system software from the remote FTP server.
[ftp] get V600R003C00.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R003C00.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
You can run the dir command to check whether the required file is downloaded to the client.
----End
Configuration Files
l Configuration file on the FTP server
#
FTP server enable
#
aaa
local-user huawei password simple 123
local-user huawei service-type ftp
local-user huawei ftp-directory cfcard:
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
Return
l Configuration file on the FTP client
#
undo shutdown
ip address 2.1.1.1 255.255.255.0
Return
8.8.8 Example for Configuring the Access of the FTP Server on the
Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the FTP server on the public network
when the management VPN instance is used. In this example, after logging in to the CX
Issue 01 (2011-05-30)
device that is configured with the management VPN instance, you can download files from the
FTP server on the public network.
As shown in Figure 8-16, a management VPN instance is configured on CX- A. Users use the
VPN instance to access the FTP server. To enable CX- A to access the FTP server on the public
network, you need to connect the CX device to the FTP server on the public network.
The route between CX device that functions as the FTP client and the FTP server is reachable.
A user needs to download system software and configuration software from the FTP server on
the public network.
Figure 8-16 Networking diagram of configuring the access of the FTP server on the public
GE1/0/1
1.1.1.1/24
GE1/0/1
2.1.1.1/24
FTP Server CX-A
Network

1. Log in to the FTP server from the FTP client on the Public Network.
2. Download the system files form the server to the storage devices on the client side.
Data Preparation
l IP address of the FTP server is 1.1.1.1
l User name huawei and password huawei
l The destination file name and its position in the CX device
Procedure
Step 1 Log in to the FTP server from the CX device.
<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Connected to 1.1.1.1
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.
Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcard
memory on the CX device..
[ftp] binary
200 Type set to I.
8-55
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 3 Download the newest system software from the remote FTP server on the CX device.
[ftp] get V600R003C00.cc
150 Opening ASCII mode data connection for V600R003C00.cc.
[ftp] quit
----End
Configuration Files
None.
8.8.9 Example for Accessing Files on Another Device by Using SFTP
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively; the public RSA key is generated on the SSH server and bind the RSA public key
to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
As shown in Figure 8-17, after the SFTP service is enabled on the SSH server, the SFTP Client
can log in to the SSH server with the password, RSA, password-rsa, or all authentication. In this
example, the Huawei CX device functions as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.
Figure 8-17 Networking diagram for accessing files on another device by using SFTP
Client 002
GE1/0/1
10.10.3.3/16
SSH Server
GE1/0/1
10.10.1.1/16
Client 001
GE1/0/1
10.10.2.2/16

modes.
Issue 01 (2011-05-30)
in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
server.
Data Preparation
Client002.
Procedure
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
NOTE
l When the SSH adopts the password or password-rsa authentication, configure a local user with the
same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication, the server should save the
RSA public key for the SSH client.
# Configure the VTY user Interface.
l Create Client001 for the SSH user.
# Create an SSH user with the name Client001. The authentication mode is password.
# Set huawei as the password for the Client001 of the SSH user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
8-57
# Create an SSH user with user name Client002 and RSA authentication.
Step 3 Configure the RSA public key of the server.
=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-key-code] 3047
Issue 01 (2011-05-30)
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.
Step 6 Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server, namely, Client001 and Client002. The
password authentication mode is configured for Client001 and the RSA authentication mode is
configured for Client002.
[SSH Server] ssh user client001 sftp-directory cfcard:
# For the first login, you need to enable the first authentication on the SSH client.
# Connect the STelnet client Client001 to the SSH server with the password authentication mode.
[client001] sftp 10.10.1.1
Trying 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait.
..
Enter password:
sftp-client>
[client002] sftp 10.10.1.1
Trying 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
..
sftp-client>
8-59
commands. You can view that the STelnet service is enabled and the SFTP client is connected
SSH version : 1.99
SFTP server: Enable
Stelnet server: Disable
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Retry : 1
Service Type : sftp
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Service Type : sftp
# Display information about the SSH user.
[SSH Server]display ssh user-information
User 1:
Sftp-directory : cfcard:
Service-type : sftp
User 2:
Service-type : sftp
----End
Issue 01 (2011-05-30)
Configuration Files
l Configuration file of the SSH server.
#
sysname SSH Server
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:.
#
#
Return
l Configuration file of Client001 on the SSH client
#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return
#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
8-61
8.8.10 Example for Configuring the Access of the SFTP Server on
the Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the SFTP server on the public
network when the management VPN instance is used. In this example, after generating the local
key pair on the SFTP client and SSH server, generating the RSA public key on the SSH server,
and binding the RSA public key to the client, you can connect the SFTP client to the SFTP server
on the public network when using the management VPN instance.
As shown in Figure 8-18, a management VPN instance is configured for Client001 and
Client002. Users use the VPN instance to access the FTP server. To enable the client to access
the SFTP server on the public network, you need to connect the CX device to the SFTP server
on the public network.
The Huawei CX device functions as an SSH server. Two users client001 and client002 are
configured to access the SSH server in the authentication mode of password and RSA
respectively.
Figure 8-18 Networking diagram of configuring the access of the SFTP server on the public
Client 002
GE1/0/1
10.10.3.3/16
SSH Server
GE1/0/1
10.10.1.1/16
Client 001
GE1/0/1
10.10.2.2/16

modes..
in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorization directory for the SSH user.
5. Configure Client001 and Client002 to log in to the SSH server on the Public Network
through SFTP..
Issue 01 (2011-05-30)
Data Preparation
Client002.
Procedure
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
NOTE
l When the SSH adopts the password or password-rsa authentication, configure a local user with the
same name.
[SSH Server] aaa
# Create an SSH user with user name Client002 and RSA authentication.
8-63
=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.
Issue 01 (2011-05-30)
Step 6 Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server, namely, Client001 and Client002. The
password authentication mode is configured for Client001 and the RSA authentication mode is
configured for Client002.
# For the first login, you need to enable the first authentication on the SSH client.
# Connect the STelnet client Client001to the SSH server with the password authentication mode.
[client001] sftp 10.10.1.1 public-net
Trying 10.10.1.1 ...
Enter password:
sftp-client>
[client002] sftp 10.10.1.1 public-net
Trying 10.10.1.1 ...
sftp-client>
commands. You can view that the STelnet service is enabled and the SFTP client is connected
SSH version : 1.99
SFTP server: Enable
STELNET server: Disable
8-65
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Retry : 1
Service Type : sftp
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Service Type : sftp
# Display information about the SSH user.
[SSH Server] display ssh user-information
User 1:
Service-type : sftp
User 2:
Service-type : sftp
----End
Configuration Files
#
sysname SSH Server
#
3047
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
Issue 01 (2011-05-30)
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
#
#
Return
#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return
#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
8.8.11 Example for Accessing the SSH Server Through Other Port
Numbers
This section provides an example for accessing the SSH server through other port numbers.In
this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
The standard monitored port number of the SSH protocol is 22. The frequent malicious accesses
to the standard port consume bandwidth and affect the performance of the server, and other users
cannot access the standard port.
After the number of the port monitored by the SSH server is set to other port numbers, the attacker
does not know the change of the number of the monitored port and keeps sending socket
connection requests with the standard port 22. After detecting that the port number inthe
connection requests is not the number of the monitored port, the SSH does not set up the socket
connection.
8-67
Thus, only the valid user can set up the socket connection through the non-standard monitored
port set by the SSH server, and follow the procedure of negotiating the SSH version number,
negotiating the algorithm, generating the session key, authenticating, sending session request,
and performing the interactive session.
The Huawei CX device functions as an SSH server. The client client001 is configured to log in
to the SSH server by using STelnet in the authentication mode of password; the client client002
is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.
Figure 8-19 Networking diagram of accessing the SSH server through other port numbers
Client 002
GE1/0/1
10.10.3.3/16
SSH Server
GE1/0/1
10.10.1.1/16
Client 001
GE1/0/1
10.10.2.2/16

modes..
in to the server.
3. Enable the STelnet and SFTP service on the SSH server.
4. Configure the service mode and authorization directory of the SSH user.
5. Configure the interception port number for the SSH server so that the client can access the
server through other port numbers.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
Client002.
l Number of the port monitored by the SSH server is 1025.
Issue 01 (2011-05-30)
Procedure
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
# Generate a local key pair of client on the client.
=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
8-69
NOTE
l When the SSH adopts the password or password-rsa authentication mode, configure a local user at the
same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication modes, the server should save
the RSA public key for the SSH client.
# Set huawei as the password toSSH user Client001.
[SSH Server] aaa
# Configure Client001 with service type of STelnet.
Create an SSH user with the name of Client002 and RSA authentication, bound to RSA public
key of the SSH client.
# Configure the service type of Client002 as SFTP and the authorization directory.
Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
Step 5 Configure a new number of the port monitored by the SSH server.
[SSH Server] ssh server port 1025
Issue 01 (2011-05-30)
# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Trying 10.10.1.1 ...
he server is not authenticated. Continue to access it?(Y/N):y
he server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password Huawei and view as follows:
<SSH Server>
# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Trying 10.10.1.1 ...
..
sftp-client>
The attacker fails to access the SSH server through port 22.
[client002] sftp 10.10.1.1
Trying 10.10.1.1 ...
Error: Failed to connect to the server.
commands. You can view the number of the port monitored by the SSH server and that the
STelnet client or SFTP client is connected to the SSH server successfully.
SSH version : 1.99
SFTP server: Enable
STELNET server: Enable
8-71
SSH server port: 1025
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Retry : 1
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Service Type : sftp
----End
Configuration Files
#
sysname SSH Server
#
3047
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client002 authentication-type RSA
Issue 01 (2011-05-30)
#
#
return
#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return
#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
8.8.12 Example for an SSH Client in the Public Network to Access
an SSH Server in the Private Network
In this example, SSH attributes of users on the public network are configured so as to access the
SSH server on the private network through STelnet or SFTP.
As shown in Figure 8-20, PE1 as an SSH client resides on an MPLS backbone network, and
CE1 as an SSH server is located at a private network of AS 65410. The users in the public
network can safely access and manage CE1 on the private network through PE1.
The Huawei CX device functions as an SSH server. The client client001 is configured to log in
to the SSH server by using STelnet in the authentication mode of password; the client client002
is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.
8-73
Figure 8-20 Networking diagram of configuring the SSH client in public network accessing the
SSH server in the private network
PE1
(SSH
Client)
POS1/0/1
100.1.1.2/30
GE1/0/1
10.1.1.2/24
Loopback1
1.1.1.9/32
Loopback1
3.3.3.9/32
Loopback1
2.2.2.9/32
POS1/0/1
100.1.1.1/30
POS1/0/2
200.1.1.1/30 GE1/0/1
10.1.2.2/24
POS1/0/1
200.1.1.2/30
MPLS Backbone
AS:100
PE2
P
GE1/0/1
10.1.1.1/24
GE1/0/1
10.1.2.1/24
CE1
(SSH
server)
CE2
VPN Site VPN Site

The roadmap for configuring SSH supporting access from the private network as follows:
1. Configure a VPN instance on the PE functioning as an SSH client so that the CE can access
the PE.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
in to the server.
4. Enable the STelnet and SFTP service on the SSH server.
5. Users in the public network access devices in the private network through STelent and
SFTP.
Data Preparation
To complete the configuration, you need the following data.
l Name of vpn-instance vpn1 on PE
l VPN-target on PE is 111:1
l IP address 10.1.1.2 of PE1; IP address 10.1.2.2 of PE2
l Client001 with the password as huawei and adopt the password authentication
l Client002, adopt the RSA authentication and assign the public key RsaKey001 to Client002
l IP address of the SSH server CE1 on the private network, that is, 10.1.1.1
Issue 01 (2011-05-30)
Procedure
Step 1 Configure the MPLS backbone network
With IGP configured on the MPLS backbone network, the PE on the backbone network can
communicate with P; configure the MPLS basic capability and MPLS LDP, and create LDP
LSPs.
The detailed configurations are not mentioned here. For more information, refer to the
configuration file of this example.
Step 2 Configure the VPN instance. Configure VPN on PE and connect CE to PE.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1 both
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/1] quit
# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1] vpn-target 111:1 both
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/1] undo shutdown
[PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[PE2-GigabitEthernet1/0/1] quit
# Configure IP addresses of interfaces on CEs as shown in Figure 8-20. The detailed
configurations are not mentioned here.
After the configuration, run the display ip vpn-instance verbose command on PE. You can
view the configuration of VPN. Each PE can ping through the accessed CE.
NOTE
In case of several VPN interfaces bound with PE, you have to run the ping -vpn-instance vpn-instance-
name -a source-ip-address dest-ip-address command to ping the CE that connects to the peer PE. The
source IP address must be specified. Otherwise, it may fail to ping through.
Take PE1 and CE1 for example:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Create date : 2007/06/08 11:42:58
Up time : 0 days, 00 hours, 03 minutes and 27 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : uniform
Interfaces : GigabitEthernet2/0/0
[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
8-75
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms
Step 3 Establish EBGP peer relationship between PEs and CEs and import VPN CX device.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure CE2.
[CE2] bgp 65420
[CE2-bgp] peer 10.1.2.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit
After configuration, run the display bgp vpnv4 vpn-instance peer command on PE. You can
view that the BGP peer relationship between PE and CE is created and in the established state.
Take the peer relationship between PE 1 and CE 1 as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 3 3 0 00:00:37 Established 1
# Establish MP-BGP peer relationship between PEs.
The detailed configurations are not mentioned here. For more information, refer to the
configuration file of this example.
[CE1] rsa local-key-pair create
The key name will be: CE1_Host
Generating keys...
.......++++++++++++
Issue 01 (2011-05-30)
..........++++++++++++
...................................++++++++
......++++++++
# Generate a local key pair of client on the client.
[PE1] rsa local-key-pair create
The key name will be: PE1_Host
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
[PE1] display rsa local-key-pair public
=====================================================
Key name: PE1_Host
=====================================================
Key code:
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F
2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Key name: PE1_Server
=====================================================
Key code:
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
[CE1] rsa peer-public-key RsaKey001
[CE1-rsa-public-key] public-key-code begin
[CE1-rsa-key-code] 3067
[CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
8-77
[CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[CE1-rsa-key-code] E2EE8EB5
[CE1-rsa-key-code] public-key-code end
[CE1-rsa-public-key] peer-public-key end
[CE1-rsa-public-key] quit
NOTE
The SSH user can be authenticated in four modes namely, password, RSA, password-rsa, and all.
l When the SSH adopts the password or password-rsa authentication, a local user must be configured
with the same name.
# Configure the VTY user interface.
[CE1] user-interface vty 0 4
[CE1-ui-vty0-4] authentication-mode aaa
[CE1-ui-vty0-4] protocol inbound ssh
[CE1-ui-vty0-4] quit
[CE1] ssh user client001
[CE1] ssh user client001 authentication-type password
[CE1] aaa
[CE1-aaa] local-user client001 password simple huawei
[CE1-aaa] local-user client001 service-type ssh
[CE1-aaa] quit
# Configure service type of Client001 as STelnet.
[CE1] ssh user client001 service-type stelnet
l Create an SSH user with the name of Client002 and RSA authentication, bound to RSA public
key of the SSH client.
[CE1] ssh user client002
[CE1] ssh user client002 authentication-type rsa
[CE1] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and the authorization directory.
[CE1] ssh user client002 service-type sftp
[CE1] ssh user client002 sftp-directory cfcard:
Step 7 Enable STelnet and SFTP services on the SSH server.
[CE1] stelnet server enable
[CE1] sftp server enable
Step 8 PE logs in to CE as the SSH client.
[PE1] ssh client first-time enable
# Log in to the SSH server through STelnet.
[PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Trying 10.1.1.1 ...
Issue 01 (2011-05-30)
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:
Enter the password huawei. The following information is displayed:
<CE1>
# Log in to the SSH server by SFTP.
[PE1] sftp 10.1.1.1 -vpn-instance vpn1
Trying 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
After successful login, the following information is displayed, and then you can continue.
sftp-client>
Step 9 Check the Configuration
When running the display this command in the PE interface view, you can view that the
configuration of the VPN instance is successful; when running the display ssh server session
command on CE, you can view that the STelnet client or SFTP client is connected to the SSH
server successfully.
# View information about SSH server connection.
[PE1] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Retry : 1
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
rsa peer-public-key RsaKey001
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
8-79
peer-public-key end
#
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
sftp server enable
ssh user client001
ssh user client002
ssh user client002 authentication-type RSA
ssh user client002 sftp-directory cfcard
#
#
return
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface Pos1/0/1
link-protocol ppp
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
Issue 01 (2011-05-30)
#
bgp 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
#
#
return
l Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/1
link-protocol ppp
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos1/0/2
link-protocol ppp
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
vpn-target 111:1 export-extcommunity
8-81
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface Pos1/0/1
link-protocol ppp
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 200.1.1.0 0.0.0.255
#
return
l Configuration file of CE2
#
sysname CE2
#
ip address 10.1.2.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
peer 10.1.2.2 enable
#
return
Issue 01 (2011-05-30)
9 Clock Synchronization Configuration
About This Chapter
Clock synchronization is used to keep differences in clock frequency and phase among network
elements within a tolerable range. Effective clock synchronization improves the transmission
performance of a network.
9.1 Introduction of Clock Synchronization Configuration
Clock synchronization ensures that digital pulse signals are sent and received in a specific
timeslot.
9.2 Setting Basic Configurations for Clock Synchronization
This section describes how to set basic configurations for clock synchronization.
9.3 Configuring an External BITS Clock Source
You can run commands on the CX deviceto configure the device to trace different types of
external BITS clock sources.
9.4 Configuring a Clock Reference Source Manually or Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.5 Configuring Clock Protection Switching Based on SSM Levels
The higher its SSM level, the more accurate a clock is. By default, a clock board uses the most
accurate clock source available.
9.6 Configuring Clock Protection Switching Based on Priorities
If clock sources are configured with different priorities, then the clock source with the second
highest priority becomes effective immediately after the clock source with the highest priority
fails.
9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP
bearer network.
9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring
Ethernet clock synchronization.
Configuration Guide - Basic Configurations 9 Clock Synchronization Configuration
9-1
9.1 Introduction of Clock Synchronization Configuration
timeslot.
9.1.1 Overview of Clock Synchronization Configuration
timeslot.
9.1.2 Clock Synchronization Supported by the CX600
9.1.1 Overview of Clock Synchronization Configuration
timeslot.
Definition
Synchronization must be maintained on Data Communications Networks (DCN). The sending
end places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving end
extracts the pulse in the specified timeslot, so that normal communications between sending and
receiving ends are guaranteed. A clock ensures that signals are sent in a certain timeslot and then
received and extracted from that timeslot.
Purpose
Clock synchronization is used to keep differences in clock frequency and phase among network
elements on a digital network within a specific range. If the differences exceed the specified
range, bit errors and jitter occur and transmission performance is degraded.
9.1.2 Clock Synchronization Supported by the CX600
Clock Transmission
The clock signals can be transmitted on the Ethernet network, Asynchronous Transfer Mode
(ATM) network, and Synchronous Digital Hierarchy (SDH) network.
Tracing BITS Clock
For the Building Integrated Timing Supply System (BITS) clock source, the clock module
extracts Synchronization Status Messages (SSMs) from the 2.048 Mbit/s stream signals, or the
Main Processing Unit (MPU) sets a preset SSM level for the 2.048 MHz clock signals.
Stratum-3 Clock Source
The device that provides the clock signals for the local device is called the clock source. The
local device may have multiple clock sources. Include BITS0, BITS1, BITS2 and PTP.
Issue 01 (2011-05-30)
9.2 Setting Basic Configurations for Clock Synchronization
This section describes how to set basic configurations for clock synchronization.
9.2.2 Setting Basic Configurations for Clock Synchronization
Before configuring clock synchronization, you must set basic configurations.
None.
Data Preparation
None.
9.2.2 Setting Basic Configurations for Clock Synchronization
Context
Do as follows on every CX device on the clock synchronization network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock ethernet-synchronization enable
The Ethernet clock synchronization function is enabled.
Step 3 Run:
clock source { bits0 | bits1 | bits2 | ptp } synchronization enable
The clock synchronization function is enabled.
Step 4 Run:
interface interface-type interface-number
or
controller { e1 | cpos } controller-number
9-3
The interface view is displayed.
Step 5 Run:
clock synchronization enable
The clock synchronization function is enabled on a port.
Step 6 Run:
quit
Return to the system view from the interface view.
Step 7 (Optional) Run:
clock ssm-control { on | off }
SSM control is enabled.
By default, SSM control is enabled.
clock run-mode
The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works in
normal mode.
clock switch { revertive | non-revertive }
The recovery mode for a clock is configured. By default, a clock is revertive.
clock wtr
The Wait to Recovery (WTR) time is configured.
By default, the WTR time is five minutes.
clock source-lost holdoff-time
The holdoff time is set for a clock when the timing signal is invalid.
By default, the holdoff time is 1000 ms.
clock max-out-ssm
The max out ssm value of the interface clock source is configured.
clock freq-deviation-detect enable
Clock frequency offset detection is enabled. By default, clock frequency offset detection is
disabled.
----End
Issue 01 (2011-05-30)
Procedure
l Run:
display clock config
Check whether basic configurations for clock synchronization take effect.
----End
9.3 Configuring an External BITS Clock Source
You can run commands on the CX deviceto configure the device to trace different types of
external BITS clock sources.
Before configuring the router to trace an external BITS clock source, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
the configuration. This will help you complete the configuration task quickly and accurately.
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock
9.3.3 Configuring an External Clock Source and Its Signal Type on the CX device
The CX device supports four types of signals (2mhz, 2mbps, dcls, and 1pps).
Before configuring the router to trace an external BITS clock source, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain the data required
the configuration. This will help you complete the configuration task quickly and accurately.
On a synchronous Ethernet network, if the site where the CX device is located has a BITS clock,
the CX device must be set to trace the BITS clock. The CX device serves as the primary clock
to provide a clock source for the entire synchronous Ethernet network.
There are four types of BITS clocks: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can use
commands to specify the type of external BITS clock source on the clock board.
None.
Data Preparation
None.
9.3.2 Configuring the Lower Threshold of the Clock Signals Output
by the BITS Clock
9-5
Context
Do as follows on all CX devices on the clock synchronization network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock bits output-threshold
The lower threshold (the lowest quality level) of clock signals output by the BITS clock is
configured.
----End
9.3.3 Configuring an External Clock Source and Its Signal Type on
the CX device
The CX device supports four types of signals (2mhz, 2mbps, dcls, and 1pps).
Context
Do as follows on every CX devices on the clock synchronization network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock bits-type
An external BITS clock source and its signal type are configured.
For information about clock source IDs and signal types, refer to the HUAWEI CX600 Metro
Services Platform - Command Reference.
----End
Context
Run the following commands to check the previous configuration.
Procedure
l Run the display clock source command to check the status and attributes of the clock
reference source.
Issue 01 (2011-05-30)
l Run the display clock config command to check the configuration informations of the
clock reference source.
----End
9.4 Configuring a Clock Reference Source Manually or
Forcibly
This section describes how to manually or forcibly configure a clock reference source.
9.4.2 Configuring a Clock Reference Source
Manually configuring the clock reference source and forcibly configuring the clock reference
source differ in the following aspects:
l The clock reference source cannot be configured manually in the following situations:
The clock reference source is not enabled with the clock synchronization enable
command.
The clock reference source is in the Abnormal state.
The quality level of the clock reference source is QL-DNU or is not the highest.
l The clock reference source cannot be configured forcibly in the following situations:
The clock reference source is not enabled with the clock synchronization enable
command.
The clock reference source is in the Abnormal state.
The QL of the clock reference source is QL-DNU.
The clock works in hold mode.
You can switch the mode of configuring the clock reference source from manual to forcible
through command lines.
The clock reference source should be specified on the master clock, as shown in Figure 9-1. On
CX- A, the external clock interface, bits0, on the master clock board is connected to BITS0, one
reference clock source; the external clock interface, bits0, on the slave clock board is connected
to BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 are
same.
CX- A is manually or forcibly configured to trace the clock signal input through bits0. In normal
situations, CX- A traces the BITS0 clock reference source. When the master clock board fails,
a switchover of the clock boards is performed. After that, CX- A traces the BITS1 clock reference
source.
9-7
Figure 9-1 Diagram of configuring the clock reference source manually
BITS0
CLK-IN
CX-A
CLK-IN
BITS1
ETH ETH
CX-B CX-C

Before configuring the clock reference source manually, complete the following tasks:
Configuring an External Clock Reference Source and Its Signal Type on the device.
l Configuring an external clock reference source
l Configuring signal type of the external clock reference source
Data Preparation
None.
9.4.2 Configuring a Clock Reference Source
Context
Do as follows on all CX devices on the clock synchronization network.
Procedure
l Configure a clock reference source manually.
1. Run:
system-view
2. (Optional) Run:
clock clear [ 2msync-1 | 2msync-2 ]
Forcible specification of a clock reference source is cancelled.
If forcible specification of a clock reference source has been configured, you need to
run the clock clear command to cancel the configuration before configuring manual
specification of a clock reference source.
3. Run:
clock manual { 2msync-1 | 2msync-2 } source interface interface-type
interface-number
or
Issue 01 (2011-05-30)
clock manual source { bits0 | bits1 | bits2 | ptp | interface interface-
type interface-number}
A clock reference source is manually configured.
l Configure a clock reference source forcibly.
1. Run:
system-view
2. Run:
clock force { 2msync-1 | 2msync-2 } source interface interface-type
interface-number
or
clock force source { bits0 | bits1 | bits2 | ptp | interface interface-
type interface-number}
A clock reference source is forcibly configured.
----End
Context
Procedure
Step 1 Run:
display clock { config | source }
View the information about the clock source attributes.
----End
9.5 Configuring Clock Protection Switching Based on SSM
Levels
The higher its SSM level, the more accurate a clock is. By default, a clock board uses the most
accurate clock source available.
9.5.2 Configuring the Router to Automatically Select Clock Sources
9.5.3 Enabling SSM
SSM must be enabled for the system to perform clock protection switching based on SSM levels.
9.5.4 Configuring the SSM Level of the Clock Reference Source
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs
9.5.6 Setting the Modes of Extracting SSM Levels
9-9
Synchronous Ethernet signals can be used to carry SSM messages. The system then selects one
clock source based on the SSM levels of all the available clock sources. If clock sources are
configured with SSM levels, the configured SSM levels are used; if clock sources are not
configured with SSM levels, the SSM levels carried in the SSM messages are extracted for use.
The SSM levels include Primary Reference Clock (PRC), primary level SSU (SSU-A), second
level SSU (SSU-B), SDH Equipment Clock (SEC), Do Not Use for synchronization (DNU),
and UNK in the descending order. If the SSM level of a clock source is DNU and SSM is enabled,
the clock source is not selected during protection switchover.
The BITS clock has two types of signal. When the BITS clock signal is 2.048 Mbit/s, the clock
board extracts the SSM from the signal. When the BITS clock signal is 2.048 MHz, set the SSM
level manually.
Before configuring protection switchover of clock sources based on SSM levels, complete the
following tasks:
l Configuring an external clock reference source and its signal type on the device.
Data Preparation
To configure protection switchover of clock sources based on SSM levels, you need SSM levels
of clock sources.
Context
Do as follows on all CX devices in the clock synchronization network:
Procedure
Step 1 Run:
system-view
Step 2 Run:
The CX device is configured to automatically select clock sources.
NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear command to enable
the system to automatically select clock sources. By default, the CX device automatically selects clock
sources.
Step 3 Run:
Issue 01 (2011-05-30)
clock run-mode normal
The Ethernet Equipment Clock (EEC) is configured to work in normal mode.
By default, the EEC works in normal mode.
----End
9.5.3 Enabling SSM
SSM must be enabled for the system to perform clock protection switching based on SSM levels.
Context
Do as follows on every CX device on the clock synchronization network:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock ssm-control on
SSM is enabled.
----End
9.5.4 Configuring the SSM Level of the Clock Reference Source
Context
Do as follows on the CX device that are connected with external clock sources:
Procedure
l Configuring the SSM level of the clock reference source
1. Run:
system-view
2. Run:
clock source { bits0 | bits1 | bits2 | ptp } ssm { prc | ssua | ssub |
sec | dnu | unk }
The SSM level of the external clock reference source is configured.
l Configuring the SSM level of the clock reference source on the interface
1. Run:
system-view
2. Run:
9-11
or
3. Run:
clock ssm { dnu | prc | sec | ssua | ssub | unk }
The SSM level of the clock reference source on the interface is configured.
----End
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to
Carry SSMs
Context
Do as follows on the CX device that are connected with external BITS clock sources:
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock sa-bit { sa4 | sa5 | sa6 | sa7 | sa8 } source { bits0 | bits1 | bits2 }
The setting timeslot of the 2.048 Mbit/s BITS clock signal is set to carry SSMs.
----End
9.5.6 Setting the Modes of Extracting SSM Levels
Context
SSM levels can be configured in one of the following modes:
l Forcibly configuring an SSM level
l Extracting the SSM level from the interface
By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, the
forcibly-set SSM level takes effect.
Do as follows on all CX devices in the clock synchronization network:
Procedure
l Forcibly configuring the SSM levels of clock reference sources
1. Run:
system-view
Issue 01 (2011-05-30)
2. Run:
clock source { bits0 | bits1 | bits2 | ptp }ssm { dnu | prc | sec | ssua
| ssub | unk }
The SSM level of the clock reference source is configured.
NOTE
Repeat Step 2 to configure SSM levels for multiple clock reference sources.
To forcibly configure the SSM level of a clock reference source on the interface, you can
first enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua
| ssub | unk } commands. This can achieve the same effect as that of Step 2.
l Extracting the SSM level of the clock reference source from the interface
1. Run:
system-view
2. Run:
undo clock source { bits0 | bits1 | bits2 | ptp }ssm { dnu | prc | sec |
ssua | ssub | unk }
Forcibly configuring the SSM level of a clock reference source is disabled.
To extract the SSM level of a clock reference source from the interface, you can first enter
the corresponding interface view and run the undo clock ssm command. This can achieve
the same effect as that of Step 2.
NOTE
The current version only supports extracting the SSM level of a clock reference source from the
Ethernet interface, GigabitEthernet interface and CE1 interface.
To extract the SSM level of a clock reference source from the CE1 interface , you need to configure
the frame format as crc4.
----End
Context
Procedure
l Run:
----End
9-13
9.6 Configuring Clock Protection Switching Based on
Priorities
If clock sources are configured with different priorities, then the clock source with the second
highest priority becomes effective immediately after the clock source with the highest priority
fails.
9.6.3 Disabling SSM
9.6.4 Setting Priorities of Clock Reference Sources
When you configure protection switchover of clock sources based on priorities, you need to run
the command clock ssm-control off to disable SSM.
When there are multiple clock sources, you can set different priorities for them. Normally, the
clock uses the clock source with the highest priority. When the clock source with the highest
priority is faulty, the clock uses the clock source with the second highest priority. By default the
priority of a clock reference source is not set, it indicates that this clock reference source does
not participate in selecting the clock source.
Before configuring protection switchover of clock sources based on priorities, complete the
following tasks:
l Configuring an external clock reference source and its signal type on the device.
Data Preparation
To configure protection switchover of clock sources based on priorities, you need the priorities
of different clock sources.
Context
Do as follows on all CX device in the clock synchronization network:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-05-30)
Step 2 Run:
The CX device is configured to automatically select clock sources.
NOTE
If the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 |
2msync-2 ] command to enable the system to automatically select clock sources. By default, the CX
device automatically selects clock sources.
Step 3 Run:
clock run-mode normal
Set the Ethernet Equipment Clock (EEC) to work in normal mode.
By default, the EEC work in normal mode.
----End
9.6.3 Disabling SSM
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
clock ssm-control off
SSM is disabled.
NOTE
When SSM is disabled, the CX device selects a clock source based on priorities.
----End
9.6.4 Setting Priorities of Clock Reference Sources
Context
Do as follows on all CX devices in the clock synchronization network.
Procedure
l Setting priorities for the clock reference sources BITS and 1588
1. Run:
system-view
9-15
2. Run:
clock source { bits0 | bits1 | bits2 | ptp } priority priority-value
Priorities are set for the clock reference sources BITS and 1588.
Repeat the preceding step to configure priorities for multiple clock reference
sources.
You can set the same priority for multiple clock reference sources. The clock
reference source is selected according to the priority. In the case of the same
priority, the clock reference source is selected based on the type of the clock
reference source and port number.
l Setting the priority of a clock reference source on the interface
1. Run:
system-view
2. Run:
or
3. Run:
clock [ 2msync-1 | 2msync-2 ] priority priority-value
The priority of the clock reference source on the interface is set.
----End
Context
Procedure
Step 1 Run:
----End
9.7 Configuring Ethernet Clock Synchronization
Ethernet clock synchronization implements clock synchronization among devices on an IP
bearer network.
9.7.2 Enabling Ethernet Clock Synchronization
Issue 01 (2011-05-30)
9.7.3 Configuring Ethernet Clock Source
As shown in Figure 9-2, the IP and Ethernet technology is adopted on the IP bearer network
between the Radio Network Controller (RNC) and the Base Transceiver Station (BTS) in the
application of wireless service. The clock signals sent by the devices on the bearer network are
sent to the data communication devices that connect the BTS after pass through the Ethernet
clock synchronization. The Ethernet clock synchronization can ensure reliable quality of clock
transmission.
Figure 9-2 Networking diagram of applying Ethernet clock synchronization
BTS
FE
FE
BTS
BTS
GE
GE GE
CX-C
CX-B
GE
RNC
BITS
FE
CX-A

Before configuring the Ethernet clock synchronization, complete the following tasks:
l Configuring the parameters of the link layer protocols and assign IP addresses to the
interfaces so that the link layer protocol status of the interface is Up.
l Configuring a static route or the Interior gateway protocol (IGP) protocol to so that there
is reachable IP route between the nodes.
Data Preparation
To configure the Ethernet clock synchronization, you need the following data.
l Slot number, sub-card number, and port number of the Ethernet clock source
9-17
9.7.2 Enabling Ethernet Clock Synchronization
Context
NOTE
Ethernet clock signals can be transmitted only after the Ethernet clock synchronization is enabled on all
the CX device in an IP bearer network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The Ethernet clock synchronization is enabled.
----End
9.7.3 Configuring Ethernet Clock Source
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
or
Step 3 Run:
The Ethernet clock synchronization function is enabled.
Step 4 Run:
clock [ 2msync-1 | 2msync-2 ] priority priority-value
The priority of the clock reference source is configured.
Issue 01 (2011-05-30)
Step 5 Run:
clock ssm { dnu | prc | sec | ssua | ssub | unk }
The SSM level of the clock source is configured.
----End
Context
Procedure
l Run:
View information about the attributes of the clock source.
----End
9.8 Configuration Examples of Clock Synchronization
This section provides examples for configuring clock protection switching and for configuring
Ethernet clock synchronization.
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the CX600-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
9.8.1 Example for Configuring Protection Switchover of Clock Sources
9.8.1 Example for Configuring Protection Switchover of Clock
Sources
As shown in Figure 9-3, there are two BITS clock sources on the network, and the master BITS
clock source is used to synchronize the clock of the entire network. If the NEs cannot trace the
clock signal from the master BITS clock source, they change to trace the clock signal from the
slave BITS clock source. As shown in Figure 9-3, CX- A to CX- F trace the clock signal from
BITS0. The figure shows the direction of clock tracing in normal situations.
9-19
Figure 9-3 Networking diagram of configuring clock source tracing
BITS 0
BITS 1
GE1/0/0
W
GE1/0/0 E
W
GE2/0/0
E
GE1/0/0
40.1.1.2
W
GE1/0/0
40.1.1.1
E GE2/0/0
50.1.1.1
W
GE2/0/0
30.1.1.2
E
GE2/0/0
30.1.1.1
W
GE1/0/0
20.1.1.2
E
GE1/0/0
20.1.1.1
W
GE2/0/0
10.1.1.2
E
GE2/0/0
10.1.1.1
CX-A
CX-B CX-F
CX-C
CX-D
CX-E

1. Configure the external BITS clock signal types of CX- A and CX- D.
2. Configure the priorities of all clock sources for the CX device.
Data Preparation
Table 9-1 Clock sources of all CX device and the priorities
CX- Current Clock
Source
Available Clock
Sources
Priority
CX-A BITS0 BITS0 1
CX-A BITS0 GE1/0/0 2
CX-A BITS0 Internal clock 3
CX-B GE1/0/0 GE1/0/0 1
CX-B GE1/0/0 GE2/0/0 2
CX-B GE1/0/0 Internal clock 3
Issue 01 (2011-05-30)
CX- Current Clock
Source
Available Clock
Sources
Priority
CX-C GE2/0/0 GE2/0/0 1
CX-C GE2/0/0 GE1/0/0 2
CX-C GE2/0/0 Internal clock 3
CX-D GE1/0/0 GE1/0/0 1
CX-D GE1/0/0 BITS1 2
CX-D GE1/0/0 Internal clock 3
CX-E GE1/0/0 GE1/0/0 1
CX-E GE1/0/0 GE2/0/0 2
CX-E GE1/0/0 Internal clock 3
CX-F GE2/0/0 GE2/0/0 1
CX-F GE2/0/0 GE1/0/0 2
CX-F GE2/0/0 Internal clock 3

Procedure
Step 1 Connect the CX device and the BITS clock sources as shown inFigure 9-3
Step 2 Configure the IP addresses of the interfaces.
The details are not mentioned here.
Step 3 Set the priorities of all clock sources for the CX device as shown inFigure 9-3.
# Configure CX-A
<CX-A> system-view
[CX-A] clock ethernet-synchronization enable
[CX-A] clock source bits0 synchronization enable
[CX-A] clock source bits0 ssm prc
[CX-A] clock source bits0 priority 1
[CX-A] interface GigabitEthernet 1/0/0
[CX-A-GigabitEthernet1/0/0] clock synchronization enable
[CX-A-GigabitEthernet1/0/0] clock priority 2
[CX-A-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-A-GigabitEthernet2/0/0] clock synchronization enable
# Configure CX-B
<CX-B> system-view
[CX-B] clock ethernet-synchronization enable
[CX-B] interface GigabitEthernet 1/0/0
[CX-B-GigabitEthernet1/0/0] clock synchronization enable
[CX-B-GigabitEthernet1/0/0] clock priority 1
[CX-B-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-B-GigabitEthernet2/0/0] clock synchronization enable
[CX-B-GigabitEthernet2/0/0] clock priority 2
# Configure CX-C
9-21
<CX-C> system-view
[CX-C] clock ethernet-synchronization enable
[CX-C] interface GigabitEthernet 1/0/0
[CX-C-GigabitEthernet1/0/0] clock synchronization enable
[CX-C-GigabitEthernet1/0/0] clock priority 2
[CX-C-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-C-GigabitEthernet2/0/0] clock synchronization enable
[CX-C-GigabitEthernet2/0/0] clock priority 1
# Configure CX-D
<CX-D> system-view
[CX-D] clock ethernet-synchronization enable
[CX-D] clock source bits1 synchronization enable
[CX-D] clock source bits1 ssm ssua
[CX-D] clock source bits1 priority 2
[CX-D] interface GigabitEthernet 1/0/0
[CX-D-GigabitEthernet1/0/0] clock synchronization enable
[CX-D-GigabitEthernet1/0/0] clock priority 1
[CX-D-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-D-GigabitEthernet2/0/0] clock synchronization enable
# Configure CX-E
<CX-E> system-view
[CX-E] clock ethernet-synchronization enable
[CX-E] interface GigabitEthernet 1/0/0
[CX-E-GigabitEthernet1/0/0] clock synchronization enable
[CX-E-GigabitEthernet1/0/0] clock priority 1
[CX-E-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-E-GigabitEthernet2/0/0] clock synchronization enable
[CX-E-GigabitEthernet2/0/0] clock priority 2
# Configure CX-F
<CX-F> system-view
[CX-F] clock ethernet-synchronization enable
[CX-F] interface GigabitEthernet 1/0/0
[CX-F-GigabitEthernet1/0/0] clock synchronization enable
[CX-F-GigabitEthernet1/0/0] clock priority 2
[CX-F-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[CX-F-GigabitEthernet2/0/0] clock synchronization enable
[CX-F-GigabitEthernet2/0/0] clock priority 1
Step 4 Check the clock source attributes of CX- A.
<CX-A> display clock source
System trace source State: lock mode
into pull-in range
Current system trace source: bits0
Current 2M-1 trace source: system PLL

Master board
source Pri(sys/2m-1/2m-2) In-SSM Out-SSM State
--------------------------------------------------------------------------
bits0 1 /---/--- prc dnu normal
GigabitEthernet1/0/0 2 /---/--- dnu prc normal
GigabitEthernet2/0/0 ---/---/--- dnu prc normal

Slave board
source In-SSM Out-SSM State
--------------------------------------------------------------------------
bits0 prc dnu normal
Step 5 Check the clock source attributes of other CX device.
# The displayed information about CX- B, CX- C, CX- D, CX- E, and CX- F is similar. The
following uses CX- B as an example.
Issue 01 (2011-05-30)
<CX-B> display clock source
System trace source State: lock
mode
into pull-in
range
Current system trace source:
GigabitEthernet1/0/0
Current 2M-1 trace source: system
PLL
Current 2M-2 trace source: system
PLL

Master
board
source Pri(sys/2m-1/2m-2) In-SSM Out-SSM
State

--------------------------------------------------------------------------

GigabitEthernet1/0/0 1 /---/--- prc dnu
normal
GigabitEthernet2/0/0 2 /---/--- dnu prc
normal

Slave
board
source In-SSM Out-SSM
State
--------------------------------------------------------------------------
When the master BITS clock source fails, all NEs trace the clock signal from the slave BITS
clock source.
The following takes CX- A as an example.
# Run the following command on CX- A.
<CX-A> display clock source
System trace source State: lock mode
into pull-in range
Current system trace source:
GigabitEthernet1/0/0

Master board
source Pri(sys/2m-1/2m-2) In-SSM Out-SSM State
--------------------------------------------------------------------------
bits0 1 /---/--- prc ssua
abnormal
GigabitEthernet1/0/0 2 /---/--- ssua dnu normal
GigabitEthernet2/0/0 ---/---/--- ssua ssua normal

Slave board
source In-SSM Out-SSM State
--------------------------------------------------------------------------
bits0 prc ssua abnormal
# After the connection between the BITS clock source and CX- A is closed, all CX device
perform clock source tracing switchover/
Figure 9-4shows the clock source tracing after the connection between the BITS clock source
and CX- A is closed.
9-23
Figure 9-4 Networking diagram of the clock source tracing after the connection between the
BITS clock source and CX- A is closed
W
E
W
E
W
E
W
E
W
E
W
E
CX-A
CX-B CX-F
CX-C
CX-D
CX-E
BITS 1

----End
Configuration Files
l CX-A Configuration Files
#
sysname CX-A
#
clock source bits0 priority 1
clock source bits0 ssm prc
clock source bits0 synchronization enable
#
undo shutdown
clock priority 2
#
undo shutdown
#
return
l CX-B Configuration Files
#
sysname CX-B
#
#
undo shutdown
clock priority 1
#
Issue 01 (2011-05-30)
undo shutdown
clock priority 2
#
return
l CX-C Configuration Files
#
sysname CX-C
#
#
undo shutdown
clock priority 2
#
undo shutdown
clock priority 1
#
return
l CX-D Configuration Files
#
sysname CX-D
#
clock source bits1 priority 2
clock source bits1 ssm ssua
clock source bits1 synchronization enable
#
undo shutdown
clock priority 1
#
undo shutdown
#
return
l CX-E Configuration Files
#
sysname CX-E
#
#
undo shutdown
clock priority 1
#
undo shutdown
clock priority 2
#
return
l CX-F Configuration Files
#
sysname CX-F
#
#
9-25
undo shutdown
clock priority 2
#
undo shutdown
clock priority 1
#
return
Issue 01 (2011-05-30)
10 Device Maintenance
About This Chapter
With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
10.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
10.2 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one
MPU, confirm the action before powering off the MPU.
10.3 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.
10.4 Powering off the NPU
This section describes how to power off the NPU.
10.5 Powering off the LPU
When the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.
10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to
bind a valid Global Trotter License (GTL) file to the NPU.
10.7 Switching Between the Operation Modes of the LPUF-10
You can run a command to configure the LPUF-10 to work in either FR or ATM mode.
10.8 Configuring the CMU
10.9 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.
10.10 Monitoring the Device Status
Monitoring the device status facilitates fault location and cause analysis.
10.11 Board Maintence
Board Maintenance involves resetting a board and clearing the maximum CPU usage.
10.12 Configuring NAP-based Remote Deployment
Configuration Guide - Basic Configurations 10 Device Maintenance
10-1
Using NAP, you can remotely log in to devices with empty configurations to implement remote
deployment.
10.13 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common
device maintenance operations.
Issue 01 (2011-05-30)
10.1 Introduction of Device Maintenance
10.1.1 Overview of Device Maintenance
10.1.2 Maintenance Features Supported by the CX600
The CX600boards to be powered off and allows the operation status to be monitored.
10.1.1 Overview of Device Maintenance
Concept
The stable running of a CX devicedepends on the mature network planning and the routine
maintenance. In addition, fast location of the hidden hazards is necessary.
The maintenance personnel must check the alarm information in time and deal with the fault
properly to keep the device in normal operation and reduce the failure rate. Thus, the system
runs in a safe, stable, and reliable environment.
Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal
operation of the CX device.
10.1.2 Maintenance Features Supported by the CX600
The CX600boards to be powered off and allows the operation status to be monitored.
Powering off
You can power on or power off the boards through command lines to perform hot plugging
without interrupting the services on the CX device.
Monitoring
In routine maintenance of the device, you can run the display commands to view the working
status of the CX device. This can help the maintenance personnel fast locate the fault during the
troubleshooting procedure.
10.2 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one
MPU, confirm the action before powering off the MPU.
Before powering off the MPU, familiarize yourself with the applicable environment, complete
10-3
10.2.2 Powering off the Slave MPU
When the MPU is faulty or you need to routinely maintain the MPU, you can power off the
MPU.
After the MPU is powered off, you can run the display device command to check whether the
MPU has been powered off.
Before powering off the MPU, familiarize yourself with the applicable environment, complete
The two Main Processing Units (MPUs) are in 1:1 backup mode. During operation, one MPU
serves as the master MPU and the other as the slave MPU. Remove the MPUs in the following
situations:
l Maintenance of the MPU such as dust removing
l Upgrade of the hardware on the MPUs such as memory capacity extending
l Failure of the MPU
Before powering off the MPU, complete the following tasks:
l Checking the slot of the MPU to be powered off
l Running the display device command to check the status of the MPU
If the MPU is the master MPU, perform the master and slave switchover first.
Data Preparation
To power off the MPU, you need the following data.
No. Data
1 Slot number of the MPU to be powered off

10.2.2 Powering off the Slave MPU
When the MPU is faulty or you need to routinely maintain the MPU, you can power off the
MPU.
Issue 01 (2011-05-30)
Context
WARNING
The CX device cannot work with a single MPU for a long time. If the single MPU fails, the
whole system breaks down. After powering off the slave MPU, restore the MPU immediately.
Do as follows on the CX device to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The slave MPU is powered off.
NOTE
If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline)
button. The OFL button is in the upper part of the slave MPU. Press the button for six seconds.
If the OFL indicator is on, it means that the slave MPU is powered off successfully.
----End
After the MPU is powered off, you can run the display device command to check whether the
MPU has been powered off.
Context
Procedure
l Run:
display device
Check the registration of the SRU/MPU.
----End
Example
After the power-off operation, run the display device command. If the slave SRU/MPU is in
the abnormal state, it means that the operation succeeds. For example:
<HUAWEI> display device
CX600-X16's Device status:
Slot # Type Online Register Status Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
5 LPU Present Registered Normal NA
10-5
17 MPU Present Unregistered Abnormal Slave
18 MPU Present NA Normal Master
19 SFU Present Registered Normal NA
23 CLK Present Registered Normal NA
25 PWR Present Registered Normal NA
27 FAN Present Registered Normal NA
10.3 Powering off the SFU
NOTE
SFUs are not supported on the X1 and X2 models of the CX600.
Before powering off the SFU, familiarize yourself with the applicable environment, complete
10.3.2 Powering off the SFU
You can power off the SFU by using a command or pressing the OFL button.
After the SFU is powered off, you can run the display device command to check whether the
SFU has been powered off.
Before powering off the SFU, familiarize yourself with the applicable environment, complete
During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 load
balancing mode. Remove the SFUs in the following situations:
l Maintenance of the SFU such as dust removing
l Failure of the SFU and replacement or repair of the SFU
Before powering off the SFU, complete the following tasks:
l Checking the slot of the SFU to be powered off
Issue 01 (2011-05-30)
Data Preparation
To power off the SFU, you need the following data.
No. Data
1 Slot number of the SFU to be powered off

10.3.2 Powering off the SFU
You can power off the SFU by using a command or pressing the OFL button.
Context
Procedure
Step 1 Run:
The SFU is powered off.
NOTE
SFU is not supported on the X1 and X2 models of the CX600.
If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button.
The OFL button is in the upper part of the slave SFU. Press the button for six seconds. If the OFL indicator
is on, it means that powering off the SFU succeeds.
----End
After the SFU is powered off, you can run the display device command to check whether the
SFU has been powered off.
Context
Procedure
Step 1 Run:
display device
Check the registration of the SFU.
----End
Example
After the power-off operation, run the display device command. If the SFU is in the unregistered
state, it means that the operation succeeds. For example:
10-7
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
17 MPU Present Registered Normal Slave
19 SFU Present Unregistered Abnormal NA
10.4 Powering off the NPU
This section describes how to power off the NPU.
NOTE
NPUs are only supported on the X1 and X2 models of the CX600.
10.4.2 Powering off the NPU
Remove the NPU in the following situations:
l Maintenance of the NPU such as dust removing
l Failure of the NPU and replacement or repair of the NPU
Before powering off the NPU, complete the following tasks:
None.
Data Preparation
To power off the NPU, you need the following data.
Issue 01 (2011-05-30)
No. Data
1 Slot number of the NPU to be powered off

10.4.2 Powering off the NPU
Context
Procedure
Step 1 Run:
The NPU is powered off.
NOTE
If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button.
The OFL button is in the upper part of the slave NPU. Press the button for six seconds. If the OFL indicator
is on, it means that powering off the NPU succeeds.
----End
Context
Procedure
Step 1 Run:
display device
Check the registration of the NPU.
----End
Example
After the power-off operation, run the display device command. If the NPU is in the unregistered
state, it means that the operation succeeds. For example:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 NPU Present Unregistered Abnormal NA
2 PIC Present Registered Normal NA
10-9
12 CLK Present Registered Normal Master
10.5 Powering off the LPU
Before powering off the LPU, familiarize yourself with the applicable environment, complete
10.5.2 Powering off the LPU
You can power off the LPU by using a command or pressing the OFL button.
After the LPU is powered off, you can run the display device command to check whether the
LPU has been powered off.
Before powering off the LPU, familiarize yourself with the applicable environment, complete
Power off the LPU in the following situations:
l Maintenance of the LPU such as dust removing
l Failure of the LPU and replacement of the LPU
Before powering off the LPU, you need finish the following task:
l prepare a slave LPU.
Data Preparation
To power off the LPU, you need the following data:
No. Data
1 The slot number of the LPU to be powered off
2 A slave LPU whose board type and Physical Interface Card (PIC) type are the same
as those of the LPU to be powered off

Issue 01 (2011-05-30)
10.5.2 Powering off the LPU
You can power off the LPU by using a command or pressing the OFL button.
Context
Procedure
Step 1 Run:
The LPU is powered off.
NOTE
l To power off the sub-cards of the FPICs, Run:power off slot slot-id card card-idcommand.
l If there is no terminal on the deployment site, you can power off the LPU by using the OFL button.
The OFL button is in the upper part of the LPU. Press the button for six seconds. If the OFL indicator
is on, it means that powering off the LPU succeeds.
----End
After the LPU is powered off, you can run the display device command to check whether the
LPU has been powered off.
Context
Procedure
l Run:
display device
Check the registration of the LPU.
----End
Example
After the power-off operation, run the display device command. If the LPU is in the unregistered
state, it means that the operation succeeds. Take powering off the LPU in slot 5 for example:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
5 LPU Present Unregistered Abnormal NA
10-11
10.6 Restoring the Bandwidth of 10GE LAN/WAN
Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to
bind a valid Global Trotter License (GTL) file to the NPU.
NOTE
NPUs are only supported on the X1 and X2 models of the CX600.
Before restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s ,
accurately.
10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s
To restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s , you need
to bind a valid Global Trotter License (GTL) file to the NPU.
After enabling the 10GE LAN/WAN interface on an NPU, you can check the current PIC cards
on the device.
Before restoring the bandwidth of 10GE LAN/WAN interfaces on the NPU to 10 Gbit/s ,
accurately.
Application Environment
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore
the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.
None.
Data Preparation
To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the following
data.
Issue 01 (2011-05-30)
No. Data
1 GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s

10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on
an NPU to 10 Gbit/s
To restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s , you need
to bind a valid Global Trotter License (GTL) file to the NPU.
Context
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore
the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.
Procedure
Step 1 Run:
license active file-name
The GTL file for enabling 10GE LAN/WAN interfaces is activated.
Step 2 Run:
system-view
Step 3 Run:
slot slot-id
The slot view is displayed.
Step 4 Run:
active 10ge-interface
The GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is bound
to the NPU.
NOTE
The active 10ge-interface command takes effect only in the view of the slot where the NPU resides.
After binding the GTL file to the NPU, you are recommended to run the save command to save the
configuration. Otherwise, you need to bind the GTL file again once the device is restarted.
----End
After enabling the 10GE LAN/WAN interface on an NPU, you can check the current PIC cards
on the device.
Context
Run the following command to check the previous configuration.
10-13
Procedure
Step 1 Run the display device pic-status command to view the current PIC cards on the device.
----End
Example
# View the current PIC cards on the device.
<HUAWEI> display device pic-status
Pic-status information in Chassis 1:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SLOT PIC Status Type Port_count Init_result Logic down
7 0 Registered LAN_WAN_2x10GX_V_CARD 2 SUCCESS SUCCESS
7 6 Registered ETH_8xGF_B_CARD 8 SUCCESS SUCCESS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
10.7 Switching Between the Operation Modes of the
LPUF-10
You can run a command to configure the LPUF-10 to work in either FR or ATM mode.
NOTE
LPUF-10 is not supported on the X1 and X2 models of the CX600.
Before configuring the operation mode of the LPUF-10, familiarize yourself with the applicable
10.7.2 Switching Between the Operation Modes of the LPUF-10
FR and ATM services cannot be configured together on the LPUF-10.
After the operation mode of the LPUF-10 is configured, you can check the configuration.
Before configuring the operation mode of the LPUF-10, familiarize yourself with the applicable
When configuring FR or ATM services on the LPUF-10, you need to manually switch the
operation mode of the LPUF-10. An LPUF-10 can operate in either of the following modes:
l support-atm mode
When operating in support-atm mode, the LPUF-10 can support ATM services, instead of
FR services.
l support-fr mode
Issue 01 (2011-05-30)
When operating in support-fr mode, the LPUF-10 can support FR services, instead of ATM
services.
Before switching the operation mode of the LPUF-10, complete the following task:
l Identifying the current operation mode of the LPUF-10
Data Preparation
To switch the operation mode of the LPUF-10, you need the following data.
No. Data
1 Slot ID of the LPU and the ID of the subcardwhose operation mode needs to be
switched

10.7.2 Switching Between the Operation Modes of the LPUF-10
FR and ATM services cannot be configured together on the LPUF-10.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
slot slot-id
The slot view is displayed.
Step 3 Run:
switch lpuf work-mode {support-atm | support-fr}
The operation mode of the LPUF-10 is switched.
----End
10-15
Follow-up Procedure
NOTE
l FR and ATM services are mutually exclusive on an LPUF-10.
l When the board is switched to a slot where FR is configured for a POS interface, the operation mode
of the LPUF-10 is automatically switched to support-fr. The FR configuration for the POS interface
needs to be deleted if ATM services are required to be configured.
l If the operation mode of the board is not set, the board adopts the support-atm mode by default when
starting.
After the operation mode of the LPUF-10 is configured, you can check the configuration.
Context
Run the following command to check the previous configuration.
Procedure
Step 1 Run the display work-mode [slot slot-id] command to view the operation mode of the board.
----End
Example
# View the current operation mode of the board in slot 1.
<HUAWEI> display work-mode slot 1
CX600-X8's current work-mode on lpuf-10:
Slot Type Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 LPUF-10 SUPPORT-ATM
10.8 Configuring the CMU
Before Configuring Monitor Items for a CMU, familiarize yourself with the applicable
10.8.2 Configuring Monitor Items for a CMU
Before Configuring Monitor Items for a CMU, familiarize yourself with the applicable
In remote and unattended equipment rooms, CX device providing the environment monitoring
function can monitor the working environment in real time. Upon receiving an input signal
Issue 01 (2011-05-30)
indicating that a specific environment variable is abnormal, a CX device will generate an alarm.
Then, the maintenance personnel can take immediate actions to adjust the environment variable,
without having to wait on site for environment monitoring. This effectively reduces equipment
room maintenance costs for carriers.
The CMU on the AUXQ can be connected to an environment monitoring device. Based on the
received input signals from the environment monitoring device, the CMU generates an alarm
and reports the alarm to the NMS so that the maintenance personnel can be informed of the
problem and come to the site to address the problem.
None.
Data Preparation
None.
10.8.2 Configuring Monitor Items for a CMU
Prerequisite
In remote and unattended equipment rooms, CX device providing the environment monitoring
function can monitor the working environment in real time. Upon receiving an input signal
indicating that a specific environment variable is abnormal, a CX device will generate an alarm.
Then, the maintenance personnel can take immediate actions to adjust the environment variable,
without having to wait on site for environment monitoring. This effectively reduces equipment
room maintenance costs for carriers.
The CMU on the AUXQ can be connected to an environment monitoring device. Based on the
received input signals from the environment monitoring device, the CMU generates an alarm
and reports the alarm to the NMS so that the maintenance personnel can be informed of the
problem and come to the site to address the problem.
Procedure
Step 1 Run:
system-view
Step 2 Run:
cmu-switch switch-id slot slot-id name { voltage | door | humidity | fog |
temperature } alarm-mode { 0 | 1 }
Monitor items such as objects to be monitored and an alarm mode are configured for a CMU.
NOTE
A CX device can monitor four types of environment variables at a time. You need to run the cmu-
switch command to configure each environment variable that needs to be monitored and the associated
alarm mode.
----End
10-17
10.9 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.
Context
NOTE
The X1 and X2 models of the CX600 do not have air filter.
10.9.2 Configuring a Cleaning Cycle for the Air Filter
10.9.3 Remonitoring the Cleaning Cycle of the Air Filter
You need to clean the air filter after the air filter has been running for a period of time.
None.
Data Preparation
To configure a cleaning cycle for the air filter, you need the following data.
No. Data
1 Cleaning cycle of the air filter

10.9.2 Configuring a Cleaning Cycle for the Air Filter
Context
Procedure
Step 1 Run:
system-view
Step 2 Run
dustproof check-timer day days
Issue 01 (2011-05-30)
The cleaning cycle for the air filtered is configured.
NOTE
The air filter is a component without memory. All the monitored information is saved on the MPU, which
may be inserted, removed, switched, or replaced during usage. Therefore, the monitoring cycle may differ
from the set cycle, but this does not affect the monitoring function.
----End
10.9.3 Remonitoring the Cleaning Cycle of the Air Filter
Context
The system generates an alarm about cleaning the air filter. After ensuring that the air filter is
cleaned or does not need to be cleaned, you need to clear the alarm and remonitor the cleaning
cycle of the air filter.
Procedure
Step 1 Run:
reset dustproof run-time
The alarm is cleared. The cleaning cycle of the air filter is monitored.
----End
Procedure
Step 1 Run:
display dustproof
Information about the air filter is displayed.
----End
Example
Run the display dustproof command. You can view information about the cleaning cycle of
the air filter, the last time when the air filter was cleaned (referring to the time on the CX
device), how many days the router had been run since the previous cleaning, and how long the
alarm about cleaning the air filter exists. For example:
<HUAWEI> display dustproof
Clean Dustproof-Net cycle : 365(days)
Last clean date : 2009/02/07
Up to last clean days : 1(day)
Clean alarm existence days: 0(day)
10-19
10.10 Monitoring the Device Status
Monitoring the device status facilitates fault location and cause analysis.
10.10.1 Displaying the System Version Information
The system version information includes the system software version and various hardware
versions.
10.10.2 Displaying Basic Information About the Router
The basic information includes detailed information about the LPU, MPU, SFU, clock board,
power supply, and fan module.
10.10.3 Displaying the Electronic Label
The electronic label information includes the type of the board/card, bar code, BOM code,
English description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM code.
10.10.4 Displaying the Soft Boot Mode
By default, the soft boot mode function is automatically enabled, which shortens the time spent
on system restart.
10.10.5 Displaying the Threshold of the Memory Usage
By specifying the slot ID, you can check the memory usage of the MPU or of the LPU.
10.10.6 Displaying the Threshold of CPU Usage
By specifying the slot ID, you can check the CPU usage of the MPU or of the LPU.
10.10.7 Displaying Alarm Information
The alarm information includes the alarm level, alarm date and time, and alarm description.
10.10.8 Displaying the Board Temperature
The temperature information includes the temperature status of each board, temperature alarm
thresholds of a board, and actual temperature of a board.
10.10.9 Displaying the Board Voltage
The voltage information includes the number of voltage sensors on each board, working voltage
sensor of each board, working status of the voltage sensor on each board, and voltage alarm
thresholds of each board.
10.10.10 Displaying the Power Supply Status
The power supply information includes the slot ID of the power supply module, whether the
power supply module is registered, working mode of the power supply module, and cable status
of the power supply module.
10.10.11 Displaying Current Information About Boards
10.10.12 Displaying Entironment Information About the Device
You can check environment information about the device that is installed with an environment
monitoring board.
10.10.13 Displaying the Fan Status
The fan status information includes the slot ID of the fan module, whether a fan module is
registered, registration status, working status of the fan module, and speed mode of the fan
module.
10.10.14 Displaying the Sequence Number of the MPU
Each MPU has a globally unique equipment serial number (ESN).
Issue 01 (2011-05-30)
10.10.15 Displaying the Next Start Mode of the Board
A board supports two startup modes, namely, fast startup and normal startup.
10.10.16 Displaying the Number of the Registered SFUs By Default
The number of actually used SFUs must be greater than the number of SFUs that the system
requires for registration by default; otherwise, an alarm will be generated.
10.10.1 Displaying the System Version Information
The system version information includes the system software version and various hardware
versions.
Procedure
Step 1 Run:
display version
The system version information is displayed.
In practice, using this command in any view, you can view the system version information. The
main information is as follows:
l System software version
l Hardware and software version of the MPUs
l Hardware and software version of the SFUs
l Hardware and software version of the LPUs
.
l Hardware and software version of the Fan and Black Plane
.
----End
10.10.2 Displaying Basic Information About the Router
The basic information includes detailed information about the LPU, MPU, SFU, clock board,
power supply, and fan module.
Procedure
Step 1 Run:
display device [ pic-status | slot-id]
Basic information about the CX device is displayed.
In practice, using this command in any view, you can view the basic device information. Enter
slot-id to view information about the board in the specified slot.
l Choose a board in a certain slot. You can view basic information about this board.
l Run:
display device pic-status
Basic information about the PIC card of the LPU is displayed.
----End
10-21
10.10.3 Displaying the Electronic Label
The electronic label information includes the type of the board/card, bar code, BOM code,
English description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM code.
Procedure
Step 1 Run:
display elabel [ backplane | slot-id ]
The electronic label is displayed.
In practice, using this command in the user view, you can view information about the electronic
label of the boards. Enter slot-id to view information about the electronic label of the board in
the specified slot.
NOTE
For the range of numbers of the slots on the CX device, refer to the HUAWEI CX600 Metro Services
Platform Hardware Description.
Information displayed includes the type of the board and PIC card, bar code, BOM, English
description, production date, supplier name, issuing number, CLEI (Common Language
Equipment Identification) code, and sales BOM.
NOTE
You can back up the electronic label of the specified board in the following methods:
l Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label to the
CF card on the CX device.
l Run the backup elabel ftp host filename username password [ backplane | slot-id ] command to back
up the electronic label to the specified FTP server.
----End
10.10.4 Displaying the Soft Boot Mode
By default, the soft boot mode function is automatically enabled, which shortens the time spent
on system restart.
Procedure
Step 1 Run the display system soft-bootmode command, you can view the soft boot mode.
NOTE
By default, the soft boot mode function is automatically enabled, which shortens the time spent on system
startup during reset. You can run the undo set system soft-bootmode command in the system view to
disable the boot function as required.
----End
10.10.5 Displaying the Threshold of the Memory Usage
By specifying the slot ID, you can check the memory usage of the MPU or of the LPU.
Issue 01 (2011-05-30)
Procedure
Step 1 Run:
display memory-usage [ slave | slot slot-id ]
The threshold of the memory usage of the main MPU and LPU are displayed.
NOTE
To set the threshold of the memory usage in the main MPU and LPU, you can run the set memory-usage
threshold threshold [ slot slot-id ]command.
----End
10.10.6 Displaying the Threshold of CPU Usage
By specifying the slot ID, you can check the CPU usage of the MPU or of the LPU.
Procedure
Step 1 Run:
display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ]
[ history ]
The threshold of the CPU usage of the main MPU and LPU are displayed.
Select the following parameters as required when you run this command:
l entry-number: specifies the number of entries to be displayed.
l offset: specifies the entry with the offset value before the current entry.
l verbose: displays information about each record.
l history: displays history records of the CPU usage.
NOTE
To set the threshold of the CPU usage on the main MPU and LPU, you can run the set cpu-usage
threshold threshold-value [ slave slot slot-id ] command, and run the [ slave | slot slot-id ] command can
display the current configuration of the CPU usage.
----End
10.10.7 Displaying Alarm Information
The alarm information includes the alarm level, alarm date and time, and alarm description.
Procedure
Step 1 Run:
display alarm { slot-id | all }
Information about the alarm is displayed.
In the operation, using this command in any view, you can view current information about the
alarm of the CX device. Alarm information includes the following:
l Alarm level
l Alarm date and time
10-23
l Alarm description
NOTE
After displaying the alarm of the CX device, you can run the clear alarm index index-id { send-trap |
no-trap } command to clear the alarm at the specified index-id.
----End
10.10.8 Displaying the Board Temperature
The temperature information includes the temperature status of each board, temperature alarm
thresholds of a board, and actual temperature of a board.
Procedure
Step 1 Run:
display temperature [ lpu | mpu | sfu | slot slot-id ]
The temperature of the specified board is displayed.
NOTE
l Run the display temperature [ lpu slot slot-id [ pic pic-id ] ] command to view the temperature of the
specified subcard in the specified slot.
l Run the display temperature command to view the temperature of each module of all the boards on
the CX device.
In practice, using this command in any view, you can view the current temperature of the CX
device.The temperature information includes the following:
l Current temperature status of the board
l Threshold to the alarm temperature of the board
l Actual temperature of the board
----End
10.10.9 Displaying the Board Voltage
The voltage information includes the number of voltage sensors on each board, working voltage
sensor of each board, working status of the voltage sensor on each board, and voltage alarm
thresholds of each board.
Procedure
Step 1 Run:
display voltage [ lpu | mpu | sfu | slot slot-id]
The board voltage is displayed.
NOTE
l Run the display voltage [lpu | slot slot-id [pic pic-id]] command to view the voltage of the specified
subcard on the specified LPU.
l Run the display voltage command to view the voltage of all the boards on the CX device.
In practice, using this command in any view, you can view the voltage of all the boards. The
voltage information includes the following:
Issue 01 (2011-05-30)
l Number of the voltage sensors
l Working voltage sensors
l Working status of the voltage sensors
l Alarm field value of the voltage
l Actual board voltage
l Normal working temperature of the voltage sensors
----End
10.10.10 Displaying the Power Supply Status
The power supply information includes the slot ID of the power supply module, whether the
power supply module is registered, working mode of the power supply module, and cable status
of the power supply module.
Procedure
Step 1 Run:
display power[{environment-info|manufacture-info}slot slot-id|slot[slot-id]]
The power supply status is displayed.
In practice, using this command in any view, you can view the power supply status. The displayed
information includes the following:
l Slot number of the power supply module
l Presence status of the power supply module
l Operation mode of the power supply module
l Cable status of the power supply module
----End
10.10.11 Displaying Current Information About Boards
Context
Do as follows on the CX device.
Procedure
Step 1 Run:
display board-current [ slot slot-id ]
Current information about a specified board is displayed.
----End
10.10.12 Displaying Entironment Information About the Device
You can check environment information about the device that is installed with an environment
monitoring board.
10-25
Context
Procedure
Step 1 Run:
display device [ CMU-slotID ]
Entironment information about the device is displayed.
This command is supported only on the CX600-X8 and CX600-X16 on which the entironment
monitoring board is installed and runs normally.
----End
10.10.13 Displaying the Fan Status
The fan status information includes the slot ID of the fan module, whether a fan module is
registered, registration status, working status of the fan module, and speed mode of the fan
module.
Procedure
Step 1 Run:
display fan
The fan status is displayed.
In practice, using this command in any view, you can view the fan status. The information
includes the following:
l Slot number of the fan module
l Presence and registration status of the fan module
l Working status of the fan module
l Fan speed mode of the fan module
----End
10.10.14 Displaying the Sequence Number of the MPU
Each MPU has a globally unique equipment serial number (ESN).
Procedure
Step 1 Run:
display esn
The sequence number of the MPU is displayed. In the operation, using this command in any
view, you can view the sequence number of the MPU on the CX device.
----End
10.10.15 Displaying the Next Start Mode of the Board
A board supports two startup modes, namely, fast startup and normal startup.
Issue 01 (2011-05-30)
Procedure
Step 1 Run:
display bootmode-next
The next start mode of the board is displayed.
In the operation, you can use the command in any view to check the next start mode of each
board on the CX device, including the MPU, LPU, and SFU. The start modes are as follows:
l The fast start mode
l The normal start mode
----End
10.10.16 Displaying the Number of the Registered SFUs By Default
The number of actually used SFUs must be greater than the number of SFUs that the system
requires for registration by default; otherwise, an alarm will be generated.
Context
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
display least sfuboard
The number of the registered SFUs that the device requires by default is displayed.
In the operation, if the number of the SFUs that is actually used is smaller than the number of
the SFUs that the device requires for registration, the trap is generated. Run the least
sfuboardindex-id command to change the number of the SFUs that the device requires for
registration.
----End
10.11 Board Maintence
Board Maintenance involves resetting a board and clearing the maximum CPU usage.
10.11.1 Resetting a Board
You need to back up important data before resetting a board.
10.11.2 Clearing the Maximum CPU Usage
To recalculate the maximum CPU usage, you can clear the original statistics.
10-27
10.11.1 Resetting a Board
You need to back up important data before resetting a board.
Context
In the case that a board is faulty, you can use the reset slot command to reset the board.
WARNING
Back up important data before resetting the board.
Procedure
Step 1 Run:
reset slot slot-id [card card-id]
The board is reset.
NOTE
l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with
the CPU being powered on. If a slave MPU exists, this command performs master/slave MPU
switchover.
l If the board is still abnormal after being reset, contact the Huawei technical support personnel.
----End
10.11.2 Clearing the Maximum CPU Usage
To recalculate the maximum CPU usage, you can clear the original statistics.
Context
CAUTION
The maximum CPU usage cannot be restored after you clear it. So, confirm the action before
you use the command.
To clear the maximum CPU usage statistics, run the following reset command in the system
view.
Procedure
Step 1 Run the reset cpu-usage record [ slot slot-id | slave ] command to clear the maximum CPU
usage.
----End
Issue 01 (2011-05-30)
10.12 Configuring NAP-based Remote Deployment
Using NAP, you can remotely log in to devices with empty configurations to implement remote
deployment.
Context
CAUTION
After the device with an empty configuration is powered on and started, you must make sure
that its interfaces connected to the devices on the current network are Up and support NAP;
otherwise, the function of NAP-based remote deployment cannot take effect.
Before configuring NAP-based remote deployment, familiarize yourself with the applicable
10.12.2 Configuring and Starting the NAP Master Interface
You can assign an IP address to the NAP master interface or use the IP address that is
automatically allocated by the system to start the NAP master interface.
10.12.3 Remote Login
After the neighbor relationship is set up, you can log in to the NAP slave device from the NAP
master device.
10.12.4 Disabling NAP on the Slave Device
If the NAP function is no longer required, you need to disable NAP on the slave interface of the
slave device.
After configuring NAP-based remote deployment, you can view the NAP status globally or on
a specified interface.
Before configuring NAP-based remote deployment, familiarize yourself with the applicable
To deploy devices having empty configurations, you can use NAP to perform remote login to
the devices from a device in the current network. In this manner, you can implement remote
deployment of devices.
Before configuring NAP-based remote deployment, complete the following tasks:
10-29
l Connecting the device having an empty configuration to a device in the current network
via a single hop by using network cables
l Ensuring that the interfaces connecting the device with an empty configuration and the
device in the current network are both in the Up state, and support NAP.
Data Preparation
NOTE
l If the IP addresses used for establishing NAP connections are to be manually configured, you need to
prepare the following data before configuring NAP.
l Conversely, if the IP addresses for establishing NAP connections are to be automatically configured,
you can skip this.
To configure NAP-based remote deployment, you need the following data.
No. Data
1 Two primary IP addresses. The two IP addresses are primary IP addresses for the
master interface and the slave interface respectively, and should be on the same
network segment.
2 Two secondary IP addresses. The two IP addresses are secondary IP addresses for
the master interface and the slave interface respectively, and should be on the same
network segment.

10.12.2 Configuring and Starting the NAP Master Interface
You can assign an IP address to the NAP master interface or use the IP address that is
automatically allocated by the system to start the NAP master interface.
Context
CAUTION
If commands affecting the IP address configuration or IP packet forwarding (such as
configurations and commands related to the VPN, Eth-Trunk, IP-Tunk, or Layer 2 interface)
exist on device of the master interface, NAP enabled on the master interface becomes
unavailable. You are recommended to delete these commands and re-enable NAP.
Do as follows on the CX device to configure and start the NAP master interface.
In NAP, IP addresses can be allocated either automatically or manually.
Procedure
l Automatic allocation of IP addresses
1. Run:
system-view
Issue 01 (2011-05-30)
2. Run:
3. Run:
nap port master
The NAP Master interface is configured and started.
l Manual IP address allocation
Two methods are available for manually allocating IP addresses. You can choose the
method according to actual needs.
You can specify the NAP IP address pool. Then, IP addresses are automatically allocated
to the IP address pool. To use this method, do as follows.
1. Run:
system-view
2. Run:
nap ip-pool ip-address mask-length
An IP address pool is configured for NAP.
The default IP address pool for establishing NAP connections is 10.167.253.0/24. You
can run the nap ip-pool ip-address mask-length command to change the IP address
pool.
NOTE
After NAP is started on the master device, the IP address pool cannot be changed.
3. Run:
4. Run:
nap port master
The NAP Master interface is configured and started.
You can also specify the NAP IP addresses. To use this method, do as follows.
1. Run:
system-view
2. Run:
3. Run:
nap port master
The NAP master interface is configured and started.
4. Run:
nap local-ip mast-inter-mast-ip sub-ip mast-inter-sub-ip peer-ip sub-
inter-mast-ip sub-ip sub-inter-sub-ip mask-length
10-31
IP addresses are configured for establishing NAP connections.
The default IP address pool for establishing NAP connections is 10.167.253.0/24.
When configuring IP addresses, ensure that the primary IP addresses of both the master
and the slave interfaces are on the same network segment, and that the secondary IP
addresses of both the master and the slave interfaces are on the same network segment.
----End
10.12.3 Remote Login
After the neighbor relationship is set up, you can log in to the NAP slave device from the NAP
master device.
Context
Using the display nap interface command, you can view the NAP status of an interface to
ensure that the interface is assigned a correct IP address.
Do as follows on the CX device where the NAP master interface is configured.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
nap login neighbor
The login to the slave device from the master device is performed.
l If the slave device has an empty configuration, you can log in to the slave device from the
master device without a user name and a password.
l If, however, the slave device is configured with user name(s) and password(s), you must
enter the correct user name and password to perform a NAP-based remote login to the slave
device.
NOTE
To ensure security for NAP, the slave device having an empty configuration checks the source address of
the Telnet login. If the Telnet source address is the NAP address of the master device that is telnetting to
the slave device, the slave device allows the master device to directly log in without being authenticated.
This is because by default, the user level of the remote login based on the NAP address is the same as the
login through the console interface, which enjoys the highest user level. If the Telnet source address is not
the NAP address of the master device, the remote login fails.
----End
10.12.4 Disabling NAP on the Slave Device
If the NAP function is no longer required, you need to disable NAP on the slave interface of the
slave device.
Issue 01 (2011-05-30)
Context
The master device has logged in to the slave device through Telnet. The NAP function is no
longer required, and to ensure security of the network, NAP should be globally disabled on the
slave interface of the slave device.
Do as follows on the CX device that is configured as the NAP slave device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo nap slave enable
NAP is disabled on the slave device.
----End
After configuring NAP-based remote deployment, you can view the NAP status globally or on
a specified interface.
Prerequisite
NAP-based remote deployment has been completed.
Procedure
Step 1 Using the display nap status command, you can view the current NAP status.
Step 2 Using the display nap interface [ interface-type interface-number ] command, you can view
the NAP status of the specified interface.
----End
Example
Run the display nap status command to view the current NAP status.
<HUAWEI> display nap status
Slave port status : Enable
Nap ip-pool/Mask : 12.12.12.0/24
Run the display nap interface interface-type interface-number command to view the NAP status
of the specified interface.
<HUAWEI> display nap interface gigabitethernet1/0/1
l If the interface is not assigned an IP address, the following information is displayed.
------------------------------------------------------
NAP master port list:
Port count : 2
------------------------------------------------------
Port property : Master
Current status : DETECTING
10-33
Local port : GigabitEthernet1/0/1
Peer port : GigabitEthernet1/0/1
Local primary ip : NULL
Peer primary ip : NULL
Local secondary ip : NULL
Peer secondary ip : NULL
Hello time : 3s
Linked time : 00:00:00
------------------------------------------------------
Current status : DETECTING
Local primary ip : NULL
Peer primary ip : NULL
Local secondary ip : NULL
Peer secondary ip : NULL
Hello time : 3s
------------------------------------------------------
l If the interface is assigned an IP address, the following information is displayed.
------------------------------------------------------
NAP master port list :
Port count : 2
------------------------------------------------------
Current status : IP-ASSIGNED
Local primary ip : 12.12.12.5
Peer primary ip : 12.12.12.6
Local secondary ip : 12.12.12.9
Peer secondary ip : 12.12.12.10
Hello time : 3s
------------------------------------------------------
Hello time : 3s
------------------------------------------------------
10.13 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common
device maintenance operations.
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the CX600-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
10.13.1 Example for Powering off the MPU
On a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain the
master MPU, you can power off the master MPU after performing the master/slave switchover.
10.13.2 Example for Powering off the SFU
Issue 01 (2011-05-30)
10.13.3 Example for Powering off the LPU
10.13.4 Example for Configuring the Operation Mode of the LPUF-10
You can set the working mode of the LPUF-10 to enable the LPUF-10 to support ATM or FR
services.
10.13.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode
In this example, the temporary neighbor relationship is set up between a CX device and another
CX device that has the empty configuration to implement remote deployment in automatic mode.
10.13.6 Example for Configuring NAP-based Remote Deployment in Static Mode
In this example, the temporary neighbor relationship is set up between the CX device and the
device with the empty configuration and IP addresses are assigned to the CX device and the
device to implement remote deployment in manual mode.
10.13.1 Example for Powering off the MPU
On a dual-MPU router, if the master MPU malfunctions or you need to routinely maintain the
master MPU, you can power off the master MPU after performing the master/slave switchover.
After checking the alarm information, you find that the hardware on the master MPU fails. Then,
check the hardware by powering off the master MPU.
1. Switch the master MPU to the slave MPU through the master and slave switchover.
2. Power off the slave MPU
Data Preparation
l Slot number of the master MPU
l In this example, the slot number of the master MPU is.17
Procedure
Step 1 Perform the master and slave switchover on the CX device.
[HUAWEI] slave switchover enable
Before performing the master and slave switchover, make sure that the user interfaces such as
AUX, console, and VTY are connected to the two MPUs. Otherwise, the users that use the
interfaces connected with the former master MPU automatically quit the login after the master
and slave switchover.
[HUAWEI] slave switchover
Caution!!! Confirm switch slave to master[Y/N]?y
Switching......................................................................
10-35
......
Step 2 Power off the MPU in slot 17.
<HUAWEI> power off slot 17
Caution!!! This command may affect operation by wrong use, please carefully use
it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
# Check the registration status of the MPU. You can view that the MPU in slot 17 is in the
unregistered and abnormal state. It means that powering off the MPU succeeds.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
17 MPU Present Unregistered Abnormal Slave
----End
Configuration Files
None
10.13.2 Example for Powering off the SFU
NOTE
You need to power off the SFUs before dust removing.
l Power off the SFU.
Issue 01 (2011-05-30)
Data Preparation
Slot number of the current SFU In this example, the slot number of the SFU is 19.
Procedure
Step 1 Power off the SFU in slot 19
# Check the registration status of the SRU in slot 19. You can view that the SRU is in the
unregistered and abnormal state. It means that powering off the SRU succeeds.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
19 SFU Present Unregistered Abnormal NA
----End
Configuration Files
None
10.13.3 Example for Powering off the LPU
NOTE
LPUs are not supported on the X1 and X2 models of the CX600.
None
10-37
Replace the failed LPU.
Data Preparation
l Slot number of the LPU that needs replacement
In this example, the slot number of the LPU is 5.
l Service part whose PIC card type and board type are the same as that of the LPU to be
replaced
Procedure
Step 1 Power off the LPU in slot 5.
# Check the registration status of the LPU in slot 51. You can view that the LPU is in the
unregistered and abnormal state. It means that powering off the LPU succeeds.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -
5 LPU Present Unregistered Abnormal NA
----End
Configuration Files
None
Issue 01 (2011-05-30)
10.13.4 Example for Configuring the Operation Mode of the
LPUF-10
You can set the working mode of the LPUF-10 to enable the LPUF-10 to support ATM or FR
services.
NOTE
LPUF-10 is not supported on the X1 and X2 models of the CX600.
It is required that the FR service be configured for the POS interface on the LPUF-10. If the
LPUF-10 operates in support-atm mode, you need to switch the operation mode to support-fr.
1. Check the current operation mode of the LPUF-10.
2. Switch the operation mode of the LPUF-10.
Data Preparation
l Slot number of the LPUF-10, that is, slot 1 in this example
Configuration Procedure
1. Check the operation mode of the LPUF-10 in slot 1. You can find that the LPUF-10 operates
in support-atm mode.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 LPUF-10 SUPPORT-ATM
2. Switch the operation mode of the LPUF-10 to support-fr.
[HUAWEI] slot 1
[HUAWEI-slot-1] switch lpuf work-mode support-fr
Warning: After this operation, ATM cards on this board will be powered off.
Are you sure to switch[Y/N]?y
Now begin to switch the working mode. Please wait.......................
Info: The switch is successful and the current working mode on slot1 is SUPPORT-
FR.
3. Verify the configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 LPUF-10 SUPPORT-FR
You can find that the LPUF-10 in slot 1 operates in support-fr mode.
10-39
Configuration Files
None.
10.13.5 Example for Configuring NAP-based Remote Deployment
in Automatic Mode
In this example, the temporary neighbor relationship is set up between a CX device and another
CX device that has the empty configuration to implement remote deployment in automatic mode.
As shown in Figure 10-1, the user needs to perform a remote login to CX- B from CX- A.
CX- B is the master device, and temporary neighbor relationship is to be set up between CX- B
and CX- C having an empty configuration. CX- B and CX- C need to be directly connected via
a single hop. Both the interfaces connecting CX- B and CX- C should be in the Up state, and
should support NAP.
Figure 10-1 Networking diagram of configuring NAP-based remote deployment
Network
CX-A PC CX-B CX-C

1. Configure a primary IP address and a secondary IP address on CX- B.
2. Configure the NAP master interface on CX- B.
3. Telnet to CX- C from CX- B by means of NAP.
Data Preparation
None
Procedure
Step 1 Configuring the NAP master interface
# Do as follows on CX- B.
[CX-B-GigabitEthernet1/0/1] undo shutdown
[CX-B-GigabitEthernet1/0/1] nap port master
Step 2 Logging in to the slave device from the master device.
Issue 01 (2011-05-30)
# Do as follows on CX- B.
[CX-B-GigabitEthernet1/0/1] nap login neighbor
Trying 10.167.253.10 ...
Connected to 10.167.253.10 ...
<HUAWEI>
Step 3 Shutting down NAP on the slave device.
# Do as follows on CX- C.
[HUAWEI] sysname CX-C
[CX-C] undo nap slave enable
----End
Configuration Files
None
10.13.6 Example for Configuring NAP-based Remote Deployment
in Static Mode
In this example, the temporary neighbor relationship is set up between the CX device and the
device with the empty configuration and IP addresses are assigned to the CX device and the
device to implement remote deployment in manual mode.
As shown in Figure 10-2, the user needs to perform a remote login to CX- B from CX- A.
CX- B is the master device, and temporary neighbor relationship is to be set up between CX- B
and CX- C having an empty configuration. CX- B and CX- C need to be directly connected via
a single hop. Both the interfaces connecting CX- B and CX- C should be in the Up state, and
should support NAP.
Figure 10-2 Networking diagram of configuring NAP-based remote deployment
Network
CX-A PC CX-B CX-C

1. Configure a NAP master interface on CX- B.
10-41
2. Configure an IP address for establishing a NAP connection on CX- B.
3. Use NAP to log in to CX- C from CX- B by means of Telnet.
Data Preparation
l Two primary IP addresses. The two IP addresses are primary IP addresses for the master
interface and the slave interface respectively, and should be on the same network segment.
l Two secondary IP addresses. The two IP addresses are secondary IP addresses for the
master interface and the slave interface respectively, and should be on the same network
segment.
Procedure
Step 1 Configure a NAP master interface on CX- B
[CX-B-GigabitEthernet1/0/1] nap port master
Step 2 Configure an IP address for establishing a NAP connection on CX- B
[CX-B-GigabitEthernet1/0/1] nap local-ip 12.12.12.5 sub-ip 12.12.12.9 peer-ip
12.12.12.6 sub-ip 12.12.12.10 30
Are you sure to continue?[Y/N] y
# After the preceding configuration is complete, run the display nap status command on CX-
B. You can view that NAP has been enabled on CX- B. Then, run the display nap interface
command. You can view that the primary and secondary IP addresses have been assigned to the
master and slave interfaces. For example:
[CX-B-GigabitEthernet1/0/1] display nap status
Slave port status : Enable
Nap ip-pool/Mask : 10.167.253.0/24
[CX-B-GigabitEthernet1/0/1] display nap interface
------------------------------------------------------
NAP master port list
Port count : 1
------------------------------------------------------
Hello time : 3s
------------------------------------------------------
Step 3 Log in to the slave device from the master device.
# Configure CX- B.
[CX-B-GigabitEthernet1/0/1] nap login neighbor
Trying 12.12.12.10 ...
Connected to 12.12.12.10 ...
Issue 01 (2011-05-30)
Step 4 Disable NAP on the slave device.
# Configure CX- C.
[HUAWEI] sysname CX-C
[CX-C] undo nap slave enable
----End
Configuration Files
None
10-43
11 Device Upgrading
About This Chapter
When you need to add new features, optimize existing features, or solve problems in the current
version, you can upgrade the device.
11.1 Overview of Device Upgrade
11.2 Upgrade Modes Supported by the CX600
Configuration Guide - Basic Configurations 11 Device Upgrading
11-1
11.1 Overview of Device Upgrade
A device is upgraded when new features need to be added, existing performance needs to be
optimized, and existing problems in the current version need to be solved.
Application Scenario of Device Upgrade
To perform the following actions, you need to upgrade the CX600:
l Adding new features
l Optimizing the existing performance
l Solving existing problems in the current version
Note
Before upgrading the CX600, pay attention to the following items:
l When upgrading the CX600 at the site, prepare a spare part for each board.
l Obtain the new system software, the Product Adaptive File (PAF) or license file, and the
corresponding documents of the new version from Huawei.
l Back up configuration files, and collect and save service configurations.
l Enable the log function to record all the operations during the upgrade process.
l Check software versions of all modules on each board, including versions of the BootROM,
Firmware, and MonitorBus.
11.2 Upgrade Modes Supported by the CX600
At present, the CX600 can be upgraded by using the command line, mobile storage device, or
BootROM.
Upgrade by Using the Command Line
This mode is applicable for the following situations. For operation details, refer to the "CX600
V600R003C00 Version Upgrade Instructions" of the corresponding system software version.
l The CX600 works properly and uses FTP/TFTP for the upgrade. Other devices can perform
remote login to the CX600.
l The CX600 is upgraded for the first time and has been loaded with the system software
package. Other devices can log in to the CX600 through the serial interface to configure
the IP address or perform remote login to the CX600 through NAP.
Upgrade by Using a Mobile Storage Device ( CF card or USB )
Upgrading the CX600 by using the CF card or USB is mainly used during the engineering stage
or troubleshooting process. Before the upgrade, prepare two CF cards or two USBs.
In this mode, the CX600 is upgraded by replacing the CF card on the master and slave MPU/
SRU with CF cards containing the system software package or inserting a USB to any USB
11 Device Upgrading
Issue 01 (2011-05-30)
interface on the MPU/SRU. For operation details, refer to the "Version Upgrade Instructions"
of the corresponding system software version.
Upgrade by Using BootROM
This mode is applicable for the following situations. For operation details, refer to the "CX600
V600R003C00 Version Upgrade Instructions" of the corresponding system software version:
l The CX600 is upgraded for the first time, but the system software package of the CX600
does not exist or is incorrect.
l After the CX600 is upgraded and restarted, both the master and slave MPUs/SRUs cannot
be registered.
l After the CX600 is upgraded, the master MPU/SRU can be registered but the slave MPUs/
SRUs cannot be registered.
l The MPU/SRU is replaced.
l Other devices cannot log in to the CX600 through Telnet.
Configuration Guide - Basic Configurations 11 Device Upgrading
11-3
12 Patch Management
About This Chapter
Patch management includes checking the running patch, loading patch files, and installing
patches.
12.1 Introduction of Patch Management
This section describes the basics of the patch.
12.2 Checking the Running of Patch in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before
loading a new patch.
12.3 Loading a Patch
Patches can be loaded through FTP, TFTP, or XModem.
12.4 Installing a Patch
To repair the system that has vulnerabilities or defects, you can install a patch on the system.
By installing a patch, you can upgrade the system without upgrading the system software.
12.5 (Optional) Unactivating the activating of Patch
If an installed patch does not take effect, you need to deactivate the patch.
12.6 Configuration Examples of the Patch Management
This section describes some Configuration Examples.
Configuration Guide - Basic Configurations 12 Patch Management
12-1
12.1 Introduction of Patch Management
This section describes the basics of the patch.
12.1.1 Overview of Patch Management
You can install patches to improve system functions.
12.1.2 Patches Supported by the CX600
The CX600 allows patches to be loaded to the system or a certain board.
12.1.1 Overview of Patch Management
You can install patches to improve system functions.
Patch Overview
During the operation of the device, you need to revise the system software sometimes such as
remove the system defects or add new functions for service requirements. We used to upgrade
the software after shutting down the system. This static upgrade affects the service on the device
and does not improve the communication. If we load a patch to the system software, we can
upgrade it online without interrupting the operation of the device. This dynamic upgrade does
not affect the service and can improve the communication.
Patch Area
In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a certain
space is reserved to save the patch. This space is called patch area.
To install the patch, save the patch to the patch area in advance in the memory of the board.
The patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to the
patch area in the memory of the MPU or LPU.
Patch States
Patch status can be idle, deactive, active, and running. For details, seeTable 12-1,
Table 12-1 Patch states
State Description States Conversion
No patch
(idle)
The patch file is saved to the CF
card but not loaded to the patch
area in the memory.
When the patch is loaded to the patch
area, the patch status is set to deactive.
deactive The patch is loaded to the patch
area but disabled.
The patch in the deactive state can be as
follows:
l Uninstalled, that is, deleted from the
patch area.
l Enabled temporarily and turns to the
active state.
12 Patch Management
Issue 01 (2011-05-30)
State Description States Conversion
active The patch is loaded to the patch
area and enabled temporarily.
If the board is reset, the active
patch on that board turns to the
deactive state.
The patch in the active state can be as
follows:
l Uninstalled, that is, deleted from the
patch area.
l Enabled temporarily and turned into
the active state.
l Enabled permanently, and turns to
the running state.
running The patch is loaded to the patch
area and enabled permanently.
If the board is reset, the patch on
the board keeps in the running
state.
The patch in the running state can be
uninstalled and deleted from the patch
area.

Figure 12-1shows the conversion between patch states.
Figure 12-1 Conversion between the statuses of a patch
Deactivated No patch
Running Activated
Delete patch
Delete patch
Run patch
Deactive patch Active patch
Delete patch
Load patch

12.1.2 Patches Supported by the CX600
The CX600 allows patches to be loaded to the system or a certain board.
12-3
Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can
upgrade the system without upgrading the system software.
In some special scenarios, you can install patches specific to an MPU or LPU to optimize board
functions.
Logic Relationships Between Configuration Tasks
Figure 12-2Shows the logic relationships between the configuration tasks.
Figure 12-2 Logical relationships between configuration tasks
Run VRP
Normally run
End
Resort to
technical
support for
new patch
Enable patch
temporarily
Bug removed Disable patch
Unload patch
No
Yes
No
Yes

12.2 Checking the Running of Patch in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before
Before checking the running patch, familiarize yourself with the applicable environment,
12.2.2 Checking the Running of Patch in the System
By running the display patch-information command, you can view information about the
running patch units, activated patch units, and deactivated patch units.
12.2.3 (Optional) Deleting a Patch
The system allows only one patch to run. If there is a running patch, you need to delete it before
12 Patch Management
Issue 01 (2011-05-30)
Before checking the running patch, familiarize yourself with the applicable environment,
At a certain time, the system allows the running of only one patch. Therefore, you need to confirm
no patch is running in the current system before installing a patch. If a patch runs, delete the
patch before installing the new patch.
Before checking the running of patch in the system, complete the following tasks:
l Ensuring that the CX device is started normally after power-on
l Ensuring that the CX device can be logged in to
Data Preparation
None
12.2.2 Checking the Running of Patch in the System
By running the display patch-information command, you can view information about the
running patch units, activated patch units, and deactivated patch units.
Context
Do as follows on the CX device to be upgraded:
Procedure
Step 1 Run:
display patch-information
All the information about the current patch is displayed, including information about the patch
units that are running, the patch units that are activated, and the patch units that are deactivated.
----End
Example
<PE> display patch-information
Info: No patch exists.
This indicates that no patch runs in the current system.
NOTE
If there are patches running, you must delete them before loading new patches.
12.2.3 (Optional) Deleting a Patch
The system allows only one patch to run. If there is a running patch, you need to delete it before
12-5
Context
Before installing a patch, you need to delete the running patch.
Do as follows on the CX device to be upgraded.
Procedure
Step 1 Run:patch delete all
The running patch is deleted.
----End
12.3 Loading a Patch
Patches can be loaded through FTP, TFTP, or XModem.
Before loading a patch, familiarize yourself with the applicable environment, complete the pre-
configuration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.
12.3.2 Loading a Patch
On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.
After a patch is loaded, you can check patch information.
Before loading a patch, familiarize yourself with the applicable environment, complete the pre-
configuration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.
Before a patch is installed, it should be uploaded to the root directory of the CF card of the master
and slave MPUs. Upload the patch to the root directory of the CF card of the master MPU. Then,
copy the patch to the root directory of the CF card of the slave MPU.
The three methods to upload a patch are FTP, TFTP and XModem.
Before loading a patch, complete the following tasks:
l Ensuring that the CX device is started normally after power-on
l Ensuring that the CX device can be logged in to
Data Preparation
Before running a patch, you need to obtain a patch that is consistent with the board.
12 Patch Management
Issue 01 (2011-05-30)
No. Data
1 Uploading a Patch to the Root Directory of the CF Card of the Master MPU
2 Copying a Patch to the Root Directory of the CF Card of the Slave MPU

On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.
Context
Procedure
Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The CX device supports the uploading of files through FTP, TFTP and XModem, for more
infirmation ,please see: "FTP, TFTP and XModem". Choose an uploading method based on the
requirements.
Step 2 Run:
copy source-filename slave#cfcard:/destination-filename
The patch is copied to the root directory of the CF card of the slave MPU.
Step 3 Run:
startup patch file-name
The patch package is specified for the master MPU on the next startup.
Step 4 Run:
startup patch file-name slave-board
The patch package is specified for the slave MPU on the next startup.
----End
After a patch is loaded, you can check patch information.
Context
Procedure
l Run:
dir cfcard:/
Check the files on the MPU.
12-7
l Run:
dir slave#cfcard:/
Check the files on the slave MPU.
l Run:
display startup
Check the patch file used in the next system startup.
----End
Example
After uploading the files, run the commands of dir cfcard:/ and dir slave#cfcard:/. The
patch.pat file is contained in the files on the CF card.
For example, check the files on the CF card of the master MPU:
1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip
2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt
3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip
5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc
6 -rw- 134213212 Nov 18 2007 05:30:11 V600R003C00.cc
7 -rw- 4041 Nov 02 2007 11:04:00 patch.pat
For example, check the files on the CF card of the slave MPU:
<HUAWEI> dir slave#cfcard:/
Directory of slave#cfcard:/
1 -rw- 418 Jul 26 2007 19:52:14 vrpcfg.zip
2 -rw- 38017 Aug 01 2007 11:02:00 paf.txt
3 -rw- 2292 Aug 21 2006 15:35:50 vrp.zip
5 -rw- 117013076 Jul 13 2007 10:40:44 V600R003C00.cc
6 -rw- 134213212 Nov 18 2007 05:30:11 V600R003C00.cc
7 -rw- 4041 Nov 02 2007 11:04:00 patch.pat
For example, check the patch file used in the next system startup.
<HUAWEI>display startup
MainBoard:
Configed startup system software: cfcard:/V600R003C00.cc
Startup saved-configuration file: cfcard:/current_cfg.cfg
Next startup saved-configuration file: cfcard:/current_cfg.cfg
Startup paf file: cfcard:/paf-V600R003C00.txt
Next startup paf file: cfcard:/paf-V600R003C00.txt
Startup license file: cfcard:/license-V600R003C00.txt
Next startup license file: cfcard:/license-V600R003C00.txt
Startup patch package: Null
Next startup patch package: cfcard:/patch.pat
12 Patch Management
Issue 01 (2011-05-30)
12.4 Installing a Patch
To repair the system that has vulnerabilities or defects, you can install a patch on the system.
By installing a patch, you can upgrade the system without upgrading the system software.
Before installing a patch on the system, familiarize yourself with the applicable environment,
A patch can be successfully loaded only when the patch version matches the system software
version.
12.4.3 Activating a Patch
A patch can be activated only when it is correctly loaded and is in the deactivated state.
12.4.4 Running a Patch
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently.
12.4.5 (Optional) Synchronizing Patches
After patches on the active and standby MPUs are synchronized, the patches on the active and
standby MPUs are the same.
After a patch is installed on the system, you can check the patch status and the patch for the next
startup.
Before installing a patch on the system, familiarize yourself with the applicable environment,
CAUTION
When installing a patch, it is recommended to specify all to install the patch for all boards at
one time rather than specify slot to install the patch for boards one by one. In some special
scenarios, you must specify slot to install a patch for the master and slave MPUs, and then for
all LPUs one by one.
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,
you can upgrade the system without upgrading the system software.
When a patch is uploaded, the system checks that the patch version is the same as the system
version. If the two versions are not the same, the system prompts that the patch uploading fails.
12-9
Before installing a patch, upload the patch to the root directory of the CF card of the master and
slave MPUs.
Data Preparation
None
A patch can be successfully loaded only when the patch version matches the system software
version.
Context
Procedure
Step 1 Run:
patch load file-name all
The patch is loaded.
----End
Follow-up Procedure
When a patch is loaded, the system checks that the patch version is the same as the system
version. If the two versions are not the same, the system prompts that the patch loading fails.
When the patch is loaded successfully, it's status is Deactive and keeps Deactive after the board
is reset.
12.4.3 Activating a Patch
A patch can be activated only when it is correctly loaded and is in the deactivated state.
Context
Procedure
Step 1 Run:
patch active all
The patch is activated.
----End
12 Patch Management
Issue 01 (2011-05-30)
Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When
a patch is activated, it becomes valid immediately. After the board is reset, however, the status
of the patch becomes Deactive , and the patch does not remain valid.
12.4.4 Running a Patch
permanently.
Context
Do as follows on the CX device be upgraded:
Procedure
Step 1 Run:
patch run all
The patch is run.
----End
Follow-up Procedure
permanently and the patch remains valid after the board is reset. The status of the patch keeps
Running.
12.4.5 (Optional) Synchronizing Patches
After patches on the active and standby MPUs are synchronized, the patches on the active and
standby MPUs are the same.
Context
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch configuration-synchronize
The patch is synchronized to the standby MPU.
After patch configurations and patch files are synchronized from the active MPU to the standby
MPU, the patch files, patch configurations, and patch status can remain unchanged if the active-
standby MPU switchover occurs.
----End
12-11
After a patch is installed on the system, you can check the patch status and the patch for the next
startup.
Procedure
l Run:
Check the patch state.
----End
Example
After the patch is loaded, run the display patch-information command. The results are as
follows:
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
Active Patch Unit :
<HUAWEI>display patch-information configure-file
Codes: M(Max patch ID in the board)
-------------------------------------------------------------
Slot State Run Active Deactive NPPatch
-------------------------------------------------------------
1 registered - - M deactive
2 registered - - M deactive
3 unregistered - - M deactive
12 Patch Management
Issue 01 (2011-05-30)
17 registered - - M idle
18 registered - - M idle
-------------------------------------------------------
<HUAWEI>display patch-information configure-file next-startup
-----------------------------------------
Slot Run Active Deactive NPPatch
-----------------------------------------
1 - - M deactive
2 - - M deactive
3 - - M deactive
4 - - M deactive
5 - - M deactive
6 - - M deactive
7 - - M deactive
8 - - M deactive
9 - - M deactive
10 - - M deactive
11 - - M deactive
12 - - M deactive
13 - - M deactive
14 - - M deactive
15 - - M deactive
16 - - M deactive
17 - - M idle
18 - - M idle
--------------------------------------
After the patch is actived, run the display patch-information command. The results are as
follows:
Active Patch Unit : 1 - 1
Deactive Patch Unit :
Active Patch Unit : 1 - 1
-------------------------------------------------------------
-------------------------------------------------------------
1 registered - M - active
2 registered - M - active
3 unregistered - M - active
12-13
17 registered - M - idle
18 registered - M - idle
-------------------------------------------------------
-----------------------------------------
-----------------------------------------
1 - M - active
2 - M - active
3 - M - active
4 - M - active
5 - M - active
6 - M - active
7 - M - active
8 - M - active
9 - M - active
10 - M - active
11 - M - active
12 - M - active
13 - M - active
14 - M - active
15 - M - active
16 - M - active
17 - M - idle
18 - M - idle
--------------------------------------
After running the patch , run the display patch-information command. The results are as
follows:
Running Patch Unit : 1 - 1
Active Patch Unit :
Running Patch Unit : 1 - 1
Active Patch Unit :
-------------------------------------------------------------
12 Patch Management
Issue 01 (2011-05-30)
-------------------------------------------------------------
1 registered M - - run
2 registered M - - run
3 unregistered M - - run
17 registered M - - idle
18 registered M - - idle
-------------------------------------------------------
-----------------------------------------
-----------------------------------------
1 M - - run
2 M - - run
3 M - - run
4 M - - run
5 M - - run
6 M - - run
7 M - - run
8 M - - run
9 M - - run
10 M - - run
11 M - - run
12 M - - run
13 M - - run
14 M - - run
15 M - - run
16 M - - run
17 M - - idle
18 M - - idle
--------------------------------------
12.5 (Optional) Unactivating the activating of Patch
If an installed patch does not take effect, you need to deactivate the patch.
Before deactivating a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
12.5.2 Deactivating a Patch
Deactivating a patch makes an active patch become inactive.
After a patch is deactivated, you can run the display command to check the patch status.
12-15
Before deactivating a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
After a patch is activated, you need to judge that the patch has achieved the expected effect. If
the patch does not become valid, you need to activate the patch.
A patch can be deactivated only after it is activated.
None
Data Preparation
None
12.5.2 Deactivating a Patch
Deactivating a patch makes an active patch become inactive.
Procedure
Step 1 Run:
patch deactive all
The patch is deactivated.
----End
After a patch is deactivated, you can run the display command to check the patch status.
Procedure
l Run:
Check the patch state.
----End
Example
After the preceding configuration succeeds, run the display patch-information command. The
results are as follows:
12 Patch Management
Issue 01 (2011-05-30)
Active Patch Unit :
Active Patch Unit :
12.6 Configuration Examples of the Patch Management
This section describes some Configuration Examples.
12.6.1 Example for Installing a Patch
When the system has vulnerabilities or defects, you can install a patch to repair the system.
12.6.1 Example for Installing a Patch
When the system has vulnerabilities or defects, you can install a patch to repair the system.
Figure 12-3shows that some urgent bug occurs to the system software at the Provider Edge (PE)
connected to the Internet. Huawei provides the patch file to remove the bug. The patch in this
patch file must be installed to remove the bug.
Figure 12-3 Networking diagram of installing a patch
MPLS Core
PE
FTP Server
GE0/0/0
10.1.1.1/24
PC
10.1.1.2/24
10.1.1.3/24

12-17
1. Save the patch file to the root directory of the CF card on the master and slave MPUs.
2. Load the patch.
3. Activate the patch.
4. Run the patch.
Data Preparation
l File name of the patch: patch.pat
l Path the patch saved to on the MPU: cfcard:/
Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Connected to 192.168.1.2.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]
# Configure the binary transmission format and the working directory of the CF card on PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.
# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
150 Opening ASCII mode data connection for license.txt.
[ftp] bye
221 Server closing.
<PE>
# Copy the patch file to the CF card on the slave MPU.
<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done
Step 2 Load the patch.
<PE> patch load patch.pat all
Step 3 Activate the patch.
12 Patch Management
Issue 01 (2011-05-30)
<PE> patch active all
Step 4 Run the patch.
<PE> patch run all
Step 5 Verify the configuration
<PE> display patch-information
Patch Package Name :cfcard:/patch.pat
Patch Package Version:V600R003C00SPH001
************************************************************************
* The hot patch information, as follows: *
************************************************************************
Slot Type State Count
------------------------------------------------------------
7 C Running 1
************************************************************************
* The cold patch information, as follows: *
************************************************************************
all slots do not need cold patch
----End
Configuration Files
None
12-19
A Glossary
This appendix collates frequently used terms in this document.
A
Accounting A network security service that records the user's access to the
network.
Agent A process that is used in all managed devices. It receives request
packets from the NM Station and performs the Read or Write
operation on managed variables according to packet types and
generates response packets and sends them to the NM Station.
AH Authentication Header. A security protocol that provides data
authentication and integrity for IP packets. AH is used in the
transmission mode and in the tunneling mode.
ASSP Analogue Sensor Signal Processes. An error tolerance protocol
that provides the interface backup in the multiple access, multicast
and broadcast in LAN (such as Ethernet).
Authentication A method used to prove user identity.
Authorization A method used to prove identity of users to use the service.

B
Backup center A mechanism in which the interfaces on a device back up each
other and trace the status of the interface. If an interface is Down,
the backup center provides a backup interface to undertake the
service.
BFD Bidirectional Forwarding Detection. A unified detection
mechanism that is used to detect and monitor the link or IP routes
forwarding at a fast pace.
Black list A filtering mode that is used to filter the packet according to the
source IP address. Compared with the ACL, the black list can filter
the packet at a high speed because its matching region is simple.
It can shield the packet from the specified IP address.
Configuration Guide - Basic Configurations A Glossary
A-1
C
CLI Command Line Interface. An interface that allows the user to
interact with the operating system. Users can configure and
manage the CX600 by entering commands through the CLI.
Congestion avoidance A flow control mechanism by which the network overload is
relieved by adjusting the network traffic. When the congestion
occurs and becomes worse, the packet is discarded by monitoring
the network resource.
Congestion management A flow control measure to solve the problem of network resource
competition. When the network congestion occurs, it places the
packet into the queue for buffer and determines the order of
forwarding the packet.
Command line level The priority of the system command that is divided into 4 levels.
Users of a level can run the command only of the same or lower
level.

E
Ethernet A baseband LAN specification created by Xerox and developed
by Xerox, Intel, and Digital Equipment Corporation (DEC). This
specification is similar to IEEE802.3.
Ethernet_II An encapsulation format of the Ethernet frame. Ethernet_II that
contains a 16-bit protocol type field is the standard ARPA Ethernet
Version 2.0 encapsulation.
Ethernet_SNAP An encapsulation format of the Ethernet frame. The frame format
complies with RFC 1042 and enables the transmission of the
Ethernet frame on the IEEE 802.2 media.

F
FIFO First In First Out. A queuing scheme in which the first data into
the network is also the fist data out of the network.
File system A method in which files and directories in the storage devices are
managed, such as creating a file system, creating, deleting,
modifying and renaming a file or directory or displaying the
contents of the file.
FTP File Transfer Protocol. An application protocol in the TCP/IP
stack, used for transferring files between remote hosts. FTP is
implemented based on the file system.

H
A Glossary
A-2 Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
HGMPv2 Huawei Group Management Protocol Version 2. A protocol with
which the discovery, topology collection, centralized management
and remote maintenance are implemented on Layer 2 devices of a
cluster that are connected with the CX device.

I
Information center The information hinge in the MA5200G that can classify and filter
the output information.
Interface mirroring A method of copying the packet of the mirrored interface to the
other mirroring interfaces to forward the packet.
IPv6 Internet Protocol Version 6. Replacement for the current version
of IP (version 4) designed by the IETF. It is the second generation
standard protocol of the internet layer and it is also called IPng
(next generation). The length of the IP address in IPv6 is 128 bits
and the length of the IP address in IPv4 is 32 bits.
IP negotiated An attribute of the interface. When the user accesses the Internet
through the ISP, the IP address is usually allocated by the peer
server. The PPP packet must be encapsulated and the IP address
negotiated attribute must be configured on the interface so that the
local interface accepts the IP address allocated by the peer end
through the PPP negotiation.
IP unnumbered A mechanism in which the interface that is not configured with an
IP address can borrow the IP address of the interface that is
configured with an IP address to save the IP address resource.
ISATAP tunnel Intra-site Automatic Tunnel Addressing Protocol. A protocol that
is used for the IPv4/IPv6 host in the IPv4 network to access the
IPv6 network. The ISATAP tunnel can be established between the
ISATAP hosts or between the ISATAP host and the ISATAP CX
device.
ISIS-TE Traffic engineering of IS-IS. (For the information of IS-IS, refer
to )

L
LAN interface Local Area Network interface. Often an Ethernet interface through
which the CX device can exchange data with the network device
in a LAN.
License Permission of some features that dynamically control the product.
Logical interface A configured interface that can exchange data but does not exist
physically. A logical interface can be a sub-interface, virtual-
template interface, virtual Ethernet interface, Loopback interface,
Null interface and Tunnel interface.

A-3
M
MIB Management Information Base. A database of variables of the
monitored network device. It can uniquely define a managed
object.
Modem Modulator-demodulator. Device that converts digital and analog
signals.
Multicast A process of transmitting packets of data from one source to many
destinations. The destination address of the multicast packet uses
Class D address, that is, the IP address ranges from 224.0.0.0 to
239.255.255.255. Each multicast address represents a multicast
group rather than a host.

N
NDP Neighbor Discovery Protocol. A protocol that is used to discover
the information of the neighboring Huawei device that is
connected with the local device.
NMS Network Management System. A system that sends various query
packets and receives the response packet and trap packet from the
managed devices and displays all the information.
NTDP A protocol that is used to collect the information of the adjacency
and the backup switch of each device in the network.
NTP Network Time Protocol. An application protocol that is used to
synchronize the distributed server and the client side.

O
OSPF-TE Traffic engineering of OSPF. (For the information of OSPF, refer
to )

P
Policy-based routing A routing scheme that forwards packets to specific interfaces based
on user-configured policies.

R
Regular expression When a lot of information is output, you can filter the unnecessary
contents out with regular expressions and display the necessary
contents.
RMON Remote monitoring. An MIB agent specification defined by the
IETF that defines functions for the remote monitoring of the data
flow of a network segment or the whole network.
A Glossary
Issue 01 (2011-05-30)
CX device A device on the network layer that selects routes in the network.
The CX device selects the optimal route according to the
destination address of the received packet through a network and
forwards the packet to the next CX device. The last CX device is
responsible for sending the packet to the destination host.
RRPP Rapid Ring Protection Protocol. A protocol that is applied on the
data link layer. When the Ethernet ring is complete, it can prevent
the broadcast storm caused by the data loop. When a link is
disconnected on an Ethernet ring, it can rapidly restore the
communication link between the nodes on the ring network.
RSVP-TE Traffic engineering of RSVP. (For the information of RSVP, refer
to )

S
Service tracing A method of service debugging, diagnosis and error detection that
is mainly used for service personnel to locate the fault in user
access. The service tracing can output the status change and the
result of the protocol processing of the specified user during the
access to the terminal or the server for the reference and analysis
of the service personnel.
SSH Secure Shell. A protocol that provides a secure connection to a
CX device through a TCP application.
Static ARP A protocol that binds some IP addresses to a specified gateway.
The packet of these IP addresses must be forwarded through this
gateway.
System environment Basic parameters for running the MA5200G such as host name,
language mode and system time. After configuration, the system
environment can meet the requirements of the actual environment.

T
Telnet An application protocol of the TCP/IP stack that provides virtual
terminal services for a wide variety of remote systems.
Terminal A device that is connected with other devices through the serial
port. The keyboard and the display have no disk drives.
Traffic policing A process used to measure the actual traffic flow across a given
connection and compare it to the total admissible traffic flow for
that connection. When the traffic exceeds the flow that is agreed
upon , some restrictions or penalties are adopted to protect the
interest and the network resource of the operator.
Traffic shaping A flow control measure to shape the flow rate. It is often used to
control the flow in regular amounts to ensure that the traffic is
within the traffic stipulated for the downstream CX device and
prevents unnecessary discard and congestion.
A-5
Tunnel Secure communication path between two peers in the VPN that
protect the internal information of the VPN from the interruption.

V
VPN Virtual Private Network. A new technology developed with the
Internet to provide an apparent single private network over a public
network. "Virtual" means the network is a logical network.
VPR Versatile Routing Platform. A versatile routing operating system
platform developed for all data communication products of
Huawei. With the IP service as its core, the CX600 adopts the
componentized architecture. The CX600 realizes rich functions
and provides tailorability and scalability based on applications.
VRRP Virtual CX device Redundancy Protocol. An error tolerant
protocol defined in RFC 2338. It forms a backup group for a group
of CX device in a LAN that functions as a virtual CX device.
VTY Virtual type terminal. A terminal line that is used to access a CX
device through Telnet.

W

X
X.25 A protocol applied on the data link layer that defines how
connections between DTE and DCE are maintained for remote
terminal access and computer communications in PDNs.
XModem A transmission protocol in the format of the binary code.
XOT X.25 over TCP. A protocol that implements the interconnection
between two X.25 networks through the TCP packet bearing X.25
frames.
A Glossary
Issue 01 (2011-05-30)
B Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.
Numerics
3DES Triple Data Encryption Standard

A
AAA Authentication, Authorization and Accounting
ACL Access Control List
ARP Address Resolution Protocol
AES Advanced Encryption Standard
ASPF Application Specific Packet Filter
AUX Auxiliary port

B
BGP Border Gateway Protocol

C
CBQ Class-based Queue
CHAP Challenge Handshake Authentication Protocol
CQ Custom Queuing
CR-LDP Constraint-based Routing LDP

D
DES Data Encryption Standard
Configuration Guide - Basic Configurations B Acronyms and Abbreviations
B-1
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System

E
ESP Encapsulating Security Payload

F
FR Frame Relay

G
GRE Generic Routing Encapsulation

H
HDLC High Level Data Link Control

I
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IPSec IP Security
IS-IS Intermediate System-to-Intermediate System intra-domain
routing information exchange protocol
ITU-T International Telecommunication Union Telecommunications
Standardization Sector

L
L2TP Layer Two Tunneling Protocol
LAPB Link Access Procedure Balanced
LDP Label Distribution Protocol

M
MAC Medium Access Control
MBGP Multiprotocol Extensions for BGP-4
MFR Multiple Frame Relay
B-2 Huawei Proprietary and Confidential
Issue 01 (2011-05-30)
MP MultiLink PPP
MPLS Multiprotocol Label Switching
MSDP Multicast Source Discovery Protocol
MTU Maximum Transmission Unit

N
NAT Network Address Translation
NAT-PT Network Address Translation - Protocol Translation

O
OAM Operation, Administration and Maintenance
OSPF Open Shortest Path First

P
PAP Password Authentication Protocol
PE Provider Edge
Ping Ping (Packet Internet Groper)
PPP Point-to-Point Protocol
PPPoA PPP over AAL5
PPPoE Point-to-Point Protocol over Ethernet
PPPoEoA PPPoE on AAL5
PQ Priority Queuing

Q
QoS Quality of Service

R
RADIUS Remote Authentication Dial In User Service
RIP Routing Information Protocol
RPR Resilient Packet Ring
RSVP Resource Reservation Protocol

Configuration Guide - Basic Configurations B Acronyms and Abbreviations
B-3
S
SFTP SSH File Transfer Protocol

T
TE Traffic Engineering
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol

V
VPN Virtual Private Network
VRP Versatile Routing Platform
VRRP Virtual Router Redundancy Protocol

W
WAN Wide Area Network
WFQ Weighted Fair Queuing
WRED Weighted Random Early Detection

X
XOT X.25 Over TCP

B-4 Huawei Proprietary and Confidential
Issue 01 (2011-05-30)

Configuration Guide - Basic Configurations (V600R003C00 - 01)

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Configuration Guide - Basic Configurations (V600R003C00 - 01)

Încărcat de

Drepturi de autor:

Formate disponibile

HUAWEI CX600 Metro Services Platform

S-ar putea să vă placă și