Documente Academic
Documente Profesional
Documente Cultură
V200R001C00
Issue 05
Date 2013-04-10
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://enterprise.huawei.com
Intended Audience
This document provides the basic concepts, basic configuration procedures, and configuration
examples supported by the S6700.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
2 CLI Overview.................................................................................................................................6
2.1 CLI Introduction.................................................................................................................................................7
2.1.1 Command Line Interface...........................................................................................................................7
2.1.2 Command Levels.......................................................................................................................................7
2.1.3 Command Views.......................................................................................................................................8
2.2 Online Help.......................................................................................................................................................10
2.2.1 Full Help..................................................................................................................................................10
2.2.2 Partial Help..............................................................................................................................................11
2.2.3 Error Messages of the Command Line Interface.....................................................................................11
2.3 CLI Features.....................................................................................................................................................12
2.3.1 Editing.....................................................................................................................................................12
2.3.2 Displaying................................................................................................................................................13
2.3.3 Regular Expressions................................................................................................................................13
2.3.4 Previously-Used Commands...................................................................................................................17
2.4 Shortcut Keys...................................................................................................................................................18
2.4.1 System Shortcut Keys..............................................................................................................................18
2.5 Configuration Examples...................................................................................................................................19
2.5.1 Example for Using the Tab Key..............................................................................................................20
4 Basic Configuration.....................................................................................................................31
4.1 Configuring the Basic System Environment....................................................................................................32
4.1.1 Establishing the Configuration Task.......................................................................................................32
4.1.2 Configuring the Equipment Name...........................................................................................................32
4.1.3 Setting the System Clock.........................................................................................................................33
4.1.4 Configuring a Header..............................................................................................................................39
4.1.5 Configuring Command Levels................................................................................................................40
4.2 Displaying System Status Messages.................................................................................................................41
4.2.1 Displaying System Configuration...........................................................................................................41
4.2.2 Displaying System Status........................................................................................................................42
4.2.3 Collecting System Diagnostic Information.............................................................................................42
6.7.4 Example for Configuring User Login by Using Secure Web Network Management...........................110
You can log in to a new switch through the console port to configure the switch.
1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a switch.
1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
A main control board provides a console port To configure a device, connect the user terminal
serial port to the device console port.
Applicable Environment
When the switch is powered on for the first time, you could use the console port to log in to the
switch to configure and manage the switch.
Pre-configuration Tasks
Before logging in to the switch through the console port, complete the following tasks:
Data Preparation
To log in to the switch through the console port, you need the following data.
No. Data
NOTE
The system automatically uses default parameter values for the first login.
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Connect the COM port on the PC and the console port on the switch by a cable.
----End
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.
Step 3 Set communication parameters to match the switch defaults, as shown in Figure 1-3.
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:
NOTE
l After the password for the user interface is set successfully during the first login, you must enter this
password for authentication when you relog in to the system in password authentication mode using
this user interface.
----End
2 CLI Overview
The command line interface (CLI) is used to configure and maintain devices.
l The system supports commands that contain a maximum of 510 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run
the command. Entering d c or dis c will not run the command, because these entries are not unique to
the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 510 characters. When the system is restarted, incomplete commands cannot be
restored. Therefore, pay attention to the length of incomplete commands before saving them.
By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.
Table 2-1 Association between user access levels and command levels
User Com Level Description
Level man Name
d
Level
0 0 Visit This level gives access to commands that run network diagnostic
level tools (such as ping and tracert) and commands that start from a
local device, visit external devices (such as Telnet client side ),
and a part of display commands.
1 0 and Monitor This level gives access to commands, like the display command,
1 ing that are used for system maintenance and fault diagnosis.
level NOTE
Some display commands are not at this level. For example, the display
current-configuration and display saved-configuration commands
are at level 3. For details about command level, see S6700 Series
Command Reference.
3-15 0, 1, Manage This level gives access to commands that control basic system
2, and ment operations and provide support for services. These commands
3 level include file system commands, FTP commands, TFTP
commands, configuration file switching commands, power
supply control commands, backup board control commands,
user management commands, level setting commands, and
debugging commands for fault diagnosis.
To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the S6700 Series Configuration Guide - Basic Configurations.
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l Login users have 16 levels. The login users can use only the command of the levels that are equal to
or lower than their own levels. The user privilege level level command sets the user level.
# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]
NOTE
The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.
Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.
Common Views
The S6700 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway S6700 Series Ethernet Switches
Command Reference.
l User View
Item Description
Entry command Enters the user view after the connection is set up.
l System View
Item Description
Function Sets the system parameters of the S6700, and enters other function
views from this view.
NOTE
X/Y/Z indicates the number of a XGE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.
l Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords
and their descriptions are listed. Here is an example.
[Quidway-ui-vty0] authentication-mode ?
aaa AAA authentication
password Authentication through the password of a user terminal interface
[Quidway-ui-vty0] authentication-mode aaa ?
<cr>
[Quidway-ui-vty0] authentication-mode aaa
aaa and password are keywords. AAA authentication and Authentication through the
password of a user terminal interface are the descriptions of the two keywords.
<cr> indicates that no key word or parameter is in this position and you can press Enter to
repeat the command in the next command line.
l Enter a command and a ? separated by a space. If a parameter is in place of the ?, all
parameters and their descriptions are listed. Here is an example.
<Quidway> system-view
[Quidway] sysname ?
Procedure
l Use any of the following methods to obtain partial help from a command line.
– Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<Quidway> d?
debugging delete
dir display
– Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<Quidway> display b?
bfd bgp
bootrom bpdu
bpdu-tunnel bridge
buffer
– Enter the first several letters of a key word in the command and then press Tab to display
a complete key word. A complete keyword is displayed only if the partial string of letters
uniquely identifies a specific key word. If they do not identify a specific key work,
continuing to press Tab will display different key words. You can select the needed key
word.
----End
2.3.1 Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.
The command line of S6700 supports multi-line edition. The maximum length of each command
is 510 characters.
Keys for editing that are often used are shown in Table 2-3.
Key Function
Common key Inserts a character at the current position of the cursor if the editing
buffer is not full. The cursor then moves to the right. If the buffer
is full, an alarm is generated.
Backspace Moves the cursor to the left and deletes the character at that
position. When the cursor reaches the head of the command, an
alarm is generated.
Left cursor key ← or Moves the cursor to the left a single space at a time. When the
Ctrl_B cursor reaches the head of the command, an alarm is generated.
Right cursor key → or Moves the cursor to the right a single space at a time. When the
Ctrl_F cursor reaches the end of the command, an alarm is generated.
Tab Press Tab after typing a partial key word and the system runs
partial help:
l If the matching key word is unique, the system replaces the
typed character string with a complete key word and displays
it in a new line with the cursor placed at the end of the word.
l If there are several matches or no match, the system displays
the prefix first. Then you can press Tab to view any matching
key words one at a time. The cursor directly follows the end of
the word. You can press the spacebar to enter the next word.
l If a non-existent or incorrect key word is entered, press Tab
and the word is displayed on a new line.
2.3.2 Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
l If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 2-4.
* Matches the preceding element zero 10* matches "1", "10", "100", and
or more times. "1000".
(10)* matches "null", "10", "1010",
and "101010".
+ Matches the preceding element one 10+ matches "10", "100", and
or more times "1000".
(10)+ matches "10", "1010", and
"101010".
? Matches the preceding element zero 10? matches "1" and "10".
or one time. (10)? matches "null" and "10".
NOTE
Huawei datacom devices do not support
regular expressions with ?. When
regular expressions with ? are entered
on Huawei datacom devices, helpful
information is provided.
[xyz] Matches any single character in the [123] matches the character 2 in
regular expression. "255".
[^xyz] Matches any character that is not [^123] matches any character except
contained within the brackets. for "1", "2", and "3".
[a-z] Matches any character within the [0-9] matches any character ranging
specified range. from 0 to 9.
[^a-z] Matches any character beyond the [^0-9] matches all non-numeric
specified range. characters.
_ Matches a comma "," left brace "{", _2008_ matches "2008", "space
right brace "}", left parenthesis "(", 2008 space", "space 2008", "2008
and right parenthesis ")". space", ",2008,", "{2008}",
Matches the starting position of the "(2008)", "{2008", and "(2008}".
input string.
Matches the ending position of the
input string.
Matches a space.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
l Degeneration of special characters
Special characters are characters listed in Table 2-5. A special character becomes a
common character when following \. In the following situations, the special characters
listed in Table 2-6 function as common characters.
– The special characters "*", "+", and "?" placed at the starting position of the regular
expression, a special character becomes a common character. For example, +45 matches
"+45" and abc(*def) matches "abc*def".
– The special character "^" placed at any position except for the start of the regular
expression, a special character becomes a common character. For example, abc^
matches "abc^".
– The special character "$" placed at any position except for the end of the regular
expression, a special character becomes a common character. For example, 12$2
matches "12$2".
– A right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[", a special character becomes a common character. For
example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when preceding regular expressions are
subexpressions within parentheses.
l Combinations of common and special characters
In actual usage, regular expressions combine multiple common and special characters to
match certain strings.
Regular Description
Expression
(abc)* Matches strings with abc occurring zero or more times, for example,
d and dabc.
^100([0-9]+)*200$ Matches strings beginning with 100 and ending with 200, and with
zero or several digits in the middle, for example, 100200.
Windows_(95|98| Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
2000|XP))
100[^0-9]? Matches strings beginning with 100 followed by zero or one non-digit
character, for example, 100 or 100@.
CAUTION
The S6700 Series uses a regular expression to implement the pipe character filtering function.
A display command supports the pipe character only when there is excessive output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are as follows:
l | begin regular-expression: displays information that begins with the line that matches
regular expression.
l | exclude regular-expression: displays information that excludes the lines that match
regular expression.
l | include regular-expression: displays information that includes the lines that match regular
expression.
NOTE
When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
l display current-configuration
l display interface
l display arp
When a lot of information is displayed screen by screen, you can specify a filtering mode in the
prompt "---- More ----".
l /regular-expression: displays the information that begins with the line that matches regular
expression.
l -regular-expression: displays the information that excludes lines that match regular
expression.
l +regular-expression: displays the information that includes lines that match regular
expression.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE
Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.
Access the last Up cursor key (↑) or Display the last previously-used command if there
previously- Ctrl_P is an earlier previously-used command. Otherwise,
used an alarm is generated.
command.
Access the next Down cursor key Display the next previously-used command if there
previously- (↓) or Ctrl_N is a later previously-used command. Otherwise, the
used command is cleared and an alarm is generated.
command.
NOTE
Windows 9X defines keys differently and the cursor key ↑ cannot be used with Windows 9X
HyperTerminals. You may use Ctrl_P instead.
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different than those listed in this section.
ESC_F The cursor moves to the right to the end of next word.
ESC_SHIFT_< Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_> Sets the position of the cursor to the end of the clipboard.
Procedure
l If only one keyword contains the incomplete keyword,
do as follows on the S6700.
1. Enter an incomplete keyword.
[Quidway] info-
2. Press Tab.
The system replaces the incomplete keyword with a complete keyword and displays
the complete keyword in another line. There is only one space between the cursor and
the end of the keyword.
[Quidway] info-center
2. Press Tab.
The system displays the prefix of all the matched keywords. The prefix in this example
is log.
[Quidway] info-center log
3. Continue to press Tab to display all the keywords. There is no space between the
cursor and the end of the keywords.
[Quidway] info-center loghost
[Quidway] info-center logbuffer
Stop pressing Tab when you find the required keyword logbuffer.
4. Enter a space and enter the next keyword channel.
[Quidway] info-center logbuffer channel
----End
This chapter describes the concept of the interface and the basic configuration about the interface.
NOTE
A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.
Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
S6700 through a management interface to configure and manage the S6700. Management
interfaces do not transmit service data.
The S6700 provides a console interface and an MEth interface as the management interface.
Console The console interface complies The console interface is connected to the
interface with the EIA/TIA-232 standard COM series port of a configuration
and the interface type is DCE. terminal. It is used to set up the onsite
configuration environment.
MEth The MEth interface complies with The MEth interface can be connected to
interface the 10/100BASE-TX standard. the network interface of a configuration
terminal or network management
workstation. It is used to set up the onsite
or remote configuration environment.
The following table shows the rule for numbering management interfaces.
In a single switch, interfaces are numbered in the format slot ID/subcard ID/interface sequence
number.
l Slot ID: indicates the slot where an interface is located. The value is 0.
l Subcard ID: indicates the subcard where an interface is located. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface.
In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence
number.
l Stack ID: indicates the ID of the switch in the stack system. The value ranges from 0 to 8.
l Subcard ID: indicates the ID of a subcard. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface on the switch.
NOTE
For the device models that support the CSS function, see "Stacking" in the S6700 Series Ethernet Switches
Configuration Guide - Device Management.
Physical Interfaces
Physical interfaces are interfaces that actually exist on the S6700.
l Console interface
l MEth interface
l 10 Gigabit Ethernet interface
Logical Interfaces
Logical interfaces do not exist and are set up by configurations.
The S6700 supports the following logical interfaces:
l Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
– Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all
member interfaces.
– Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the
S6700 Series Ethernet Switches Configuration Guide - Ethernet.
l Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address
127.0.0.0 as a loopback address. When the system starts, it automatically creates an
interface using the loopback address 127.0.0.1 to receive all data packets sent to the local
device.
Some applications such as mutual access between virtual private networks need a local
interface with a specified IP address without affecting the configuration of physical
interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised
by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID, the label switching router (LSR) ID, or be land to a
tunnel.
For details, see 3.3 Configuring the Loopback Interface.
l Null interface
Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to a null interface are discarded. Null interfaces are used for route selection
and policy-based routing (PBR). For example, if a packet matches no route during route
selection, the packet is sent to the null interface.
l Tunnel interface
Tunnel interfaces are used to establish IPv6 over IPv4 tunnels.
l VLANIF interface
When the S6700 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S6700, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S6700 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see "Creating a VLANIF Interface" in the S6700
Series Ethernet Switches Configuration Guide - Ethernet.
Applicable Environment
To facilitate the configuration and maintenance of an interface, the S6700 provides interface
views. The commands related to the interface are valid only in the interface views.
The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.
Pre-configuration Tasks
Installing the LPU on the S6700
Data Preparation
To set parameters of an interface, you need the following data.
No. Data
Context
Do as follows on the S6700.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
interface-type specifies the type of the interface and interface-number specifies the number of
the interface.
----End
Context
Do as follows on the S6700.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
?
All the commands in the view of the specified interface are displayed.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
description description
----End
Context
NOTE
Procedure
l Shutting down the interface
Do as follows on the S6700.
1. Run:
system-view
Context
To access a network through an interface, configure advanced interface parameters based on the
networking requirements in addition to basic configurations on the interface.
Advanced configurations of an interface include:
l Working mode
l Routing configuration
For details about advanced configurations of an interface, see the S6700 Series Ethernet Switches
Configuration Guide - Ethernet and S6700 Series Ethernet Switches Configuration Guide - IP
Routing.
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running
status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the
interface
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.
----End
Applicable Environment
Some applications such as mutual access between virtual private networks need to be configured
with a local interface with a specified IP address when the configuration of a physical interface
is not affected. In this case, the IP address of the local interface needs to be advertised by routing
protocols. Loopback interfaces are used to improve the reliability of the configuration.
Pre-configuration Tasks
Before configuring the loopback interface, complete the following task:
l Switching on the S6700
Data Preparation
To configure the loopback interface, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface loopback interface-number
The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces
can be created.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
The loopback interface is configured to check the source IPv4 addresses of packets.
----End
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.
----End
Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End
4 Basic Configuration
This chapter describes how to configure the switch to work properly in the network environment
and to suit your needs.
Applicable Environment
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.
Pre-configuration Tasks
Before configuring the basic system environment, power on the switch.
Data Preparation
To configure the basic system environment, you need the following data.
No. Data
1 System time
2 Host name
3 Login information
4 Command level
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sysname host-name
----End
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform time-
based applications.
NOTE
A local system running NTP can be synchronized by other clock sources or acts as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.
By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving
time vary with the country and region, and if a time zone and daylight saving time are configured
on an NTP server, the same time zone and daylight saving time must be configured on NTP
clients.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
clock timezone time-zone-name { add | minus } offset
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
----End
2 Original system time +/- Run the clock timezone BJ add 8 command.
zone-offset Configured system time:
2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00
1, 2 date-time +/- zone-offset Run the clock datetime 8:0:0 2011-11-12 and
clock timezone BJ add 8 commands.
Configured system time:
2011-11-12 16:00:13+08:00
Saturday
Time Zone(BJ): UTC+08:00
date-time + offset if date- Run the clock datetime 9:0:0 2011-11-12 and
time is during the clock daylight-saving-time BJ one-year 9:0
configured daylight 2011-11-12 6:0 2011-12-01 2 commands.
saving time period Configured system time:
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 11-12 09:00:00
End time : 12-01 06:00:00
Saving time : 02:00:00
2, 3 or 3, 2 Original system time +/- Run the clock timezone BJ add 8 and clock
zone-offset if the value of daylight-saving-time BJ one-year 6:0 2011-1-1
Original system time +/- 6:0 2011-9-1 2 commands.
zone-offset is not during Configured system time:
the configured daylight 2010-01-01 16:01:29+08:00
saving time period Friday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00
1, 2, 3, or 1, date-time +/- zone-offset Run the clock datetime 8:0:0 2011-11-12, clock
3, 2 if the value of date-time timezone BJ add 8, and clock daylight-saving-
+/- zone-offset is not time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2
during the configured commands.
daylight saving time Configured system time:
period 2011-11-12 16:01:40+08:00
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00
date-time +/- zone-offset Run the clock datetime 8:0:0 2011-1-1, clock
+ offset if the value of daylight-saving-time BJ one-year 6:0 2011-1-1
date-time +/- zone-offset 6:0 2011-9-1 2, and clock timezone BJ add 8
is during the configured commands.
daylight saving time Configured system time:
period 2011-01-01 18:00:43+08:00 DST
Saturday
Time Zone(BJ): UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
Saving time : 02:00:00
Context
A header is a text message displayed by the system at the time a user logs in to the switch.
Procedure
Step 1 Run:
system-view
Step 2 Run:
header login { information text | file file-name }
Step 3 Run:
header shell { information text | file file-name }
To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.
CAUTION
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and end the header by entering the first character when you are finished.
The system then exits from the interactive interface.
l If a user logs in to the switch using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the switch using SSH2.0, both login and shell headers are displayed.
----End
Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
Context
You can use display commands to collect information about system status. The display
commands perform the following functions:
Procedure
l Run the display version command to display the system version.
l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.
NOTE
l The original configuration refers to information about configuration files used by the device when
it is powered on and initialized. The current configuration refers to the configuration files that
take effect when the device is in use. For details, see the chapter "Configuring System Startup"
in the S6700 Basic-Configuration.
----End
Procedure
l Run the display this command to display the configuration of the current view.
----End
Context
If you cannot perform routine maintenance, you must run the various display commands to
collect information needed to locate faults. The display diagnostic-information command
gathers information about all system modules currently running.
Procedure
l Run:
display diagnostic-information [ file-name ]
When a user uses a console port, Telnet, or SSH (STelnet) to log in to the switch, the system
manages the session between the user and the switchon the corresponding user interface.
5.1 User Interface Overview
The system supports console and VTY user interfaces.
5.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
5.3 Configuring the VTY User Interface
If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.
5.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provide configuration roadmaps
and configuration notes.
Table 5-1 Description of absolute and relative numbers for user interfaces
NOTE
Run the display user-interface command to view the absolute number of user interfaces.
There are two user authentication modes: password and AAA, which are described as follows:
l Password authentication: Users must enter a password, but not a username, during the login
process.
l AAA authentication: Users must enter a password and a username during the login process.
Telnet users are usually authenticated in this mode.
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the
user level.
A user's level determines the level of commands that the user is authorized to run.
l In the case of password authentication, the level of the command that the user can run is
determined by the level of the user interface.
l In the case of AAA authentication, the command that the user can use is determined by the
level of the local user specified in the AAA configuration.
Applicable Environment
If you need to log in to the switch through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.
Pre-configuration Tasks
Before configuring a console user interface, log in to the switch with a terminal.
Data Preparation
To configure a console user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, terminal screen length, number of characters in each line
displayed in a terminal screen, and the size of history command buffer
3 User priority
NOTE
All the default values (excluding the password and username) are stored on the switch and do not need
additional configuration.
Context
Physical attributes of a console port have default values on the switch and no additional
configuration is needed.
NOTE
When a user logs in to a switch through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the switch, or the
user will not be able to log in.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console interface-number
Step 3 Run:
speed speed-value
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
----End
Context
Terminal attributes of the console user interface have default values on the switch that you may
modify as needed.
Procedure
Step 1 Run:
system-view
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
----End
Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console interface-number
Step 3 Run:
user privilege level level
NOTE
l By default, users logging in through the console user interface can use commands at level 3, and users
logging in through other user interfaces can use commands at level 0.
l If the command level and user level are inconsistent, the user level takes precedence.
----End
Context
The system provides two authentication modes as shown in Table 5-2.
AAA AAA provides user authentication with high The configuration is complex.
security. The user name and password for
The user name and password must be entered AAA authentication must be
for login. created.
CAUTION
If the user authentication mode for the console user interface is password authentication or AAA
authentication, a password or user name must be set.
Procedure
l Configuring AAA authentication
1. Run:
system-view
A user name and password for the local user are created.
4. Run:
quit
1. Run:
system-view
Prerequisites
The user management function has been configured.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.
----End
Example
Run the display users command to view information about the current user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:00:44 pass no
Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
Applicable Environment
If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode. The preceding parameters have default values on the switch. You can
modify these parameters as needed.
Pre-configuration Tasks
Before configuring a VTY user interface, log in to the switch by using a terminal.
Data Preparation
To configure a VTY user interface, you need the following data.
No. Data
2 (Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
3 Idle timeout period, number of characters in each line displayed on a terminal screen,
and the size of history command buffer
4 User priority
NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.
Context
The maximum number of VTY user interfaces equals the total number of users allowed to log
in to the switch using Telnet or SSH.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface maximum-vty number
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the switch.
If the set maximum number of VTY user interfaces is smaller than the maximum number of
online users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for newly added user
interfaces.
Consider, for example, a system that allows a maximum of five users to be online. To allow 15
VTY users online at the same time, you must run the authentication-mode command to
configure authentication modes for VTY user interfaces from 5 to 14. The commands are run
as follows:
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
----End
Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the
acl command in the system view to create an ACL. Enter the ACL view and run the rule
command to add rules to the ACL.
NOTE
l The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
from 3000 to 3999.
l For ACL configuration details, refer to the S6700 Series Ethernet Switches Configuration Guide -
Security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
Step 3 Run:
acl acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY interface are configured.
l If you want to prevent a user with a specific address or segment address from logging in to
the switch, use the inbound command.
l If you want to prevent a user who logs in to a switch from accessing other switchs, use the
outbound command.
----End
Context
Terminal attributes of a VTY user interface have default values on the switch and you can set
them as needed.
Procedure
Step 1 Run:
system-view
----End
Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty interface-number
Step 3 Run:
user privilege level level
By default, users logging in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
Context
The system provides two authentication modes as shown in Table 5-3.
AAA AAA provides user authentication with high The configuration is complex.
security. The user name and password for
The user name and password must be entered AAA authentication must be
for login. created.
CAUTION
l By default, the user authentication mode of the VTY user interface is not configured.
Administrators must manually set a user authentication mode for the VTY user interface. If
no user authentication mode is set for the VTY user interface, users cannot log in to the device
using the VTY user interface.
l If the user authentication mode of the VTY user interface is password authentication or AAA
authentication, a password or user name must be set for logging in to the system. In this case,
without password or user name set, users cannot log in to the device using the VTY user
interface.
CAUTION
If the user authentication mode for the VTY user interface is password or AAA, you must set
the password or user name for logging in to the device.
Procedure
l Configuring AAA authentication
1. Run:
system-view
A user name and password for the local user are created.
l Configuring password authentication
1. Run:
system-view
2. Run:
user-interface vty number1 [ number2 ]
Prerequisites
The VTY user interface has been configured.
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
command to check the physical attributes and configurations of user interfaces.
l Run the display local-user command to check the local user list.
l Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 10.138.77.38 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Username : Unspecified
Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<Quidway> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Quidway> display user-interface vty 0
Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<Quidway> display vty mode
current VTY mode is Machine-Machine interface
Networking Requirements
A user uses the console user interface to log in to the switch to initialize switch configurations
or perform local router maintenance. You can set console user interface attributes as needed (for
example, security considerations) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei).
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Set physical attributes of the console user interface.
<Quidway> system-view
[Quidway] user-interface console 0
[Quidway-ui-console0] speed 4800
[Quidway-ui-console0] flow-control none
[Quidway-ui-console0] parity even
[Quidway-ui-console0] stopbits 2
[Quidway-ui-console0] databits 6
Step 4 Set the user authentication mode in the console user interface to password.
[Quidway-ui-console0] authentication-mode password
[Quidway-ui-console0] set authentication password cipher huawei
[Quidway-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the switch. For details on how a user
logs in to the switch, see the 6 Configuring User Login.
----End
Configuration Files
#
sysname Quidway
#
user-interface con 0
authentication-mode password
user privilege level 15
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;
[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 9600
#
return
Networking Requirements
A user uses Telnet to log in to the switch using a VTY channel. You can set VTY user interface
attributes as needed (for example, security considerations) to allow user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, with the password of "huawei", and a user with the IP address of 10.1.1.1 is
prohibited from logging in to the switch.
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment for accessing the switch.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
l Maximum number of VTY user interfaces: 15
l ACL applied to restrict incoming calls on the VTY user interface: 2000
l Timeout period for disconnecting from the VTY user interface: 30 minutes
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<Quidway> system-view
[Quidway] user-interface maximum-vty 15
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] quit
[Quidway] user-interface vty 0 14
[Quidway-ui-vty0-14] acl 2000 inbound
Step 5 Set the authentication mode and password of the VTY user interface.
[Quidway-ui-vty0-14] authentication-mode password
[Quidway-ui-vty0-14] set authentication password cipher huawei
[Quidway-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can use Telnet
to log in to the switch and perform local or remote maintenance on the switch. For details on
how a user logs in to the switch, see the 6 Configuring User Login.
----End
Configuration Files
#
sysname Quidway
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
authentication-mode password
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;
[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
A user can log in to the switch through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the switch locally or remotely after login.
6.2 Logging in to A user logs in to the device By default, a user can directly log in to
the Devices using the console port on the the device using the console port. The
Through the user terminal to power on authentication mode is password
Console Port and configure the device for authentication, indicating that a
the first time. password is required for authentication.
l If a user cannot access The command access level is 3.
the device remotely, the
user can log in to the
device locally using the
console port.
l A user can log in using
the console port to
diagnose a fault if the
device fails to start or to
enter the BootROM to
upgrade the system.
6.3 Logging in to A user accesses the network By default, a user cannot log in to the
Devices Using using a user terminal and device directly using Telnet. To enable
Telnet logs in to the device using Telnet login, log in to the device locally
Telnet to perform local or using the console port and perform the
remote configuration. The following configuration tasks:
target device authenticates l Configure the IP address of the
the user using the management network port on the
configured login device and ensure that a reachable
parameters. route exists between the user terminal
The Telnet login mode and the device. By default, an IP
facilitates remote device address is not configured on the
management and device.
maintenance. l Configure the user authentication
mode of the VTY user interface. (By
default, the user authentication mode
of the VTY user interface is not
configured. Administrators must
manually set a user authentication
mode for the VTY user interface.)
l Configure the user access level of the
VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Enable the Telnet server function. By
default, the Telnet server function is
enabled.
6.4 Logging in to A user accesses the network By default, a user cannot log in to the
Devices Using using a user terminal. If the device directly using STelnet. To enable
STelnet network is insecure, use the STelnet login, log in to the device locally
Secure Shell (SSH) protocol using the console port and perform the
to increase the security of following configuration tasks:
the transmission and utilize l Configure the IP address of the
a powerful authentication management network port on the
mechanism. SSH protects device and ensure that a reachable
the device system against route exists between the user terminal
attacks, such as IP proofing and the device. By default, an IP
and plain text password address is not configured on the
interception. device.
The STelnet login mode l Configure the user authentication
better ensures the security of mode of the VTY user interface. (By
the exchanged data. default, the user authentication mode
of the VTY user interface is not
configured. Administrators must
manually set a user authentication
mode for the VTY user interface.)
l Configure the user access level of the
VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Configure the VTY user interface to
support the SSH protocol. By default,
the VTY user interface supports the
Telnet protocol.
l Configure the SSH user and specify
STelnet as a service mode. By default,
the SSH user is not configured on the
device, and the service mode of SSH
users is null (no service mode is
supported).
l Enable the STelnet server function.
By default, the STelnet server
function is disabled.
NOTE
Logging in using Telnet is insecure because a secure authentication mechanism is not used and data is
transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts data in
both directions to guarantee secure transmissions on a conventional insecure network. SSH supports
security Telnet (STelnet).
For detailed information about SSH, see S6700 Feature Description - Basic Configurations.
Applicable Environment
A user can log in to a device locally through a console port. The user can log in through a console
port when a device is powered on for the first time.
l If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
l A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
l Configure the PC/terminal (including the serial port and RS-232 cable).
l Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC.
Data Preparation
To configure user login through a console port, you need the following data.
No. Data
1 l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, number of characters displayed
in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, username, and password
Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and user authentication mode.
For detailed settings, see Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when logged in to the device through the console
port. For this reason, logging into the device using another login mode is recommended when modifying
console user interface attributes. To log in to the device through the console port after changing the default
console user interface attributes, ensure that the configuration of the terminal emulator running on the PC
is consistent with the console user interface attributes configured on the device.
Context
l Communication parameters of the user terminal must match physical attribute parameters
of the console user interface on the device.
l A user authentication mode must be configured on the console user interface, a user can
log in to the device only after being successfully authenticated. Authentication enhances
network security.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 6-1.
Step 3 Set communication parameters to match the switch defaults, as shown in Figure 6-3.
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:
NOTE
l After the password for the user interface is set successfully during the first login, you must enter this
password for authentication when you relog in to the system in password authentication mode using
this user interface.
----End
Prerequisites
Configurations for user login through a console port are complete.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.
----End
Example
Run the display users command to view information about the current user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:00:44 pass no
Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
Applicable Environment
If you know the IP address of a remote switch, you can use Telnet to log in to the switch from
a local terminal. Telnet login allows you to maintain multiple remote switchs from one local
terminal, greatly facilitating device management.
Note that switch IP addresses must be preset through console ports.
Pre-configuration Tasks
Before configuring users to log in using Telnet, you must log in to the device through the console
port to change the default configurations on the device, so that users can remotely log in to the
device using Telnet to manage and maintain the device. The following default configurations
must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l 6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY
User Interface for remote device management and maintenance
l 6.3.3 Enabling the Telnet Service so that users can remotely log in to the device through
Telnet
Data Preparation
BBefore configuring Telnet user login, you need the following data.
No. Data
1 l User priority
l User authentication mode, username, password
l (Optional) Maximum number of VTY user interfaces allowed
l (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
l (Optional) Connection timeout period of terminal users, number of lines displayed
in a terminal screen, number of characters displayed in a terminal screen and size
of the history command buffer
3 TCP port number used by the remote device to provide Telnet services, VPN instance
name
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view
Table 6-2 Association between user access levels and command levels
User Co Level Description
Lev mm Name
el and
Lev
el
1 0 and Monit This level gives access to commands, like the display
1 oring command, that are used for system maintenance and fault
level diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command level, see S6700 Series Command Reference.
3-15 0, 1, Manag This level gives access to commands that control basic
2, ement system operations and provide support for services. These
and 3 level commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, and debugging
commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
Two authentication modes are available: password authentication, and AAA
authentication. Select one of them as needed.
– Configuring Password Authentication
1. Run:
system-view
Context
By default, the Telnet server function is enabled.
Perform the following steps on the device that serves as a Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l For the IPv4 network
1. Run:
system-view
NOTE
l If the undo telnet [ ipv6 ] server enable command is run when a user logs in by using
Telnet, the command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only using SSH
or an asynchronous serial port rather than using Telnet.
----End
Context
Use either the Windows CLI or third-party software in the terminal to log in to the switch through
Telnet. This section describes use of the Windows command line prompt.
Perform the following steps on the user terminal:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to telnet the device.
1. Input the IP address of the Telnet server.
2. Press Enter to display the command line prompt, such as <HUAWEI>, for the system
view. This indicates that you have accessed the Telnet server.
If the password or AAA authentication mode has been set on the device, you must enter
the login user name and password, and press Enter. The command line prompt of the user
view is displayed, as shown in Figure 6-5.
----End
Context
By default, the listening port number of a Telnet server is 23. Users can directly log in to the
switch using the default listening port number. Attackers may access the default listening port,
consuming bandwidth, deteriorating server performance, and causing authorized users unable
to access the server. After the listening port number of the Telnet server is changed, attackers
do not know the new listening port number. This effectively prevents attackers from accessing
the listening port.
Perform the following steps on the switch that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
----End
Prerequisites
Configurations for Telnet logins are complete.
Procedure
l Run the display users [ all ] command to check information about users logged in to user
interfaces.
l Run the display tcp status command to check TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
34 VTY 0 00:00:12 TEL 10.138.77.38 no
Username : Unspecified
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Username : Unspecified
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID
State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0
Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23
Applicable Environment
Telnet logins bring security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet, SCP, and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.
Pre-configuration Tasks
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the default configurations on the device, so that users can remotely log
in to the device using Telnet to manage and maintain the device. The following default
configurations must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l Configuring the user access level and authentication mode of the VTY user
interface for remote device management and maintenance.
l Configuring the VTY user interface to support the SSH protocol, configuring the SSH
user and specify STelnet as a service mode for the SSH user, and enabling the STelnet
server function so that the user can remotely log in to the device through STelnet
Data Preparation
To configure users to log in using STelnet, you need the following data:
No. Data
2 Username, password, authentication mode, and service type of an SSH user and
remote public RSA or DSA key pair allocated to the SSH user
3 (Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encryption algorithm from the SSH server to the STelnet client, preferred HMAC
algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from
the SSH server to the STelnet client, preferred algorithm for key exchange
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view
Table 6-3 Association between user access levels and command levels
1 0 and Monit This level gives access to commands, like the display
1 oring command, that are used for system maintenance and fault
level diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command level, see S6700 Series Command Reference.
3-15 0, 1, Manag This level gives access to commands that control basic
2, ement system operations and provide support for services. These
and 3 level commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, and debugging
commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
– Configuring AAA Authentication
When the authentication mode of the VTY user interface is set to AAA authentication,
the access type of the local user must be specified.
1. Run:
system-view
----End
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
Perform the following steps on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
Step 3 Run:
authentication-mode aaa
Step 4 Run:
protocol inbound ssh
----End
Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication,
Authorization and Accounting (AAA). Before a user logs in to the device in password,
password-RSA, or password-DSA authentication mode, you must create a local user with
the specified username in the AAA view.
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on either of the following authentications: password
authentication, or DSA authentication and RSA authentication.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
RSA key and DSA key are an algorithm for user authentication in SSH, respectively.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode
and is widely used. In many cases, SSH only supports DSA to authenticate the server and
the client. When the RSA or DSA authentication mode is used, the priority of users depends
on the priority of the VTY user interfaces used for login.
Perform the following operations on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh user user-name
l You must configure the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits and 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
Step 4 Perform the operations as described in Table 6-4 based on the configured SSH user
authentication mode.
Configure the Run the ssh authentication-type When you log in using SSH and
Default Password default password command use a TACACS server for
Authentication authentication, the network
administrator needs to specify the
information about an SSH user on
the TACACS server. In most
cases, however, the SSH server
cannot obtain the user
information from the TACACS
server. To resolve this problem,
you can run the ssh
authentication-type default
password command to set the
authentication mode as password
authentication. Then, you can log
in to the device on the SSH server
safely.
4, Enter hex-data to edit the public l In the public key edit view,
key. only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
4, Enter hex-data to edit the public l In the public key edit view,
key. only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 6 Run:
ssh user username service-type { stelnet | all }
----End
Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.
Perform the following steps on the device that serves as an SSH server:
Procedure
Step 1 Run:
system-view
----End
Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help document of the
software.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the switch in STelnet mode.
----End
Procedure
Step 1 Run:
system-view
Configure the Run the ssh server rekey-interval You can set an interval at which the
interval at interval command. key pair of an SSH server is updated.
which the key By default, the interval is 0, When the timer expires, the key pair
pair of the indicating that the key is never is automatically updated, improving
SSH server is updated. security.
updated
Configure the Run the ssh server timeout If a user fails to log in when the
timeout seconds command. timeout period of SSH
period of SSH By default, the timeout period is 60 authentication expires, the system
authentication seconds. disconnects the current connection
to ensure the system security.
Configure the Run the ssh server authentication- The number of times that SSH
number of retries times command. authentication is retried is set to deny
times that By default, SSH authentication access of unauthorized users.
SSH retries a maximum of 3 times.
authentication
is retried
Configure Run the ssh server compatible- There are two SSH versions:
earlier SSH ssh1x enable command. SSH1.X (earlier than SSH2.0) and
version By default, an SSH server running SSH2.0. SSH2.0 has an extended
compatibility SSH2.0 is compatible with SSH1.X. structure and supports more
To prevent clients running SSH1.3 to authentication modes and key
SSH1.99 from logging in, run the exchange methods than SSH1.X,
undo ssh server compatible-ssh1x SSH 2.0 can eliminate the security
enable command to disable support risks that SSH 1.X has. SSH 2.0 is
for earlier SSH protocol versions. more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The S6700 Series
supports SSH versions ranging from
1.3 to 2.0.
Configure the Run the ssh server port port- The default listening port number of
listening port number command. an SSH server is 22. Users can log in
number of the By default, the listening port number to the device by using the default
SSH server is 22. listening port number. Attackers
may access the default listening port,
If a new listening port is set, the SSH consuming bandwidth, deteriorating
server cuts off all established STelnet server performance, and causing
and SFTP connections, and uses the authorized users unable to access the
new port number to listen to server. After the listening port
connection requests. number of the SSH server is
changed, attackers do not know the
new port number. This effectively
prevents attackers from accessing
the listening port and improves
security.
----End
Prerequisites
Configurations for STelnet login are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<Quidway> display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : RSA
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view configurations of an SSH server.
<Quidway> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server : Enable
Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<Quidway> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
Applicable Environment
After a device that supports web network management is enabled with the HTTP function, the
device can function as a web server. Users can log in to the device using HTTP and use web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 6-7, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using web pages.
Figure 6-7 Networking diagram for accessing another device by using HTTPS
VLANIF10
192.168.0.1/24
Network
PC HTTP-Server
Pre-configuration Tasks
Before configuring users to log in using secure web network management (HTTPS Mode),
complete the following tasks:
l Upload a digital certificate to a device that will function as an HTTPS server and copying
the certificate to the sub-directory named security of the system directory on the HTTPS
server.
l Install a Web browser on a PC.
Data Preparation
To configure users to log in using secure web network management (HTTPS Mode), you need
the following data.
No. Data
2 IP address, Web page file, and Web account of the HTTPS server
Context
Before using HTTPS to securely manage files, the HTTPS server needs to obtain a digital
certificate from a CA. The digital certificate is used to authenticate clients. This ensures that
only authorized clients can log in to the HTTPS server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as
a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.
The digital certificate includes information such as the name of a person or an organization that
applies for the certificate, public key, digital-signed signature of the CA that issues the digital
certificate, and validity period of the digital certificate. A CA can issue a certificate chain along
with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates
on the chain.
Upload the server digital certificate and private key file to the security directory on the device
in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir
security command to create one.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem. A PEM certificate contains only a public key but not a private key, and
the public key is usually encrypted.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der. An ANS1 certificate contains only a public key but not a
private key, and the public key is not encrypted.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually
encrypted.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssl policy policy-name
NOTE
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
Procedure
Step 1 Run:
system-view policy-name
The default listening port number of the HTTPS server is 443. When using the default listening
port number to access and control the HTTPS server, you do not need to specify the port number
in commands. Attackers may access the default listening port, consuming bandwidth, affecting
performance of the server, and causing authorized users unable to access the server. To improve
security, run this command to change the listening port number of the HTTPS server. After that,
attackers are deprived of information about the newly configured listening port number, and the
HTTPS server is therefore well protected.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
local-user user-name password cipher password
Step 4 Run:
local-user user-name service-type http
Step 5 Run:
local-user user-name privilege level level
NOTE
Setting the HTTP user level to 3 or higher is recommended so that the HTTP user can have management-
level rights. Users at levels 0, 1 and 2 have only visit-level rights.
----End
Open the Web browser on the PC. Enter the IP address of the HTTPS server in the address bar.
Press Enter and the dialog box shown in Figure 6-8 is displayed.
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
Prerequisites
Login to the devices by using secure web network management (HTTPS Mode) has been
configured.
Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display http server command to check the information about the current HTTP
server.
l Run the display http user [ username username ] command to check the information about
current online users.
----End
Example
Run the display ssl policy command. The command output shows detailed information about
the configured SSL policy and loaded digital certificate.
Run the display http server command to view information about the current HTTP server.
<Quidway> display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 3
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
Run the display http user command to view information about current online users.
<Quidway> display http user
Total online users: 1
------------------------------------------------------
User name Client IP Address Login Date
------------------------------------------------------
admin 192.168.0.1 2012-03-23 15:30:55+00:00
Applicable Environment
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage switchs safely.
Pre-configuration Tasks
Before performing operations after login, connect the terminal to the switch.
Data Preparations
Before performing operations after login, you need the following data:
No. Data
No. Data
Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.
Procedure
Step 1 Run:
system-view
Step 2 Run:
super password [ level user-level ] [ cipher password ]
Step 3 Run:
quit
Step 4 Run:
super [ level ]
If the password entered is correct, the user can switch to a higher level. If an incorrect password
is entered three times in a row, the user is returned to the user view at the original level.
NOTE
When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.
----End
Context
The user interface can be a console user interface or a VTY user interface.
Procedure
Step 1 Run:
lock
Step 2 Follow the system prompts and input a password to unlock the user interface.
<Quidway> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter the password previously set to unlock the user interface.
----End
Context
Users logged in to the switch can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display, and press Ctrl_C to abort the display.
----End
Context
User name, address, and authentication and authorization information can be queried.
Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about users logged in to all user interfaces is displayed.
----End
Context
You can run the display users command to view users logging in to the switch.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
----End
Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user locks the configuration set, you can exclusively lock the configuration.
Procedure
Step 1 Run:
configuration exclusive
NOTE
Step 2 Run:
system-view
The timeout period for automatically unlocking the configuration set is set.
After the timeout period expires, the configuration set is automatically unlocked, allowing other
users to configure the device.
By default, the timeout period is 30s.
NOTE
l When a user without exclusive configuration access runs this command, the system prompts an error
message.
l If the configuration set is locked by another user, this command cannot be configured, and the system
prompts an error message.
l If the configuration set is locked by the current user, the current user can run this command.
----End
Networking Requirements
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the switch can be implemented.
PC Switch
Configuration Roadmap
1. Connect a PC to the switch through a console port.
2. Set login parameters on the PC.
Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit:
2, flow control mode: none)
Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
switch.
Step 2 Run the terminal emulator on the PC. As shown in Figure 6-10, set communication parameters
for the PC to Figure 6-12. Set the transmission rate to 4800 bit/s, data bit to 6, parity bit to even,
stop bit to 2, and flow control mode to none.
Step 3 Power on the switch. The system starts an automatic configuration and a self-check. After the
self-check is complete, at the prompt "Password:," enter the correct authentication password and
press Enter. If the message (such as <Quidway>) is displayed, the login in to the system
succeeds.
Then, you can enter a command to view the operating status of the switch or configure the
switch.
----End
Networking Requirements
You can use a PC or other terminal to log in to the a switch on another network segments through
the PC or other terminals to perform remote maintenance.
VLANIF 2
10.137.217.221/16
NetWork
PC Switch
After a Telnet user logs in to the switch in AAA authentication mode, the Telnet user is prohibited
from logging in to another switch through the switch.
Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the switch.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the switch.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the PC
l IP address of the the switch: 10.137.217.221/16
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another switch: 3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes
l Number of lines that a terminal screen displays: 30
Procedure
Step 1 Respectively connect the PC and the switch to the network.
# Configure an ACL that is used to prohibit users from logging into another switch.
[Quidway]acl 3001
[Quidway-acl-adv-3001]rule deny tcp source any destination-port eq telnet
[Quidway-acl-adv-3001]quit
[Quidway] user-interface vty 0 9
[Quidway-ui-vty0-9] acl 3001 outbound
Use the windows command line to telnet the switch. The Telnet login window is shown in the
following figure.
Press Enter, and then input the username and password in the login window. If user
authentication succeeds, a command line prompt of the system view is displayed. It indicates
that you have entered the user view.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
vlan batch 2
#
interface Vlanif2
ip address 10.137.217.221 255.255.0.0
#
interface xgigabitethernet 0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa
Networking Requirements
As shown in Figure 6-16, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, RSA, password-rsa, or all) to log in to the
SSH server.
VLANIF 2
10.164.39.210/24
Network
PC SSH Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting a user authentication mode, a username,
and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Generate a local key pair on the server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
# Log in to the device through the software putty, and enter the username client001 and the
password huawei.
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
vlan batch 2
#
interface Vlanif2
ip address 10.164.39.210 255.255.255.0
#
interface xgigabitethernet 0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
After a device that supports web network management is enabled with the HTTP function, the
device can function as a web server. Users can log in to the device using HTTP and use web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 6-19, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using web pages.
Figure 6-19 Networking diagram for accessing another device by using HTTPS
VLANIF10
192.168.0.1/24
Network
PC HTTP-Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Upload a digital certificate and a web page file.
Upload the digital certificate and web page file saved on the PC to the device that functions
as an HTTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the HTTP server to the security
sub-directory, configure an SSL policy, and load the digital certificate.
3. Load the web page file.
4. Create a web account.
5. Log in to the web system.
Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the HTTP server
l HTTP user name and password
l SSL digital certificate
l Web account
l Web page file
Procedure
Step 1 Upload the digital certificate and web page file.
# Configure an IP address for the device that functions as an HTTP server so that the PC and
HTTP server are reachable.
<Quidway> system-view
[Quidway] sysname HTTP-Server
[HTTP-Server] interface xgigabitethernet0/0/1
[HTTP-Server-XGigabitEthernet0/0/1] port link-type access
[HTTP-Server-XGigabitEthernet0/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port xgigabitethernet0/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for
FTP users.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password cipher huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei privilege level 15
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the digital certificate and web page file from the PC to the HTTP server, as shown in
Figure 6-20.
After the preceding configurations are complete, run the dir command on the HTTP server. The
command output shows that the digital certificate and web page file have been successfully
uploaded to the server.
<HTTP-Server> dir
Directory of flash:/
After the preceding configurations are complete, run the dir command in the security sub-
directory on the HTTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<HTTP-Server> cd security/
<HTTP-Server> dir
Directory of flash:/security/
After the preceding configurations are complete, run the display ssl policy command on the
HTTP server. The command output shows detailed information about the loaded certificate.
[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
Step 6 Verify the configuration.
# Run the display http server command on the HTTPS server. The command output shows the
SSL policy name and the HTTPS server status.
[HTTP-Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
----End
Configuration Files
Configuration file of the HTTPS server
#
sysname HTTP-Server
#
FTP server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return
The file system manages the files and directories on the storage devices of the switch. It can
move or delete a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.
l Storage devices
Storage devices are hardware devices for storing data.
Different products support different storage devices. Currently, the S6700 supports the flash
memory.
l Files
A file is resources for storing and managing data.
l Directories
A directory is a logical container that the system uses to organize files.
l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
Applicable Environment
Use the file system to manage files or directories on the switch. If the switch is unable to save
or obtain data, log in to the file system to repair the faulty storage devices.
Pre-configuration Tasks
Before logging in to the file system to manage files, connect the client with the server correctly.
Data Preparation
To manage files by logging in to the file system, you need the following data:
No. Data
2 Directory name
3 File name
Context
When the file system on a storage device fails, the terminal of the switch prompts you to rectify
the fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device. After Formatting the storage devices, the files and directories
in the specified storage device are cleared and cannot be restored.
CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Procedure
l Run:
fixdisk device-name
NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
l Run:
format device-name
NOTE
If the storage device does not work after you run this command, there may be a hardware fault.
----End
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
l Run:
cd directory
A directory is specified.
l Run:
pwd
----End
Context
l Managing files includes: displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
l You can run the cd directory command to enter the directory you want from the current
directory.
Procedure
l Run:
more file-name [ offset ] [ all ]
l Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }
CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l Run:
undelete filename
You can use this command to permanently delete files in the recycle bin.
l Running Files in Batches
You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the switch.
You can create and run a batch file to implement routine tasks.
1. Run:
system-view
The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.
1. Run:
system-view
CAUTION
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
Applicable Environment
When an FTP client logs in to a switch serving as an FTP server, the user can transfer files
between the client and the server.
Pre-configuration Tasks
Before using FTP to manage files, connect the FTP client to the server.
Data Preparation
To use FTP to manage files, you need the following data:
No. Data
1 FTP username and password, and authorized FTP file directory name
Context
To use FTP to manage files, you must configure a local username and a password on the
switch and specify a service type and the directories that can be accessed.
Perform the following operations on the switch that functions as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
set default ftp-directory directory
NOTE
The configuration in this step takes effect only with TACACS users.
Step 3 Run:
aaa
Step 4 Run:
local-user user-name password cipher password
Step 5 Run:
local-user user-name service-type ftp
Step 6 Run:
local-user user-name privilege level level
NOTE
Step 7 Run:
local-user user-name ftp-directory directory
----End
Context
The default listening port number for an FTP server is 21. Users can log in to the switch directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, preventing
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
NOTE
Perform the following steps on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server port port-number
Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and begins to use the new listening port.
----End
Context
The FTP server is disabled by default on the switch. It must be enabled before FTP can be used.
Perform the following steps on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server enable
NOTE
When file operations between clients and the switch are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects switch security.
----End
Context
l You can configure a source IP address for the FTP server. The FTP client can only access
this address and this protects system security.
l You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Perform the following steps on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
----End
Context
When the switchfunctions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.
Perform the following steps on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
NOTE
Step 4 Run:
quit
Step 5 Run:
ftp [ ipv6 ] acl acl-number
----End
Context
You can use either the Windows command line prompt or third-party software to log in to the
switch. The example here uses the Windows command line prompt as an example.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the ftp ip-address command to log in to the switch using FTP.
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt are displayed in the FTP client view, such as ftp>, you have entered the working
directory of the FTP server.
----End
Context
After logging in to the FTP server, you can perform the following operations:
l Configuring data type for the file
l Uploading or downloading files
l Creating directories or deleting directories on the FTP server
l Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:
Procedure
l Configuring the data type and transmission mode for a file
– Run:
ascii or binary
NOTE
FTP supports ASCII and the binary files. The difference the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
l Uploading or downloading files
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
l Running one or more of the following commands to manage directories
– Run:
cd pathname
– Run:
ls [ remote-filename ] [ local-filename ]
When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End
Prerequisites
Managing files using FTP has been configured.
Procedure
l Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
l Run the display ftp-users command to check how many users are currently logged in FTP
server.
----End
Example
Run the display [ ipv6 ] ftp-server to view the status of the FTP server.
<Quidway> display ftp-server
FTP server is running
Max user number 5
User count 1
Timeout value(in minute) 30
Listening Port 1080
Acl number 0
FTP SSL policy
FTP Secure-server is stopped
Run the display ftp-users command to view the username, port number, authorization directory
of the FTP user configured.
<Quidway> display ftp-users
username host port idle topdir
zll 100.2.150.226 1383 3 flash:
Applicable Environment
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server for data transmission.
Pre-configuration Tasks
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.
Data Preparation
Before using SFTP to manage files, you need the following data.
No. Data
1 Maximum number of VTY user interfaces, (optional) ACL for restricting incoming
and outgoing calls on VTY user interfaces, connection timeout period of terminal
users, number of rows displayed in a terminal screen, size of the history command
buffer, user authentication mode, username, and password
2 Username, password, authentication mode, and service type of an SSH user, remote
public RSA or DSA key pair allocated to the SSH user, and SFTP working directory
of the SSH user
4 Name of the SSH server, number of the port monitored by the SSH server, preferred
encryption algorithm from the SFTP client to the SSH server, preferred encryption
algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from
the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server
to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
No. Data
Context
Before a user logs in to the device by using SFTP, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the device.
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the switch using SFTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
Step 3 Run:
authentication-mode aaa
Step 4 Run:
protocol inbound ssh
----End
Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication,
Authorization and Accounting (AAA). Before a user logs in to the device in password,
password-RSA, or password-DSA authentication mode, you must create a local user with
the specified username in the AAA view.
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on either of the following authentications: password
authentication, or DSA authentication and RSA authentication.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
RSA key and DSA key are an algorithm for user authentication in SSH, respectively.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode
and is widely used. In many cases, SSH only supports DSA to authenticate the server and
the client. When the RSA or DSA authentication mode is used, the priority of users depends
on the priority of the VTY user interfaces used for login.
Perform the following operations on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view
NOTE
l You must configure the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits and 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
Step 5 Perform the operations as described in Table 7-1 based on the configured SSH user
authentication mode.
Configure the Run the ssh authentication-type When you log in using SSH and
Default Password default password command use a TACACS server for
Authentication authentication, the network
administrator needs to specify the
information about an SSH user on
the TACACS server. In most
cases, however, the SSH server
cannot obtain the user
information from the TACACS
server. To resolve this problem,
you can run the ssh
authentication-type default
password command to set the
authentication mode as password
authentication. Then, you can log
in to the device on the SSH server
safely.
4, Enter hex-data to edit the public l In the public key edit view,
key. only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
4, Enter hex-data to edit the public l In the public key edit view,
key. only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }
The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is flash:.
----End
Context
By default, the SFTP server function is not enabled on the switch. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the switch.
Perform the following steps on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Configure the Run the ssh server rekey-interval You can set an interval at which the
interval at interval command. key pair of an SSH server is updated.
which the key By default, the interval is 0, When the timer expires, the key pair
pair of the indicating that the key is never is automatically updated, improving
SSH server is updated. security.
updated
Configure the Run the ssh server timeout If a user fails to log in when the
timeout seconds command. timeout period of SSH
period of SSH By default, the timeout period is 60 authentication expires, the system
authentication seconds. disconnects the current connection
to ensure the system security.
Configure the Run the ssh server authentication- The number of times that SSH
number of retries times command. authentication is retried is set to deny
times that By default, SSH authentication access of unauthorized users.
SSH retries a maximum of 3 times.
authentication
is retried
Configure Run the ssh server compatible- There are two SSH versions:
earlier SSH ssh1x enable command. SSH1.X (earlier than SSH2.0) and
version By default, an SSH server running SSH2.0. SSH2.0 has an extended
compatibility SSH2.0 is compatible with SSH1.X. structure and supports more
To prevent clients running SSH1.3 to authentication modes and key
SSH1.99 from logging in, run the exchange methods than SSH1.X,
undo ssh server compatible-ssh1x SSH 2.0 can eliminate the security
enable command to disable support risks that SSH 1.X has. SSH 2.0 is
for earlier SSH protocol versions. more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The S6700 Series
supports SSH versions ranging from
1.3 to 2.0.
Configure the Run the ssh server port port- The default listening port number of
listening port number command. an SSH server is 22. Users can log in
number of the By default, the listening port number to the device by using the default
SSH server is 22. listening port number. Attackers
may access the default listening port,
If a new listening port is set, the SSH consuming bandwidth, deteriorating
server cuts off all established STelnet server performance, and causing
and SFTP connections, and uses the authorized users unable to access the
new port number to listen to server. After the listening port
connection requests. number of the SSH server is
changed, attackers do not know the
new port number. This effectively
prevents attackers from accessing
the listening port and improves
security.
----End
Context
Third-party software can be used to access the switch from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the switch, see help documentation for the
software.
Procedure
Step 1 Open the Windows CLI.
Step 2 Run relevant OpenSSH commands to log in to the switch in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.
----End
Context
After logging in to the SFTP server, you can perform the following operations:
l Displaying the SFTP client command help
l Managing directories on the SFTP server
l Managing files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.
Procedure
l Run:
help [ all | command-name ]
Prerequisites
SSH users have been configured.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about the SSH client.
l Run the display ssh server status command on the SSH server to check its global
configurations.
l Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password.
[Quidway] display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : RSA
Sftp-directory : -
Service-type : sftp
Authorization-cmd : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view global configurations of an SSH server.
<Quidway> display ssh server status
<Quidway> display ssh server status
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server : Enable
Stelnet server : Enable
Scp server : Enable
SSH server port : 55535
NOTE
If the default interception port is in use, information about the current interception port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<Quidway> display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
Authentication Type : password
Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 7-3, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.
VLANIF10
192.168.0.1/24
Network
PC FTP-Server
Pre-configuration Tasks
Before using FTPS to manage files, complete the following tasks:
Data Preparation
Before using FTPS to manage files, you need the following data.
No. Data
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
Context
NOTE
Before enabling the FTPS server function, disable the FTP server function.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view
----End
Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then
use a third-party software to log in to the FTPS server from the PC to securely manage files on
the FTPS server.
Prerequisites
Login to the devices by using FTPS has been configured.
Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
Networking Requirements
As shown in Figure 7-4, the local PC functions as the FTP client of which the IP address is
10.1.1.1/24.
The Switch acts as the FTP server, and IP address of the FTP server is 10.1.1.2/24.
The PC uploads files to the Switch.
Figure 7-4 Networking diagram of the Switch functioning as the FTP server
VLAN10
FTP Client FTP Session FTP Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the correct FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftpwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password cipher ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 privilege level 15
[Quidway-aaa] local-user u1 ftp-directory flash:/
[Quidway-aaa] return
Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
Use Windows XP on the FTP client to illustrate the preceding operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
----End
Configuration Files
#
sysname Quidway
#
FTP server enable
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
local-user u1 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user u1 privilege level 15
local-user u1 ftp-directory flash:/
local-user u1 service-type ftp
#
Return
Networking Requirements
As shown in Figure 7-5, after SFTP services are enabled on the switch functioning as an SSH
server, you can log in to the server from an SFTP client PC in password, RSA, password-rsa,
DSA, password-DSA or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.
VLANIF 2
10.164.39.210/24
Network
PC SSH Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP
client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and
authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure a local key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher
huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
vlan batch 10
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.137.217.225 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 7-7, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.
VLANIF10
192.168.0.1/24
Network
PC FTP-Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Upload a digital certificate.
Upload the digital certificate saved on the PC to the FTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the FTP server to the sub-directory
named security, configure an SSL policy, and load the digital certificate.
3. Enable the FTPS server function.
4. Install the SSL-capable FTP client software on the PC
Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server
l FTP user name and password
l SSL digital certificate
Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface xgigabitethernet0/0/1
[FTP-Server-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-XGigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
7-8.
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
7-9.
After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir
Directory of flash:/
After the preceding configurations are complete, run the dir command in the security sub-
directory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/
[FTP-Server-ssl-policy-ftp_server] quit
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.
----End
Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user huawei service-type ftp
local-user huawei privilege level 15
local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
When the switch is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the switch, you need to manage system software and configuration
files efficiently.
l The system can run the command with the maximum length of 510 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 510 characters. When the system restarts, these
commands cannot be restored.
l A configuration file can contain 30000 command lines. If more than 30000 commands are configured,
some commands may be lost after an upgrade.
You can use the command line interface to modify current switch configurations. Use the
save command to save modified configurations to the configuration file on the default storage
devices. This configuration file will be used to initialize the switch when the switch is powered
on next time.
Applicable Environment
Configuration files can be saved, cleared, compared, backed up, and restored. Configuration file
management is required to upgrade the switch, take preventive measures, repair configuration
files, and view configurations after the switch starts.
Pre-configuration Tasks
Before managing configuration files, install and powering on the switch.
Data Preparation
To manage configuration files, you need the following data.
No. Data
3 Number of the start line from which the comparison of the configuration files
begins
Context
Configuration files can be saved on demand or the system can be set to save configuration files
at regular intervals. This prevents data loss if the switch restarts without warning or when it is
powered off.
Run one of the following commands to save configuration files.
Procedure
l Run:
1. system-view
{ ftp | sftp } ] user user-name password password [ path folder ] or set save-
configuration backup-to-server server server-ip transport-type tftp [ path
folder ] command to configure the server, including the IP address, username,
password of the server, destination path, and mode of transporting the configuration
file to the server.
NOTE
If TFTP is used, run the tftp client-source command to configure a loopback interface address as a
client source IP address on the switch, improving security.
l Run:
save [ all ] [ configuration-file ]
The extension for the configuration file must be .cfg or .zip. The system startup
configuration file must be saved in the root directory of a storage device.
You can modify the current configuration through the CLI. To set the current configuration
as initial configuration when the switch starts next time, you can use the save command to
save the current configuration in the flash memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that have not been inserted, to the next startup configuration
file.
NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the switch asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip" is
the default configuration file and initially contains no configuration.
----End
Context
The configuration file stored in the flash memory needs to be cleared in the following cases:
l The system software does not match the configuration file after the switch has been
upgraded.
l The configuration file is destroyed or an incorrect configuration file has been loaded.
Procedure
l Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
– If the configuration file used for the current startup of the switch is the same as the file
to be used for the next startup, running the reset saved-configuration command clears
both files. The switch will use the default configuration file for the next startup.
– If the configuration file used for the current startup of the switch is different from the
file to be used for the next startup, running the reset saved-configuration command
clears the configuration file used for the current startup.
– If you run the reset saved-configuration command and the configuration file used for
the current startup of the switch is empty, the system will prompt that the configuration
file does not exist.
CAUTION
l Exercise caution when running this command. If necessary, do it under the guidance of
Huawei technical support personnel.
l After the contents of a configuration file are cleared, the empty configuration file with
the original file name is left.
l After the configuration file is cleared, if you do not run the startup saved-
configuration configuration-file command to specify a new configuration file, or do
not run the save command to save the configuration file, the switch will use the default
configuration file at the next startup.
Context
You can determine whether to specify the current configuration file as the one for the next startup
by comparing the current configuration file with the one for the next startup.
Procedure
l Run:
compare configuration [ configuration-file ] [ current-line-number save-line-
number ]
The current configuration is compared with the configuration file for next startup.
– If configuration-file is configured, the system checks whether the current configuration
file is the same as the specified configuration file.
– If no parameter is set, the comparison begins with the first lines of configuration files.
If values for current-line-number and save-line-number are set, the comparison
continues by ignoring differences between the configuration files.
The system begins to display the content of a current and a saved configuration file from
the first line of the two files that is different. Beginning with this line, 150 characters are
displayed by default for each of the files. If there are fewer than 150 characters remaining
after the first line with a difference, all remaining content in the files is displayed.
NOTE
When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system prompts that reading files fails.
----End
Procedure
l Copying the screen directly
In the CLI, run the display current-configuration command. Copy all the display to txt
documents, then back up the configuration files to the hard disk of the maintenance terminal.
l Backing up the configuration files through TFTP
1. Copy the configuration files in the Flash directly.
This action is to back up the current configuration files that are stored in the Flash of
the device.
After startup of the device, use the following commands to back up the configuration
files in the Flash of the device.
<Quidway> save flash:/config.cfg
The current configuration will be written to the device.
Are you sure to continue?[Y/N]:y
Now saving the current configuration to the slot 0.
Info: Save the configuration successfully.
<Quidway> copy config.cfg flash:/backup.cfg
Copy flash:/config.cfg to flash:/backup.cfg?[Y/N]:y
100% complete/
Info: Copied file flash:/config.cfg to flash:/backup.cfg...Done.
Start the FTP server on the device. Create an FTP user whose username is huawei and
password is huawei.The user level must be set to 3 or higher. Authorize the user to
visit flash:\.
<Quidway> system-view
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] local-user huawei ftp-directory flash:/
[Quidway-aaa] local-user huawei service-type ftp
On the PC, establish an FTP connection with the device through the FTP client. For
example, the IP address of the device is 10.110.24.254.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.
After the FTP user passes authentication, the FTP client prompts "ftp>". Enter
binary and specify the directory for storing the configuration files on the FTP client.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
Run the get command on the PC to download the configuration files to the local
specified directory and save them as backup.cfg.
ftp> get config.cfg backup.cfg
200 Port command okay.
150 Opening ASCII mode data connection for config.cfg.
226 Transfer complete.
ftp: 1021 bytes received in 0.06Seconds 60.02Kbytes/sec.
ftp>
6. Check whether the config.cfg and backup.cfg files are of the same size. If they are
of the same size, the backup is successful.
----End
Context
You can restore the configuration files through the following ways:
NOTE
After restoring the configuration files, restart the device to make the configuration files take effect. Run
the startup saved-configuration command to specify the configuration file for next startup. If the
configuration file name is unchanged, you do not need to run this command. Then run the reboot command
to restart the device.
Procedure
l Restoring the configuration files saved in the Flash
This operation is to restore the configuration files saved in the Flash of the device as the
configuration files of the current system.
The device works as the TFTP client. The restoration procedure is similar to that of backing
up the configuration files through TFTP. Run the tftp get command to download the
configuration files saved in the PC to the Flash of the device.
l Restoring the configuration files saved in the PC through FTP
The device acts as the FTP server. The restoration procedure is similar to that of backing
up the configuration files through FTP. Run the put command to upload the
configuration files saved in the PC to the Flash of the device.
----End
Prerequisites
Managing configuration files has been configured.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ]command to check current configurations.
l Run the display startup command to check files for startup.
l Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
l Run the display saved-configuration configuration command to view configurations of
the autosave function, including the status of the autosave function, time for autosave check,
threshold for the CPU usage, and period during which configurations are unchanged (when
the period expires, configurations are automatically saved).
l Run the display changed-configuration time command to check the time of the last
configuration change.
----End
Example
Run the display startup command to check files for startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
Applicable Environment
To enable the switch to provide user-defined configurations during the next startup, you need
to correctly specify the system software and configuration file for the next startup.
Pre-configuration Tasks
Before specifying a file for system startup, install the switch and powering it on properly.
Data Preparation
To specify a file for system startup, you need the following data.
No. Data
8.3.2 Configuring System Software for a switch to Load for the Next
Startup
If you need to upgrade system software of a switch, you can specify the switch system software
to be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The file name extension of the system software must be .cc and the file must be stored in the
root directory of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The S6700 system software to be loaded at the next startup of the switch is configured.
The system software package must use .cc as the extension and be saved to the root directory of
the flash memory.
If the BootROM version of next startup software that you specify is different from the current
BootROM version, the system prompts you to upgrade the BootRom.
----End
Context
Run the display startup command on the switch to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The file name extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the switch is powered on, it reads the configuration file from the flash memory by default
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the flash memory, the switch uses default parameters to initiate.
Procedure
l Run:
startup saved-configuration configuration-file
----End
Prerequisites
A configuration file has been specified for system startup.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
check current configurations.
l Run the display saved-configuration [ last | time | configuration ] command to check the
contents of the configuration file to be loaded at next startup.
l Run the display startup command to check information about the files to be used at next
startup.
----End
Example
Run the display startup command to check information about the files to be used at next startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
Networking Requirements
After the switch is configured, new configurations take effect at next system startup.
Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the switch.
3. Specify the system software to be loaded at the next startup of the switch.
Data Preparation
To complete the configuration, you need the following data:
l Name of the configuration file
l File name of the system software
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00b01.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/test.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
The system asks you whether you want to save the current configuration to the file named
vrpcfg.cfg. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the switch.
<Quidway> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded at the next startup of the switch.
<Quidway> startup system-software S6700v200r001c00.cc
----End
Configuration Files
None.
To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
Figure 9-1 Networking diagram for accessing another device from the switch
PC Client
As shown in Figure 9-1, when you run a terminal emulation or Telnet program on a PC to
connect to the switch, the switch can still function as a client to access another device on the
network. There are several ways to accomplish this.
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service.
l Telnet server: You can run the Telnet client program on a PC to log in to a switch to complete
configuration and management tasks. The switch acts as a Telnet server.
l Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the switch. You can then run the telnet command to log in to other
switchs to configure and manage them. As shown in Figure 9-2,Switch A serves as both
a Telnet server and a Telnet client.
Telnet Server
PC SwitchA SwitchB
As shown in Figure 9-3, Switch A logs in to Switch B through Telnet, and Switch B logs
in to Switch C through Telnet. Therefore, a cascade network is formed. In this case, Switch
A is the client of Switch B and Switch B is the client of Switch C. Figure 9-3 illustrates
the usage of shortcut keys.
Telnet Telnet
Client Server
NOTE
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_]: The client interrupts the connection.
If the server fails and the client is unaware of the failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<SwitchC>
CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.
SSH Overview
When users on an insecure network use Telnet to log in to the switch, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the switch from IP address
spoofing and other such attacks, and protects the switch against the interception of plain text
passwords.
The SSH client function allows users to establish SSH connections with switchs serving as SSH
servers or with UNIX hosts.
l STelnet client
STelnet is short for Secure Telnet.
Telnet does not provide secure authentication and TCP transmits data in plain text. This
creates security vulnerabilities. Denial of service (DOS) attacks, host IP address spoofing,
and route spoofing also threaten system security. Telnet services are vulnerable to network
attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
– SSH supports Remote Subscriber Access (RSA) authentication and Digital Signature
Algorithm authentication (DSA). SSH uses RSA authentication or DSA authentication
to generate and exchange public and private keys compliant with an asymmetric
encryption system that protects session security.
– SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
– SSH usernames and the passwords are encrypted in communication between an SSH
client and server. This prevents password interception.
– SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files. This improves data transmission security when the remote system is updated.
The client function allows you to use SFTP to log in to the remote device for secure file
transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SCP client
SCP allows you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure
data transfer.
Unlike SFTP, SCP simplifies the file transfer process by combing user authentication and
file transfer, therefore improving configuration efficiency.
Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate across a network in a way designed to prevent
eavesdropping by authenticating the server or the client. SSL has the following advantages:
l Provides high security assurance. It uses data encryption, authentication, and a message
integrity check to ensure secure data transmission over the network.
l Supports various application layer protocols. SSL is originally designed for securing World
Wide Web traffic. As SSL functions between the application layer and the transport layer,
it secures data transmission based on TCP connections for any application layer protocol.
l Is easy to deploy. Currently, SSL has become a world-wide communications standard for
authenticating Web site and Web page users and encrypting data transmitted between
browser users and Web servers.
l Helps authorized users to securely access servers and prevents unauthorized users from
accessing servers.
l Encrypts data transmitted between a client and a server for data transmission security and
computes a digest for data integrity, which implements security management for devices.
l Defines an access control policy on a device based on certificate attributes to control the
access rights of clients, which prevents unauthorized users from attacking the device.
Basic Concepts
l Certificate Authority (CA)
A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks the
validity of digital certificate owners, signs digital certificates to prevent eavesdropping and
tampering, and manages certificates and keys. The world-wide trusted CA is called a root
CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described
in a trusted-CA file.
For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then
issues a certificate for CA3 and so on, until CAn issues the final server certificate.
If CA3 issues the server certificate, certificate authentication on the client starts from server
certificate authentication. The CA3 certificate is used to authenticate the server certificate.
If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate.
Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate
authentication succeeds only when the CA2 certificate has been authenticated by the CA1
certificate.
Figure 9-4 shows the certificate issuing and authentication processes.
l Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public
key with an identity. The digital certificate includes information such as the name of a
person or an organization that applies for the certificate, public key, digital-signed signature
of the CA that issues the digital certificate, and validity period of the digital certificate. A
Application
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network
management is an HTTPS application).
l FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, FTPS provides a secure FTP server access.
– Login to an FTPS server from a user terminal
an SSL policy is configured on the FTP server. After a digital certificate is loaded and
the FTPS server function is enabled on the server, you can log in to the server from a
terminal on which the SSL-capable FTP client software is installed to securely operate
files transmitted between the terminal and the server.
– Login to an FTPS server from an FTPS client
– An SSL policy needs to be configured and a trusted-CA file needs to be loaded to
an FTP client to verify the identity of the certificate owner, sign a digital certificate
to prevent eavesdropping and tampering, and manage the certificate and key.
– An SSL policy needs to be configured on and a digital certificate needs to be loaded
to an FTP server to verify the validity of the trusted-CA file. This ensures that only
authorized clients can log in to the server.
l HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, HTTPS provides a secure Web access.
an SSL policy is configured on the device that functions as an HTTP server. After a digital
certificate is loaded to and the HTTPS server function is enabled on the server, users can
log in to the server to remotely manage the server using web pages.
Applicable Environment
Figure 9-5 Networking diagram for accessing another device from the device that you have
logged in to
Network Network
PC SwitchA SwitchB
As shown in Figure 9-5, you can use Telnet to log in to Switch A from a PC. You cannot,
however, manage Switch B remotely, because there is no reachable route between the PC and
Switch B. To manage Switch B remotely, you must use Telnet to log in to it from Switch A.
In this situation, Switch A functions as a Telnet client and Switch B functions as a server.
Pre-configuration Tasks
Before using Telnet to log in to another device on the network, complete the following tasks:
Data Preparation
To log in to another device by using Telnet, you need the following data:
No. Data
2 Number of the TCP port used by the SwitchB to provide Telnet services
Context
An IP address is configured for an interface on the switch and functions as the source IP address
of a Telnet connection. This allows for implementation of security checks.
Procedure
Step 1 Run:
system-view
Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured one.
----End
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Perform the following steps on the switch that serves as a Telnet client:
Procedure
l Select and perform one of the following two steps for IPv4 or IPv6.
– Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i
interface-type interface-number ] host-name [ port-number ]
----End
Prerequisites
Logging in to another device has been configured.
Procedure
l Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0
Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established
Applicable Environment
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as a Telnet client, and the
device that you want to log in to functions as an SSH server.
Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks:
l 6.4 Logging in to Devices Using STelnet.
l Configure a reachable route between the client and SSH server.
Data Preparation
To log in to another device using STelnet, you need the following data.
No. Data
1 Name of the SSH server, and public key that is assigned by the client to the SSH server
2 IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
by the SSH server, preferred encryption algorithm for data from the SFTP client to
the SSH server, preferred encryption algorithm for data from the SSH server to the
SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH
server, preferred HMAC algorithm for data from the SSH server to the SFTP client,
preferred algorithm of key exchange
The user information for logging in to the SSH server
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Perform the following steps on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.
----End
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA public key
validity check and cannot log in to the server. You must allocate an RSA or DSA public key to
the SSH server before the STelnet client logs in to the SSH server.
Perform the following steps on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }
Step 3 Run:
public-key-code begin
Step 4 Run:
hex-data
NOTE
l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.
Step 5 Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name, can choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and can configure the keepalive function.
Perform the following steps on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
----End
Prerequisites
Logging in to another device by using STelnet has been configured.
Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.
----End
Example
Run the display ssh server-info to view the mappings between all servers of the SSH client and
the RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP) Server Public Key Type Server public key name
______________________________________________________________________________
Applicable Environment
You can use TFTP to in a simple interaction environment to transfer files between a server and
a client.
The current Switch functions as a TFTP client, and theSwitch to be accessed functions as a TFTP
server.
Pre-configuration Tasks
Before configuring access to another device using TFTP, configure a reachable route between
the client and TFTP server.
Data Preparation
To access another device using TFTP, you need the following data.
No. Data
1 (Optional) Source address or source interface of the switch that functions as a TFTP
client
3 Name of the specific file in the TFTP server and the file directory
Context
An IP address is configured for an interface on the switch and functions as the source IP address
of a TFTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
Context
An Access Control List (ACL) is a set of sequential rules. Rule descriptions are based on the
source addresses, destination addresses, and port numbers of packets. Switchs use ACL rules to
filter packets. When a rule is applied to an interface on a switch, the switch permits or denies
packets based on the rule.
An ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Perform the following steps on the switch that serves as the TFTP client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
Step 4 Run:
quit
Step 5 According to the address type of the TFTP server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
the TFTP server.
l For IPv6 addresses,
Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
to the TFTP server.
----End
Perform the following steps on the switch that serves as the TFTP client:
Procedure
l Run the following commands according to the type of the server IP addresses.
– The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
----End
Perform the following steps on the switch that serves as the TFTP client:
Procedure
l Run the following commands according to the type of the server IP addresses.
– The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
----End
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
l Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<Quidway> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configured
on the TFTP client.
<Quidway> display acl 2001
Basic ACL 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 2.2.2.2 0
Applicable Environment
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the switch that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Pre-configuration Tasks
Before configuring the use of FTP to access files on another device, configure a reachable route
between the switch and the FTP server.
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
No. Data
2 Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
3 Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server
Prerequisites
An IP address is configured for an interface on the switch and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view
----End
Context
You can log in to the FTP server in the user view or the FTP view.
Perform the following steps on the switch that serves as the client:
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-
number ] [ public-net | vpn-instance vpn-instance-name ]
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.
l If the IP address of the server is an IPv6 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]
----End
Context
After logging in to an FTP server, you can perform the following operations:
l Configure a data type for transmission files and a file transmission method.
l Check the online help about FTP commands in the FTP client view.
l Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l Create directories on or delete directories from the FTP server.
l Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After logging in to the switch that functions as a client and entering the FTP client view, you
can perform the following steps:
Procedure
l Configuring data type and transmission mode for the file.
– Run:
ascii | binary
FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode ad required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
– Run:
passive
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
The working path of the FTP server is switched to the upper-level directory.
– Run:
pwd
l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
l Run one or more of the following commands to manage files.
– Run:
ls [ remote-filename ] [ local-filename ]
----End
Context
If you are logged in to the S6700 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Procedure
l Run:
user user-name [ password ]
The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Perform the following steps on the switch that serves as the client.
Procedure
l Run one of the following commands depending on your system configurations.
– Run:
bye
Or,
quit
Or,
disconnect
----End
Prerequisites
Accessing other devices using FTP has been configured.
Procedure
l Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<Quidway> display ftp-client
The source address of FTP client is 1.1.1.1.
Applicable Environment
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
switch that functions as an SFTP client.
Pre-configuration Tasks
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.
Data Preparation
To use SFTP to access files on another device, you need the following data:
No. Data
2 (Optional) Public key that is assigned by the client to the SSH server
4 Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
User information for logging in to the SSH server
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Perform the following steps on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.
----End
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA public key validity
check and cannot log in to the server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }
Step 3 Run:
public-key-code begin
Step 4 Run:
hex-data
NOTE
l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.
Step 5 Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and the name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.
Perform the following steps on the switch that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.
----End
Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
l Change file names, delete files, display a file list, and upload or download files.
l Display the SFTP client command help.
After logging in to the switch that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:
Procedure
l Manage directories.
– Run:
cd [ remote-directory ]
– Run:
rename old-name new-name
----End
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
l Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.
----End
Example
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP) Server Public Key Type Server public key name
______________________________________________________________________________
Applicable Environment
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.
l Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
l Configure an SSL policy on the FTP server and load a digital certificate to the server.
The client uses the trusted-CA file and digital certificate to authenticate the server so that the
authorized client can access the correct server.
l An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identity of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
l An SSL policy needs to be configured on and a digital certificate needs to be loaded to an
FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.
FTP-Client FTP-Server
VLANIF20 VLANIF30
1.1.1.1/24 1.1.1.2/24
Network
VLANIF40
192.168.0.2/24
PC1
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Pre-configuration Tasks
Before configuring the use of FTPS to access files on another device, complete the following
tasks:
l Load a trusted-CA file to the sub-directory named security of the system directory on the
FTPS client.
l Load a digital certificate to the sub-directory named security of the system directory on
the FTPS server.
Data Preparation
To use FTPS to access files on another device, you need the following data:
No. Data
1 SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS
client
Context
A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
A CRL file can be in either the ASN1 or PEM format. These two formats represent the same
contents.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssl policy policy-name
l Run:
trusted-ca load pem-ca ca-filename
A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA
files are loaded, these files will be added to the existing trusted-CA file list.
NOTE
l If the trusted-CA file configured on the FTPS server contains only one certificate, configure all the
trusted-CA certificates of upper levels to the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the
client.
A CRL is loaded.
A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.
----End
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssl policy policy-name
l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-
filename
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
Step 4 Run:
quit
NOTE
Before enabling the FTPS server function, disable the FTP server function.
----End
Procedure
l On an IPv4 network:
In the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type
interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-
instance-name ] ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
l On an IPv6 network:
In the user view, run:
ftp ssl-policy policy-name ipv6 host [ port-number ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
----End
Follow-up Procedure
The client can log in to the server only after the entered user name and password are authenticated
by the server. After logging in to the FTPS server, you can operate files on the FTPS server in
the same way as that on an FTP server. Table 9-1 lists file operations on an FTP server.
Managin Configuring the l Run the ascii command to set the file type to ASCII.
g files file type l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default,
the ASCII type is used.
Configuring the l Run the passive command to set the data connection
data connection mode to PASV.
mode l Run the undo passive command to set the data
connection mode to PORT.
By default, the PASV mode is used.
Enabling the file l If the prompt command is run in the FTP client view to
transfer prompt enable the file transfer prompt function, the system
function prompts you to confirm the uploading or downloading
operation during file uploading or downloading.
l If the prompt command is run again in the FTP client
view, the file transfer prompt function is disabled.
NOTE
The prompt command is applicable to the scenario where the
mput or mget command is used to upload or download files. If the
local device has the files to be downloaded by running the mget
command, the system prompts you whether to override the existing
ones regardless of whether the file transfer prompt function is
enabled.
Prerequisites
The configuration for using FTPS to access files on another device is complete.
Procedure
l Run the display ssl policy command to check the SSL policy configured on and trusted-
CA certificate loaded to the FTPS client as well as the SSL policy configured on and digital
certificate loaded to the FTPS server.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
<Quidway> display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
<Quidway> display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
Applicable Environment
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading
or downloading without user authentication and public key assignment, and also supports file
uploading or downloading in batches.
Pre-configuration Tasks
Before configuring the use of SCP to access files on another device, configure a reachable route
between the client and SCP server.
Data Preparation
To configure the use of SCP to access files on another device, you need the following data.
No. Data
2 Port number of the SCP server, encryption algorithm for uploading or downloading
files, source files to be uploaded or downloaded, and destination files to be uploaded
or downloaded, (Optional) Source IPv4 or IPv6 address and source interface of the
local device
Context
SCP is a secure file transfer method based on SSH2.0. By default, user interfaces support Telnet.
A user interface must be configured to support SSH for users to log in to the device using SCP.
l There are four SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication,
Authorization and Accounting (AAA). Before a user logs in to the device in password,
password-RSA, or password-DSA authentication mode, you must create a local user with
the specified username in the AAA view.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
You can perform the following steps to configure the SCP server:
1. Configure a VTY user interface to support SSH.
2. Configure an SSH user to ensure that the SCP client can log in to the SCP server.
a. Create an SSH user.
b. Generate a local RSA or DSA key pair.
c. Configure an authentication mode for the SSH user.
d. Configure a service type for the SSH user.
NOTE
For configurations about the basic SSH authentication item and command line authorization, see Step
5 and Step 6 in Configuring an SSH User and Specifying the Service Type.
3. Enable the SCP service to allow the SCP client to log in to the SCP server.
Procedure
Step 1 Configuring SSH for the VTY User Interface
1. Run:
system-view
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
4. Run:
protocol inbound ssh
Return to the system view from the VTY user interface view.
Step 2 Configuring an SSH User
Table 9-2 shows how to configure an SSH user.
2 Run the rsa local-key-pair After generating a local key pair, you can run the
create or dsa local-key-pair display rsa local-key-pair public , display dsa
createcommand to generate the local-key-pair public command to view the
local RSA, DSAkey pair in the public key in the local key pair.
system view.
3 Run the ssh user user-name l Configure password authentication for the SSH
authentication-type user.
{ password | rsa | password- – Run:
rsa | all | dsa | password-dsa } ssh user user-name authentication-
command to configure the type password
4 Run the ssh user username By default, the service type of the SSH user is not
service-type { sftp | all } configured.
command to configure the
service type for the SSH user.
Step 3 Run:
scp server enable
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configuration for using SCP to access files on another device is complete.
Procedure
l Run the display scp-client command to view the source IP address or source interface of
the SCP client.
----End
Example
Run the display scp-client command, and you can view the source IP address of the SCP client.
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
Networking Requirements
As shown in Figure 9-7, after logging in to Switch A, the user logs in to Switch B through Telnet
by using the default interface 23.
Figure 9-7 Networking diagram of the remote login of the Ethernet user
PC SwitchA SwitchB
10.10.10.8/24 10.10.10.9/24
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN
l IP address and number of the interface on the Switch A that functions as the Telnet client
l IP address and number of the interface on the Switch B that functions as the Telnet server
l Authentication mode and the password for a user to log in to Switch B through Telnet
Procedure
Step 1 Assign IP addresses.
# Assign IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface xgigabitethernet 0/0/1
[SwitchA-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-XGigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]
Login authentication
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
The current login time is 2012-03-20 11:04:45.
<SwitchB>
----End
Configuration Files
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.8 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
Networking Requirements
As shown in Figure 9-8, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode. In this example, the Huawei switch functions as an SSH server.
The following login users need to be configured.
l Client001, with the password as huawei and the authentication mode as password
l Client002, with the password as rsakey001 and the authentication mode as RSA
The user interface supports only the SSH protocol.
Figure 9-8 Networking diagram for logging in to another device by Using STelnet
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind
the client client002 to an RSA key to authenticate the client when the client attempts to log
in to the server.
4. Enable STelnet service on the SSH server.
5. Set the service type of Client001 and Client002 to STelnet.
6. Enable first-time authentication on the SSH client.
7. Users Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES:If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
<Quidway> system-view
[Quidway] sysname client002
[client002] rsa local-key-pair create
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
<Quidway>
----End
Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type stelnet
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
Networking Requirements
As shown in Figure 9-9, The remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as a TFTP client,and the IP address is 10.1.1.1/24.
The Switch downloads files from the TFTP server.
Figure 9-9 Networking diagram for accessing files on another device by using TFTP
TFTP session
configuration
PC cable TFTP Client TFTP Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the source file is
located on the Switch.
2. Download files through TFTP commands on the Switch.
Data Preparation
To complete the configuration, you need the following data:
l TFTP software installed on the TFTP server
l Path of the source file on the TFTP server
l Name of the destination file and position where the destination file is located on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
Return
Networking Requirements
As shown in Figure 9-10, the remote server at 10.1.1.2 serves as the FTP server. The Switch
and the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from XGigabitEthernet0/0/1 to
XGigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.
Figure 9-10 Networking diagram for accessing files on another device by using FTP
FTP session
configuration
PC cable FTP Client FTP Server
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface xgigabitethernet 0/0/2
[Quidway-XGigabitEthernet0/0/2] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/2] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/2] quit
[Quidway] interface xgigabitethernet 0/0/3
[Quidway-XGigabitEthernet0/0/3] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/3] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/3] quit
[Quidway] interface xgigabitethernet 0/0/4
[Quidway-XGigabitEthernet0/0/4] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/4] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24
Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface XGigabitEthernet0/0/4
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Networking Requirements
As shown in Figure 9-11, after the SFTP service is enabled on the SSH server, the SFTP Client
can log in to the SSH server with the password, RSA, password-rsa, or all authentication. In this
example, the Huawei switch functions as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.
Figure 9-11 Networking diagram for accessing files on another device by using SFTP
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the client Client002 and the SSH server, and bind the client
client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
4. Enable the SFTP service on the SSH server.
5. Configure the service mode and authorization directory for the SSH user.
6. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the S6700 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
Assigning an IP address to the S6700 that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l In password ,password-rsa or password-dsa authentication mode, you must configure a local user.
l In RSA,DSA,password-rsa,password-dsa or all authentication mode, you must copy the RSA or DSA
public key of the SSH client to the server.
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
# Send the RSA public key created on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/
Enter password:
sftp-client>
sftp-client>
----End
Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type sftp
ssh user client002 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002 sftp-directory flash:/
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
l Configuration file of Client002, the SSH client
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
Networking Requirements
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
FTP-Client FTP-Server
VLANIF20 VLANIF30
1.1.1.1/24 1.1.1.2/24
Network
VLANIF40
192.168.0.2/24
PC1
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Configuration Roadmap
The configuration roadmap is as follows:
1. Upload certificates.
l Upload the digital certificate saved on PC2 to the FTP server.
l Upload the trusted-CA file saved on PC1 to the FTP client.
2. Load the certificates and configure SSL policies.
l Copy the digital certificate from the system directory of the FTP server to the
security sub-directory, configure an SSL policy, and load the digital certificate.
l Copy the trusted-CA file from the system directory of the FTP client to the security
sub-directory, configure an SSL policy, and load the trusted-CA file.
3. Enable the FTPS server function on the FTP server.
4. Configure IP addresses for the interfaces that interconnect the FTP client and server to
ensure that the client and server are routable.
5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
files.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
<Quidway> system-view
[Quidway] sysname FTP-Server
[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface xgigabitethernet0/0/1
[FTP-Server-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-XGigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit
# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 9-13.
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
9-14.
After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir
Directory of flash:/
After the preceding configurations are complete, run the dir command in the security sub-
directory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of flash:/security/
After the preceding configurations are complete, run the display ssl policy command on the
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy
After the preceding configurations are complete, run the display ssl policy command on the
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Before enabling the FTPS server function, disable the FTP server function.
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.
[FTP-Server] vlan 30
[FTP-Server-vlan30] quit
[FTP-Server] interface xgigabitethernet 0/0/2
[FTP-Server-XGigabitEthernet0/0/2] port hybrid pvid vlan 30
[FTP-Server-XGigabitEthernet0/0/2] port hybrid untagged vlan 30
[FTP-Server-XGigabitEthernet0/0/2] quit
[FTP-Server] interface vlanif 30
[FTP-Server-Vlanif30] ip address 1.1.1.2 24
[FTP-Server-Vlanif30] quit
Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
The client can log in to the FTP server only after the correct user name and password are entered.
Step 6 Verify the configuration.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
You can use the FTP client to remotely manage files on the FTPS server.
----End
Configuration Files
l Configuration file of the FTP server
#
sysname FTP-Server
#
#
return
Networking Requirements
Unlike SFTP, SCP allows file uploading or downloading without user authentication and public
key assignment, and also supports file uploading or downloading in batches.
As shown in Figure 9-15, the device functioning as the SCP client has a reachable route to the
SCP server, and can download files from the SCP server.
Figure 9-15 Networking diagram for accessing files on another device by using SCP
SCP Server
172.16.104.110/24
1.1.1.1/32
SCP Client
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create a local RSA key pair on the SSH server.
<Quidway> system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
# Configure the service type for the SSH users Client001 to all.
[SSH Server] ssh user client001 service-type all
Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable the first authentication on SSH client.
<Quidway> system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable
# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP
client.
[SCP Client] scp client-source -a 1.1.1.1
# Use 3des to encrypt the file license.txt, and then download the file to the local working
directory from the remote SCP server with the IP address of 172.16.104.110.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt
license.txt
----End
Configuration Files
l Configuration file of the SCP server
#
sysname SSH Server
#
aaa
local-user client001 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
9.9.8 Example for Configuring the SSH Server to Support the Access
from Another Port
In this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
Networking Requirements
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, the bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers will not aware
of this change and continue to send a request for the socket connection to port 22. In this case,
the SSH server detects that it is not the listening port, and then denies the the request for
establishing the socket connection.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
l Negotiating the version of the SSH protocol
l Negotiating the algorithm
Figure 9-16 Networking diagram for configuring the SSH server to support the access from
another port
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of the service and authenticated directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.
Data Preparation
To complete the configuration, you need the following data:
l Server name
l Listening port number on the SSH server
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.164.39.222 24
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] 0240
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] 0203
[Quidway-rsa-key-code] 010001
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
# Create an SSH user named Client001, and configure the authentication mode as password
for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002
[Quidway] ssh user client002 authentication-type rsa
[Quidway] ssh user client002 assign rsa-key RsaKey001
# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory flash:/
Step 5 Enable the STelnet and SFTP services on the SSH server.
[Quidway] stelnet server enable
[Quidway] sftp server enable
Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025
# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Please input the username:client001
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
<Quidway>
# The SFTP client logs in to the SSH server by using the new listening port.
[client002]sftp 10.164.39.222 1025
Please input the username:client002
Trying 10.164.39.222 ...
Press CTRL+K to abort
sftp-client>
After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025
----End
Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
public-key-code begin
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh server port 1025
ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
ssh client first-time enable
#
interface XGigabitEthernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Networking Requirements
When an RADIUS user is connected to an SSH server, the SSH server sends the user name and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.
10.164.39.221/24 10.164.6.41/24
10.164.39.222/24 10.164.6.49/24
SSH Client SSH Server Radius Server
Configuration Roadmap
The configuration roadmap is as follows:
6. Configure the service mode and authorization directory of the SSH user.
7. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
l Configure the password authentication for the two SSH users .
l RADIUS authentication
l Name of the RADIUS template
l Name of the RADIUS domain
l Name and password of the RADIUS user
Procedure
Step 1 Generate a local key pair on the SSH server.
<Quidway> system-view
[Quidway] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
[Quidway-aaa-authen-newscheme] quit
# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812
# Configure the RADIUS domain of SSH server as ssh.com, applying authentication scheme
newscheme and RADIUS template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit
# For the first login, you need to enable the first authentication on SSH client.
[client] ssh client first-time enable
[client] quit
# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username:ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.164.39.222. Please wait.
..
Enter password:
# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username:ssh2@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter password:
sftp-client>
----End
Configuration Files
Configuration file of the SSH server
#
sysname Quidway
#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
stelnet server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
ssh user client001 sftp-directory flash:/
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
Return
Before configuring the device in Web mode, you need to configure the device as the Web server.
HTTP
Connection
PC
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface meth 0/0/1
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
----End
Prerequisites
The web page file has been saved on the S6700 before delivery, so you do not need to upload
this file when using the S6700 for the first time. (You still need to load the file). When the
S6700 is upgraded, upload the web page file to the S6700 again.
To obtain the Web page file of the device, log in to http://support.huawei.com/enterprise, and
then choose Software > Product Software > Enterprise Networking > Datacom Network >
Campus Switch. Download the software package based on the product name and version. The
Web page file is contained in the software package. The file name is Product Name - the
Version of Software.the Version of Web page file.web.zip.
Before uploading the Web page file, copy the Web page file to the client from which you log in
to the device.
Context
NOTE
You can also download Web files through TFTP. In this case, the device functions as the TFTP client, and
the terminal that stores the Web files functions as the TFTP server. For details, see 9.4.4 Downloading
Files Using TFTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp server enable
Step 3 Run:
aaa
Step 4 Run:
local-user user-name password cipher password
Step 5 Run:
local-user user-name privilege level level
NOTE
Step 6 Run:
local-user user-name ftp-directory directory
Step 7 Run:
local-user user-name service-type ftp
Step 8 Run the following command in the cmd view of the PC:
ftp ip-address
The user name and password are displayed. The PC can log in to the device.
C:\>ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>
----End
Context
Before loading the Web page file, upload it to the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
http server load file-name
----End
Context
Before enabling the HTTP server,load the Web Page File to device.
The device provides a default user account for logging in to the web network management
system, with the user name admin and password admin. You can use the default account to log
in to the web network management system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
http server enable
NOTE
The HTTP server function can be enabled only when the Web page loaded exists.
Step 4 Run:
aaa
Step 5 Run:
local-user user-name password cipher password
Step 6 Run:
local-user user-name privilege level level
NOTE
Set the HTTP user level to 3 or higher so that the HTTP user can have management-level rights. Users at
levels 0, 1 and 2 have only visit-level rights.
Step 7 Run:
local-user user-name service-type http
----End
Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the device in the
address bar (the PC and the device have reachable routes to each other). Then, press Enter to
display the Login dialog box. As shown in Figure 10-2, enter the pre-set Web user name,
password and verify code, and then choice the language.
NOTE
If you select Save my password before clicking Login, you do not need to enter the password at next
login.
Step 2 Click Login or press enter to display the homepage of the Web system.
You can configure the device after logging in to the Web system. For details on how to configure
the device on the Web system, see the S6700 Series Ethernet Switches Web System Guide.
----End