S6700 Configuration Guide Basic Configuration

S6700 Series Ethernet Switches
V200R001C00
Configuration Guide - Basic

Configuration
Issue 05
Date 2013-04-10
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
Issue 05 (2013-04-10) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
Configuration Guide - Basic Configuration About This Document
About This Document
Intended Audience
This document provides the basic concepts, basic configuration procedures, and configuration
examples supported by the S6700.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.
DANGER
Indicates a hazard with a medium or low level of risk, which

if not avoided, could result in minor or moderate injury.
WARNING
Indicates a potentially hazardous situation, which if not

avoided, could result in equipment damage, data loss,
CAUTION
performance degradation, or unexpected results.
TIP Indicates a tip that may help you solve a problem or save
time.
NOTE Provides additional information to emphasize or supplement

important points of the main text.
Issue 05 (2013-04-10) Huawei Proprietary and Confidential ii

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Password Setting Conventions

l If a password is set in plain text mode, the password is saved as the plain text in the
configuration file, which brings security risks. Therefore, the cipher text mode is
recommended for password setting. You are advised to change passwords regularly to
ensure device security.
l If a password is set to a valid cipher text (can be decrypted on the device) string that starts
and ends both with %$%$, the same cipher text is displayed when you check the
configuration file on the device. Therefore, this password setting method is not
recommended.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Issue 05 (2013-04-10) Huawei Proprietary and Confidential iii

Changes in Issue 05 (2013-04-10)

The fifth commercial release has the following updates:
l 6.5.2 Configuring an SSL Policy and Loading a Digital Certificate.

The fourth commercial release has the following updates:
l 10 Web System Configuration.

The third commercial release has the following updates:
l Some contents in this document are optimized.

The second commercial release has the following updates:
l Some contents are modified according to updates in the product such as features and
commands.
l Output information of some commands is modified.

Initial commercial release.
Issue 05 (2013-04-10) Huawei Proprietary and Confidential iv

Configuration Guide - Basic Configuration Contents
Contents
About This Document.....................................................................................................................ii

1 Logging In to the System for the First Time............................................................................1
1.1 Introduction........................................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................2
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Logging In to the Device...........................................................................................................................3
2 CLI Overview.................................................................................................................................6
2.1 CLI Introduction.................................................................................................................................................7
2.1.1 Command Line Interface...........................................................................................................................7
2.1.2 Command Levels.......................................................................................................................................7
2.1.3 Command Views.......................................................................................................................................8
2.2 Online Help.......................................................................................................................................................10
2.2.1 Full Help..................................................................................................................................................10
2.2.2 Partial Help..............................................................................................................................................11
2.2.3 Error Messages of the Command Line Interface.....................................................................................11
2.3 CLI Features.....................................................................................................................................................12
2.3.1 Editing.....................................................................................................................................................12
2.3.2 Displaying................................................................................................................................................13
2.3.3 Regular Expressions................................................................................................................................13
2.3.4 Previously-Used Commands...................................................................................................................17
2.4 Shortcut Keys...................................................................................................................................................18
2.4.1 System Shortcut Keys..............................................................................................................................18
2.5 Configuration Examples...................................................................................................................................19
2.5.1 Example for Using the Tab Key..............................................................................................................20
3 How to Use Interfaces.................................................................................................................21

3.1 Introduction to Interfaces..................................................................................................................................22
3.2 Setting Basic Parameters of an Interface..........................................................................................................24
3.2.1 Establishing the Configuration Task.......................................................................................................25
3.2.2 Entering the Interface View.....................................................................................................................25
3.2.3 Viewing All the Commands in the Interface View.................................................................................26
3.2.4 Configuring the Description for an Interface...........................................................................................26
Issue 05 (2013-04-10) Huawei Proprietary and Confidential v

3.2.5 Starting and Shutting Down an Interface................................................................................................26

3.2.6 Completing Advanced Configurations on an Interface...........................................................................27
3.2.7 Checking the Configuration.....................................................................................................................28
3.3 Configuring the Loopback Interface.................................................................................................................28
3.3.2 Configuring IPv4 Parameters of the Loopback Interface........................................................................29
3.3.3 Checking the Configuration.....................................................................................................................29
3.4 Maintaining the Interface..................................................................................................................................29
3.4.1 Clearing Statistics Information on the Interface......................................................................................30
4 Basic Configuration.....................................................................................................................31
4.1 Configuring the Basic System Environment....................................................................................................32
4.1.2 Configuring the Equipment Name...........................................................................................................32
4.1.3 Setting the System Clock.........................................................................................................................33
4.1.4 Configuring a Header..............................................................................................................................39
4.1.5 Configuring Command Levels................................................................................................................40
4.2 Displaying System Status Messages.................................................................................................................41
4.2.1 Displaying System Configuration...........................................................................................................41
4.2.2 Displaying System Status........................................................................................................................42
4.2.3 Collecting System Diagnostic Information.............................................................................................42
5 Configuring User Interfaces......................................................................................................43

5.1 User Interface Overview...................................................................................................................................44
5.2 Configuring the Console User Interface...........................................................................................................46
5.2.2 Setting Physical Attributes of the Console User Interface......................................................................46
5.2.3 Setting Terminal Attributes of the Console User Interface.....................................................................48
5.2.4 Configuring User Privilege of the Console User Interface......................................................................49
5.2.5 Configuring the User Authentication Mode of the Console User Interface............................................49
5.2.6 Checking the Configurations...................................................................................................................51
5.3 Configuring the VTY User Interface................................................................................................................52
5.3.2 Configuring the Maximum Number of VTY User Interfaces.................................................................53
5.3.3 (Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User Interfaces...................54
5.3.4 Setting Terminal Attributes of the VTY User Interface..........................................................................54
5.3.5 Setting User Priority of the VTY User Interface.....................................................................................55
5.3.6 Setting the User Authentication Mode of the VTY User Interface.........................................................56
5.4 Configuration Examples...................................................................................................................................59
5.4.1 Example for Configuring Console User Interface...................................................................................59
5.4.2 Example for Configuring a VTY User Interface.....................................................................................61
6 Configuring User Login.............................................................................................................63
Issue 05 (2013-04-10) Huawei Proprietary and Confidential vi

6.1 Overview of User Login...................................................................................................................................64

6.2 Logging in to the Devices Through the Console Port......................................................................................67
6.2.2 (Optional) Configuring the Console User Interface................................................................................67
6.2.3 Logging In to the Device Using a Console Port......................................................................................68
6.3 Logging in to Devices Using Telnet.................................................................................................................71
6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........72
6.3.3 Enabling the Telnet Service.....................................................................................................................74
6.3.4 Logging in to the Device Using Telnet...................................................................................................75
6.3.5 (Optional) Configuring Listening Port Number for Telnet Server..........................................................76
6.4 Logging in to Devices Using STelnet...............................................................................................................78
6.4.2 Configuring the User Access Level and User Authentication Mode of the VTY User Interface...........79
6.4.3 Configuring SSH for the VTY User Interface.........................................................................................81
6.4.4 Configuring an SSH User and Specifying the Service Types.................................................................82
6.4.5 Enabling the STelnet Server Function.....................................................................................................86
6.4.6 Logging in to the Device Using STelnet.................................................................................................87
6.4.7 (Optional) Configuring the STelnet Server Parameters...........................................................................88
6.5 Logging in to the Devices by Using Secure Web Network Management (HTTPS Mode)..............................91
6.5.2 Configuring an SSL Policy and Loading a Digital Certificate................................................................92
6.5.3 Loading a Web Page File.........................................................................................................................94
6.5.4 Enabling the HTTPS Function................................................................................................................94
6.5.5 Creating a Web Account..........................................................................................................................95
6.5.6 Logging In to the Web System................................................................................................................95
6.6 Common Operations After Login.....................................................................................................................97
6.6.2 Switching User Levels.............................................................................................................................98
6.6.3 Locking User Interfaces...........................................................................................................................99
6.6.4 Sending Messages to Other User Interfaces............................................................................................99
6.6.5 Displaying Login Users...........................................................................................................................99
6.6.6 Clearing Logged-in Users......................................................................................................................100
6.6.7 Configuring Configuration Locking......................................................................................................100
6.7 Configuration Examples.................................................................................................................................101
6.7.1 Example for Configuring User Login Using a Console Port.................................................................101
6.7.2 Example for Configuring User Login Through Telnet..........................................................................104
6.7.3 Example for Configuring User Login by Using STelnet.......................................................................107
Issue 05 (2013-04-10) Huawei Proprietary and Confidential vii

6.7.4 Example for Configuring User Login by Using Secure Web Network Management...........................110
7 Managing the File System.......................................................................................................116

7.1 File System Overview....................................................................................................................................117
7.1.1 File System............................................................................................................................................117
7.1.2 Methods of File Management................................................................................................................117
7.2 Managing Files Using the File System...........................................................................................................118
7.2.1 Establishing the Configuration Task.....................................................................................................119
7.2.2 Managing Storage Devices....................................................................................................................119
7.2.3 Managing Directories............................................................................................................................120
7.2.4 Managing Files......................................................................................................................................120
7.3 Managing Files Using FTP.............................................................................................................................123
7.3.2 Configuring a Local FTP User..............................................................................................................123
7.3.3 (Optional) Specifying a Port Number for the FTP Server.....................................................................124
7.3.4 Enabling the FTP Server........................................................................................................................125
7.3.5 (Optional) Configuring the FTP Server Parameters..............................................................................126
7.3.6 (Optional) Configuring an FTP ACL....................................................................................................126
7.3.7 Accessing the System by Using FTP.....................................................................................................127
7.3.8 Managing Files Using FTP Commands.................................................................................................128
7.3.9 Checking the Configurations.................................................................................................................130
7.4 Managing Files Using SFTP...........................................................................................................................131
7.4.2 Configuring VTY User Interface...........................................................................................................132
7.4.3 Configuring SSH for the VTY User Interface.......................................................................................132
7.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types...........................................133
7.4.5 Enabling the SFTP Service....................................................................................................................137
7.4.6 (Optional) Configuring the SFTP Server Parameters............................................................................138
7.4.7 Accessing the System Using SFTP.......................................................................................................139
7.4.8 Managing Files Using SFTP..................................................................................................................140
7.5 Performing File Operations by Means of FTPS.............................................................................................143
7.5.2 Configuring an SSL Policy and Loading a Digital Certificate..............................................................144
7.5.3 Enabling the FTPS Function..................................................................................................................145
7.5.4 Accessing an FTPS Server....................................................................................................................146
7.6.1 Example for Managing Files Using FTP...............................................................................................147
7.6.2 Example for Managing Files Using SFTP.............................................................................................149
7.6.3 Example for Performing File Operations by Means of FTPS...............................................................151
8 Configuring System Startup....................................................................................................157

8.1 System Startup Overview...............................................................................................................................158
Issue 05 (2013-04-10) Huawei Proprietary and Confidential viii

8.1.1 System Software....................................................................................................................................158

8.1.2 Configuration Files................................................................................................................................158
8.1.3 Configuration Files and Current Configurations...................................................................................158
8.2 Managing Configuration Files........................................................................................................................159
8.2.2 Saving Configuration Files....................................................................................................................160
8.2.3 Clearing a Configuration File................................................................................................................161
8.2.4 Comparing Configuration Files.............................................................................................................162
8.2.5 Backing Up the Configuration Files......................................................................................................163
8.2.6 Restoring the Configuration Files..........................................................................................................164
8.3 Specifying a File for System Startup..............................................................................................................166
8.3.2 Configuring System Software for a switch to Load for the Next Startup.............................................167
8.3.3 Configuring the Configuration File for Switch to Load at the Next Startup.........................................167
8.4.1 Example for Configuring System Startup.............................................................................................168
9 Accessing Another Device.......................................................................................................171

9.1 Accessing Another Device.............................................................................................................................173
9.1.1 Telnet Method........................................................................................................................................173
9.1.2 FTP Method...........................................................................................................................................175
9.1.3 TFTP Method........................................................................................................................................175
9.1.4 SSH Method..........................................................................................................................................175
9.1.5 SSL Mode..............................................................................................................................................176
9.1.6 SCP Mode..............................................................................................................................................179
9.2 Logging in to Other Devices Using Telnet.....................................................................................................179
9.2.2 (Optional) Configuring a Source IP Address for a Telnet Client..........................................................180
9.2.3 Logging in to Another Device by Using Telnet....................................................................................180
9.3 Logging in to Another Device Using STelnet................................................................................................182
9.3.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................183
9.3.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
........................................................................................................................................................................183
9.3.4 Logging in to Another Device Using STelnet.......................................................................................185
9.4 Accessing Files on Another Device Using TFTP...........................................................................................186
9.4.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................187
9.4.3 (Optional) Configuring TFTP Access Authority...................................................................................187
Issue 05 (2013-04-10) Huawei Proprietary and Confidential ix

9.4.4 Downloading Files Using TFTP............................................................................................................188

9.4.5 Uploading Files Using TFTP.................................................................................................................189
9.5 Accessing Files on Another Device Using FTP.............................................................................................190
9.5.2 (Optional) Configuring the Source IP Address and Interface of the FTP Client...................................191
9.5.3 Connecting to Other Devices Using FTP Commands...........................................................................191
9.5.4 Managing Files Using FTP Commands.................................................................................................192
9.5.5 Changing Login Users...........................................................................................................................195
9.5.6 Disconnecting from the FTP Server......................................................................................................195
9.6 Accessing Files on Another Device Using SFTP...........................................................................................196
9.6.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on
the SSH Client)...............................................................................................................................................197
9.6.3 Configuring the First Successful Login to Another Device (Allocating a Public Key to the SSH Server)
........................................................................................................................................................................198
9.6.4 Connecting to Other Devices by Using SFTP.......................................................................................199
9.6.5 Managing Files Using SFTP Commands..............................................................................................200
9.7 Accessing Files on Another Device by Using FTPS......................................................................................202
9.7.2 Configuring the FTPS Client.................................................................................................................203
9.7.3 Configuring the FTPS Server................................................................................................................205
9.7.4 Accessing an FTPS Server....................................................................................................................206
9.8 Accessing Files on Another Device by Using SCP........................................................................................210
9.8.2 Configuring the SCP Server..................................................................................................................211
9.8.3 Configuring the SCP Client...................................................................................................................215
9.9.1 Example for Logging in to Another Device by Using Telnet...............................................................216
9.9.2 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server..................218
9.9.3 Example for Accessing Files on Another Device by Using TFTP........................................................225
9.9.4 Example for Accessing Files on Another Device by Using FTP..........................................................226
9.9.5 Example for Accessing Files on Another Device by Using SFTP........................................................228
9.9.6 Example for Accessing Files on Another Device by Using FTPS........................................................235
9.9.7 Example for Accessing Files on Another Device by Using SCP..........................................................242
9.9.8 Example for Configuring the SSH Server to Support the Access from Another Port...........................244
9.9.9 Example for Authenticating SSH Through RADIUS............................................................................251
10 Web System Configuration...................................................................................................256

10.1 Overview of Web System.............................................................................................................................257
Issue 05 (2013-04-10) Huawei Proprietary and Confidential x

10.2 Starting Web System....................................................................................................................................257

10.2.1 Setting the Management IP Address of the Device.............................................................................257
10.2.2 Uploading Web Page Files..................................................................................................................258
10.2.3 Loading a Web Page File.....................................................................................................................259
10.2.4 Creating a Web Account......................................................................................................................260
10.2.5 Logging In to the Web System............................................................................................................261
Issue 05 (2013-04-10) Huawei Proprietary and Confidential xi

Configuration Guide - Basic Configuration 1 Logging In to the System for the First Time
1 Logging In to the System for the First Time
About This Chapter
You can log in to a new switch through the console port to configure the switch.
1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
1.2 Logging In to the Device Through the Console Port
This section describes how to establish the configuration environment by using the console port
to connect a terminal to a switch.
Issue 05 (2013-04-10) Huawei Proprietary and Confidential 1

1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
The console port is a linear port on the main control board.
A main control board provides a console port To configure a device, connect the user terminal
serial port to the device console port.
1.2 Logging In to the Device Through the Console Port

This section describes how to establish the configuration environment by using the console port
to connect a terminal to a switch.
1.2.1 Establishing the Configuration Task

Before logging in to the switch through the console port, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.
Applicable Environment
When the switch is powered on for the first time, you could use the console port to log in to the
switch to configure and manage the switch.
Pre-configuration Tasks
Before logging in to the switch through the console port, complete the following tasks:
l Install terminal emulation program on the PC (for example, Windows XP HyperTerminal).

l Prepare the RS-232 cable.
Data Preparation
To log in to the switch through the console port, you need the following data.
No. Data
1 Terminal communication parameters

l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode

NOTE
The system automatically uses default parameter values for the first login.
1.2.2 Establishing the Physical Connection

The console port of the switch must be connected to the COM port of a terminal using a console
cable.
Procedure
Step 1 Power on all devices to perform a self-check.
Step 2 Connect the COM port on the PC and the console port on the switch by a cable.
----End
1.2.3 Logging In to the Device

To manage a switch that is powered on for the first time, you can log in to it using the console
port.
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used during the first login to the device.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.
Figure 1-1 Connection creation

Step 2 Set an interface, as shown in Figure 1-2.
Figure 1-2 Interface settings
Step 3 Set communication parameters to match the switch defaults, as shown in Figure 1-3.
Figure 1-3 Communication parameter settings

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:
NOTE
l After the password for the user interface is set successfully during the first login, you must enter this
password for authentication when you relog in to the system in password authentication mode using
this user interface.
----End

Configuration Guide - Basic Configuration 2 CLI Overview
2 CLI Overview
About This Chapter
The command line interface (CLI) is used to configure and maintain devices.
2.1 CLI Introduction

After you log in to the switch, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the switch through the CLI.
2.2 Online Help
When inputting command lines or configuring services, you can use the online help to obtain
real-time help.
2.3 CLI Features
The CLI provides several features to help users flexibly use it.
2.4 Shortcut Keys
System or user-defined shortcut keys make it easier to enter commands.
2.5 Configuration Examples
This section provides several examples that illustrate the use of command lines.

2.1 CLI Introduction

After you log in to the switch, a prompt is displayed and you can use the command line interface
(CLI). Users can interact with the switch through the CLI.
2.1.1 Command Line Interface

You can use CLI commands to configure and manage the switch.
The CLI provides users access to a number of features and capabilities:
l Local configuration through the console port.
l Local or remote configuration through Telnet or Secure Shell (SSH).
l The telnet command for directly logging in to and managing other switchs.
l FTP service for file uploads and downloads.
l A user interface view for specific configuration management.
l Hierarchical command protection structure giving certain levels of users permission to run
certain levels of commands.
l Entering "?" for online help at any time.
l Two authentication modes are supported, namely, password authentication, and
Authentication, Authorization, and Accounting (AAA) authentication. Password and AAA
authentication protect system security by prohibiting unauthorized users from logging in
to the switch.
l A command line interpreter provides intelligent text entry methods such as key word fuzzy
match and context conjunction. These methods help users to enter commands easily and
correctly.
l Network test commands such as tracert and ping for fast network diagnostics.
l Abundant debugging information to with network diagnostics.
l Running a command used previously on the device, like DosKey.
NOTE
l The system supports commands that contain a maximum of 510 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to use the display current-configuration command, entering d cu, di cu, or dis cu will run
the command. Entering d c or dis c will not run the command, because these entries are not unique to
the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 510 characters. When the system is restarted, incomplete commands cannot be
restored. Therefore, pay attention to the length of incomplete commands before saving them.
2.1.2 Command Levels

The system structures access to command functions hierarchically to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
By default, the command level of a user is a value ranging from 0 to 3, and the user access level
is a value ranging from 0 to 15. Table 2-1 lists the association between user access levels and
command levels.

Table 2-1 Association between user access levels and command levels
User Com Level Description
Level man Name
d
Level
0 0 Visit This level gives access to commands that run network diagnostic
level tools (such as ping and tracert) and commands that start from a
local device, visit external devices (such as Telnet client side ),
and a part of display commands.
1 0 and Monitor This level gives access to commands, like the display command,
1 ing that are used for system maintenance and fault diagnosis.
level NOTE
Some display commands are not at this level. For example, the display
current-configuration and display saved-configuration commands
are at level 3. For details about command level, see S6700 Series
Command Reference.
2 0, 1, Configu This level gives access to commands that configure network

and 2 ration services provided directly to users, including routing and
level network layer commands.
3-15 0, 1, Manage This level gives access to commands that control basic system
2, and ment operations and provide support for services. These commands
3 level include file system commands, FTP commands, TFTP
commands, configuration file switching commands, power
supply control commands, backup board control commands,
user management commands, level setting commands, and
debugging commands for fault diagnosis.
To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the S6700 Series Configuration Guide - Basic Configurations.
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l Login users have 16 levels. The login users can use only the command of the levels that are equal to
or lower than their own levels. The user privilege level level command sets the user level.
2.1.3 Command Views

The command line interface has different command views. All the commands must register in
one or more command views. You can run a command only when you enter the corresponding
command view.
Basic Concepts of Command Views

# Establish connection with the switch. If the switch adopts the default configuration, you can
enter the user view with the prompt of <Quidway>.
<Quidway>

# Type system-view, and you can enter the system view.

<Quidway> system-view
[Quidway]
# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]
NOTE
The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.
Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.
Common Views
The S6700 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway S6700 Series Ethernet Switches
Command Reference.
l User View
Item Description
Function Displays the running status and statistics of the S6700.
Entry command Enters the user view after the connection is set up.
Prompt upon <Quidway>

entry
Quit command <Quidway>quit
Prompt upon None.

quit
l System View
Item Description
Function Sets the system parameters of the S6700, and enters other function
views from this view.
Entry command <Quidway> system-view
Prompt upon [Quidway]

entry
Quit command [Quidway] quit
Prompt upon <Quidway>

quit
l Ethernet Interface View

– XGE interface view

Item Description
Function Sets parameters related to XGE interfaces of the S6700 and

manages the XGE interfaces.
Entry [Quidway] interface XGigabitEthernet X/Y/Z

command
Prompt upon [Quidway-XGigabitEthernetX/Y/Z]

entry
Quit command [Quidway-XGigabitEthernetX/Y/Z] quit
Prompt upon [Quidway]

quit
NOTE
X/Y/Z indicates the number of a XGE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.
2.2 Online Help

When inputting command lines or configuring services, you can use the online help to obtain
real-time help.
2.2.1 Full Help

When you enter a command line, you can view the description of keywords or parameters in the
command line through the Full Help.
You can obtain full help from a command view in the following methods:
l In a command view, enter ? to obtain all the commands in this command view and
descriptions of the commands.
<Quidway> ?
l Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords
and their descriptions are listed. Here is an example.
[Quidway-ui-vty0] authentication-mode ?
aaa AAA authentication
password Authentication through the password of a user terminal interface
[Quidway-ui-vty0] authentication-mode aaa ?
<cr>
[Quidway-ui-vty0] authentication-mode aaa
aaa and password are keywords. AAA authentication and Authentication through the
password of a user terminal interface are the descriptions of the two keywords.
<cr> indicates that no key word or parameter is in this position and you can press Enter to
repeat the command in the next command line.
l Enter a command and a ? separated by a space. If a parameter is in place of the ?, all
parameters and their descriptions are listed. Here is an example.
[Quidway] sysname ?

TEXT Host name(1 to 246 characters)
TEXT is a parameter and Host name (1 to 246 characters) is the description.
2.2.2 Partial Help

If you enter only the first or first several characters of a command, partial help provides keywords
that begin with this character or character string.
Procedure
l Use any of the following methods to obtain partial help from a command line.
– Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<Quidway> d?
debugging delete
dir display
– Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<Quidway> display b?
bfd bgp
bootrom bpdu
bpdu-tunnel bridge
buffer
– Enter the first several letters of a key word in the command and then press Tab to display
a complete key word. A complete keyword is displayed only if the partial string of letters
uniquely identifies a specific key word. If they do not identify a specific key work,
continuing to press Tab will display different key words. You can select the needed key
word.
----End
2.2.3 Error Messages of the Command Line Interface

If a command is entered and passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 2-2 lists common error messages.
Table 2-2 Common error messages of the command line
Error messages Cause of the error
Error: Unrecognized command The command cannot be found

found at '^' position.
The key word cannot be found
Error: Wrong parameter found Parameter type error

at '^' position.
Parameter value out of range
Error:Incomplete command Incomplete command entered

Error: Too many parameters Too many parameters entered


Error messages Cause of the error
Error:Ambiguous command Ambiguous parameters entered

2.3 CLI Features

The CLI provides several features to help users flexibly use it.
2.3.1 Editing
The command line editing function allows you to edit command lines or obtain help by using
certain keys.
The command line of S6700 supports multi-line edition. The maximum length of each command
is 510 characters.
Keys for editing that are often used are shown in Table 2-3.
Table 2-3 Keys for editing
Key Function
Common key Inserts a character at the current position of the cursor if the editing
buffer is not full. The cursor then moves to the right. If the buffer
is full, an alarm is generated.
Backspace Moves the cursor to the left and deletes the character at that
position. When the cursor reaches the head of the command, an
alarm is generated.
Left cursor key ← or Moves the cursor to the left a single space at a time. When the
Ctrl_B cursor reaches the head of the command, an alarm is generated.
Right cursor key → or Moves the cursor to the right a single space at a time. When the
Ctrl_F cursor reaches the end of the command, an alarm is generated.
Tab Press Tab after typing a partial key word and the system runs
partial help:
l If the matching key word is unique, the system replaces the
typed character string with a complete key word and displays
it in a new line with the cursor placed at the end of the word.
l If there are several matches or no match, the system displays
the prefix first. Then you can press Tab to view any matching
key words one at a time. The cursor directly follows the end of
the word. You can press the spacebar to enter the next word.
l If a non-existent or incorrect key word is entered, press Tab
and the word is displayed on a new line.

2.3.2 Displaying
Command lines have a feature to control how they are displayed. You can set the command line
display mode as required.
You can control the display of information on the CLI as follows:
l If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 2-4.
Table 2-4 Display keys

Key Function
Ctrl_C Stops the display and the running of a command.

NOTE
You can also press any of the keys except the spacebar and Enter key
to stop the display and the running of a command.
Space Allows information to be displayed on the next screen.
Enter Allows information to be displayed on the next line.
2.3.3 Regular Expressions

A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template upon which you can base to search for required strings. Users can use regular
expressions to filter output to locate needed information quickly.
A regular expression provides the following functions:
l Search for sub-strings that match a rule in the main string.
l String substitution based on specific matching rules.
Formal Language Theory of the Regular Expression

A regular expression consists of common characters and special characters.
l Common characters
Common characters, including all upper-case and lower-case letters, digits, punctuation
marks, and special symbols, match themselves in a string. For example, "a" matches the
letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and "@" matches
the symbol "@" in "xxx@xxx.com".
l Special characters
Special characters are used together with common characters to match complex or special
string combination. Table 2-5 describes special characters and their syntax.

Table 2-5 Description of special characters

Special Syntax Example
characte
r
\ Defines an escape character, which \* matches "*".

is used to mark the next character
(common or special) as the common
character.
^ Matches the starting position of the ^10 matches "10.10.10.1" instead of

string. "20.10.10.1".
$ Matches the ending position of the 1$ matches "10.10.10.1" instead of

string. "10.10.10.2".
* Matches the preceding element zero 10* matches "1", "10", "100", and
or more times. "1000".
(10)* matches "null", "10", "1010",
and "101010".
+ Matches the preceding element one 10+ matches "10", "100", and
or more times "1000".
(10)+ matches "10", "1010", and
"101010".
? Matches the preceding element zero 10? matches "1" and "10".
or one time. (10)? matches "null" and "10".
NOTE
Huawei datacom devices do not support
regular expressions with ?. When
regular expressions with ? are entered
on Huawei datacom devices, helpful
information is provided.
. Matches any single character. 0.0 matches "0x0" and "020".

.oo matches "book", "look", and
"tool".
() Defines a subexpression, which can 100(200)+ matches "100200" and

be null. Both the expression and the "100200200".
subexpression should be matched.
x|y Matches x or y. 100|200 matches "100" or "200".

1(2|3)4 matches "124" or "134",
instead of "1234", "14", "1224", and
"1334".
[xyz] Matches any single character in the [123] matches the character 2 in
regular expression. "255".
[^xyz] Matches any character that is not [^123] matches any character except
contained within the brackets. for "1", "2", and "3".

Special Syntax Example

characte
r
[a-z] Matches any character within the [0-9] matches any character ranging
specified range. from 0 to 9.
[^a-z] Matches any character beyond the [^0-9] matches all non-numeric
specified range. characters.
_ Matches a comma "," left brace "{", _2008_ matches "2008", "space
right brace "}", left parenthesis "(", 2008 space", "space 2008", "2008
and right parenthesis ")". space", ",2008,", "{2008}",
Matches the starting position of the "(2008)", "{2008", and "(2008}".
input string.
Matches the ending position of the
input string.
Matches a space.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
l Degeneration of special characters
Special characters are characters listed in Table 2-5. A special character becomes a
common character when following \. In the following situations, the special characters
listed in Table 2-6 function as common characters.
– The special characters "*", "+", and "?" placed at the starting position of the regular
expression, a special character becomes a common character. For example, +45 matches
"+45" and abc(*def) matches "abc*def".
– The special character "^" placed at any position except for the start of the regular
expression, a special character becomes a common character. For example, abc^
matches "abc^".
– The special character "$" placed at any position except for the end of the regular
expression, a special character becomes a common character. For example, 12$2
matches "12$2".
– A right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[", a special character becomes a common character. For
example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when preceding regular expressions are
subexpressions within parentheses.
l Combinations of common and special characters
In actual usage, regular expressions combine multiple common and special characters to
match certain strings.

Regular Expression Examples

The key to using regular expressions is to design accurate regular expressions. Table 2-6 shows
how to design regular expressions using special characters and describes the meaning of those
regular expressions.
Table 2-6 Regular expression examples
Regular Description
Expression
^100 Matches strings beginning with 100, for example, 100085.
200$ Matches strings ending with 200, for example, 255.255.100.200.
[0-9]+ Matches strings of repeated digits ranging from 0 to 9, for example,

007
(abc)* Matches strings with abc occurring zero or more times, for example,
d and dabc.
^100([0-9]+)*200$ Matches strings beginning with 100 and ending with 200, and with
zero or several digits in the middle, for example, 100200.
Windows_(95|98| Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
2000|XP))
100[^0-9]? Matches strings beginning with 100 followed by zero or one non-digit
character, for example, 100 or 100@.
.\.\* Matches a string beginning with a single character except \n followed

by . and *, for example, 1.* or a.*.
^172\.18\.(10)\. Matches an IP address in a line, for example, 172.18.10.X.

([0-9]+)$
Specifying a Filtering Mode in a Command
CAUTION
The S6700 Series uses a regular expression to implement the pipe character filtering function.
A display command supports the pipe character only when there is excessive output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are as follows:

l | begin regular-expression: displays information that begins with the line that matches
regular expression.
l | exclude regular-expression: displays information that excludes the lines that match
regular expression.
l | include regular-expression: displays information that includes the lines that match regular
expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
Specify a Filtering Mode When Information Is Displayed Screen by Screen

NOTE
When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
l display current-configuration
l display interface
l display arp
When a lot of information is displayed screen by screen, you can specify a filtering mode in the
prompt "---- More ----".
l /regular-expression: displays the information that begins with the line that matches regular
expression.
l -regular-expression: displays the information that excludes lines that match regular
expression.
l +regular-expression: displays the information that includes lines that match regular
expression.
2.3.4 Previously-Used Commands

The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to call up the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE
Setting the number of saved previously-used commands to a reasonably low value is recommended. If a
large number of previously-used commands are saved, locating a command can be time-consuming and
affect efficiency.
The operations are shown in Table 2-7

Table 2-7 Access the previously-used commands

Action Key or Command Result
Display display history- Display previously-used commands entered by

previously- command [ all- users.
used users ]
commands.
Access the last Up cursor key (↑) or Display the last previously-used command if there
previously- Ctrl_P is an earlier previously-used command. Otherwise,
used an alarm is generated.
command.
Access the next Down cursor key Display the next previously-used command if there
previously- (↓) or Ctrl_N is a later previously-used command. Otherwise, the
used command is cleared and an alarm is generated.
command.
NOTE
Windows 9X defines keys differently and the cursor key ↑ cannot be used with Windows 9X
HyperTerminals. You may use Ctrl_P instead.
When you use previously-used commands, note the following points:

l Previously-used commands are saved exactly as they are entered by users. For example, if
a user enters an incomplete command, the saved command is also incomplete.
l A command is saved the first time it is run and subsequent runnings are not saved. If a
command is entered in different forms or with different parameters, each entry is considered
to be a different command.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the disp ip routing command and the display ip
routing-table command are run, two previously-used commands are saved.
2.4 Shortcut Keys

System or user-defined shortcut keys make it easier to enter commands.
2.4.1 System Shortcut Keys

System-defined shortcut keys with fixed functions are defined by the system. Table 2-8 lists the
system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different than those listed in this section.

Table 2-8 System-defined shortcut keys

Key Function
CTRL_A The cursor moves to the beginning of the current line.
CTRL_B The cursor moves to the left one space at a time.
CTRL_C Terminates the running function.
CTRL_D Deletes the character where the cursor lies.
CTRL_E The cursor moves to the end of the current line.
CTRL_F The cursor moves to the right one space at a time.
CTRL_H Deletes one character to the left of the cursor.
CTRL_K Stops the creation of the outbound connection.
CTRL_N Displays the next command in the previously-used command

buffer.
CTRL_P Displays the previous command in the previously-used

command buffer.
CTRL_R Repeats the display of the information of the current line.
CTRL_T Terminates the outbound connection.
CTRL_V Pastes the contents on the clipboard.
CTRL_W Deletes a character string or character to the left of the cursor.
CTRL_X Deletes all the characters to the left of the cursor.
CTRL_Y Deletes all the characters to the right of the cursor.
CTRL_Z Returns to the user view.
CTRL_] Terminates the inbound or redirection connections.
ESC_B The cursor moves to the left by one word.
ESC_D Deletes a word to the right of the cursor.
ESC_F The cursor moves to the right to the end of next word.
ESC_N The cursor moves downward to the next line.
ESC_P The cursor moves upward to the previous line.
ESC_SHIFT_< Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_> Sets the position of the cursor to the end of the clipboard.

This section provides several examples that illustrate the use of command lines.

2.5.1 Example for Using the Tab Key

You can obtain prompts on keywords or check whether the entered keywords are correct by
pressing Tab.
Procedure
l If only one keyword contains the incomplete keyword,
do as follows on the S6700.
1. Enter an incomplete keyword.
[Quidway] info-
2. Press Tab.
The system replaces the incomplete keyword with a complete keyword and displays
the complete keyword in another line. There is only one space between the cursor and
the end of the keyword.
[Quidway] info-center
l If more than one keyword contains the incomplete keyword,

do as follows on the S6700.
# The keyword info-center can be followed by the following keywords.
[Quidway] info-center log?
logbuffer loghost
1. Enter an incomplete keyword.

[Quidway] info-center l
2. Press Tab.
The system displays the prefix of all the matched keywords. The prefix in this example
is log.
[Quidway] info-center log
3. Continue to press Tab to display all the keywords. There is no space between the
cursor and the end of the keywords.
[Quidway] info-center loghost
[Quidway] info-center logbuffer
Stop pressing Tab when you find the required keyword logbuffer.
4. Enter a space and enter the next keyword channel.
[Quidway] info-center logbuffer channel
----End

Configuration Guide - Basic Configuration 3 How to Use Interfaces
3 How to Use Interfaces
About This Chapter
This chapter describes the concept of the interface and the basic configuration about the interface.
3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S6700 to
receive and send data.
3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.
3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.
3.4 Maintaining the Interface
This section describes how to maintain the interface.

3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S6700 to
receive and send data.
Interfaces are classified into management interfaces and service interfaces based on their
functions; interfaces are classified into physical interfaces and logical interfaces based on their
physical forms.
NOTE
A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.
Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
S6700 through a management interface to configure and manage the S6700. Management
interfaces do not transmit service data.
The S6700 provides a console interface and an MEth interface as the management interface.
Table 3-1 Description of management interfaces

Name Description Usage
Console The console interface complies The console interface is connected to the
interface with the EIA/TIA-232 standard COM series port of a configuration
and the interface type is DCE. terminal. It is used to set up the onsite
configuration environment.
MEth The MEth interface complies with The MEth interface can be connected to
interface the 10/100BASE-TX standard. the network interface of a configuration
terminal or network management
workstation. It is used to set up the onsite
or remote configuration environment.
The following table shows the rule for numbering management interfaces.
Table 3-2 Management interface numbers

Name Number
Console interface Console 0
MEth interface MEth 0/0/1

Classification of Service Interfaces

Service interfaces are used to transmit service data. They are classified into 100 Mbit/s interfaces,
1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates; they are classified into
electrical interfaces and optical interfaces according to their electrical properties.
The rules for numbering service interfaces are as follows:
In a single switch, interfaces are numbered in the format slot ID/subcard ID/interface sequence
number.
l Slot ID: indicates the slot where an interface is located. The value is 0.
l Subcard ID: indicates the subcard where an interface is located. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface.
In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence
number.
l Stack ID: indicates the ID of the switch in the stack system. The value ranges from 0 to 8.
l Subcard ID: indicates the ID of a subcard. The value is 0 or 1.
The value 1 indicates that the subcard is a front card.
l Interface sequence number: indicates the sequence number of an interface on the switch.
NOTE
For the device models that support the CSS function, see "Stacking" in the S6700 Series Ethernet Switches
Configuration Guide - Device Management.
Table 3-3 FE and GE interface numbering rule
Figure of Interface Numbering Description
2 4 6 ... The S6700 has two rows of service

interfaces with the lower-left interface
...
numbered 1. The other interfaces are
...
1 3 5 numbered in ascending order from
bottom to up, and then from left to right.
For example, the upper-left interface
numbered 0/0/2.
Physical Interfaces
Physical interfaces are interfaces that actually exist on the S6700.
Physical interfaces include management interfaces and service interfaces.
The S6700 supports the following physical interfaces:
l Console interface
l MEth interface
l 10 Gigabit Ethernet interface

Logical Interfaces
Logical interfaces do not exist and are set up by configurations.
The S6700 supports the following logical interfaces:
l Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
– Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all
member interfaces.
– Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the
S6700 Series Ethernet Switches Configuration Guide - Ethernet.
l Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address
127.0.0.0 as a loopback address. When the system starts, it automatically creates an
interface using the loopback address 127.0.0.1 to receive all data packets sent to the local
device.
Some applications such as mutual access between virtual private networks need a local
interface with a specified IP address without affecting the configuration of physical
interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised
by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID, the label switching router (LSR) ID, or be land to a
tunnel.
For details, see 3.3 Configuring the Loopback Interface.
l Null interface
Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to a null interface are discarded. Null interfaces are used for route selection
and policy-based routing (PBR). For example, if a packet matches no route during route
selection, the packet is sent to the null interface.
l Tunnel interface
Tunnel interfaces are used to establish IPv6 over IPv4 tunnels.
l VLANIF interface
When the S6700 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S6700, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S6700 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see "Creating a VLANIF Interface" in the S6700
Series Ethernet Switches Configuration Guide - Ethernet.
3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.


Before configuring advanced functions of an interface such as the working mode and routes,
you need to complete the basic configuration of the interface.
To facilitate the configuration and maintenance of an interface, the S6700 provides interface
views. The commands related to the interface are valid only in the interface views.
The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.
Installing the LPU on the S6700
Data Preparation
To set parameters of an interface, you need the following data.
No. Data
1 Type and number of the interface to be configured
2 Description of the interface
3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.
Context
Do as follows on the S6700.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of a specified interface is displayed.
interface-type specifies the type of the interface and interface-number specifies the number of
the interface.
----End

3.2.3 Viewing All the Commands in the Interface View

After entering the interface view, you can view all the commands in the interface view.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
?
All the commands in the view of the specified interface are displayed.
----End
3.2.4 Configuring the Description for an Interface

The description configured for an interface on the S6700 helps you identify and memorize the
usage of the interface, which facilitates the management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
description description
The description is configured for the interface.
----End
3.2.5 Starting and Shutting Down an Interface

When a physical interface is idle and is not connected to a cable, shut down this interface to
protect the interface against interference. To use a shutdown interface, you need to start the
interface.

Context
NOTE
l A null interface is always Up and cannot be shut down by command.

l A loopback interface is always Up and cannot be shut down by command.
Procedure
l Shutting down the interface
1. Run:
system-view

2. Run:

3. Run:
shutdown
The interface is shut down.

NOTE
By default, an interface is enabled.

l Starting an interface
1. Run:
system-view

2. Run:

3. Run:
undo shutdown
The interface is started.

----End
3.2.6 Completing Advanced Configurations on an Interface

After configuring basic parameters on an interface, configure other interface parameters as
required.
Context
To access a network through an interface, configure advanced interface parameters based on the
networking requirements in addition to basic configurations on the interface.
Advanced configurations of an interface include:

l Working mode
l Routing configuration
For details about advanced configurations of an interface, see the S6700 Series Ethernet Switches
Configuration Guide - Ethernet and S6700 Series Ethernet Switches Configuration Guide - IP
Routing.
3.2.7 Checking the Configuration

After completing the basic configuration of an interface, you can use the display commands to
check the configuration.
Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running
status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the
interface
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.
----End
3.3 Configuring the Loopback Interface

This section describes how to configure the loopback interface.

The users can create or delete a loopback interface. When being created, the loopback interface
remains in the Up state until you delete it.
Some applications such as mutual access between virtual private networks need to be configured
with a local interface with a specified IP address when the configuration of a physical interface
is not affected. In this case, the IP address of the local interface needs to be advertised by routing
protocols. Loopback interfaces are used to improve the reliability of the configuration.
Before configuring the loopback interface, complete the following task:
l Switching on the S6700
Data Preparation
To configure the loopback interface, you need the following data.

No. Data
1 Number of the loopback interface
2 IP address of the loopback interface
3.3.2 Configuring IPv4 Parameters of the Loopback Interface

A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured
to check the source IPv4 addresses of packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface loopback interface-number
A loopback interface is created.
The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces
can be created.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is assigned to the loopback interface.
Step 4 (Optional) Run:

ip verify source-address
The loopback interface is configured to check the source IPv4 addresses of packets.
----End
3.3.3 Checking the Configuration

After configuring a loopback interface, run the following commands to check the configuration.
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.
----End
3.4 Maintaining the Interface

This section describes how to maintain the interface.

3.4.1 Clearing Statistics Information on the Interface

The statistics on the interface cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End

Configuration Guide - Basic Configuration 4 Basic Configuration
4 Basic Configuration
About This Chapter
This chapter describes how to configure the switch to work properly in the network environment
and to suit your needs.
4.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.
4.2 Displaying System Status Messages
This section describes how to use display commands to check basic system configurations.

4.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.

Before configuring the basic system environment, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration.
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.
Before configuring the basic system environment, power on the switch.
Data Preparation
To configure the basic system environment, you need the following data.
No. Data
1 System time
2 Host name
3 Login information
4 Command level
4.1.2 Configuring the Equipment Name

If multiple devices on a network need to be managed, set equipment names to identify each
device.
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sysname host-name
The equipment name is set.

By default, the equipment name of the switch is Quidway.
You can change the name of the switch that appears in the command prompt.
----End
4.1.3 Setting the System Clock

The system clock must be correctly set to ensure synchronization with other devices.
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device operates properly with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform time-
based applications.
NOTE
A local system running NTP can be synchronized by other clock sources or acts as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.
By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving
time vary with the country and region, and if a time zone and daylight saving time are configured
on an NTP server, the same time zone and daylight saving time must be configured on NTP
clients.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current date and time are set.
NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
clock timezone time-zone-name { add | minus } offset

The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
NOTE
UTC stands for the Universal Time Coordinated.
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
Daylight saving time is set.

By default, daylight saving time is not set.
The start time is the local mean time (LMT), and the end time is the daylight saving time (DST).
The start time and end time can be set to date+data, week+week, date+week, or week+date
format. To configure the daylight saving time, run the clock daylight-saving-time command.
----End
System Clock Display

The system clock is determined by the clock datetime, clock timezone, and clock daylight-
saving-time commands.
l If none of the preceding three commands have been run, the original system time will be
displayed after running the display clock command.
l The preceding three commands can also be run in combination with one another to
configure the system clock, as listed in Table 4-1.
In the following examples, the original system time is 08:00:00 January 1, 2010.
l 1: The clock datetime command is run to set the current date and time to date-time.
l 2: The clock timezone command is run to configure the time zone with the time zone offset
zone-offset.
l 3: The clock daylight-saving-time command is run to configure the daylight saving time
with the offset offset.
l [1]: The clock datetime command configuration is optional.

Table 4-1 System clock configuration examples

Operation Configured System Example
Time
1 date-time Run the clock datetime 8:0:0 2011-11-12

command.
Configured system time:
2011-11-12 08:00:03
Saturday
Time Zone(DefaultZoneName): UTC
2 Original system time +/- Run the clock timezone BJ add 8 command.
zone-offset Configured system time:
2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00
1, 2 date-time +/- zone-offset Run the clock datetime 8:0:0 2011-11-12 and
clock timezone BJ add 8 commands.
2011-11-12 16:00:13+08:00
Saturday
[1], 2, 1 date-time Run the lock timezone NJ add 8 and clock

datetime 9:0:0 2011-11-12 commands.
2011-11-12 09:00:02+08:00
Saturday
Time Zone(NJ): UTC+08:00
3 Original system time if Run the clock daylight-saving-time BJ one-year

the original system time 6:0 2011-8-1 6:0 2011-10-01 1 command.
is not during the Configured system time:
configured daylight 2010-01-01 08:00:51
saving time period Friday
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
Saving time : 01:00:00


Time
Original system time + Run the clock daylight-saving-time BJ one-year

offset if the original 6:0 2011-1-1 6:0 2011-9-1 2 command.
system time is during the Configured system time:
configured daylight 2010-01-01 10:00:34 DST
Time Zone(BJ): UTC
Name : BJ
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
1, 3 date-time if date-time is Run the clock datetime 9:0:0 2011-11-12 and

not during the configured clock daylight-saving-time BJ one-year 6:0
daylight saving time 2012-8-1 6:0 2012-10-01 1 commands.
period Configured system time:
2011-11-12 09:00:26
Saturday
Name : BJ
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
date-time + offset if date- Run the clock datetime 9:0:0 2011-11-12 and
time is during the clock daylight-saving-time BJ one-year 9:0
configured daylight 2011-11-12 6:0 2011-12-01 2 commands.
saving time period Configured system time:
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Name : BJ
Start year : 2011
End year : 2011
Start time : 11-12 09:00:00
End time : 12-01 06:00:00


Time
[1], 3, 1 date-time if date-time is Run the clock daylight-saving-time BJ one-year

not during the configured 6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime
daylight saving time 9:0 2011-11-12 commands.
2011-11-12 09:00:02
Saturday
Name : BJ
Start year : 2012
End year : 2012
Start time : 08-01 06:00:00
End time : 10-01 06:00:00
date-time if date-time is Run the clock daylight-saving-time BJ one-year

during the configured 1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime
daylight saving time 3:0 2011-1-1 commands.
2011-01-01 03:00:19 DST
Saturday
Time Zone(BJ): UTC
Name : BJ
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
2, 3 or 3, 2 Original system time +/- Run the clock timezone BJ add 8 and clock
zone-offset if the value of daylight-saving-time BJ one-year 6:0 2011-1-1
Original system time +/- 6:0 2011-9-1 2 commands.
zone-offset is not during Configured system time:
the configured daylight 2010-01-01 16:01:29+08:00
Name : BJ
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00


Time
Original system time +/- Run the clock daylight-saving-time BJ one-year

zone-offset +/- offset if 1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone
the value of Original BJ add 8 commands.
system time +/- zone- Configured system time:
offset is during the 2010-01-01 18:05:31+08:00 DST
configured daylight Friday
saving time period Time Zone(BJ): UTC+08:00
Name : BJ
Start year : 2010
End year : 2010
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
1, 2, 3, or 1, date-time +/- zone-offset Run the clock datetime 8:0:0 2011-11-12, clock
3, 2 if the value of date-time timezone BJ add 8, and clock daylight-saving-
+/- zone-offset is not time BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2
during the configured commands.
daylight saving time Configured system time:
period 2011-11-12 16:01:40+08:00
Saturday
Name : BJ
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
date-time +/- zone-offset Run the clock datetime 8:0:0 2011-1-1, clock
+ offset if the value of daylight-saving-time BJ one-year 6:0 2011-1-1
date-time +/- zone-offset 6:0 2011-9-1 2, and clock timezone BJ add 8
is during the configured commands.
daylight saving time Configured system time:
period 2011-01-01 18:00:43+08:00 DST
Saturday
Name : BJ
Start year : 2011
End year : 2011
Start time : 01-01 06:00:00
End time : 09-01 06:00:00


Time
[1], 2, 3, 1 date-time if date-time is Run the clock daylight-saving-time BJ one-year

or [1], 3, 2, not during the configured 6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ
1 daylight saving time add 8, and clock datetime 8:0:0 2011-11-12
period commands.
2011-11-12 08:00:03+08:00
Saturday
Name : BJ
Start year : 2012
End year : 2012
Start time : 01-01 06:00:00
End time : 09-01 06:00:00
date-time if date-time is Run the clock timezone BJ add 8, clock daylight-

during the configured saving-time BJ one-year 1:0 2011-1-1 1:0
daylight saving time 2011-9-1 2, and clock datetime 3:0:0 2011-1-1
period commands.
2011-01-01 03:00:03+08:00 DST
Saturday
Name : BJ
Start year : 2011
End year : 2011
Start time : 01-01 01:00:00
End time : 09-01 01:00:00
4.1.4 Configuring a Header

If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
Context
A header is a text message displayed by the system at the time a user logs in to the switch.
Procedure
Step 1 Run:
system-view
Step 2 Run:
header login { information text | file file-name }

A header displayed during login is set.
Step 3 Run:
header shell { information text | file file-name }
A header displayed after login is set.
To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.
CAUTION
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and end the header by entering the first character when you are finished.
The system then exits from the interactive interface.
l If a user logs in to the switch using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the switch using SSH2.0, both login and shell headers are displayed.
----End
4.1.5 Configuring Command Levels

This section describes how to configure command levels to ensure device security or allow low-
level users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands in to
16 levels, that is, from Level 0 to Level 15.
Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
l The commands of Level 0 and Level 1 remain unchanged.

l The commands of Level 2 are updated to Level 10 and the commands of Level 3 are updated
to Level 15.
l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust
the command lines to these levels separately to refine the management of privilege.
CAUTION
Changing the default level of a command is not recommended. If the default level of a command
is changed, some users may be unable to use the command any longer.

Procedure
Step 1 Run:
system-view

Step 2 Run:
command-privilege level rearrange
Update the command level in batches.

When no password is configured for a Level 15 user, the system prompts the user to set a super-
password for the level 15 user. At the same time, the system asks if the user wants to continue
with the update of command line level. Then, just select "N" to set a password. If you select "Y",
the command level can be updated in batches directly. This results in the user not logging in
through the Console port and failing to update the level.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
4.2 Displaying System Status Messages

This section describes how to use display commands to check basic system configurations.
Context
You can use display commands to collect information about system status. The display
commands perform the following functions:
l Display system configurations.

l Display system running status.
l Display diagnostic information about a system.
l Displays the restart information about the main control board.
See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
Run the following commands in any view.
4.2.1 Displaying System Configuration

This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.
Procedure
l Run the display version command to display the system version.

l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.
NOTE
l The original configuration refers to information about configuration files used by the device when
it is powered on and initialized. The current configuration refers to the configuration files that
take effect when the device is in use. For details, see the chapter "Configuring System Startup"
in the S6700 Basic-Configuration.
----End
4.2.2 Displaying System Status

This section describes how to use command lines to check system operating status (the
configuration of the current view).
Procedure
l Run the display this command to display the configuration of the current view.
----End
4.2.3 Collecting System Diagnostic Information

This section describes how to collect information about system modules.
Context
If you cannot perform routine maintenance, you must run the various display commands to
collect information needed to locate faults. The display diagnostic-information command
gathers information about all system modules currently running.
Procedure
l Run:
display diagnostic-information [ file-name ]
System diagnostic information is displayed.

The display diagnostic-information command collects the same information as the
display clock, display version, display cpu-usage, display interface, display current-
configuration, display saved-configuration, display history-command, and other
commands gather.
----End

Configuration Guide - Basic Configuration 5 Configuring User Interfaces
5 Configuring User Interfaces
About This Chapter
When a user uses a console port, Telnet, or SSH (STelnet) to log in to the switch, the system
manages the session between the user and the switchon the corresponding user interface.
5.1 User Interface Overview
The system supports console and VTY user interfaces.
5.2 Configuring the Console User Interface
If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
5.3 Configuring the VTY User Interface
If you need to log in to the switch using Telnet or SSH to perform local or remote maintenance,
you can configure the VTY user interface as needed.
This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provide configuration roadmaps
and configuration notes.

5.1 User Interface Overview

The system supports console and VTY user interfaces.
Each user interface has a user interface view. A user interface view is a command line view
provided by the system. It is used to configure and manage all the physical and logical interfaces
in asynchronous mode.
User Interfaces Supported by the System

l Console port (CON)
The console port is a serial port provided by the main control board of the device.
The main control board provides one EIA/TIA-232 DCE console port. A terminal can use
this port to connect directly to a device in order to perform local configurations.
l Virtual type terminal (VTY)
A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet
to connect to a terminal by means of Telnet. This kind of connection is used for local or
remote access to a device. A maximum of 15 users can use the VTY user interface to log
in to the device.
Numbering of a User Interface

After a user logs in to the device, the system assigns the lowest numbered idle user interface to
the user. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
l Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to
number single user interfaces or user interface groups and must adhere to the following
rules:
– Number of the console port: CON 0
– Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
l Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a
unique number.
Absolute numbering starts with 0. Ports are numbered in a sequence beginning with CON
-> VTY. There is only one console port and 0-20 VTY interfaces (VTY interfaces 0 to 14
are reserved for Telnet/SSH users and VTY interfaces 16 to 20 are reserved for network
management users). You can use the user-interface maximum-vty command to set the
maximum number of user interfaces. The default number is five.
Table 5-1 shows absolute numbers for user interfaces in this system.

Table 5-1 Description of absolute and relative numbers for user interfaces
User Description Absolute Relative Number

interface Number
Console user Manages and 0 0

interface monitors users
logging in through
the console port.
VTY user Manages and 34 to 48, and 50 l Absolute numbers 34 to

interface monitors users to 54 48 correspond to relative
logging in using Among the numbers TTY 0 to TTY
Telnet or SSH. absolute 14.
numbers, 49 is l Absolute numbers 50 to
reserved for 54 correspond to relative
future use and numbers TTY 16 to TTY
50 to 54 are 20.
reserved for the Among the relative numbers,
network VTY 15 is reserved for
management future use and VTY 16 to
system. VTY 20 are reserved for the
network management
system.
NOTE
The absolute numbers allocated for VTY interfaces are device-specific.
Run the display user-interface command to view the absolute number of user interfaces.
Authentication of a User Interface

After a user is configured, the system authenticates the user during user login.
There are two user authentication modes: password and AAA, which are described as follows:
l Password authentication: Users must enter a password, but not a username, during the login
process.
l AAA authentication: Users must enter a password and a username during the login process.
Telnet users are usually authenticated in this mode.
Priority of a User Interface

Users logged in to the switch are managed according to their levels.
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher the
user level.
A user's level determines the level of commands that the user is authorized to run.
l In the case of password authentication, the level of the command that the user can run is
determined by the level of the user interface.

l In the case of AAA authentication, the command that the user can use is determined by the
level of the local user specified in the AAA configuration.
5.2 Configuring the Console User Interface


Before configuring the console user interface, familiarize yourself with the usage scenario,
If you need to log in to the switch through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.
Before configuring a console user interface, log in to the switch with a terminal.
Data Preparation
To configure a console user interface, you need the following data.
No. Data
1 Baud rate, flow-control mode, parity, stop bit, and data bit
2 Idle timeout period, terminal screen length, number of characters in each line
displayed in a terminal screen, and the size of history command buffer
3 User priority
4 User authentication method, username, and password
NOTE
All the default values (excluding the password and username) are stored on the switch and do not need
additional configuration.
5.2.2 Setting Physical Attributes of the Console User Interface

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.

Context
Physical attributes of a console port have default values on the switch and no additional
configuration is needed.
NOTE
When a user logs in to a switch through a console port, the physical attributes set for the console port on
the HyperTerminal must be consistent with the attributes of the console user interface on the switch, or the
user will not be able to log in.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.
Step 3 Run:
speed speed-value
The baud rate is set.
By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set.
By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bit is set.
By default, the data bit is 8.
----End

5.2.3 Setting Terminal Attributes of the Console User Interface

This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed in a terminal screen, and size of the history command buffer.
Context
Terminal attributes of the console user interface have default values on the switch that you may
modify as needed.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set.

If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-widthscreen-width
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
The history command buffer is set.

By default, the size of history command buffer is 10 entries.
----End
5.2.4 Configuring User Privilege of the Console User Interface

This section describes how to control a user' authority to log in to the switch and how to improve
switch security by configuring user priority.
Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
user privilege level level
The user privilege is set.
NOTE
l By default, users logging in through the console user interface can use commands at level 3, and users
logging in through other user interfaces can use commands at level 0.
l If the command level and user level are inconsistent, the user level takes precedence.
----End
5.2.5 Configuring the User Authentication Mode of the Console

User Interface
The system provides two authentication modes: AAA, password. Configuring user
authentication modes improves switch security.
Context
The system provides two authentication modes as shown in Table 5-2.

Table 5-2 Authentication Modes

Authen Advantage Disadvantage
tication
Mode
AAA AAA provides user authentication with high The configuration is complex.
security. The user name and password for
The user name and password must be entered AAA authentication must be
for login. created.
Passwor Password authentication is based on VTY It provides lower security

d channels, providing security. The compared with AAA.
authenti configuration is simple and only the login All users can log in to a device
cation password is needed. using the login password for the
device.
CAUTION
If the user authentication mode for the console user interface is password authentication or AAA
authentication, a password or user name must be set.
Procedure
l Configuring AAA authentication
1. Run:
system-view

2. Run:
aaa
The AAA view is displayed.

3. Run:
local-user user-name password cipher password
A user name and password for the local user are created.
4. Run:
quit
Exit from the AAA view.

5. Run:

6. Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.

l Configuring password authentication

1. Run:
system-view

2. Run:

3. Run:
authentication-mode password
The authentication mode is set to password authentication.

4. Run:
set authentication password [ cipher password ]
A password for password authentication is set.

----End
5.2.6 Checking the Configurations

After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Prerequisites
The user management function has been configured.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check online users.
----End
Example
Run the display users command to view information about the current user interface.
<Quidway> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:00:44 pass no
Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.

ActualPrivi: The actual privilege of user-interface.

Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Run the display local-user command to view the local user list.
<Quidway> display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
5.3 Configuring the VTY User Interface

you can configure the VTY user interface as needed.

Before configuring a VTY user interface, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain any data required for the configuration.
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode. The preceding parameters have default values on the switch. You can
modify these parameters as needed.
Before configuring a VTY user interface, log in to the switch by using a terminal.
Data Preparation
To configure a VTY user interface, you need the following data.
No. Data
1 Maximum VTY user interfaces
2 (Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
3 Idle timeout period, number of characters in each line displayed on a terminal screen,
and the size of history command buffer
4 User priority
5 User authentication method, username, and password

NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.
5.3.2 Configuring the Maximum Number of VTY User Interfaces

This section describes how to limit the number of users logging in to the switch by configuring
the maximum number of VTY user interfaces.
Context
The maximum number of VTY user interfaces equals the total number of users allowed to log
in to the switch using Telnet or SSH.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the switch.
If the set maximum number of VTY user interfaces is smaller than the maximum number of
online users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for newly added user
interfaces.
Consider, for example, a system that allows a maximum of five users to be online. To allow 15
VTY users online at the same time, you must run the authentication-mode command to
configure authentication modes for VTY user interfaces from 5 to 14. The commands are run
as follows:
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
----End

5.3.3 (Optional) Setting Restrictions for Incoming and Outgoing

Calls on VTY User Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.
Context
Before setting restrictions for incoming and outgoing calls on a VTY user interface, run the
acl command in the system view to create an ACL. Enter the ACL view and run the rule
command to add rules to the ACL.
NOTE
l The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging
from 3000 to 3999.
l For ACL configuration details, refer to the S6700 Series Ethernet Switches Configuration Guide -
Security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run:
acl acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY interface are configured.
l If you want to prevent a user with a specific address or segment address from logging in to
the switch, use the inbound command.
l If you want to prevent a user who logs in to a switch from accessing other switchs, use the
outbound command.
----End
5.3.4 Setting Terminal Attributes of the VTY User Interface

This section describes how to configure terminal attributes of a VTY user interface, including
user idle timeout, number of lines or number of characters in each line displayed in a terminal
screen, and size of the history command buffer.
Context
Terminal attributes of a VTY user interface have default values on the switch and you can set
them as needed.

Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface vty number1 [ number2 ]

Step 3 Run:
shell
VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]
User idle timeout is enabled.

If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value
Set the size of the history command buffer.

By default, a maximum number of 10 commands can be cached in the history command buffer.
----End
5.3.5 Setting User Priority of the VTY User Interface

This section describes how to control a user' authority to log in to the switch and how to improve
switch security by configuring user priority.
Context
l Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
l This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see "Command Level".

Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty interface-number
Step 3 Run:
The user priority is set.
By default, users logging in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
5.3.6 Setting the User Authentication Mode of the VTY User

Interface
The system provides two authentication modes: AAA, password. Configuring user
authentication modes improves switch security.
Context
The system provides two authentication modes as shown in Table 5-3.
Table 5-3 Authentication Modes
Authen Advantage Disadvantage

tication
Mode
AAA AAA provides user authentication with high The configuration is complex.
security. The user name and password for
The user name and password must be entered AAA authentication must be
for login. created.
Passwor Password authentication is based on VTY It provides lower security

d channels, providing security. The compared with AAA.
authenti configuration is simple and only the login All users can log in to a device
cation password is needed. using the login password for the
device.

CAUTION
l By default, the user authentication mode of the VTY user interface is not configured.
Administrators must manually set a user authentication mode for the VTY user interface. If
no user authentication mode is set for the VTY user interface, users cannot log in to the device
using the VTY user interface.
l If the user authentication mode of the VTY user interface is password authentication or AAA
authentication, a password or user name must be set for logging in to the system. In this case,
without password or user name set, users cannot log in to the device using the VTY user
interface.
CAUTION
If the user authentication mode for the VTY user interface is password or AAA, you must set
the password or user name for logging in to the device.
Procedure
l Configuring AAA authentication
1. Run:
system-view

2. Run:

3. Run:

4. Run:
quit
Exit from the VTY user interface view.

5. Run:
aaa

6. Run:
A user name and password for the local user are created.
l Configuring password authentication
1. Run:
system-view

2. Run:

3. Run:

4. Run:
A password in the encrypted text for password authentication is set.

----End

After configuring a VTY user interface, you can view information about user interfaces, the
maximum number of VTY user interfaces, and physical attributes and configurations of user
interfaces.
Prerequisites
The VTY user interface has been configured.
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]
command to check the physical attributes and configurations of user interfaces.
l Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
34 VTY 0 00:00:12 TEL 10.138.77.38 no
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<Quidway> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<Quidway> display user-interface vty 0


+ 34 VTY 0 - 14 14 N -
----------------------------------------------------------------------------
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<Quidway> display vty mode
current VTY mode is Machine-Machine interface

This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain networking requirements, and provide configuration roadmaps
and configuration notes.
5.4.1 Example for Configuring Console User Interface

In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the switch. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.
Networking Requirements
A user uses the console user interface to log in to the switch to initialize switch configurations
or perform local router maintenance. You can set console user interface attributes as needed (for
example, security considerations) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei).
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:

1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
l Transmission rate of the console user interface: 4800 bit/s

l Flow control mode of the console user interface: None
l Parity of the console user interface: even
l Stop bit of the console user interface: 2
l Data bit of the console user interface: 6
l Timeout period for disconnecting from the console user interface: 30 minutes
l Number of lines that a terminal screen displays: 30
l Number of characters that a terminal screen displays: 60
l Size of the history command buffer: 20
l User priority: 15
l User authentication mode: password (password: huawei@123)
Procedure
Step 1 Set physical attributes of the console user interface.
[Quidway] user-interface console 0
[Quidway-ui-console0] speed 4800
[Quidway-ui-console0] flow-control none
[Quidway-ui-console0] parity even
[Quidway-ui-console0] stopbits 2
[Quidway-ui-console0] databits 6
Step 2 Set terminal attributes of the console user interface.

[Quidway-ui-console0] shell
[Quidway-ui-console0] idle-timeout 30
[Quidway-ui-console0] screen-length 30
[Quidway-ui-console0] screen-width 60
[Quidway-ui-console0] history-command max-size 20
Step 3 Set the user priority of the console user interface.

[Quidway-ui-console0] user privilege level 15
Step 4 Set the user authentication mode in the console user interface to password.
[Quidway-ui-console0] authentication-mode password
[Quidway-ui-console0] set authentication password cipher huawei
[Quidway-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the switch. For details on how a user
logs in to the switch, see the 6 Configuring User Login.
----End

Configuration Files
#
sysname Quidway
#
user-interface con 0
user privilege level 15
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;
[qJRbm_OzqGiLhaXS%$%$
history-command max-size 20
idle-timeout 30 0
screen-length 30
databits 6
parity even
stopbits 2
speed 9600
#
return
5.4.2 Example for Configuring a VTY User Interface

In this example, a VTY user interface is configured to allow a user in password authentication
mode to use Telnet to log in to the switch. The maximum number of VTY user interfaces allowed,
restrictions for incoming and outgoing calls, terminal attributes, authentication mode, and
password are set for the interface.
A user uses Telnet to log in to the switch using a VTY channel. You can set VTY user interface
attributes as needed (for example, security considerations) to allow user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, with the password of "huawei", and a user with the IP address of 10.1.1.1 is
prohibited from logging in to the switch.
If there is no user activity and a connection is idle for more than 30 minutes after login, the
connection is torn down.
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment for accessing the switch.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority of the VTY user interface.
5. Set the authentication mode and password of the VTY user interface.
Data Preparation
l Maximum number of VTY user interfaces: 15
l ACL applied to restrict incoming calls on the VTY user interface: 2000
l Timeout period for disconnecting from the VTY user interface: 30 minutes


l Number of characters that a terminal screen displays: 60
l User priority: 15
l User authentication mode: password, password: huawei
Procedure
Step 1 Set the maximum number of VTY user interfaces.
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[Quidway] acl 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] quit
[Quidway-ui-vty0-14] acl 2000 inbound
Step 3 Set terminal attributes of the VTY user interface.

[Quidway-ui-vty0-14] shell
[Quidway-ui-vty0-14] idle-timeout 30
[Quidway-ui-vty0-14] screen-length 30
[Quidway-ui-vty0-14] screen-width 60
[Quidway-ui-vty0-14] history-command max-size 20
Step 4 Set the user priority of the VTY user interface.

[Quidway-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[Quidway-ui-vty0-14] authentication-mode password
[Quidway-ui-vty0-14] set authentication password cipher huawei
[Quidway-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can use Telnet
to log in to the switch and perform local or remote maintenance on the switch. For details on
how a user logs in to the switch, see the 6 Configuring User Login.
----End
Configuration Files
#
sysname Quidway
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
set authentication password cipher %$%$>tGNLl~,2=8vhc%-9O_B:[RI^3}]Ln;
[qJRbm_OzqGiLhaXS%$%$
idle-timeout 30 0
screen-length 30
#
return

Configuration Guide - Basic Configuration 6 Configuring User Login
6 Configuring User Login
About This Chapter
A user can log in to the switch through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the switch locally or remotely after login.
6.1 Overview of User Login

When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
6.2 Logging in to the Devices Through the Console Port
When a user needs to configure a switch that is powered on for the first time or maintain a
switch locally, the user can log in through a console port.
6.3 Logging in to Devices Using Telnet
When multiple switchs need to be configured and managed, there is no need to maintain each
switch locally. Instead, you can use Telnet to log in to the switchs remotely to perform
maintenance. This greatly facilitates device management.
6.4 Logging in to Devices Using STelnet
STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
6.5 Logging in to the Devices by Using Secure Web Network Management (HTTPS Mode)
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.
6.6 Common Operations After Login
After logging in to the switch, you can perform user priority switching, terminal window locking,
and other operations as needed.
This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.

6.1 Overview of User Login

When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
Table 6-1 lists the modes by which a user can log in to the device to configure and manage it.
Table 6-1 User login modes

Login Mode Applicable Scenario Remarks
6.2 Logging in to A user logs in to the device By default, a user can directly log in to
the Devices using the console port on the the device using the console port. The
Through the user terminal to power on authentication mode is password
Console Port and configure the device for authentication, indicating that a
the first time. password is required for authentication.
l If a user cannot access The command access level is 3.
the device remotely, the
user can log in to the
device locally using the
console port.
l A user can log in using
the console port to
diagnose a fault if the
device fails to start or to
enter the BootROM to
upgrade the system.

6.3 Logging in to A user accesses the network By default, a user cannot log in to the
Devices Using using a user terminal and device directly using Telnet. To enable
Telnet logs in to the device using Telnet login, log in to the device locally
Telnet to perform local or using the console port and perform the
remote configuration. The following configuration tasks:
target device authenticates l Configure the IP address of the
the user using the management network port on the
configured login device and ensure that a reachable
parameters. route exists between the user terminal
The Telnet login mode and the device. By default, an IP
facilitates remote device address is not configured on the
management and device.
maintenance. l Configure the user authentication
mode of the VTY user interface. (By
default, the user authentication mode
of the VTY user interface is not
configured. Administrators must
manually set a user authentication
mode for the VTY user interface.)
l Configure the user access level of the
VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Enable the Telnet server function. By
default, the Telnet server function is
enabled.

6.4 Logging in to A user accesses the network By default, a user cannot log in to the
Devices Using using a user terminal. If the device directly using STelnet. To enable
STelnet network is insecure, use the STelnet login, log in to the device locally
Secure Shell (SSH) protocol using the console port and perform the
to increase the security of following configuration tasks:
the transmission and utilize l Configure the IP address of the
a powerful authentication management network port on the
mechanism. SSH protects device and ensure that a reachable
the device system against route exists between the user terminal
attacks, such as IP proofing and the device. By default, an IP
and plain text password address is not configured on the
interception. device.
The STelnet login mode l Configure the user authentication
better ensures the security of mode of the VTY user interface. (By
the exchanged data. default, the user authentication mode
of the VTY user interface is not
configured. Administrators must
manually set a user authentication
mode for the VTY user interface.)
l Configure the user access level of the
VTY user interface. By default, the
user access level of the VTY user
interface is 0.
l Configure the VTY user interface to
support the SSH protocol. By default,
the VTY user interface supports the
Telnet protocol.
l Configure the SSH user and specify
STelnet as a service mode. By default,
the SSH user is not configured on the
device, and the service mode of SSH
users is null (no service mode is
supported).
l Enable the STelnet server function.
By default, the STelnet server
function is disabled.
NOTE
Logging in using Telnet is insecure because a secure authentication mechanism is not used and data is
transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts data in
both directions to guarantee secure transmissions on a conventional insecure network. SSH supports
security Telnet (STelnet).
For detailed information about SSH, see S6700 Feature Description - Basic Configurations.

6.2 Logging in to the Devices Through the Console Port

When a user needs to configure a switch that is powered on for the first time or maintain a
switch locally, the user can log in through a console port.

Before configuring user login through a console port, familiarize yourself with the usage
configuration.
A user can log in to a device locally through a console port. The user can log in through a console
port when a device is powered on for the first time.
l If a user cannot access the device remotely, the user can log in to the device locally using
the console port.
l A user can log in using the console port to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Before configuring user login through a console port, complete the following tasks:
l Configure the PC/terminal (including the serial port and RS-232 cable).
l Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC.
Data Preparation
To configure user login through a console port, you need the following data.
No. Data
1 l Transmission rate, flow control mode, parity mode, stop bit, data bit
l Number of lines displayed in a terminal screen, number of characters displayed
in a terminal screen, size of the history command buffer
l User priority
l User authentication mode, username, and password
6.2.2 (Optional) Configuring the Console User Interface


Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and user authentication mode.
For detailed settings, see Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when logged in to the device through the console
port. For this reason, logging into the device using another login mode is recommended when modifying
console user interface attributes. To log in to the device through the console port after changing the default
console user interface attributes, ensure that the configuration of the terminal emulator running on the PC
is consistent with the console user interface attributes configured on the device.
6.2.3 Logging In to the Device Using a Console Port

A user can log in by connecting a terminal to the device using a console port.
Context
l Communication parameters of the user terminal must match physical attribute parameters
of the console user interface on the device.
l A user authentication mode must be configured on the console user interface, a user can
log in to the device only after being successfully authenticated. Authentication enhances
network security.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 6-1.

Step 2 Set an interface, as shown in Figure 6-2.
Figure 6-2 Interface settings
Step 3 Set communication parameters to match the switch defaults, as shown in Figure 6-3.

Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the set password.
Please configure the login password (maximum length 16)
Enter Password:
Confirm Password:
NOTE
l After the password for the user interface is set successfully during the first login, you must enter this
password for authentication when you relog in to the system in password authentication mode using
this user interface.
----End

After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.
Prerequisites
Configurations for user login through a console port are complete.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check
physical attributes and configurations of the user interface.
l Run the display access-user command to check online users.
----End
Example
Run the display users command to view information about the current user interface.
0 CON 0 00:00:44 pass no
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<Quidway> display user-interface console 0
0 CON 0 9600 - 3 - N -

----------------------------------------------------------------------------
----------------------------------------------------------------------------
aa A S -
admin A H -
huawei A F -
----------------------------------------------------------------------------
Total 3 user(s)
6.3 Logging in to Devices Using Telnet

When multiple switchs need to be configured and managed, there is no need to maintain each
switch locally. Instead, you can use Telnet to log in to the switchs remotely to perform
maintenance. This greatly facilitates device management.

Before configuring user login using Telnet, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for configuration.
If you know the IP address of a remote switch, you can use Telnet to log in to the switch from
a local terminal. Telnet login allows you to maintain multiple remote switchs from one local
terminal, greatly facilitating device management.
Note that switch IP addresses must be preset through console ports.
Before configuring users to log in using Telnet, you must log in to the device through the console
port to change the default configurations on the device, so that users can remotely log in to the
device using Telnet to manage and maintain the device. The following default configurations
must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l 6.3.2 Configuring the User Access Level and User Authentication Mode of the VTY
User Interface for remote device management and maintenance
l 6.3.3 Enabling the Telnet Service so that users can remotely log in to the device through
Telnet
Data Preparation
BBefore configuring Telnet user login, you need the following data.

No. Data
1 l User priority
l User authentication mode, username, password
l (Optional) Maximum number of VTY user interfaces allowed
l (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
l (Optional) Connection timeout period of terminal users, number of lines displayed
in a terminal screen, number of characters displayed in a terminal screen and size
of the history command buffer
2 IPv4/IPv6 address or host name of the switch
3 TCP port number used by the remote device to provide Telnet services, VPN instance
name
6.3.2 Configuring the User Access Level and User Authentication

Mode of the VTY User Interface
By default, the user access level of the VTY user interface is 0. To enable a user terminal to log
in to the device remotely using Telnet for maintenance and management, log in to the device
using the console port, change the user access level and , and set a user authentication mode for
the VTY user interface.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see Configuring the VTY User
Interface.
Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view

2. Run:

3. Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 6-2 describes
the relationship between the user access levels and command levels.

User Co Level Description
Lev mm Name
el and
Lev
el
0 0 Visit This level gives access to commands that run network

level diagnostic tools (such as ping and tracert) and commands
that start from a local device and visit external devices
(such as Telnet client side).
1 0 and Monit This level gives access to commands, like the display
1 oring command, that are used for system maintenance and fault
level diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command level, see S6700 Series Command Reference.
2 0, 1, Config This level gives access to commands that configure

and 2 uration network services provided directly to users, including
level routing and network layer commands.
3-15 0, 1, Manag This level gives access to commands that control basic
2, ement system operations and provide support for services. These
and 3 level commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, and debugging
commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
Two authentication modes are available: password authentication, and AAA
authentication. Select one of them as needed.
– Configuring Password Authentication
1. Run:
system-view

2. Run:


3. Run:

4. Run:
A password in the encrypted text for password authentication is set.

– Configuring AAA Authentication
When the user authentication mode of the VTY user interface is set to AAA
authentication, the access type of the local user must be specified.
1. Run:
system-view

2. Run:
aaa

3. Run:
A username and password for the local user are created.

4. Run:
local-user user-name service-type telnet
The access type of the local user is set to Telnet.

5. Run:
quit

6. Run:

7. Run:

----End
6.3.3 Enabling the Telnet Service

Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device, so that the user
terminal can remotely log in to the device using Telnet.
Context
By default, the Telnet server function is enabled.
Perform the following steps on the device that serves as a Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.

Procedure
l For the IPv4 network
1. Run:
system-view

2. Run:
telnet server enable
The Telnet service is enabled.

l For the IPv6 network
1. Run:
system-view

2. Run:
telnet ipv6 server enable
The Telnet service is enabled.
NOTE
l If the undo telnet [ ipv6 ] server enable command is run when a user logs in by using
Telnet, the command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only using SSH
or an asynchronous serial port rather than using Telnet.
----End
6.3.4 Logging in to the Device Using Telnet

After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.
Context
Use either the Windows CLI or third-party software in the terminal to log in to the switch through
Telnet. This section describes use of the Windows command line prompt.
Perform the following steps on the user terminal:
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to telnet the device.
1. Input the IP address of the Telnet server.

Figure 6-4 Windows CLI
2. Press Enter to display the command line prompt, such as <HUAWEI>, for the system
view. This indicates that you have accessed the Telnet server.
If the password or AAA authentication mode has been set on the device, you must enter
the login user name and password, and press Enter. The command line prompt of the user
view is displayed, as shown in Figure 6-5.
Figure 6-5 Login
----End
6.3.5 (Optional) Configuring Listening Port Number for Telnet

Server
A user can configure or change the listening port number of a Telnet server. Changing the
listening port number ensures network security, because only the user that knows the current
listening port number can log in to the switch.
Context
By default, the listening port number of a Telnet server is 23. Users can directly log in to the
switch using the default listening port number. Attackers may access the default listening port,
consuming bandwidth, deteriorating server performance, and causing authorized users unable
to access the server. After the listening port number of the Telnet server is changed, attackers

do not know the new listening port number. This effectively prevents attackers from accessing
the listening port.
Perform the following steps on the switch that functions as a Telnet server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
telnet server port port-number
The listening port number of the Telnet server is set.

If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.
----End

After logging in to the system using Telnet, you can view the connection status of each user
interface including the current user interface, and status of all established TCP connections.
Prerequisites
Configurations for Telnet logins are complete.
Procedure
l Run the display users [ all ] command to check information about users logged in to user
interfaces.
l Run the display tcp status command to check TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
34 VTY 0 00:00:12 TEL 10.138.77.38 no
+ 35 VTY 1 00:00:00 TEL 10.138.77.57 no
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID
State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0

Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23
6.4 Logging in to Devices Using STelnet

STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.

Before configuring users to log in using STelnet, familiarize yourself with the usage scenario,
Telnet logins bring security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet, SCP, and SFTP.
STelnet is a secure Telnet protocol. SSH users can use the STelnet service in the same way they
use the Telnet service.
Before configuring users to log in using STelnet, you must log in to the device through the
console port to change the default configurations on the device, so that users can remotely log
in to the device using Telnet to manage and maintain the device. The following default
configurations must be changed:
l Configuring the IP address of the management network port on the device and ensuring
that a reachable route exists between the user terminal and the device
l Configuring the user access level and authentication mode of the VTY user
interface for remote device management and maintenance.
l Configuring the VTY user interface to support the SSH protocol, configuring the SSH
user and specify STelnet as a service mode for the SSH user, and enabling the STelnet
server function so that the user can remotely log in to the device through STelnet
Data Preparation
To configure users to log in using STelnet, you need the following data:

No. Data
1 user authentication mode, username, and password, (optional)Maximum number of

VTY user interfaces allowed, (optional) ACL for restricting incoming and outgoing
calls on VTY user interfaces, (optional)connection timeout period for terminal users,
number of rows displayed in a terminal screen, size of the history command buffer
2 Username, password, authentication mode, and service type of an SSH user and
remote public RSA or DSA key pair allocated to the SSH user
3 (Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encryption algorithm from the SSH server to the STelnet client, preferred HMAC
algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from
the SSH server to the STelnet client, preferred algorithm for key exchange
6.4.2 Configuring the User Access Level and User Authentication

Mode of the VTY User Interface
By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level and , and set a user authentication mode.
Context
Interface.
Procedure
l Configure the user access level of the VTY user interface.
1. Run:
system-view

2. Run:

3. Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 6-3 describes
the relationship between the user access levels and command levels.

User Co Level Description

Lev mm Name
el and
Lev
el
0 0 Visit This level gives access to commands that run network

level diagnostic tools (such as ping and tracert) and commands
that start from a local device and visit external devices
(such as Telnet client side).
1 0 and Monit This level gives access to commands, like the display
1 oring command, that are used for system maintenance and fault
level diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command level, see S6700 Series Command Reference.
2 0, 1, Config This level gives access to commands that configure

and 2 uration network services provided directly to users, including
level routing and network layer commands.
3-15 0, 1, Manag This level gives access to commands that control basic
2, ement system operations and provide support for services. These
and 3 level commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
backup board control commands, user management
commands, level setting commands, and debugging
commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level lower than or equal to the command
level of the user. This ensures the security of the device to some extent.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
l Configure the user authentication mode of the VTY user interface.
– Configuring AAA Authentication
When the authentication mode of the VTY user interface is set to AAA authentication,
the access type of the local user must be specified.
1. Run:
system-view

2. Run:
aaa


3. Run:
A username and password for the local user are created.

4. Run:
local-user user-name service-type ssh
The access type of the local user is set to SSH.

5. Run:
quit

6. Run:

7. Run:
----End
6.4.3 Configuring SSH for the VTY User Interface

For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
Perform the following steps on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.
Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.
----End
6.4.4 Configuring an SSH User and Specifying the Service Types

To implement STelnet access, configure a Secure Shell (SSH) user, create a local Revist-Shamir-
Adleman algorithm (RSA) or digital signature algorithm (DSA) key pair, configure a user
authentication mode, and specify a service type for the SSH user.
Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
password-DSA, and all. Password authentication depends on Authentication,
Authorization and Accounting (AAA). Before a user logs in to the device in password,
password-RSA, or password-DSA authentication mode, you must create a local user with
the specified username in the AAA view.
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on either of the following authentications: password
authentication, or DSA authentication and RSA authentication.
l The device must be configured to generate local RSA or DSA key pairs, which are a key
part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA or DSA key pair. If an
SSH user logs in to an SSH server in RSA or DSA authentication mode, configure both the
server and the client to generate local RSA or DSA key pairs.
RSA key and DSA key are an algorithm for user authentication in SSH, respectively.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode
and is widely used. In many cases, SSH only supports DSA to authenticate the server and
the client. When the RSA or DSA authentication mode is used, the priority of users depends
on the priority of the VTY user interfaces used for login.
Perform the following operations on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssh user user-name
An SSH user is created.
If password or password-RSA authentication, or password-DSA is configured for the SSH user,

create the same SSH user in the AAA view and set the local user access type to SSH.

1. Run the aaa command to enter the AAA view.

2. Run the local-user user-name password cipher password command to set the local user
access type to SSH.
Step 3 Create an RSA or DSA key pair.
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
l You must configure the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits and 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
Step 4 Perform the operations as described in Table 6-4 based on the configured SSH user
authentication mode.
Table 6-4 Configuring an authentication mode for the SSH user

Operation Command Description
Configure Run the ssh user user-name If local or HWTACACS

Password authentication-type password authentication is used and there
Authentication command are only a few users, use password
authentication.

Configure the Run the ssh authentication-type When you log in using SSH and
Default Password default password command use a TACACS server for
Authentication authentication, the network
administrator needs to specify the
information about an SSH user on
the TACACS server. In most
cases, however, the SSH server
cannot obtain the user
information from the TACACS
server. To resolve this problem,
you can run the ssh
authentication-type default
password command to set the
authentication mode as password
authentication. Then, you can log
in to the device on the SSH server
safely.
Configure RSA 1, Run the ssh user user-name -

authentication authentication-type rsa command
to configure RSA authentication.
2, Run the rsa peer-public-key key- -

name command to enter the public
key view.
3, Run the public-key-code begin -

command to enter the public key
edit view.
4, Enter hex-data to edit the public l In the public key edit view,
key. only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
5, Run the public-key-code end -

command to exit from the public
key edit view.

6, Run the peer-public-key end l Running the peer-public-key

command to return to the system end command generates a key
view. only after a valid hex-data
format is entered.
l If the peer-public-key end
command is used after the key
key-name specified in Step 2 is
deleted in another window, the
system prompts a message,
indicating that the key does
not exist, and the system view
is displayed.
7, Run the ssh user user-name -

assign rsa-key key-name command
to assign the SSH user a public key.
Configure DSA 1, Run the ssh user user-name -

authentication authentication-type dsa command
to configure DSA authentication.
2. Run the dsa peer-public-key -

key-name encoding-type { der |
pem } command to configure an
encoding format for a DSA public
key and enter the DSA public key
view.

edit view.

key edit view.


format is entered.
is displayed.

assign dsa-key key-name command
Step 5 (Optional) Authorize SSH users using command lines.
Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 6 Run:
ssh user username service-type { stelnet | all }
The service type for the SSH user is configured.
By default, the service type of the SSH user is not configured.
----End
6.4.5 Enabling the STelnet Server Function

By default, the STelnet server function is disabled. Before a user terminal logs in to the device
using STelnet, you must log in to the device through the console interface to enable the STelnet
server function on the device.
Context
By default, no device is enabled with the STelnet server function. Users can establish connections
to the device using STelnet only after the device is enabled with the STelnet server function.
Perform the following steps on the device that serves as an SSH server:

Procedure
Step 1 Run:
system-view

Step 2 Run:
stelnet server enable
The STelnet server function is enabled.

By default, the STelnet server function is disabled.
----End
6.4.6 Logging in to the Device Using STelnet

After you log in to the device through the console interface to complete relevant configurations,
users can remotely log in to the device using the Secure Shell (SSH) protocol from remote user
terminals to remotely maintain the device.
Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the help document of the
software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the switch in STelnet mode.

Figure 6-6 Logging in to the device in STelnet mode
----End
6.4.7 (Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated.
Procedure
Step 1 Run:
system-view

Step 2 Perform one or both of the operations shown in Table 6-5 as needed.

Table 6-5 Server parameters

Server Command Description
parameters
Configure the Run the ssh server rekey-interval You can set an interval at which the
interval at interval command. key pair of an SSH server is updated.
which the key By default, the interval is 0, When the timer expires, the key pair
pair of the indicating that the key is never is automatically updated, improving
SSH server is updated. security.
updated
Configure the Run the ssh server timeout If a user fails to log in when the
timeout seconds command. timeout period of SSH
period of SSH By default, the timeout period is 60 authentication expires, the system
authentication seconds. disconnects the current connection
to ensure the system security.
Configure the Run the ssh server authentication- The number of times that SSH
number of retries times command. authentication is retried is set to deny
times that By default, SSH authentication access of unauthorized users.
SSH retries a maximum of 3 times.
authentication
is retried
Configure Run the ssh server compatible- There are two SSH versions:
earlier SSH ssh1x enable command. SSH1.X (earlier than SSH2.0) and
version By default, an SSH server running SSH2.0. SSH2.0 has an extended
compatibility SSH2.0 is compatible with SSH1.X. structure and supports more
To prevent clients running SSH1.3 to authentication modes and key
SSH1.99 from logging in, run the exchange methods than SSH1.X,
undo ssh server compatible-ssh1x SSH 2.0 can eliminate the security
enable command to disable support risks that SSH 1.X has. SSH 2.0 is
for earlier SSH protocol versions. more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The S6700 Series
supports SSH versions ranging from
1.3 to 2.0.


parameters
Configure the Run the ssh server port port- The default listening port number of
listening port number command. an SSH server is 22. Users can log in
number of the By default, the listening port number to the device by using the default
SSH server is 22. listening port number. Attackers
may access the default listening port,
If a new listening port is set, the SSH consuming bandwidth, deteriorating
server cuts off all established STelnet server performance, and causing
and SFTP connections, and uses the authorized users unable to access the
new port number to listen to server. After the listening port
connection requests. number of the SSH server is
changed, attackers do not know the
new port number. This effectively
prevents attackers from accessing
the listening port and improves
security.
----End

After configuring users to log in using STelnet, you can view the SSH server configuration.
Prerequisites
Configurations for STelnet login are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<Quidway> display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : RSA
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.

Run the display ssh server status command to view configurations of an SSH server.
<Quidway> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server : Enable
Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<Quidway> display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : stelnet
Authentication Type : password
6.5 Logging in to the Devices by Using Secure Web Network

Management (HTTPS Mode)
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.

Before configuring users to log in using secure web network management (HTTPS Mode),
familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain
the data required for the configuration. This will help you complete the configuration task quickly
and efficiently.
After a device that supports web network management is enabled with the HTTP function, the
device can function as a web server. Users can log in to the device using HTTP and use web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 6-7, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using web pages.

Figure 6-7 Networking diagram for accessing another device by using HTTPS
VLANIF10
192.168.0.1/24
Network
PC HTTP-Server
Before configuring users to log in using secure web network management (HTTPS Mode),
complete the following tasks:
l Upload a digital certificate to a device that will function as an HTTPS server and copying
the certificate to the sub-directory named security of the system directory on the HTTPS
server.
l Install a Web browser on a PC.
Data Preparation
To configure users to log in using secure web network management (HTTPS Mode), you need
the following data.
No. Data
1 SSL policy name and digital certificate
2 IP address, Web page file, and Web account of the HTTPS server
6.5.2 Configuring an SSL Policy and Loading a Digital Certificate

A digital certificate is used to authenticate the identities of both the user terminal and the HTTPS
server to ensure secure communication.
Context
Before using HTTPS to securely manage files, the HTTPS server needs to obtain a digital
certificate from a CA. The digital certificate is used to authenticate clients. This ensures that
only authorized clients can log in to the HTTPS server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as
a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.
The digital certificate includes information such as the name of a person or an organization that
applies for the certificate, public key, digital-signed signature of the CA that issues the digital
certificate, and validity period of the digital certificate. A CA can issue a certificate chain along
with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates
on the chain.

Upload the server digital certificate and private key file to the security directory on the device
in FTP, SFTP, or SCP mode. If no security directory exists on the device, run the mkdir
security command to create one.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem. A PEM certificate contains only a public key but not a private key, and
the public key is usually encrypted.
The PEM format is applicable to text transmission between systems.
l The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der. An ANS1 certificate contains only a public key but not a
private key, and the public key is not encrypted.
The ASN1 format is the default format for most browsers.
l The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually
encrypted.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ssl policy policy-name
An SSL policy is configured.
Step 3 Load a digital certificate.
Run one of the following commands as required:

l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-
filename auth-code auth-code
A PEM digital certificate is loaded.

l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-
filename
An ASN1 digital certificate is loaded.

l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code |
key-file key-filename } auth-code auth-code
A PFX digital certificate is loaded.

l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-
A PEM digital certificate chain is loaded.

NOTE
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
6.5.3 Loading a Web Page File

To manage and maintain a device on a graphical user interface (GUI), you can configure the
Web network management function. Before using the Web network management function, load
the related Web page file.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http server load file-name
A Web page file is loaded.
----End
6.5.4 Enabling the HTTPS Function

After a device is configured with an SSL policy and enabled with the HTTPS function, the device
functions as an HTTPS server to provide SSL-based HTTP services.
Context
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
Procedure
Step 1 Run:
system-view policy-name

Step 2 Run:
http secure-server ssl-policy policy-name
An SSL policy is configured for a device.

Step 3 Run:
http secure-server enable
The HTTPS server function is enabled.

By default, the HTTPS server function is disabled.

http secure-server port port-number
The listening port number is configured for the HTTPS server.
The default listening port number of the HTTPS server is 443. When using the default listening
port number to access and control the HTTPS server, you do not need to specify the port number
in commands. Attackers may access the default listening port, consuming bandwidth, affecting
performance of the server, and causing authorized users unable to access the server. To improve
security, run this command to change the listening port number of the HTTPS server. After that,
attackers are deprived of information about the newly configured listening port number, and the
HTTPS server is therefore well protected.
----End
6.5.5 Creating a Web Account

Setting the HTTP user name and password is recommended for secure login to a web server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
The HTTP user name and password are set.
Step 4 Run:
local-user user-name service-type http
HTTP is configured as the service type.
Step 5 Run:
local-user user-name privilege level level
The HTTP user level is set.
NOTE
Setting the HTTP user level to 3 or higher is recommended so that the HTTP user can have management-
level rights. Users at levels 0, 1 and 2 have only visit-level rights.
----End
6.5.6 Logging In to the Web System

After logging in to the Web system, you can manage and maintain a device on a GUI.
Open the Web browser on the PC. Enter the IP address of the HTTPS server in the address bar.
Press Enter and the dialog box shown in Figure 6-8 is displayed.

Figure 6-8 Login GUI
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.

After logging in to the devices by using secure web network management (HTTPS Mode) is
configured, you can view the configured SSL policy and loaded digital certificate on the HTTPS
server as well as the HTTPS server status.
Prerequisites
Login to the devices by using secure web network management (HTTPS Mode) has been
configured.
Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display http server command to check the information about the current HTTP
server.
l Run the display http user [ username username ] command to check the information about
current online users.
----End
Example
Run the display ssl policy command. The command output shows detailed information about
the configured SSL policy and loaded digital certificate.

<Quidway> display ssl policy

SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display http server command to view information about the current HTTP server.
<Quidway> display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 3
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
Run the display http user command to view information about current online users.
<Quidway> display http user
Total online users: 1
------------------------------------------------------
User name Client IP Address Login Date
------------------------------------------------------
admin 192.168.0.1 2012-03-23 15:30:55+00:00
6.6 Common Operations After Login

After logging in to the switch, you can perform user priority switching, terminal window locking,
and other operations as needed.

Before performing operations after login, familiarize yourself with the usage scenario, complete
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage switchs safely.
Before performing operations after login, connect the terminal to the switch.
Data Preparations
Before performing operations after login, you need the following data:
No. Data
1 Password used for switching user levels

No. Data
2 Type and number of the user interface
3 Contents of the message to be sent
6.6.2 Switching User Levels

A user who wants to upgrade from a lower to a higher level after logging in to the switch must
have a password already configured.
Context
A password is required to increase user level. This prevents unauthorized users from gaining
access to high-level commands.
Procedure
Step 1 Run:
system-view
Step 2 Run:
super password [ level user-level ] [ cipher password ]
The password for switching user levels is configured.
By default, the password for the user is set to Level 3.
Step 3 Run:
quit
Return to the user view.
Step 4 Run:
super [ level ]
User levels are switched.
By default, the level is 3.
Step 5 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If an incorrect password
is entered three times in a row, the user is returned to the user view at the original level.
NOTE
When the super command is used to switch a user from a lower to a higher level, the system automatically
sends trap messages and records the switchover in a log. When a user is switched from a higher to a lower
level, the system only records the switchover in a log.
----End

6.6.3 Locking User Interfaces

If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.
Context
The user interface can be a console user interface or a VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.
Step 2 Follow the system prompts and input a password to unlock the user interface.
<Quidway> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter the password previously set to unlock the user interface.
----End
6.6.4 Sending Messages to Other User Interfaces

Users logged in to different interfaces can send messages to each other.
Context
Users logged in to the switch can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.
Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display, and press Ctrl_C to abort the display.
----End
6.6.5 Displaying Login Users

You can query information about login users.
Context
User name, address, and authentication and authorization information can be queried.

Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about users logged in to all user interfaces is displayed.
----End
6.6.6 Clearing Logged-in Users

If you want to force a logged-in user to log out of the switch, you can tear down the connection
between the switch and the user.
Context
You can run the display users command to view users logging in to the switch.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.

Step 2 Based on displayed information, you can confirm whether specified logged-in users have been
cleared.
----End
6.6.7 Configuring Configuration Locking

When multiple users log in to the switch to configure the device, configuration conflict may
occur. To prevent configuration conflict from affecting services, you can enable the function of
configuration locking. This allows only one user to configure the device at a time.
Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user locks the configuration set, you can exclusively lock the configuration.
Procedure
Step 1 Run:
configuration exclusive
The user obtains exclusive configuration access.

After enabling the configuration locking function, you can exclusively enjoy the configuration
authority in an explicit manner.
NOTE
This command can be run in any view.

You can run the display configuration-occupied user command to check information about the user who
locks the configuration set at the moment.
If the configuration set is already locked, a prompt message is displayed after this command is run.

Step 2 Run:
system-view

Step 3 Run:
configuration-occupied timeout timeout-value
The timeout period for automatically unlocking the configuration set is set.
After the timeout period expires, the configuration set is automatically unlocked, allowing other
users to configure the device.
By default, the timeout period is 30s.
NOTE
l When a user without exclusive configuration access runs this command, the system prompts an error
message.
l If the configuration set is locked by another user, this command cannot be configured, and the system
prompts an error message.
l If the configuration set is locked by the current user, the current user can run this command.
----End

This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
6.7.1 Example for Configuring User Login Using a Console Port

This example describes how to configure user login using a console port. Login settings that
enable access to the switch using a console port are configured on a PC.
If default values for console user interface parameters are modified, corresponding parameters
on the PC must be reset before another login to the switch can be implemented.
Figure 6-9 Networking diagram of user login using a console port
PC Switch
1. Connect a PC to the switch through a console port.
2. Set login parameters on the PC.

3. Log in to the switch.

NOTE
In this example, a terminal emulator is used.
Data Preparation
Communication parameters for the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit:
2, flow control mode: none)
Procedure
Step 1 Use a standard RS-232 cable to connect the serial port of the PC to the console port of the
switch.
Step 2 Run the terminal emulator on the PC. As shown in Figure 6-10, set communication parameters
for the PC to Figure 6-12. Set the transmission rate to 4800 bit/s, data bit to 6, parity bit to even,
stop bit to 2, and flow control mode to none.

Figure 6-11 Interface setting
Step 3 Power on the switch. The system starts an automatic configuration and a self-check. After the
self-check is complete, at the prompt "Password:," enter the correct authentication password and

press Enter. If the message (such as <Quidway>) is displayed, the login in to the system
succeeds.
Then, you can enter a command to view the operating status of the switch or configure the
switch.
----End
6.7.2 Example for Configuring User Login Through Telnet

This example describes how to set parameters for using Telnet to log in to the switch. In this
configuration example, a user logs in to the switch after setting the VTY user interface and user
login parameters.
You can use a PC or other terminal to log in to the a switch on another network segments through
the PC or other terminals to perform remote maintenance.
Figure 6-13 Networking diagram for login using Telnet
VLANIF 2
10.137.217.221/16
NetWork
PC Switch
After a Telnet user logs in to the switch in AAA authentication mode, the Telnet user is prohibited
from logging in to another switch through the switch.
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the switch.
3. Set parameters of the VTY user interface, including limit on call-in and call-out.
4. Set user login parameters.
5. Log in to the switch.
Data Preparation
l IP address of the PC
l IP address of the the switch: 10.137.217.221/16
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging into another switch: 3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes


l Telnet user information (authentication mode: AAA, username: huawei, password: hello)
Procedure
Step 1 Respectively connect the PC and the switch to the network.
Step 2 Configure a login address.

[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface xgigabitethernet 0/0/1
[Quidway-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[Quidway-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[Quidway-XGigabitEthernet0/0/1] quit
[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 10.137.217.221 255.255.0.0
[Quidway-Vlanif2] quit
[Quidway]
Step 3 Configure the VTY user interface on the switch.
# Set the maximum number of VTY user interfaces.

# Configure an ACL that is used to prohibit users from logging into another switch.
[Quidway]acl 3001
[Quidway-acl-adv-3001]rule deny tcp source any destination-port eq telnet
[Quidway-acl-adv-3001]quit
[Quidway-ui-vty0-9] acl 3001 outbound
# Set terminal attributes of the VTY user interface.

[Quidway-ui-vty0-9] shell
[Quidway-ui-vty0-9] idle-timeout 20
[Quidway-ui-vty0-9] screen-length 30
[Quidway-ui-vty0-9] history-command max-size 20
# Set the user authentication mode of the VTY user interface.

[Quidway-ui-vty0-9] authentication-mode aaa
Step 4 Set user login parameters on the switch.
# Specify the user authentication mode.

[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] quit
Step 5 # Configure user login.
Use the windows command line to telnet the switch. The Telnet login window is shown in the
following figure.

Figure 6-14 Telnet login window on the PC
Press Enter, and then input the username and password in the login window. If user
authentication succeeds, a command line prompt of the system view is displayed. It indicates
that you have entered the user view.
Figure 6-15 Window after login of the switch
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
vlan batch 2
#
interface Vlanif2
ip address 10.137.217.221 255.255.0.0
#
interface xgigabitethernet 0/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
aaa

local-user huawei password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$

local-user huawei service-type telnet
local-user huawei privilege level 3
#
user-interface maximum-vty 10
user-interface con 0
acl 3001 outbound
idle-timeout 20 0
screen-length 30
#
return
6.7.3 Example for Configuring User Login by Using STelnet

This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH user name and password, and enabling the STelnet service on the
SSH server, you can connect the Stelnet client to the SSH server.
As shown in Figure 6-16, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, RSA, password-rsa, or all) to log in to the
SSH server.
This example uses the password authentication mode.
Figure 6-16 Networking diagram of configuring user login through STelnet
VLANIF 2
10.164.39.210/24
Network
PC SSH Server
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet
client and the SSH server.
2. Configure a VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting a user authentication mode, a username,
and a password.
4. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
l SSH user authentication mode: password, username: client001, password: huawei

l User level of client001: 3

l IP address of the SSH server: 10.164.39.210
Procedure
Step 1 Generate a local key pair on the server.
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure a VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
Step 3 Configure the password of the SSH user Client001 as huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable the STelnet service on the SSH server.

[SSH Server] ssh user client001 service-type stelnet
[SSH Server] stelnet server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] quit
Step 5 Verify the configuration.

# Log in to the device through the software putty, and specify the IP address of the device being
10.164.39.210 and the login protocol being SSH.

Figure 6-17 Putty configuration
# Log in to the device through the software putty, and enter the username client001 and the
password huawei.
Figure 6-18 Log in to the device through the software putty
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server

#
vlan batch 2
#
interface Vlanif2
ip address 10.164.39.210 255.255.255.0
#
interface xgigabitethernet 0/0/1
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
ssh user client001 authentication-type password
ssh user client001
ssh user client001 service-type stelnet
#
#
return
6.7.4 Example for Configuring User Login by Using Secure Web

Network Management
SSL can be used to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity. In this manner, secure web network management can
be ensured, providing secure web access.
After a device that supports web network management is enabled with the HTTP function, the
device can function as a web server. Users can log in to the device using HTTP and use web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 6-19, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using web pages.
Figure 6-19 Networking diagram for accessing another device by using HTTPS
VLANIF10
192.168.0.1/24
Network
PC HTTP-Server

1. Upload a digital certificate and a web page file.
Upload the digital certificate and web page file saved on the PC to the device that functions
as an HTTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the HTTP server to the security
sub-directory, configure an SSL policy, and load the digital certificate.
3. Load the web page file.
4. Create a web account.
5. Log in to the web system.
Data Preparation
l IP addresses of the HTTP server
l HTTP user name and password
l SSL digital certificate
l Web account
l Web page file
Procedure
Step 1 Upload the digital certificate and web page file.
# Configure an IP address for the device that functions as an HTTP server so that the PC and
HTTP server are reachable.
[Quidway] sysname HTTP-Server
[HTTP-Server] interface xgigabitethernet0/0/1
[HTTP-Server-XGigabitEthernet0/0/1] port link-type access
[HTTP-Server-XGigabitEthernet0/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port xgigabitethernet0/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit
# Enable the FTP server function.

[HTTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for
FTP users.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password cipher huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei privilege level 15
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the digital certificate and web page file from the PC to the HTTP server, as shown in
Figure 6-20.

Figure 6-20 Uploading a digital certificate
After the preceding configurations are complete, run the dir command on the HTTP server. The
command output shows that the digital certificate and web page file have been successfully
uploaded to the server.
<HTTP-Server> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time(LMT) FileName

0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 14 2011 19:22:35 1_serverkey_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 14 2011 04:56:35 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
304,292 KB total (300,782 KB free)
Step 2 Configure an SSL policy and load the digital certificate.

# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<HTTP-Server> mkdir security/
<HTTP-Server> copy 1_servercert_pem_rsa.pem
<HTTP-Server> copy 1_serverkey_pem_rsa.pem security/
After the preceding configurations are complete, run the dir command in the security sub-
directory on the HTTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<HTTP-Server> cd security/

<HTTP-Server> dir
Directory of flash:/security/

1 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_rsa.pem
304,292 KB total (303,404 KB free)
# Create an SSL policy and load the PEM digital certificate.

<HTTP-Server> system-view
[HTTP-Server] ssl policy http_server
[HTTP-Server-ssl-policy-http_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
123456
[HTTP-Server-ssl-policy-http_server] quit
After the preceding configurations are complete, run the display ssl policy command on the
HTTP server. The command output shows detailed information about the loaded certificate.
[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Step 3 Load the web page file.

[HTTP-Server] http server load web.zip
Step 4 Create a web account.

# Enable the HTTPS server function.
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable
# Configure authentication information and authorization mode for HTTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user http password cipher http
[HTTP-Server-aaa] local-user http service-type http
[HTTP-Server-aaa] local-user http privilege level 15
[HTTP-Server-aaa] quit
Step 5 Log in to the web system.

Open the Web browser on the PC. Enter the IP address of the HTTP server in the address bar.
Press Enter and the dialog box shown in Figure 6-21 is displayed.

Figure 6-21 Login GUI
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
# Run the display http server command on the HTTPS server. The command output shows the
SSL policy name and the HTTPS server status.
[HTTP-Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 0
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
----End
Configuration Files
Configuration file of the HTTPS server
#
sysname HTTP-Server
#
FTP server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file

1_serverkey_pem_rsa.pem auth-code 123456

#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
local-user http password cipher %$%$D/[nJdkW1WDY6^Ek83G;-\SJ%$%$
local-user http service-type http
local-user http privilege level 15
local-user huawei password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
local-user huawei service-type ftp
local-user huawei ftp-directory flash:
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface XGigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return

Configuration Guide - Basic Configuration 7 Managing the File System
7 Managing the File System
About This Chapter
The file system manages the files and directories on the storage devices of the switch. It can
move or delete a file or directory, or display the contents of a file.
7.1 File System Overview

The switch uses the file system to manage all files.
7.2 Managing Files Using the File System
You can use the file system to manage storage devices, directories, and files.
7.3 Managing Files Using FTP
FTP can transmit files between local and remote hosts. It is widely used for version upgrade,
log downloading, file transmission, and configuration saving.
7.4 Managing Files Using SFTP
SFTP allows you to log in to the switch securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.
7.5 Performing File Operations by Means of FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.
The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.

7.1 File System Overview

The switch uses the file system to manage all files.
7.1.1 File System

The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.
Managing Files Using the File System

After logging in to the switch by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.
l Storage devices
Storage devices are hardware devices for storing data.
Different products support different storage devices. Currently, the S6700 supports the flash
memory.
l Files
A file is resources for storing and managing data.
l Directories
A directory is a logical container that the system uses to organize files.
7.1.2 Methods of File Management

You can use the FTP, SFTP or FTPS to manage files.
Managing Files Using FTP

FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode,
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the throughput.
FTP has two file transfer modes:

l Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
l ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:

l FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
l FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
Managing Files Using SFTP

SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device
functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server or the connection between the server and the client fails, the client needs
to detect the fault in time and removes the connection proactively. To help the client detect such
a fault in time, configure an interval at which Keepalive packets are sent if no packet is received
and the maximum number of times that the server does not respond for the client:
l If the client does not receive any packet within the specified period, the client sends a
Keepalive packet to the server.
l If the maximum number of times that the server does not respond exceeds the specified
value, the client proactively releases the connection.
Managing Files Using FTPS

Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats. An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
By default, a user cannot log in to the device using FTPS. To log into the device using FTPS,
perform the following steps:
l Logging in to the device through the console port and loading a digital certificate to the
sub-directory named security of the system directory on the FTPS server
l Installing the FTP client software that supports SSL on the PC
7.2 Managing Files Using the File System

You can use the file system to manage storage devices, directories, and files.


Before using the file system to manage files, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration tasks quickly and correctly.
Use the file system to manage files or directories on the switch. If the switch is unable to save
or obtain data, log in to the file system to repair the faulty storage devices.
Before logging in to the file system to manage files, connect the client with the server correctly.
Data Preparation
To manage files by logging in to the file system, you need the following data:
No. Data
1 Storage device name
2 Directory name
3 File name
7.2.2 Managing Storage Devices

When a storage device file system on the switch does not function properly, you must repair and
format the file system before managing the storage device.
Context
When the file system on a storage device fails, the terminal of the switch prompts you to rectify
the fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device. After Formatting the storage devices, the files and directories
in the specified storage device are cleared and cannot be restored.
CAUTION
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Procedure
l Run:
fixdisk device-name

A storage device with file system problems is repaired.
NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
l Run:
format device-name
The storage device is formatted.
NOTE
If the storage device does not work after you run this command, there may be a hardware fault.
----End
7.2.3 Managing Directories

You can manage directories to store files in logical hierarchy.
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
l Run:
cd directory
A directory is specified.
l Run:
pwd
The current directory is displayed.

l Run:
dir [ /all ] [ filename | flash: ]
A list of files and sub-directories in the directory is displayed..
Either the absolute path or relative path is applicable.

l Run:
mkdir directory
The directory is created.

l Run:
rmdir directory
The directory is deleted.
----End
7.2.4 Managing Files

You can log in to the file system to view, delete, or rename files on the switch.

Context
l Managing files includes: displaying contents, copying, moving, renaming, compressing,
deleting, undeleting, deleting files in the recycle bin, running files in batch and configuring
prompt modes.
l You can run the cd directory command to enter the directory you want from the current
directory.
Procedure
l Run:
more file-name [ offset ] [ all ]
The content of a file is displayed.
Specify parameters in the more command for file viewing options:

– Running the more file-name command to view the file named file-name. Contents of a
text file are displayed screen by screen. Hold and press the spacebar on the current
terminal to display all contents of the current file.
Two preconditions must be set to display the contents of a text file screen by screen:
– The value configured by screen-length screen-length temporary command must
be larger than 0.
– The total number of lines in the file must be greater than the value configured by
screen-length command.
– Running the more file-name offset command to view the file named file-name. Contents
of a text file are displayed screen by screen beginning with the line specified by offset.
Hold and press the spacebar on the current terminal to display all contents of the current
file.
Two preconditions must be met to display the contents of a text file screen by screen:
– The value configured by screen-length screen-length command must be greater than
0.
– The result difference between the number of file characters subtracted and the value
of offset must be greater than the value configured by the screen-length command.
– Running the more file-name all command to view the file named file-name. Contents
of a text file are completely displayed without pausing after each screen of information.
l Run:
copy source-filename destination-filename
The file is copied.

l Run:
move source-filename destination-filename
The file is moved.

l Run:
rename source-filename destination-filename
The file is renamed.

l Run:
zip source-filename destination-filename
The file is compressed.

l Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }
The file is deleted.
CAUTION
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l Run:
undelete filename
The deleted file is recovered.

l Run:
reset recycle-bin [ filename ]
The file is deleted.
You can use this command to permanently delete files in the recycle bin.
l Running Files in Batches
You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the switch.
You can create and run a batch file to implement routine tasks.
1. Run:
system-view

2. Run:
execute filename
The batched file is executed.

l Configuring Prompt Modes
The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.
1. Run:
system-view

2. Run:
file prompt { alert | quiet }
The file system prompt mode is configured.
The default prompt mode is alert.

CAUTION
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
7.3 Managing Files Using FTP

FTP can transmit files between local and remote hosts. It is widely used for version upgrade,

Before using FTP to manage files, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain any data required for the configuration.
When an FTP client logs in to a switch serving as an FTP server, the user can transfer files
between the client and the server.
Before using FTP to manage files, connect the FTP client to the server.
Data Preparation
To use FTP to manage files, you need the following data:
No. Data
1 FTP username and password, and authorized FTP file directory name
2 (Optional) Listening port number specified on the FTP server
3 (Optional) Source IP address or source interface of the FTP server

(Optional) Timeout period for disconnection from the FTP server
4 IP address or host name of the FTP server
7.3.2 Configuring a Local FTP User

You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, reducing security risks.

Context
To use FTP to manage files, you must configure a local username and a password on the
switch and specify a service type and the directories that can be accessed.
Perform the following operations on the switch that functions as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
set default ftp-directory directory
The default FTP working directory is configured.
NOTE
The configuration in this step takes effect only with TACACS users.
Step 3 Run:
aaa
Step 4 Run:
The local user name and password are configured.
Step 5 Run:
local-user user-name service-type ftp
The FTP service type is configured.
Step 6 Run:
The local user level is set.
NOTE
The local user level must be set to 3 or higher.
Step 7 Run:
local-user user-name ftp-directory directory
The authorized directory for the FTP user is configured.
----End
7.3.3 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number for an FTP server. After the port number
is changed, only the user knows the current port number and this protects system security.

Context
The default listening port number for an FTP server is 21. Users can log in to the switch directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, preventing
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
NOTE
If FTP is not enabled, change the FTP port as required.

If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.
Perform the following steps on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.
Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and begins to use the new listening port.
----End
7.3.4 Enabling the FTP Server

You must enable an FTP server on the switch before using FTP to manage files.
Context
The FTP server is disabled by default on the switch. It must be enabled before FTP can be used.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.

NOTE
When file operations between clients and the switch are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects switch security.
----End
7.3.5 (Optional) Configuring the FTP Server Parameters

FTP server parameters include the FTP server source address and the timeout period for FTP
connections.
Context
l You can configure a source IP address for the FTP server. The FTP client can only access
this address and this protects system security.
l You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp server-source { -a ip-address | -i
interface-type interface-number }
The source IP address and source interface of an FTP server is configured.

To log in to the FTP server, you must specify the source IP address for the server in the ftp
command, or you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes
The timeout period for the FTP server is configured.

If the client is idle for the configured time, the connection to the FTP server is terminated.
By default, the timeout value is 30 minutes.
----End
7.3.6 (Optional) Configuring an FTP ACL

After an FTP ACL is configured, only specified clients can access the deviceswitch.
Context
When the switchfunctions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.

Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.
NOTE
FTP supports only the basic ACL.
Step 4 Run:
quit
Step 5 Run:
ftp [ ipv6 ] acl acl-number
The basic FTP ACL is configured.
----End
7.3.7 Accessing the System by Using FTP

After the FTP server is configured, you can use FTP to access the switch from a PC and manage
the files on the switch.
Context
You can use either the Windows command line prompt or third-party software to log in to the
switch. The example here uses the Windows command line prompt as an example.
Perform the following steps on the PC:
Procedure
Step 2 Run the ftp ip-address command to log in to the switch using FTP.
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt are displayed in the FTP client view, such as ftp>, you have entered the working
directory of the FTP server.

Figure 7-1 Using FTP to log in to the device
----End
7.3.8 Managing Files Using FTP Commands

After logging in to the switch that functions as an FTP server using FTP, you can upload and
download files to and from the switch, or manage the directories on the switch.
Context
After logging in to the FTP server, you can perform the following operations:
l Configuring data type for the file
l Uploading or downloading files
l Creating directories or deleting directories on the FTP server
l Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:
Procedure
l Configuring the data type and transmission mode for a file
– Run:
ascii or binary
The data type of the file to be transmitted is ascii or binary.

NOTE
FTP supports ASCII and the binary files. The difference the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
l Uploading or downloading files
– Upload or download a file.
– Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.

– Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.
l Running one or more of the following commands to manage directories
– Run:
cd pathname
The working path of the remote FTP server is specified.

– Run:
pwd
The specified directory of the FTP server is displayed.

– Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

– Run:
mkdir remote-directory
A directory is created on the FTP server.

– Run:
rmdir remote-directory
A directory is removed from the FTP server.

l Running one or more of the following commands to manage files

– Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
– Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

– Run:
delete remote-filename
The specified file on the FTP server is deleted.

When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End

After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.
Prerequisites
Managing files using FTP has been configured.
Procedure
l Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
l Run the display ftp-users command to check how many users are currently logged in FTP
server.
----End
Example
Run the display [ ipv6 ] ftp-server to view the status of the FTP server.
<Quidway> display ftp-server
FTP server is running
Max user number 5
User count 1
Timeout value(in minute) 30
Listening Port 1080
Acl number 0
FTP SSL policy
FTP Secure-server is stopped

Run the display ftp-users command to view the username, port number, authorization directory
of the FTP user configured.
<Quidway> display ftp-users
username host port idle topdir
zll 100.2.150.226 1383 3 flash:
7.4 Managing Files Using SFTP

SFTP allows you to log in to the switch securely from a remote device to manage files. This
makes transmission of data to the remote end more secure.

Before using SFTP to manage files, familiarize yourself with the usage scenario, complete the
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server for data transmission.
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.
Data Preparation
Before using SFTP to manage files, you need the following data.
No. Data
1 Maximum number of VTY user interfaces, (optional) ACL for restricting incoming
and outgoing calls on VTY user interfaces, connection timeout period of terminal
users, number of rows displayed in a terminal screen, size of the history command
buffer, user authentication mode, username, and password
2 Username, password, authentication mode, and service type of an SSH user, remote
public RSA or DSA key pair allocated to the SSH user, and SFTP working directory
of the SSH user
3 (Option) Number of the port monitored by the SSH server

(Option) The interval for updating the key pair on the SSH server
4 Name of the SSH server, number of the port monitored by the SSH server, preferred
encryption algorithm from the SFTP client to the SSH server, preferred encryption
algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from
the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server
to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address

No. Data
5 Directory name and File name
7.4.2 Configuring VTY User Interface

To allow a user to log in to the device by using SFTP, you need to configure attributes of the
VTY user interface.
Context
Before a user logs in to the device by using SFTP, the user authentication mode in the VTY user
interface must be set. Otherwise, the user cannot log in to the device.
Interface.
7.4.3 Configuring SSH for the VTY User Interface

Before users can log in to the switch using SFTP, you must configure VTY user interfaces to
support SSH.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, you
cannot log in to the switch using SFTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
Step 3 Run:
Step 4 Run:
----End

7.4.4 Configuring an SSH User and Specifying SFTP as One of

Service Types
Before logging in to the switch using SFTP, you must configure an SSH user, configure the
switch to generate a local RSA or DSA key pair, configure a user authentication mode, and
specify a service type and authorized directory for the SSH user.
Context
l There are six SSH user authentication modes: RSA, DSA, password, password-RSA,
– Password-RSA authentication depends on both password authentication and RSA
authentication.
– Password-DSA authentication depends on both password authentication and DSA
authentication.
– All authentication depends on either of the following authentications: password
authentication, or DSA authentication and RSA authentication.
RSA key and DSA key are an algorithm for user authentication in SSH, respectively.
Compared with RSA authentication, DSA authentication adopts the DSA encryption mode
and is widely used. In many cases, SSH only supports DSA to authenticate the server and
the client. When the RSA or DSA authentication mode is used, the priority of users depends
on the priority of the VTY user interfaces used for login.
Perform the following operations on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name
An SSH user is created.

If password or password-RSA authentication, or password-DSA is configured for the SSH user,
create the same SSH user in the AAA view and set the local user access type to SSH.
2. Run the local-user user-name password cipher password command to set the local user
access type to SSH.
Step 3 Run:

The SSH user level is set.
NOTE
The SSH user level must be set to 3 or higher.
Step 4 Create an RSA or DSA key pair.

l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
l You must configure the rsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The minimum length of the server key pair and the host key
pair is 512 bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1,024 bits and 2,048 bits. By default, the length of the key pair is 512 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
Step 5 Perform the operations as described in Table 7-1 based on the configured SSH user
authentication mode.
Table 7-1 Configuring an authentication mode for the SSH user

Configure Run the ssh user user-name If local or HWTACACS

Password authentication-type password authentication is used and there
Authentication command are only a few users, use password
authentication.

Configure the Run the ssh authentication-type When you log in using SSH and
Default Password default password command use a TACACS server for
Authentication authentication, the network
administrator needs to specify the
information about an SSH user on
the TACACS server. In most
cases, however, the SSH server
cannot obtain the user
information from the TACACS
server. To resolve this problem,
you can run the ssh
authentication-type default
password command to set the
authentication mode as password
authentication. Then, you can log
in to the device on the SSH server
safely.
Configure RSA 1, Run the ssh user user-name -

authentication authentication-type rsa command
to configure RSA authentication.
2, Run the rsa peer-public-key key- -

name command to enter the public
key view.

edit view.

key edit view.


format is entered.
is displayed.

assign rsa-key key-name command
Configure DSA 1, Run the ssh user user-name -

authentication authentication-type dsa command
to configure DSA authentication.
2. Run the dsa peer-public-key -

key-name encoding-type { der |
pem } command to configure an
encoding format for a DSA public
key and enter the DSA public key
view.

edit view.

key edit view.


format is entered.
is displayed.

assign dsa-key key-name command
Step 6 (Optional) Authorize SSH users using command lines.

Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of an SSH user is set to SFTP or all.

By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is flash:.
----End
7.4.5 Enabling the SFTP Service

The STelnet service must be enabled before it can be used.
Context
By default, the SFTP server function is not enabled on the switch. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the switch.

Perform the following steps on the switch that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp server enable
The SFTP service is enabled.

By default, the SFTP service is disabled.
----End
7.4.6 (Optional) Configuring the SFTP Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated.
Procedure
Step 1 Run:
system-view

Step 2 Perform one or both of the operations shown in Table 7-2 as needed.
Table 7-2 Server parameters

parameters
Configure the Run the ssh server rekey-interval You can set an interval at which the
interval at interval command. key pair of an SSH server is updated.
which the key By default, the interval is 0, When the timer expires, the key pair
pair of the indicating that the key is never is automatically updated, improving
SSH server is updated. security.
updated
Configure the Run the ssh server timeout If a user fails to log in when the
timeout seconds command. timeout period of SSH
period of SSH By default, the timeout period is 60 authentication expires, the system
authentication seconds. disconnects the current connection
to ensure the system security.


parameters
Configure the Run the ssh server authentication- The number of times that SSH
number of retries times command. authentication is retried is set to deny
times that By default, SSH authentication access of unauthorized users.
SSH retries a maximum of 3 times.
authentication
is retried
Configure Run the ssh server compatible- There are two SSH versions:
earlier SSH ssh1x enable command. SSH1.X (earlier than SSH2.0) and
version By default, an SSH server running SSH2.0. SSH2.0 has an extended
compatibility SSH2.0 is compatible with SSH1.X. structure and supports more
To prevent clients running SSH1.3 to authentication modes and key
SSH1.99 from logging in, run the exchange methods than SSH1.X,
undo ssh server compatible-ssh1x SSH 2.0 can eliminate the security
enable command to disable support risks that SSH 1.X has. SSH 2.0 is
for earlier SSH protocol versions. more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The S6700 Series
supports SSH versions ranging from
1.3 to 2.0.
Configure the Run the ssh server port port- The default listening port number of
listening port number command. an SSH server is 22. Users can log in
number of the By default, the listening port number to the device by using the default
SSH server is 22. listening port number. Attackers
may access the default listening port,
If a new listening port is set, the SSH consuming bandwidth, deteriorating
server cuts off all established STelnet server performance, and causing
and SFTP connections, and uses the authorized users unable to access the
new port number to listen to server. After the listening port
connection requests. number of the SSH server is
changed, attackers do not know the
new port number. This effectively
prevents attackers from accessing
the listening port and improves
security.
----End
7.4.7 Accessing the System Using SFTP

After the configuration is complete, you can use SFTP to log in to the switch from a user terminal
and manage files on the switch.
Context
Third-party software can be used to access the switch from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.

Install OpenSSH on the user terminal and then do as follows:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the switch, see help documentation for the
software.
Procedure
Step 2 Run relevant OpenSSH commands to log in to the switch in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, you have
entered the working directory of the SFTP server.
Figure 7-2 Using SFTP to log in to the device
----End
7.4.8 Managing Files Using SFTP

You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.

Context
After logging in to the SFTP server, you can perform the following operations:
l Displaying the SFTP client command help
l Managing directories on the SFTP server
l Managing files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.
Procedure
l Run:
help [ all | command-name ]
The SFTP client command help is displayed.

l Perform one or multiple of the following operations as required.
– Run:
cd [ remote-directory ]
The current operating directory of users is changed.

– Run:
pwd
The current operating directory of users is displayed.

– Run:
dir/ls [ path ]
A list of files in the specified directory is displayed.

– Run:
rmdir remote-directory &<1-10>
The directory on the server is deleted.

– Run:
A directory is created on the server.

l Perform one or multiple of the following operations as required.
– Run:
rename old-name new-name
The name of the specified file on the server is changed.

– Run:
The file on the remote server is downloaded.

– Run:
The local file is uploaded to the remote server.

– Run:
rmdir remote-directory &<1-10>
The file on the server is removed.

----End


After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.
Prerequisites
SSH users have been configured.
Procedure
l Run the display ssh user-information username command on the SSH server to check
information about the SSH client.
l Run the display ssh server status command on the SSH server to check its global
configurations.
l Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password.
[Quidway] display ssh user-information client001
User-public-key-type : RSA
Sftp-directory : -
Service-type : sftp
Authorization-cmd : Yes
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view global configurations of an SSH server.
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries : 5 times
SFTP server : Enable
Stelnet server : Enable
Scp server : Enable
SSH server port : 55535
NOTE
If the default interception port is in use, information about the current interception port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<Quidway> display ssh server session
Session 2:
Conn : VTY 4
Version : 2.0
State : started

Retry : 1
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Service Type : sftp
7.5 Performing File Operations by Means of FTPS


Before using FTPS to manage files, familiarize yourself with the usage scenario, complete the
As shown in Figure 7-3, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.
Figure 7-3 Networking diagram for a PC to log in to an FTPS server
VLANIF10
192.168.0.1/24
Network
PC FTP-Server
Before using FTPS to manage files, complete the following tasks:
l Configure an FTP user on the FTPS server.

l Load a digital certificate to the sub-directory named security of the system directory on
the FTPS server.
l Install the SSL-capable FTP client software on the PC.

Data Preparation
Before using FTPS to manage files, you need the following data.
No. Data
1 SSL policy name and digital certificate
2 IP address of the FTPS server
7.5.2 Configuring an SSL Policy and Loading a Digital Certificate

A client uses a digital certificate to authenticate the identity of a server for secure communication.
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
FTPS server must be obtained from a corresponding CA.
certificate is .pem.
ASN1 digital certificate is .der.
digital certificate is .pfx.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
An SSL policy is configured and the SSL policy view is displayed.


l Run:

l Run:
filename

l Run:

l Run:

NOTE
chain.
----End
7.5.3 Enabling the FTPS Function

After a device is configured with an SSL policy and enabled with the FTPS server function, the
device functions as an FTPS server to provide SSL-based FTP services.
Context
NOTE
Before enabling the FTPS server function, disable the FTP server function.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 3 Run:
ftp secure-server enable
The FTPS server function is enabled.

By default, the FTPS server function is disabled.
----End

7.5.4 Accessing an FTPS Server

You can use a PC with the SSL-capable FTP client software or an FTPS client to access an FTPS
server for secure management of files on the FTPS server.
Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then
use a third-party software to log in to the FTPS server from the PC to securely manage files on
the FTPS server.

After the configuration of login to an FTPS server from a user terminal is complete, you can
view the SSL policy, digital certificate, and status of the FTPS server.
Prerequisites
Login to the devices by using FTPS has been configured.
Procedure
l Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
FTP server is stopped
Max user number 5
User count 1
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running


The examples in this section show how to use FTP, SFTP or FTPS to access the system and
manage files. These configuration examples explain networking requirements and provide
configuration roadmaps and configuration notes.
7.6.1 Example for Managing Files Using FTP

This example shows how to use FTP to manage files. In the example, a user uses FTP to log in
to the switch from a PC and then download files to the FTP client.
As shown in Figure 7-4, the local PC functions as the FTP client of which the IP address is
10.1.1.1/24.
The Switch acts as the FTP server, and IP address of the FTP server is 10.1.1.2/24.
The PC uploads files to the Switch.
Figure 7-4 Networking diagram of the Switch functioning as the FTP server
VLAN10
FTP Client FTP Session FTP Server
Ethernet L2 Switch Ethernet Switch

PC
Switch Interface VLANIF interface IP address
FTP Server XGigabitEthernet0/0/1 VLANIF 10 10.1.1.2/24
1. Set the correct FTP user name and password on the Switch that functions as the FTP server.
2. Log in to the Switch through FTP from the PC.
3. Upload files to the FTP server.
Data Preparation
l IP address of the FTP server

l Name of the FTP user set as u1 and the password set as ftppwd on the server

l Correct path of the source file on the PC

l Name of the destination file and position where the destination files are located on the
Switch
Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
[Quidway] vlan 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftpwd.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user u1 password cipher ftppwd
[Quidway-aaa] local-user u1 service-type ftp
[Quidway-aaa] local-user u1 privilege level 15
[Quidway-aaa] local-user u1 ftp-directory flash:/
[Quidway-aaa] return
Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
Use Windows XP on the FTP client to illustrate the preceding operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
Step 5 Upload d006.cc and vrpcfg.cfg to the Switch on the PC.

ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>
----End
Configuration Files
#
sysname Quidway
#
FTP server enable

#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
aaa
local-user u1 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
local-user u1 privilege level 15
local-user u1 ftp-directory flash:/
local-user u1 service-type ftp
#
Return
7.6.2 Example for Managing Files Using SFTP

This example shows how to use SFTP to manage files. In the example, a local key pair, and a
username and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
between the client and the server.
As shown in Figure 7-5, after SFTP services are enabled on the switch functioning as an SSH
server, you can log in to the server from an SFTP client PC in password, RSA, password-rsa,
DSA, password-DSA or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.
Figure 7-5 Networking diagram for managing files using SFTP
VLANIF 2
10.164.39.210/24
Network
PC SSH Server
1. Configure a local key pair on the SSH server to exchange data securely between the SFTP
client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including user authentication mode, username, password, and
authorization directory.
4. Enable SFTP services on the SSH server and configure a user service type.
Data Preparation

l SSH user authentication mode: password, username: client001, password: huawei

l User level of client001: 3
l IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure VTY user interfaces on the SSH server.

Step 3 Configure the SSH username and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher
huawei
Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 service-type sftp
Step 5 Configure the authorization directory for the SSH user.

[SSH Server] ssh user client001 sftp-directory flash:
Step 6 Verify the configurations.

Figure 7-6 Access interface
----End
Configuration Files
l Configuration file of the SSH server
#
sysname SSH Server
#
vlan batch 10
#
aaa
local-user client001 password cipher %$%$PoPK$x&v~12^g\0]Y$u3"'{r%$%$
#
interface Vlanif10
ip address 10.137.217.225 255.255.255.0
#
#
sftp server enable
ssh user client001
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
#
return
7.6.3 Example for Performing File Operations by Means of FTPS

You can use a terminal on which the SSL-capable FTP client software is installed to log in to
an FTPS server to securely operate files transmitted between the terminal and the server.

As shown in Figure 7-7, an SSL policy is configured on the FTP server. After a digital certificate
is loaded and the FTPS server function is enabled on the server, you can log in to the server from
a terminal on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.
Figure 7-7 Operating files using FTPS
VLANIF10
192.168.0.1/24
Network
PC FTP-Server
1. Upload a digital certificate.
Upload the digital certificate saved on the PC to the FTP server.
2. Load the digital certificate.
Copy the digital certificate from the system directory of the FTP server to the sub-directory
named security, configure an SSL policy, and load the digital certificate.
3. Enable the FTPS server function.
4. Install the SSL-capable FTP client software on the PC
Data Preparation
l FTP user name and password
l SSL digital certificate
Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
[Quidway] sysname FTP-Server

[FTP-Server] vlan 10
[FTP-Server-vlan10] quit
[FTP-Server] interface xgigabitethernet0/0/1
[FTP-Server-XGigabitEthernet0/0/1] port hybrid pvid vlan 10
[FTP-Server-XGigabitEthernet0/0/1] port hybrid untagged vlan 10
[FTP-Server-XGigabitEthernet0/0/1] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit

[FTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
7-8.
Figure 7-8 Logging in to an FTP server from a user terminal
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
7-9.

After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir

0 drw- - May 10 2011 05:05:40 src
1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 May 10 2011 05:32:05 1_servercert_pem_rsa.pem
4 -rw- 951 May 10 2011 05:32:44 1_serverkey_pem_rsa.pem
304,292 KB total (303,770 KB free)
Step 2 Configure an SSL policy and load the digital certificate.

<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/
directory on the FTP server. The command output shows that the digital certificate has been
<FTP-Server> cd security/
<FTP-Server> dir

304,292 KB total (303,766 KB free)

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
123456

[FTP-Server-ssl-policy-ftp_server] quit
Step 3 Enable the FTPS server function.

NOTE
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Install the SSL-capable FTP client software on the PC.

For details about the operation procedure, see the help document about the third-party software.
# Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the loaded certificate.
[FTP-Server] display ssl policy
Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
Max user number 5
User count 1
Listening port 21
Acl number 0
You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.
----End
Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
#
aaa

local-user huawei ftp-directory flash:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
#
return

Configuration Guide - Basic Configuration 8 Configuring System Startup
8 Configuring System Startup
About This Chapter
When the switch is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the switch, you need to manage system software and configuration
files efficiently.
8.1 System Startup Overview

When the switch is powered on, system software starts and configuration files are loaded.
8.2 Managing Configuration Files
You can manage the configuration files for the current and next startup operations on the
switch.
8.3 Specifying a File for System Startup
You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the switch.
The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.

8.1 System Startup Overview

When the switch is powered on, system software starts and configuration files are loaded.
8.1.1 System Software

System software provides an operating system for the switch. System software must be set up
correctly for the switch to run properly and provide services.
The extension for the system software file is .cc. The file must be saved in the root directory of
the storage device.
8.1.2 Configuration Files

The configuration file is the add-in configuration item when restarting the switch this time or
next time.
The configuration file is a text file in the following formats:
l The configuration file of V200R001 must begin with the message like "!Software Version
V200R001C00."
l It is saved in the command format.
l To save space, default parameters are not saved.
l Commands are organized on the basis of the command view. All commands of the identical
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
l The sequence of command sections is global configuration, physical interface
configuration, logic interface configuration, routing protocol configuration and so on.
l The file name extension of the configuration file must be .cfg or .zip, and must be stored
in the root directory of a storage device.
NOTE
l The system can run the command with the maximum length of 510 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 510 characters. When the system restarts, these
commands cannot be restored.
l A configuration file can contain 30000 command lines. If more than 30000 commands are configured,
some commands may be lost after an upgrade.
8.1.3 Configuration Files and Current Configurations

When the switch is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are as follows.

Concept Identifying Method
Configuration files Initial configurations: When l Run the display startup

powered on, the switch command to view the
retrieves configuration files configuration files for the
from a default save path to current startup and next
initialize itself. If startup on the switch.
configuration files do not l Run the display saved-
exist in the default save path, configuration command
the switch uses default to view the configuration
initialization parameters. file for the next startup on
the switch.
Current configurations Current configurations: Run the display current-

indicates the configurations configuration command to
in effect on the switch when it view current configurations
is actually running. on the switch.
You can use the command line interface to modify current switch configurations. Use the
save command to save modified configurations to the configuration file on the default storage
devices. This configuration file will be used to initialize the switch when the switch is powered
on next time.
8.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the
switch.

Before managing configuration files, familiarize yourself with the usage scenario, complete the
Configuration files can be saved, cleared, compared, backed up, and restored. Configuration file
management is required to upgrade the switch, take preventive measures, repair configuration
files, and view configurations after the switch starts.
Before managing configuration files, install and powering on the switch.
Data Preparation
To manage configuration files, you need the following data.

No. Data
1 Configuration file and its name
2 Configuration file saving interval and delay interval
3 Number of the start line from which the comparison of the configuration files
begins
8.2.2 Saving Configuration Files

The configurations completed by using command lines are valid for only the current operation
on the switch. To allow the configurations to be valid for the next startup, you need to save the
current configurations to configuration files before restarting the switch.
Context
Configuration files can be saved on demand or the system can be set to save configuration files
at regular intervals. This prevents data loss if the switch restarts without warning or when it is
powered off.
Run one of the following commands to save configuration files.
Procedure
l Run:
1. system-view

2. set save-configuration [ interval interval | cpu-limit cpu-usage |delay
delay-interval ] *
The configuration file is saved at intervals.

After the parameter interval interval is specified, the system saves the current
configuration if the configuration has changed; if the configuration has not changed,
the system does not save the current configuration.
– If the set save-configuration command is not run, the system does not
automatically save configurations.
– If the set save-configuration command without specified interval is run, the
system automatically saves configurations at an interval of 30 minutes.
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After delay delay-interval is specified, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After automatic saving of configurations is configured, the system automatically saves
the changed configurations to the configuration file for the next startup and
configuration files are changed accordingly with the saved configurations.
Before configuring the automatic configure file saving on the server, you need to run
the set save-configuration backup-to-server server server-ip [ transport-type

{ ftp | sftp } ] user user-name password password [ path folder ] or set save-
configuration backup-to-server server server-ip transport-type tftp [ path
folder ] command to configure the server, including the IP address, username,
password of the server, destination path, and mode of transporting the configuration
file to the server.
NOTE
If TFTP is used, run the tftp client-source command to configure a loopback interface address as a
client source IP address on the switch, improving security.
l Run:
save [ all ] [ configuration-file ]
The current configurations are saved.
The extension for the configuration file must be .cfg or .zip. The system startup
configuration file must be saved in the root directory of a storage device.
You can modify the current configuration through the CLI. To set the current configuration
as initial configuration when the switch starts next time, you can use the save command to
save the current configuration in the flash memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that have not been inserted, to the next startup configuration
file.
NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the switch asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip" is
the default configuration file and initially contains no configuration.
----End
8.2.3 Clearing a Configuration File

This section describes how to clear the content of the configuration file that has been loaded to
a device or how to delete configurations on an interface to restore the default configurations.
Context
The configuration file stored in the flash memory needs to be cleared in the following cases:
l The system software does not match the configuration file after the switch has been
upgraded.
l The configuration file is destroyed or an incorrect configuration file has been loaded.
Perform the following operations to clear the content of a configuration file:
Procedure
l Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration
file.
– If the configuration file used for the current startup of the switch is the same as the file
to be used for the next startup, running the reset saved-configuration command clears
both files. The switch will use the default configuration file for the next startup.

– If the configuration file used for the current startup of the switch is different from the
file to be used for the next startup, running the reset saved-configuration command
clears the configuration file used for the current startup.
– If you run the reset saved-configuration command and the configuration file used for
the current startup of the switch is empty, the system will prompt that the configuration
file does not exist.
CAUTION
l Exercise caution when running this command. If necessary, do it under the guidance of
Huawei technical support personnel.
l After the contents of a configuration file are cleared, the empty configuration file with
the original file name is left.
l After the configuration file is cleared, if you do not run the startup saved-
configuration configuration-file command to specify a new configuration file, or do
not run the save command to save the configuration file, the switch will use the default
configuration file at the next startup.
l Clear the configurations of a specified interface.

1. Run the system-view command to enter the system view.
2. Run the clear configuration interface interface-type interface-number command to
clear the configurations of the specified interface.
----End
8.2.4 Comparing Configuration Files

You can determine whether the current configuration file is the same as the one for the next
startup or a specified one on the switch by comparing them.
Context
You can determine whether to specify the current configuration file as the one for the next startup
by comparing the current configuration file with the one for the next startup.
Procedure
l Run:
compare configuration [ configuration-file ] [ current-line-number save-line-
number ]
The current configuration is compared with the configuration file for next startup.
– If configuration-file is configured, the system checks whether the current configuration
file is the same as the specified configuration file.
– If no parameter is set, the comparison begins with the first lines of configuration files.
If values for current-line-number and save-line-number are set, the comparison
continues by ignoring differences between the configuration files.
The system begins to display the content of a current and a saved configuration file from
the first line of the two files that is different. Beginning with this line, 150 characters are

displayed by default for each of the files. If there are fewer than 150 characters remaining
after the first line with a difference, all remaining content in the files is displayed.
NOTE
When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system prompts that reading files fails.
----End
8.2.5 Backing Up the Configuration Files

Context
You can back up the configuration files by using the following ways:
Procedure
l Copying the screen directly
In the CLI, run the display current-configuration command. Copy all the display to txt
documents, then back up the configuration files to the hard disk of the maintenance terminal.
l Backing up the configuration files through TFTP
1. Copy the configuration files in the Flash directly.
This action is to back up the current configuration files that are stored in the Flash of
the device.
After startup of the device, use the following commands to back up the configuration
files in the Flash of the device.
<Quidway> save flash:/config.cfg
The current configuration will be written to the device.
Are you sure to continue?[Y/N]:y
Now saving the current configuration to the slot 0.
Info: Save the configuration successfully.
<Quidway> copy config.cfg flash:/backup.cfg
Copy flash:/config.cfg to flash:/backup.cfg?[Y/N]:y
100% complete/
Info: Copied file flash:/config.cfg to flash:/backup.cfg...Done.
2. Assign an IP address for the device.

The device acts as the TFTP client.
Connect the device to the maintenance terminal. Establish the Telnet environment and
assign an IP addresses for the interface. A reachable route must exist between the
TFTP client and the TFTP server.
3. Start the TFTP server application program.
Start the TFTP server application in the PC. Set the path, the IP address, and the port
number of the TFTP server to download the configuration files.
4. Transfer the configuration files.
In the user view, run the tftp command.
<Quidway> tftp 10.110.24.209 put config.cfg
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
3501 bytes send in 1 second.

l Backing up the configuration files through FTP

1. Connect the device to the maintenance terminal, establish the Telnet environment and
assign an IP address for the interface.
2. Start the FTP service.
The device acts as the FTP server.
Start the FTP server on the device. Create an FTP user whose username is huawei and
password is huawei.The user level must be set to 3 or higher. Authorize the user to
visit flash:\.
[Quidway] ftp server enable
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 3
[Quidway-aaa] local-user huawei ftp-directory flash:/
[Quidway-aaa] local-user huawei service-type ftp
3. Initiate an FTP connection to the device from the maintenance terminal.
On the PC, establish an FTP connection with the device through the FTP client. For
example, the IP address of the device is 10.110.24.254.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.
4. Set the parameters.
After the FTP user passes authentication, the FTP client prompts "ftp>". Enter
binary and specify the directory for storing the configuration files on the FTP client.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
5. Transfer the configuration files.
Run the get command on the PC to download the configuration files to the local
specified directory and save them as backup.cfg.
ftp> get config.cfg backup.cfg
150 Opening ASCII mode data connection for config.cfg.
226 Transfer complete.
ftp: 1021 bytes received in 0.06Seconds 60.02Kbytes/sec.
ftp>
6. Check whether the config.cfg and backup.cfg files are of the same size. If they are
of the same size, the backup is successful.
----End
8.2.6 Restoring the Configuration Files
Context
You can restore the configuration files through the following ways:

NOTE
After restoring the configuration files, restart the device to make the configuration files take effect. Run
the startup saved-configuration command to specify the configuration file for next startup. If the
configuration file name is unchanged, you do not need to run this command. Then run the reboot command
to restart the device.
Procedure
l Restoring the configuration files saved in the Flash
This operation is to restore the configuration files saved in the Flash of the device as the
configuration files of the current system.
Run the following commands when the device works normally.

<Quidway> copy flash:/backup.cfg flash:/vrpcfg.zip
Copy flash:/backup.cfg to flash:/vrpcfg.zip?[Y/N]:y
100% complete/
Info: Copied file flash:/backup.cfg to flash:/vrpcfg.zip...Done.
l Restoring the configuration files saved in the PC through TFTP
The device works as the TFTP client. The restoration procedure is similar to that of backing
up the configuration files through TFTP. Run the tftp get command to download the
configuration files saved in the PC to the Flash of the device.
l Restoring the configuration files saved in the PC through FTP
The device acts as the FTP server. The restoration procedure is similar to that of backing
up the configuration files through FTP. Run the put command to upload the
configuration files saved in the PC to the Flash of the device.
----End

After managing configuration files, you can view the current configuration files and files in the
storage device.
Prerequisites
Managing configuration files has been configured.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ]command to check current configurations.
l Run the display startup command to check files for startup.
l Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
l Run the display saved-configuration configuration command to view configurations of
the autosave function, including the status of the autosave function, time for autosave check,
threshold for the CPU usage, and period during which configurations are unchanged (when
the period expires, configurations are automatically saved).

l Run the display changed-configuration time command to check the time of the last
configuration change.
----End
Example
Run the display startup command to check files for startup.
<Quidway> display startup
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
8.3 Specifying a File for System Startup

You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the switch.

Before specifying a file for system startup, familiarize yourself with the usage scenario, complete
To enable the switch to provide user-defined configurations during the next startup, you need
to correctly specify the system software and configuration file for the next startup.
Before specifying a file for system startup, install the switch and powering it on properly.
Data Preparation
To specify a file for system startup, you need the following data.
No. Data
1 System software and its file name on the S6700
2 Configuration file and its file name on the device

8.3.2 Configuring System Software for a switch to Load for the Next
Startup
If you need to upgrade system software of a switch, you can specify the switch system software
to be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
The file name extension of the system software must be .cc and the file must be stored in the
root directory of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The S6700 system software to be loaded at the next startup of the switch is configured.
The system software package must use .cc as the extension and be saved to the root directory of
the flash memory.
If the BootROM version of next startup software that you specify is different from the current
BootROM version, the system prompts you to upgrade the BootRom.
----End
8.3.3 Configuring the Configuration File for Switch to Load at the

Next Startup
Before restarting a switch, you can specify which configuration files will be loaded at the next
startup.
Context
Run the display startup command on the switch to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The file name extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the switch is powered on, it reads the configuration file from the flash memory by default
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the flash memory, the switch uses default parameters to initiate.
Procedure
l Run:
startup saved-configuration configuration-file

A configuration file is saved for the switch to load at next startup.
----End

After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the next startup on the switch.
Prerequisites
A configuration file has been specified for system startup.
Procedure
l Run the display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
check current configurations.
l Run the display saved-configuration [ last | time | configuration ] command to check the
contents of the configuration file to be loaded at next startup.
l Run the display startup command to check information about the files to be used at next
startup.
----End
Example
Run the display startup command to check information about the files to be used at next startup.
MainBoard:
Configured startup system software: flash:/S6700v200r001.cc
Startup system software: flash:/S6700v200r001.cc
Next startup system software: flash:/S6700v200r001.cc
Startup saved-configuration file: flash:/vrpcfg1.cfg
Next startup saved-configuration file: flash:/vrpcfg1.cfg

The example in this section shows how to configure system startup. The example explains
networking requirements, and provides a configuration roadmap and configuration notes.
8.4.1 Example for Configuring System Startup

This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the switch can start in a required manner.

After the switch is configured, new configurations take effect at next system startup.
1. Save the current configuration.
2. Specify the configuration file to be loaded at the next startup of the switch.
3. Specify the system software to be loaded at the next startup of the switch.
Data Preparation
l Name of the configuration file
l File name of the system software
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00b01.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/test.cfg
Step 2 Save the current configuration to the specified file.

<Quidway> save vrpcfg.cfg
The system asks you whether you want to save the current configuration to the file named
vrpcfg.cfg. Enter y to save the configuration.
Step 3 Specify the configuration file to be loaded at the next startup of the switch.
<Quidway> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded at the next startup of the switch.
<Quidway> startup system-software S6700v200r001c00.cc

After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the next startup of the switch.
MainBoard:
Configured startup system software: flash:/S6700v200r001c00b01.cc
Startup system software: flash:/S6700v200r001c00b01.cc
Next startup system software: flash:/S6700v200r001c00.cc
Startup saved-configuration file: flash:/test.cfg
Next startup saved-configuration file: flash:/vrpcfg.cfg


----End
Configuration Files
None.

Configuration Guide - Basic Configuration 9 Accessing Another Device
9 Accessing Another Device
About This Chapter
To manage configurations or operate files of another device, you can access the device by using
Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
9.1 Accessing Another Device

To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
9.2 Logging in to Other Devices Using Telnet
On most networks, multiple switchs need to be managed and maintained, but it may be
impossible to connect some of these switchs to a PC terminal. In other cases, there may be no
reachable route between a router and a PC terminal. You can log in to a local switch and then
use Telnet to log in to remote switchs to complete management and maintenance tasks.
9.3 Logging in to Another Device Using STelnet
STelnet provides secure Telnet services. You can use STelnet to log in to another switch from
the switch that you have logged in to and manage the device remotely.
9.4 Accessing Files on Another Device Using TFTP
You can configure the switch as a TFTP client, and log in to the TFTP server to upload and
download files.
9.5 Accessing Files on Another Device Using FTP
This section describes how to configure a switch as an FTP client to log in to a FTP server, and
to upload files to or download files from the server.
9.6 Accessing Files on Another Device Using SFTP
SFTP is a secure FTP service. After the switch is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
9.7 Accessing Files on Another Device by Using FTPS
The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.
9.8 Accessing Files on Another Device by Using SCP
The SCP client sets up a secure connection with the SCP server so that the client can upload
files to the server or download files from the server.


This section describes examples for access another device. The examples explain networking
requirements, configuration notes, and configuration roadmap.

9.1 Accessing Another Device

To manage configurations or use files on a device other than the device you are logged in to,
you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 9-1 Networking diagram for accessing another device from the switch
Network Network Server
PC Client
As shown in Figure 9-1, when you run a terminal emulation or Telnet program on a PC to
connect to the switch, the switch can still function as a client to access another device on the
network. There are several ways to accomplish this.
9.1.1 Telnet Method

To configure and manage a remote device on the network, you can use the switch that you have
logged in to as a client to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service.
The S6700 provides the following Telnet services:
l Telnet server: You can run the Telnet client program on a PC to log in to a switch to complete
configuration and management tasks. The switch acts as a Telnet server.
l Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the switch. You can then run the telnet command to log in to other
switchs to configure and manage them. As shown in Figure 9-2,Switch A serves as both
a Telnet server and a Telnet client.
Figure 9-2 Telnet client services

Telnet Session 1 Telnet Session2
Telnet Server
PC SwitchA SwitchB
l Interruption of Telnet services

In Telnet connection, two shortcut key combinations can terminate the connection.

As shown in Figure 9-3, Switch A logs in to Switch B through Telnet, and Switch B logs
in to Switch C through Telnet. Therefore, a cascade network is formed. In this case, Switch
A is the client of Switch B and Switch B is the client of Switch C. Figure 9-3 illustrates
the usage of shortcut keys.
Figure 9-3 Usage of Telnet shortcut keys

Telnet Session 1 Telnet Session2
Telnet Telnet
Client Server
SwitchA SwitchB SwitchC
Ctrl_]: The server interrupts the connection.

If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<SwitchC>
Press Ctrl_] to return to the prompt of Switch B.

Info: The max number of VTY users is 20, and the number
of current VTY users on line is 2.
Info: The connection was closed by the remote host.
<SwitchB>
Press Ctrl_] to return to the prompt of Switch A.

Info: The connection was closed by the remote host.
<SwitchA>
NOTE
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_]: The client interrupts the connection.
If the server fails and the client is unaware of the failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<SwitchC>
Press Ctrl_T to terminate and quit a Telnet connection.

<SwitchA>
CAUTION
If remote login users are using all of the maximum number of VTY user interfaces allowed,
the system prompts that all user interfaces are in use and does not allow additional Telnet
logins.

9.1.2 FTP Method

To access files on a remote FTP server, you can use FTP to establish a connection between the
switch that you have logged in to and the remote FTP server.
FTP can transmit files between hosts and it provides users with common FTP commands for file
system management. That is, using an FTP client program not residing on the switch, you can
upload or download the files and access the directories on the router; using an FTP client program
residing on the switch, you can transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts, and is widely used for version upgrade,
9.1.3 TFTP Method

If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the switch that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface and authentication
control. TFTP is for use in environments where there is no complex interaction between the
client and the server. For example, TFTP is used to obtain a memory image of the system when
the system starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP uses two formats for file transfer:
l Binary format: transfers program files.
l ASCII format: transfers text files.
At present, the S6700 can only serve as a TFTP client and can only transfer files in binary format.
9.1.4 SSH Method

Logging in to a remote device using SSH (including STelnet, SFTP and SCP) provides secure
communications between the remote device and the switch you are logged in to.
SSH Overview
When users on an insecure network use Telnet to log in to the switch, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the switch from IP address
spoofing and other such attacks, and protects the switch against the interception of plain text
passwords.
The SSH client function allows users to establish SSH connections with switchs serving as SSH
servers or with UNIX hosts.
SSH Client Function

The S6700 supports the STelnet client function, SCP client function, and SFTP client function.

l STelnet client
STelnet is short for Secure Telnet.
Telnet does not provide secure authentication and TCP transmits data in plain text. This
creates security vulnerabilities. Denial of service (DOS) attacks, host IP address spoofing,
and route spoofing also threaten system security. Telnet services are vulnerable to network
attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
– SSH supports Remote Subscriber Access (RSA) authentication and Digital Signature
Algorithm authentication (DSA). SSH uses RSA authentication or DSA authentication
to generate and exchange public and private keys compliant with an asymmetric
encryption system that protects session security.
– SSH supports Data Encryption Standard (DES), 3DES, and AES authentications.
– SSH usernames and the passwords are encrypted in communication between an SSH
client and server. This prevents password interception.
– SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files. This improves data transmission security when the remote system is updated.
The client function allows you to use SFTP to log in to the remote device for secure file
transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at a configured time interval. If there is no reply from the server to a configured number of
keepalive packets, the client determines that there is a fault and releases the connection.
l SCP client
SCP allows you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure
data transfer.
Unlike SFTP, SCP simplifies the file transfer process by combing user authentication and
file transfer, therefore improving configuration efficiency.
9.1.5 SSL Mode

Logging in to a remote device using SSL provides secure communications between the remote
FTPS server and the local device you are logged in to.
Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate across a network in a way designed to prevent
eavesdropping by authenticating the server or the client. SSL has the following advantages:

l Provides high security assurance. It uses data encryption, authentication, and a message
integrity check to ensure secure data transmission over the network.
l Supports various application layer protocols. SSL is originally designed for securing World
Wide Web traffic. As SSL functions between the application layer and the transport layer,
it secures data transmission based on TCP connections for any application layer protocol.
l Is easy to deploy. Currently, SSL has become a world-wide communications standard for
authenticating Web site and Web page users and encrypting data transmitted between
browser users and Web servers.
SSL improves device security from the following aspects:
l Helps authorized users to securely access servers and prevents unauthorized users from
accessing servers.
l Encrypts data transmitted between a client and a server for data transmission security and
computes a digest for data integrity, which implements security management for devices.
l Defines an access control policy on a device based on certificate attributes to control the
access rights of clients, which prevents unauthorized users from attacking the device.
Basic Concepts
l Certificate Authority (CA)
A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks the
validity of digital certificate owners, signs digital certificates to prevent eavesdropping and
tampering, and manages certificates and keys. The world-wide trusted CA is called a root
CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described
in a trusted-CA file.
For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then
issues a certificate for CA3 and so on, until CAn issues the final server certificate.
If CA3 issues the server certificate, certificate authentication on the client starts from server
certificate authentication. The CA3 certificate is used to authenticate the server certificate.
If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate.
Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate
authentication succeeds only when the CA2 certificate has been authenticated by the CA1
certificate.
Figure 9-4 shows the certificate issuing and authentication processes.
Figure 9-4 Schematic diagram for certificate issuing and authentication
l Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public
key with an identity. The digital certificate includes information such as the name of a
person or an organization that applies for the certificate, public key, digital-signed signature
of the CA that issues the digital certificate, and validity period of the digital certificate. A

digital certificate validates the identities of two communicating parties, improving

communication reliability.
A user must obtain the public key certificate of the information sender in advance to decrypt
and authenticate information in the certificate. In addition, the user also needs the CA
certificate of the information sender to verify the identity of the information sender.
l Certificate Revocation List (CRL)
A CRL is a list of certificates that have been revoked, and therefore should not be relied
upon. The CRL is issued by a CA.
The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten
its lifetime. The lifetime of a CRL is usually shorter than the lifetime of certificates in the
CRL. If a CA revokes a digital certificate, the key pair defined in the certificate can no
longer be used even if the digital certificate does not expire. After a certificate in a CRL
expires, the certificate is deleted from the CRL to shorten the CRL.
Before using a digital certificate, the client checks the CRL. If the digital certificate is in
the CRL, the corresponding CA marks the digital certificate as expired, and adds a
certificate expiration list (CEL) when issuing a new CRL. After the CEL expires, it is
automatically deleted from the CRL.
Application
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network
management is an HTTPS application).
l FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, FTPS provides a secure FTP server access.
– Login to an FTPS server from a user terminal
an SSL policy is configured on the FTP server. After a digital certificate is loaded and
the FTPS server function is enabled on the server, you can log in to the server from a
terminal on which the SSL-capable FTP client software is installed to securely operate
files transmitted between the terminal and the server.
– Login to an FTPS server from an FTPS client
– An SSL policy needs to be configured and a trusted-CA file needs to be loaded to
an FTP client to verify the identity of the certificate owner, sign a digital certificate
to prevent eavesdropping and tampering, and manage the certificate and key.
– An SSL policy needs to be configured on and a digital certificate needs to be loaded
to an FTP server to verify the validity of the trusted-CA file. This ensures that only
authorized clients can log in to the server.
l HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be
transmitted, and check message integrity, HTTPS provides a secure Web access.
an SSL policy is configured on the device that functions as an HTTP server. After a digital
certificate is loaded to and the HTTPS server function is enabled on the server, users can
log in to the server to remotely manage the server using web pages.

9.1.6 SCP Mode

Secure Copy Protocol(SCP) is based on SSH2.0. It guarantees secure file transfer on a traditional
insecure network by authenticating the client and encrypting data in bidirectional mode.
SCP is a technology used to remotely and securely copy files, including uploading and
downloading files. SCP commands are easy to run, improving the efficiency of network
maintenance.
SCP is developed based on the Remote Copy Protocol (RCP). RCP transmits data in plain text
mode, which is of low security. SCP is developed based on SSH, therefore enhancing the security
of data transmission.
SCP enables you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure data
transfer.
Unlike SFTP, SCP simplifies the file transfer process by combing user authentication and file
transfer, therefore improving the configuration efficiency.
9.2 Logging in to Other Devices Using Telnet

On most networks, multiple switchs need to be managed and maintained, but it may be
impossible to connect some of these switchs to a PC terminal. In other cases, there may be no
reachable route between a router and a PC terminal. You can log in to a local switch and then
use Telnet to log in to remote switchs to complete management and maintenance tasks.

Before configuring login to another device from the device that you have logged in to, familiarize
yourself with the usage scenario, complete the pre-configuration tasks, and obtain any data
required for the configuration.
Figure 9-5 Networking diagram for accessing another device from the device that you have
logged in to
Network Network
PC SwitchA SwitchB
As shown in Figure 9-5, you can use Telnet to log in to Switch A from a PC. You cannot,
however, manage Switch B remotely, because there is no reachable route between the PC and
Switch B. To manage Switch B remotely, you must use Telnet to log in to it from Switch A.
In this situation, Switch A functions as a Telnet client and Switch B functions as a server.

Before using Telnet to log in to another device on the network, complete the following tasks:
l 6.3 Logging in to Devices Using Telnet.

l Configure a reachable route between the client and Telnet server.
Data Preparation
To log in to another device by using Telnet, you need the following data:
No. Data
1 IP address or host name of SwitchB
2 Number of the TCP port used by the SwitchB to provide Telnet services
9.2.2 (Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to server along a specific route.
Context
An IP address is configured for an interface on the switch and functions as the source IP address
of a Telnet connection. This allows for implementation of security checks.
The source of a client can be a source interface or a source IP address.
Perform the following steps on a switch that functions as a Telnet client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a Telnet client is configured.
After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured one.
----End
9.2.3 Logging in to Another Device by Using Telnet

You can use Telnet to log in to and manage another switch.

Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Perform the following steps on the switch that serves as a Telnet client:
Procedure
l Select and perform one of the following two steps for IPv4 or IPv6.
– Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i
interface-type interface-number ] host-name [ port-number ]
Log in to the switch and manage other switchs.

– Run:
telnet ipv6 [ -a source-ip-address ] host-name [ -oi interface-type
interface-number ] [ port-number ]
Log in to the switch and manage other switchs.
----End

When you log in to another switch successfully from the switch that you have logged in to, you
can check information about the established TCP connection.After you have logged in to another
switch from the switch that you have logged in to, you can check information about the
established TCP connection.
Prerequisites
Logging in to another device has been configured.
Procedure
l Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0
Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849
Listening
34042c80 73 /17 10.164.39.99:23 10.164.6.13:1147 0
Established

9.3 Logging in to Another Device Using STelnet

STelnet provides secure Telnet services. You can use STelnet to log in to another switch from
the switch that you have logged in to and manage the device remotely.

Before configuring login to another device using Stelnet, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain any date required for the
configuration.
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device that you have logged in to functions as a Telnet client, and the
device that you want to log in to functions as an SSH server.
Before logging in to another device by using STelnet, complete the following tasks:
l 6.4 Logging in to Devices Using STelnet.
l Configure a reachable route between the client and SSH server.
Data Preparation
To log in to another device using STelnet, you need the following data.
No. Data
1 Name of the SSH server, and public key that is assigned by the client to the SSH server
2 IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
by the SSH server, preferred encryption algorithm for data from the SFTP client to
the SSH server, preferred encryption algorithm for data from the SSH server to the
SFTP client, preferred HMAC algorithm for data from the SFTP client to the SSH
server, preferred HMAC algorithm for data from the SSH server to the SFTP client,
preferred algorithm of key exchange
The user information for logging in to the SSH server

9.3.2 Configuring the First Successful Login to Another Device

(Enabling the First-Time Authentication on the SSH Client)
After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA or DSA public key when logging in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when logging in to the SSH server for the first time.
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Perform the following steps on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.
----End

(Allocating a Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA public key

validity check and cannot log in to the server. You must allocate an RSA or DSA public key to
the SSH server before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }
The public key view is displayed.
Step 3 Run:
public-key-code begin
The public key editing view is displayed.
Step 4 Run:
hex-data
The public key is edited.
The public key is a string of hexadecimal alphanumeric characters automatically generated by

an SSH client.
NOTE
l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.
Step 5 Run:
public-key-code end
Quit the public key editing view.
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server

NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
9.3.4 Logging in to Another Device Using STelnet

You can use STelnet to log in to an SSH server from an SSH client.
Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name, can choose the key exchange algorithm, encryption algorithm, or HMAC
algorithm, and can configure the keepalive function.
Procedure
Step 1 Run:
system-view

Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
For IPv4 addresses,
Run the stelnet host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa
| rsa } ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1
| sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ -
ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH server through
STelnet.
For IPv6 addresses,
Run the stelnet ipv6 host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ identity-key
{ dsa | rsa } ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 |
md5_96 } ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH
server through STelnet.
----End

After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the RSA or DSA public keys on the client, the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.

Prerequisites
Logging in to another device by using STelnet has been configured.
Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.
----End
Example
Run the display ssh server-info to view the mappings between all servers of the SSH client and
the RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
Server Name(IP) Server Public Key Type Server public key name
______________________________________________________________________________
10.137.128.216 RSA 10.137.128.216

10.137.128.217 RSA 10.137.128.217
10.137.128.217 DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1 RSA 127.0.0.1
127.0.0.1 DSA 10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA 1fff:00ffff:00ffff:
0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:00ffff:ffff:00ffff:
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:ffff:ffff:00ffff:
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2 RSA 8.1.1.2
9.4 Accessing Files on Another Device Using TFTP

You can configure the switch as a TFTP client, and log in to the TFTP server to upload and
download files.

Before configuring access to another device using TFTP, familiarize yourself with the usage
configuration.
You can use TFTP to in a simple interaction environment to transfer files between a server and
a client.
The current Switch functions as a TFTP client, and theSwitch to be accessed functions as a TFTP
server.

Before configuring access to another device using TFTP, configure a reachable route between
the client and TFTP server.
Data Preparation
To access another device using TFTP, you need the following data.
No. Data
1 (Optional) Source address or source interface of the switch that functions as a TFTP
client
2 IP address or host name of the TFTP server
3 Name of the specific file in the TFTP server and the file directory
9.4.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.
Context
of a TFTP connection. This allows implementation of security checks.
The source address of a client can be configured as a source interface or a source IP address.
Perform the following steps on a switch that functions as a TFTP client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.
After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
9.4.3 (Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the switch that you have logged in to.

Context
An Access Control List (ACL) is a set of sequential rules. Rule descriptions are based on the
source addresses, destination addresses, and port numbers of packets. Switchs use ACL rules to
filter packets. When a rule is applied to an interface on a switch, the switch permits or denies
packets based on the rule.
An ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL,
and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Perform the following steps on the switch that serves as the TFTP client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.
Step 4 Run:
quit
Step 5 According to the address type of the TFTP server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
the TFTP server.
Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
to the TFTP server.
----End
9.4.4 Downloading Files Using TFTP

You can download files from a TFTP server to a TFTP client.

Procedure
l Run the following commands according to the type of the server IP addresses.
– The IP address of the server is IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
The switch is configured to download files through TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ interface-type
interface-number ] get source-filename [ destination-filename ]
The switch is configured to download files using TFTP.
----End
9.4.5 Uploading Files Using TFTP

You can upload files from a TFTP client to a TFTP server.
Procedure
l Run the following commands according to the type of the server IP addresses.
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-
server [ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
The switch is configured to upload files using TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type
interface-number ] put source-filename [ destination-filename ]
The switch is configured to upload files using TFTP.
----End

When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
l Run the display tftp-client command to check the device address that is set to the source
address of the TFTP client.
l Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<Quidway> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configured
on the TFTP client.
<Quidway> display acl 2001
Basic ACL 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 2.2.2.2 0
9.5 Accessing Files on Another Device Using FTP

This section describes how to configure a switch as an FTP client to log in to a FTP server, and
to upload files to or download files from the server.

Before configuring the use of FTP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the switch that you have logged in to as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Before configuring the use of FTP to access files on another device, configure a reachable route
between the switch and the FTP server.
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
No. Data
1 (Optional) Source IP address or source interface of the switch functioning as an FTP

client
2 Host name or IP address of the FTP server, port number of connecting FTP, login
username and password
3 Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server

9.5.2 (Optional) Configuring the Source IP Address and Interface

of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.
Prerequisites
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }
The source address of the FTP client is configured.

After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End
9.5.3 Connecting to Other Devices Using FTP Commands

You can run FTP commands to log in to other devices from the switch that functions as the FTP
client.
Context
You can log in to the FTP server in the user view or the FTP view.
Perform the following steps on the switch that serves as the client:
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-
number ] [ public-net | vpn-instance vpn-instance-name ]
The switch is connected to the FTP server.

– In the FTP view, establish a connection to the FTP server.

1. In the user view,Run:
ftp
The FTP view is displayed.

2. Run:
open [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instance-name ]

NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.
l If the IP address of the server is an IPv6 address, do as follows:
– In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]

– In the FTP view, establish a connection to the FTP server.
1. In the user view,Run:
ftp
The FTP view is displayed.

2. Run:
open ipv6 host-ipv6-address [ port-number ]
----End
9.5.4 Managing Files Using FTP Commands

After logging in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
Context
After logging in to an FTP server, you can perform the following operations:
l Configure a data type for transmission files and a file transmission method.
l Check the online help about FTP commands in the FTP client view.
l Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
l Create directories on or delete directories from the FTP server.
l Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After logging in to the switch that functions as a client and entering the FTP client view, you
can perform the following steps:

Procedure
l Configuring data type and transmission mode for the file.
– Run:
ascii | binary
The data type of the file to be transmitted is ascii or binary mode.

NOTE
FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode ad required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
– Run:
passive
The passive file transfer mode is configured.

– Run:
verbose
The verbose mode for FTP is enabled.

When verbose is enabled, all FTP responses are displayed. After file transmission
efficiency statistics will be displayed.
l View online help for FTP commands.
remotehelp [ command ]
The online help of the FTP command is displayed.

l Upload or download files.
– Upload or download a file.
– Run:
The local file is uploaded to the remote FTP server.

– Run:
The FTP file is downloaded from the FTP server and saved to the local file.
– Upload or download multiple files.
– Run the mput local-filenames command to upload multiple local files
synchronously to the remote FTP server.
– Run the mget remote-filenames command to download multiple files from the FTP
server and save them locally.
NOTE
l When you are uploading or downloading files, and the prompt command is run in the FTP client
view to enable the file transmission prompt function, the system will prompt you to confirm the
uploading or downloading operation.
l If the prompt command is run again in the FTP client view, the file transmission prompt function
will be disabled.

l Run one or more of the following commands order to manage directories.

– Run:
cd pathname
The working path of the remote FTP server is specified.

– Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
– Run:
pwd
The specified directory of the FTP server is displayed.

– Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

– Run:
A directory is created on the FTP server.

– Run:
rmdir remote-directory
A directory is removed from the FTP server.

NOTE
l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
l Run one or more of the following commands to manage files.
– Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
– Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
– Run:
delete remote-filename
The specified file on the FTP server is deleted.

----End

9.5.5 Changing Login Users

After logging in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
Context
If you are logged in to the S6700 functioning as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the switch that functions as a client:
Procedure
l Run:
user user-name [ password ]
The user that logged in to the FTP server earlier is changed and the new user logs in to the
server.
When the username that is used to log in to the FTP server is changed, the original
connection between the user and the FTP server is interrupted.
----End
9.5.6 Disconnecting from the FTP Server

You can terminate the connection with an FTP server and return to the user view or FTP view.
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Perform the following steps on the switch that serves as the client.
Procedure
l Run one of the following commands depending on your system configurations.
– Run:
bye
Or,
quit
The client switch is disconnected from the FTP server.

Return to the user view.
– Run:
close
Or,
disconnect
The client switch is disconnected from the FTP server.

Return to the FTP view.
----End

After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.
Prerequisites
Accessing other devices using FTP has been configured.
Procedure
l Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<Quidway> display ftp-client
The source address of FTP client is 1.1.1.1.
9.6 Accessing Files on Another Device Using SFTP

SFTP is a secure FTP service. After the switch is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.

Before configuring the use of SFTP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain any data required for the
configuration.
SFTP is a secure FTP protocol. SFTP is based on SSH. It allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
switch that functions as an SFTP client.
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.
Data Preparation
To use SFTP to access files on another device, you need the following data:

No. Data
1 (Optional) Name of the SSH server
2 (Optional) Public key that is assigned by the client to the SSH server
3 IPv4 or IPv6 address or host name of the SSH server
4 Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm of key exchange, name of the outgoing
interface, source address
User information for logging in to the SSH server
5 Name and directory of a specified file on the SSH server

(Enabling the First-Time Authentication on the SSH Client)
After first-time authentication on the SSH client is enabled, the SFTP client does not check the
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
After the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at next login.
Procedure
Step 1 Run:
system-view

Step 2 Run:
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.

NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the check of the RSA or DSA public key validity and
cannot log in to the server.
TIP
To ensure that an STelnet client can log in to an SSH server at the first attempt, you can assign an RSA or
DSA public key in advance to the SSH server on the SSH client in addition to enabling first-time
authentication on the SSH client.
----End

(Allocating a Public Key to the SSH Server)
To configure the first successful login to another device on an SSH client, you must allocate an
RSA or DSA public key to the SSH server before the login.
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA public key validity
check and cannot log in to the server.
Perform the following steps on the switch functioning as an SSH client:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rsa peer-public-key key-name or dsa peer-public-key key-name encoding-type { der |
pem }
Step 3 Run:
Step 4 Run:
hex-data
The public key is a string of hexadecimal alphanumeric characters automatically generated by

an SSH client.

NOTE
l The RSA or DSA public key assigned to the SSH server must be generated on the server. Otherwise,
the validity check for the RSA or DSA public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA public key generated on the server to
the switch that functions as the client.
Step 5 Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-
key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not
exist after the peer-public-key end command is run and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign { rsa-key | dsa-key } keyname
The RSA or DSA public key is assigned to the SSH server
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key } command to cancel the association between the SSH client and the SSH server.
Then, run the ssh client servername assign { rsa-key | dsa-key } keyname command to allocate a new
RSA or DSA public key to the SSH server.
----End
9.6.4 Connecting to Other Devices by Using SFTP

You can use SFTP to log in to an SSH server from an SSH client.
Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and the name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.
Perform the following steps on the switch that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.


Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ] *
You can log in to the SSH server through SFTP.

Run:
sftp ipv6 [[ -a source-address | -oi interface-type interface-number ] |
[ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] | [ -ki aliveinterval] |[ -kc
alivecountmax ] | [ identity-key { dsa | rsa } ] ]* host-ipv6 [ port ]
----End
9.6.5 Managing Files Using SFTP Commands

You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.
Context
After logging in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
l Change file names, delete files, display a file list, and upload or download files.
l Display the SFTP client command help.
After logging in to the switch that functions as an SSH client and entering the SFTP client view,
you can perform the following steps:
Procedure
l Manage directories.
Perform the following steps as required:
– Run:
cd [ remote-directory ]
The current operating directory of users is changed.

– Run:
cdup
The view is switched to a directory one level up.

– Run:
pwd

The current operating directory of users is displayed.

– Run:
dir / ls [ remote-directory ]
A list of files in the specified directory is displayed.

– Run:
rmdir remote-directory & <1-10>
– The directory on the server is deleted.

– Run:
A directory is created on the server.

l Manage files.
Perform the following steps as required:
– Run:
rename old-name new-name
The name of the specified file on the server is changed.

– Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.

– Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.

– Run:
remove remote-filename
The file on the server is removed.

l Display the SFTP client command help.
help [all | command-name ]
The SFTP client command help is displayed.
----End

After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the RSA, or DSA public keys on the client, global
configurations of the SSH servers, and sessions between the SSH servers and the client.
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
l Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.
----End

Example
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<Quidway> display ssh server-info
______________________________________________________________________________
10.137.128.216 RSA 10.137.128.216

10.137.128.217 RSA 10.137.128.217
10.137.128.217 DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1 RSA 127.0.0.1
127.0.0.1 DSA 10.137.128.217
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA 1fff:00ffff:00ffff:
0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:00ffff:ffff:00ffff:
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA 1fff:ffff:ffff:00ffff:
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2 RSA 8.1.1.2
______________________________________________________________________________
10.1.1.1 RSA key1
9.7 Accessing Files on Another Device by Using FTPS

The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.

Before configuring the use of FTPS to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
bringing security threats.
l Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
l Configure an SSL policy on the FTP server and load a digital certificate to the server.
The client uses the trusted-CA file and digital certificate to authenticate the server so that the
authorized client can access the correct server.
As shown in Figure 9-6,

l An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identity of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
l An SSL policy needs to be configured on and a digital certificate needs to be loaded to an
FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.
Figure 9-6 Accessing Files on Another Device by Using FTPS
FTP-Client FTP-Server
VLANIF20 VLANIF30
1.1.1.1/24 1.1.1.2/24
Network
VLANIF40
192.168.0.2/24
PC1
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Before configuring the use of FTPS to access files on another device, complete the following
tasks:
l Load a trusted-CA file to the sub-directory named security of the system directory on the
FTPS client.
l Load a digital certificate to the sub-directory named security of the system directory on
the FTPS server.
Data Preparation
To use FTPS to access files on another device, you need the following data:
No. Data
1 SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS
client
2 Digital certificate and IP address of the FTPS server
9.7.2 Configuring the FTPS Client

An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP
client. The FTPS client can use the trusted-CA file to authenticate an FTPS server to ensure that
only authorized users can log in to the FTPS server.

Context
A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
A CRL file can be in either the ASN1 or PEM format. These two formats represent the same
contents.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Load a trusted-CA file.
l Run:
trusted-ca load pem-ca ca-filename
A PEM trusted-CA file is loaded.

l Run:
trusted-ca load asn1-ca ca-filename
An ASN1 trusted-CA file is loaded.

l Run:
trusted-ca load pfx-ca ca-filename auth-code auth-code
A PFX trusted-CA file is loaded.
A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA
files are loaded, these files will be added to the existing trusted-CA file list.
NOTE
l If the trusted-CA file configured on the FTPS server contains only one certificate, configure all the
trusted-CA certificates of upper levels to the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the
client.

crl load { pem-crl | asn1-crl } crl-filename
A CRL is loaded.

A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.
----End
9.7.3 Configuring the FTPS Server

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
FTPS server must be obtained from a corresponding CA.
Procedure
Step 1 Run:
system-view
Step 2 Run:

l Run:

l Run:
filename

l Run:

l Run:

NOTE
chain.
Step 4 Run:
quit
Return to the system view.

Step 5 Run:
ftp secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 6 Run:
ftp secure-server enable
The FTPS server function is enabled.

By default, the FTPS server function is disabled.
NOTE
----End
9.7.4 Accessing an FTPS Server

You can use specified commands to log in to an FTPS server from an FTPS client to remotely
manage the FTPS server.
Procedure
l On an IPv4 network:
In the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type
interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-
instance-name ] ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.

l On an IPv6 network:
In the user view, run:
ftp ssl-policy policy-name ipv6 host [ port-number ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
----End
Follow-up Procedure
The client can log in to the server only after the entered user name and password are authenticated
by the server. After logging in to the FTPS server, you can operate files on the FTPS server in
the same way as that on an FTP server. Table 9-1 lists file operations on an FTP server.
Table 9-1 File operations

File Operation Operation
Managin Configuring the l Run the ascii command to set the file type to ASCII.
g files file type l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default,
the ASCII type is used.
Configuring the l Run the passive command to set the data connection
data connection mode to PASV.
mode l Run the undo passive command to set the data
connection mode to PORT.
By default, the PASV mode is used.
Uploading files l Run the put local-filename [ remote-filename ]

command to upload a file from the local device to a
remote server.
l Run the mput local-filenames command to upload files
from the local device to a remote server.
Downloading l Run the get remote-filename [ local-filename ] command

files to download a file from a remote server and save the file
on the local device.
l Run the mget remote-filenames command to download
files from a remote server and save the files on the local
device.

Enabling the file l If the prompt command is run in the FTP client view to
transfer prompt enable the file transfer prompt function, the system
function prompts you to confirm the uploading or downloading
operation during file uploading or downloading.
l If the prompt command is run again in the FTP client
view, the file transfer prompt function is disabled.
NOTE
The prompt command is applicable to the scenario where the
mput or mget command is used to upload or download files. If the
local device has the files to be downloaded by running the mget
command, the system prompts you whether to override the existing
ones regardless of whether the file transfer prompt function is
enabled.
Enabling the FTP Run the verbose command.

verbose function After the verbose function is enabled, all FTP response
information is displayed. After file transfer is complete,
statistics about the transmission rate are displayed.
Managin Changing the Run the cd pathname command.

g working path of a
directori remote FTP server
es
Changing the Run the cdup command.
working path of an
FTP server to the
parent directory
Displaying the Run the pwd command.

working path of an
FTP server
Displaying files in Run the dir [ remote-directory [ local-filename ] ] command.

the directory and If no path name is specified for a specified remote file, the
the list of sub- system will search the file in the authorized directory of the
directories user.
Displaying a Run the ls [ remote-directory [ local-filename ] ] command.

specified remote
directory or file on
an FTP server
Displaying or Run the lcd [ directory ] command.

changing the The lcd command displays the local working path of the FTP
working path of an client, whereas the pwd command displays the working path
FTP client of the remote FTP server.
Creating a Run the mkdir remote-directory command.

directory on an The directory can be a combination of letters and numbers,
FTP server excluding special characters such as "<", ">", "?", "\", or ":".

Deleting a Run the rmdir remote-directory command.

directory from an
FTP server
Displaying online help for an Run the remotehelp [ command ] command.

FTP command
Changing an FTP user Run the user username [ password ] command.

After using FTPS to log in to another device, you can view the FTPS client, SSL policy
configured on the FTPS server, trusted-CA file loaded to the FTPS client, and digital certificate
loaded to the FTPS server.
Prerequisites
The configuration for using FTPS to access files on another device is complete.
Procedure
l Run the display ssl policy command to check the SSL policy configured on and trusted-
CA certificate loaded to the FTPS client as well as the SSL policy configured on and digital
certificate loaded to the FTPS server.
l Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
Key-pair Type: RSA


Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
Max user number 5
User count 1
Listening port 21
Acl number 0
9.8 Accessing Files on Another Device by Using SCP


Before configuring the use of SCP to access files on another device, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading
or downloading without user authentication and public key assignment, and also supports file
uploading or downloading in batches.
Before configuring the use of SCP to access files on another device, configure a reachable route
between the client and SCP server.
Data Preparation
To configure the use of SCP to access files on another device, you need the following data.
No. Data
1 Username, password, authentication mode, and service type of an SSH user
2 Port number of the SCP server, encryption algorithm for uploading or downloading
files, source files to be uploaded or downloaded, and destination files to be uploaded
or downloaded, (Optional) Source IPv4 or IPv6 address and source interface of the
local device

9.8.2 Configuring the SCP Server

This section describes how to configure the SCP server by configuring an SSH user, creating a
local RSA or DSA key pair, enabling the SCP service, and establishing a secure connection
between the client and server to ensure secure remote access on an insecure network.
Context
SCP is a secure file transfer method based on SSH2.0. By default, user interfaces support Telnet.
A user interface must be configured to support SSH for users to log in to the device using SCP.
l There are four SSH user authentication modes: RSA, DSA, password, password-RSA,
You can perform the following steps to configure the SCP server:
1. Configure a VTY user interface to support SSH.
2. Configure an SSH user to ensure that the SCP client can log in to the SCP server.
a. Create an SSH user.
b. Generate a local RSA or DSA key pair.
c. Configure an authentication mode for the SSH user.
d. Configure a service type for the SSH user.
NOTE
For configurations about the basic SSH authentication item and command line authorization, see Step
5 and Step 6 in Configuring an SSH User and Specifying the Service Type.
3. Enable the SCP service to allow the SCP client to log in to the SCP server.
Procedure
Step 1 Configuring SSH for the VTY User Interface
1. Run:
system-view

2. Run:

3. Run:

NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
4. Run:

5. Run:
quit
Return to the system view from the VTY user interface view.
Step 2 Configuring an SSH User
Table 9-2 shows how to configure an SSH user.
Table 9-2 Configuring an SSH User

Proc Operation Description
edur
e
1 Run the ssh user user-name -

command to create SSH user in
the system view.
2 Run the rsa local-key-pair After generating a local key pair, you can run the
create or dsa local-key-pair display rsa local-key-pair public , display dsa
createcommand to generate the local-key-pair public command to view the
local RSA, DSAkey pair in the public key in the local key pair.
system view.


edur
e
3 Run the ssh user user-name l Configure password authentication for the SSH
authentication-type user.
{ password | rsa | password- – Run:
rsa | all | dsa | password-dsa } ssh user user-name authentication-
command to configure the type password
Password authentication is configured.

– Run:
ssh authentication-type default
password
The default password authentication is

configured.
For the local authentication or
HWTACACS authentication, if the number
of SSH users is small, you can adopt the
former command; if the number of SSH
users is large, adopt the later command to
simplify the configuration.
l Configure RSA or DSA authentication for the
SSH user.
1. Run:
ssh user user-name authentication-
type { rsa | dsa
RSA or DSA authentication is configured.

2. Run:
rsa peer-public-key key-nameor dsa
peer-public-key key-name encoding-
type { der | pem }

3. Run:

4. Run:
hex-data
NOTE
l Only strings complying with the public key
format can be typed in the public key view.
Each string is randomly generated on an
SSH client. For detailed procedures, see
manuals for SSH client software.
l After the public key editing view is
displayed, an RSA or DSA public key
generated on the client can be sent to the
server. Copy the RSA or DSA public key to
the switch that serves as the SSH server.


edur
e
authentication mode for SSH 5. Run:

users. public-key-code end

– If the specified hex-data is invalid, the
public key cannot be generated after the
peer-public-key end command is run.
– If the specified key-name is deleted in
other views and the peer-public-key
end command is then run and the system
view is displayed, the system prompts
that the key does not exist.
6. Run:
peer-public-key end
Return to the system view from the public

key view.
7. Run:
ssh user user-name assign { rsa-key |
dsa-key } key-name
The public key is assigned to the SSH user.

NOTE
An SSH user is created. If password, password-DSA or
password-RSA authentication is configured for the SSH
user, create the same SSH user in the AAA view and set
the local user access type to SSH.
2. Run the local-user user-name password cipher
password command to configure a local username
and a password.
3. Run the local-user user-name service-type ssh
command to set the local user access type to SSH.
By default, a local user can use any access type. You can
specify an access type to allow only users configured
with the specified access type to log in to the device.
4 Run the ssh user username By default, the service type of the SSH user is not
service-type { sftp | all } configured.
command to configure the
service type for the SSH user.
Step 3 Run:
scp server enable
SCP services are enabled.
By default, SCP services are disabled.
----End

9.8.3 Configuring the SCP Client

Procedure
Step 1 Run:
system-view

scp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address or a source interface is configured for the SCP client.

It is more secure to configure a source IP address for the SCP client, and use the specified source
IP address to set up an SCP connection between the client and server.At present, the available
source interface must be a loobpack interface.
Step 3 Files are uploaded from the SCP client to the remote SCP server or downloaded from the remote
SCP server to the SCP client.
l Basing on IPv4 address
scp [ -port port-number | { public-net | vpn-instance vpn-instance-name } | { -a source-ip-
address | -i interface-type interface-number } | -r | identity-key { dsa | rsa } | -cipher
{ des | 3des | aes128 } | -c ] * source-filename destination-filename
l Basing on IPv6 address
scp ipv6 [ -port port-number | { public-net | vpn-instance vpn-instance-name } | -a source-
ip-address | -r | identity-key { dsa | rsa } | -cipher { des | 3des | aes128 } | -c ]* source-
filename destination-filename [ -oi interface-type interface-number ]
----End

After using SCP to log in to another device, you can view the source IP address of the SCP client.
Prerequisites
The configuration for using SCP to access files on another device is complete.
Procedure
l Run the display scp-client command to view the source IP address or source interface of
the SCP client.
----End
Example
Run the display scp-client command, and you can view the source IP address of the SCP client.
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1


This section describes examples for access another device. The examples explain networking
requirements, configuration notes, and configuration roadmap.
9.9.1 Example for Logging in to Another Device by Using Telnet

This section provides an example for logging in to another device by using Telnet.In this
example, the authentication mode and password are configured for users to log in through Telnet.
As shown in Figure 9-7, after logging in to Switch A, the user logs in to Switch B through Telnet
by using the default interface 23.
Figure 9-7 Networking diagram of the remote login of the Ethernet user
PC SwitchA SwitchB
10.10.10.8/24 10.10.10.9/24
SwitchA XGigabitEthernet0/0/1 VLANIF 2 10.10.10.8/24
SwitchB XGigabitEthernet0/0/1 VLANIF 2 10.10.10.9/24
1. Assign IP addresses to Switch A and Switch B.

2. Configure an authentication mode and password on Switch B.
3. Log in to Switch B from Switch A.
Data Preparation
l ID of the VLAN
l IP address and number of the interface on the Switch A that functions as the Telnet client
l IP address and number of the interface on the Switch B that functions as the Telnet server
l Authentication mode and the password for a user to log in to Switch B through Telnet

Procedure
Step 1 Assign IP addresses.
# Assign IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface xgigabitethernet 0/0/1
[SwitchA-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchA-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchA-XGigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]
# Assign an IP address to Switch B that functions as the Telnet server.

<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit
[SwitchB] interface xgigabitethernet 0/0/1
[SwitchB-XGigabitEthernet0/0/1] port hybrid pvid vlan 2
[SwitchB-XGigabitEthernet0/0/1] port hybrid untagged vlan 2
[SwitchB-XGigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]
Step 2 Configure the authentication mode and password for Switch B.

[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password cipher huawei
[SwitchB-ui-vty0-4] quit
[SwitchB]

# Log in to Switch B on Switch A through Telnet.
<SwitchA> telnet 10.10.10.9
Trying 10.10.10.9 ...
Press CTRL+K to abort
Connected to 10.10.10.9 ...
Login authentication
Password:
The current login time is 2012-03-20 11:04:45.
<SwitchB>
----End
Configuration Files
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 2
#

interface Vlanif2
ip address 10.10.10.8 255.255.255.0
#
#
return
l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.9 255.255.255.0
#
#
set authentication password cipher %$%$axs[$3*Q;+hUY:0YxNS;X.%
y]:elTpar].gl2eHPIZEDE4+&%$%$
#
return
9.9.2 Example for Configuring the Device as the STelnet Client to

Connect to the SSH Server
This section provides an example for logging in to another device by using STelnet.In this
example, the local key pairs are generated on the STelnet client and the SSH server; the public
RSA key is generated on the SSH server and then bound to the STelnet client. In this manner,
the STelnet client can connect to the SSH server.
As shown in Figure 9-8, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode. In this example, the Huawei switch functions as an SSH server.
The following login users need to be configured.
l Client001, with the password as huawei and the authentication mode as password
l Client002, with the password as rsakey001 and the authentication mode as RSA
The user interface supports only the SSH protocol.

Figure 9-8 Networking diagram for logging in to another device by Using STelnet
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
SSH server XGigabitEthernet0/0/1 VLANIF 10 10.164.39.222/24
Client001 XGigabitEthernet0/0/1 VLANIF 10 10.164.39.220/24
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind
the client client002 to an RSA key to authenticate the client when the client attempts to log
in to the server.
4. Enable STelnet service on the SSH server.
5. Set the service type of Client001 and Client002 to STelnet.
6. Enable first-time authentication on the SSH client.
7. Users Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
l IP addresses of the FTP server and client, as shown in Figure 9-8

l Client001 with the password as huawei and adopt the password authentication.
l Client002, adopt the RSA authentication and assign the public key RsaKey001 to
Client002.
l IP address of the SSH server is 10.164.39.222.
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.

Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
[Quidway] vlan 10
Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
[Quidway] rsa local-key-pair create
NOTES:If the key modulus is greater than 512,
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
# Configure a VTY user interface.

[Quidway-ui-vty0-4] protocol inbound ssh
l Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password cipher huawei
[Quidway-aaa] local-user client001 service-type ssh
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002 authentication-type rsa
Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.

[Quidway] sysname client002
[client002] rsa local-key-pair create
# Check the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Key name: client002_Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
Step 6 Enable the STelnet service on the SSH server.

# Enable the STelnet service.

[Quidway] stelnet server enable
Step 7 Set the service type of Client001 and Client002 to STelnet.

[Quidway] ssh user client001 service-type stelnet
Step 8 Connect the STelnet and the SSH server.

# You must enable the initial authentication on the SSH client for the first login.
Enabling the first authentication on Client001.
[client001] ssh client first-time enable

# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
<Quidway>
# Client002 logs in to the SSH server in RSA authentication mode.

[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.137.217.202. Please wait.
..
<Quidway>

After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can view that the STelnet service is enabled, and that the STelnet
client logs in to the server successfully.
# Check the status of the SSH server.

[Quidway] display ssh server status

SSH version :1.99
SFTP server :Disable
Scp server :Disable
# Check the connection of the SSH server.

[Quidway] display ssh server session
Session 1:
Conn : VTY 1
Version : 2.0
State : started
Retry : 1
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Retry : 1
Authentication Type : rsa
# Check information about the SSH user.

[Quidway] display ssh user-information
User 1:
Sftp-directory : -
Authorization-cmd : No
User 2:
Authentication-type : rsa
User-public-key-name : RsaKey001
Sftp-directory : -
----End
Configuration Files
l Configuration file of the Quidway, the SSH server
#
sysname Quidway

#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %$%$6\ZH#;zYJ*HXE["UyioO-vmd%$%$
#
ssh user client001
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
#
#
return
l Configuration file of Client001, the SSH client
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return
#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
#


#
return
9.9.3 Example for Accessing Files on Another Device by Using TFTP

In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.
As shown in Figure 9-9, The remote server at 10.1.1.2 functions as the TFTP server.
The Switch acts as a TFTP client,and the IP address is 10.1.1.1/24.
The Switch downloads files from the TFTP server.
Figure 9-9 Networking diagram for accessing files on another device by using TFTP
TFTP session
configuration
PC cable TFTP Client TFTP Server
1. Run the TFTP software on the TFTP server and set the position where the source file is
located on the Switch.
2. Download files through TFTP commands on the Switch.
Data Preparation
l TFTP software installed on the TFTP server
l Path of the source file on the TFTP server
l Name of the destination file and position where the destination file is located on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
[Quidway] vlan 10


Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
Return
9.9.4 Example for Accessing Files on Another Device by Using FTP

This section provides an example for accessing files on another device by using FTP. In this
example, a user logs in to the FTP server from the switch to download system software and
configuration software from the FTP server.
As shown in Figure 9-10, the remote server at 10.1.1.2 serves as the FTP server. The Switch
and the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from XGigabitEthernet0/0/1 to
XGigabitEthernet0/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.
The Switch downloads files from the FTP server.
Figure 9-10 Networking diagram for accessing files on another device by using FTP
FTP session
configuration
PC cable FTP Client FTP Server

1. Log in to the FTP server from the FTP client.

2. Download files from the server to the storage device of the client.
Data Preparation

l Name of the destination file and position where the destination files are located on the
Switch
l Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
[Quidway] vlan 10
Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password
ftppwd.
<Quidway> ftp 10.1.1.2
Trying 10.1.1.2 ...
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.

[ftp] get vrpcfg.cfg vrpcfg.cfg

150 Opening BINARY mode data connection for vrpcfg.cfg.

FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
#
#
#
#
return
9.9.5 Example for Accessing Files on Another Device by Using SFTP

In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively; the public RSA key is generated on the SSH server and bind the RSA public key
to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
As shown in Figure 9-11, after the SFTP service is enabled on the SSH server, the SFTP Client
can log in to the SSH server with the password, RSA, password-rsa, or all authentication. In this
example, the Huawei switch functions as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in the authentication
mode of password and RSA respectively.

Figure 9-11 Networking diagram for accessing files on another device by using SFTP
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
interface.
2. Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
3. Create a local RSA key pair on the client Client002 and the SSH server, and bind the client
client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
4. Enable the SFTP service on the SSH server.
5. Configure the service mode and authorization directory for the SSH user.
6. Client001 and Client002 log in to the SSH server by using SFTP to access files on the
server.
Data Preparation

l Client001 with the password as huawei and adopt the password authentication.
l Client002, adopt the RSA authentication and assign the public key RsaKey001 to
Client002.
l IP address of the SSH server is 10.164.39.222.
Procedure

Create VLAN 10 on the S6700 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
[Quidway] vlan 10
[Quidway] quit
Assigning an IP address to the S6700 that functions as Client001 or Client002 is the same as
Step 2 Create a local key pair on the SSH server.

Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

NOTE
l In password ,password-rsa or password-dsa authentication mode, you must configure a local user.
l In RSA,DSA,password-rsa,password-dsa or all authentication mode, you must copy the RSA or DSA

l Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as
password for the user.

[Quidway] aaa
[Quidway-aaa] local-user client001 privilege level 3
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.


# Check the RSA public key created on the client.

=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key created on the client to the server.
Step 5 Bind the RSA public key of the SSH client to Client002.
Step 6 Enable the SFTP service on the SSH server.

# Enable the SFTP service.

[Quidway] sftp server enable
Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
[Quidway] ssh user client001 service-type sftp
[Quidway] ssh user client001 sftp-directory flash:/
Step 8 Connect the SFTP client and the SSH server.


# Client001 logs in to the SSH server in password authentication mode.

[client001] sftp 10.164.39.222
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
..
Enter password:
sftp-client>
# Client002 logs in to the SSH server in RSA authentication mode.

[client002] sftp 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Connected to 10.137.217.207 ...
..
sftp-client>

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the SFTP service is enabled, and that the SFTP
client logs in to the server successfully.
SSH version :1.99


SFTP server :Enable
Stelnet server :Disable
Scp server :Disable

Session 1:
Conn : VTY 1
Version : 2.0
State : started
Retry : 1
Public Key : rsa
Service Type : sftp
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Retry : 1
Public Key : rsa
Service Type : sftp
# Check information about the SSH user.

[Quidway] display ssh user-information
User 1:
User-public-key-type : -
Sftp-directory : flash:/
Service-type : sftp
User 2:
Authentication-type : rsa
User-public-key-name : RsaKey001
User-public-key-type : rsa
Sftp-directory : flash:/
Service-type : sftp
----End
Configuration Files

#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 sftp-directory flash:/
#
#
#
return
#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return
#
sysname client002
#
vlan batch 10
#
interface Vlanif10

ip address 10.164.39.221 255.255.255.0

#
#
#
return
9.9.6 Example for Accessing Files on Another Device by Using FTPS

You can log in to an FTPS server from an FTPS client to operate files transmitted between the
server and the client.
As shown in Figure 9-12,

l An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identity of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
l An SSL policy needs to be configured on and a digital certificate needs to be loaded to an
FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.
Figure 9-12 Accessing Files on Another Device by Using FTPS
FTP-Client FTP-Server
VLANIF20 VLANIF30
1.1.1.1/24 1.1.1.2/24
Network
VLANIF40
192.168.0.2/24
PC1
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.

1. Upload certificates.
l Upload the digital certificate saved on PC2 to the FTP server.
l Upload the trusted-CA file saved on PC1 to the FTP client.
2. Load the certificates and configure SSL policies.
l Copy the digital certificate from the system directory of the FTP server to the
security sub-directory, configure an SSL policy, and load the digital certificate.
l Copy the trusted-CA file from the system directory of the FTP client to the security
sub-directory, configure an SSL policy, and load the trusted-CA file.
3. Enable the FTPS server function on the FTP server.
4. Configure IP addresses for the interfaces that interconnect the FTP client and server to
ensure that the client and server are routable.
5. Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
files.
Data Preparation
l IP addresses of the FTP client and server

l FTP user name and password
l SSL trusted-CA file and digital certificate
Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are reachable.
[Quidway] sysname FTP-Server
[FTP-Server] interface xgigabitethernet0/0/1

[FTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password cipher huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei privilege level 15
[FTP-Server-aaa] local-user huawei ftp-directory flash:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 9-13.

Figure 9-13 Logging in to an FTP server from a user terminal
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
9-14.
After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir


0 drw- - May 10 2011 05:05:40 src
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
5 drw- - May 10 2011 05:43:39 security
304,292 KB total (303,766 KB free)
l Perform the following steps on the FTP client:

The procedure for uploading the trusted-CA file to the FTP client is similar to the procedure
for uploading the digital certificate to the FTP server. For detailed configurations, see the
configuration file of the FTP client in this example.
After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTP
client. The command output shows that the trusted-CA file has been successfully uploaded
to the FTP client.
<FTP-Client> dir

1 -rw- 1,237 May 10 2011 05:55:33 1_cacert_pem_rsa.pem
2 -rw- 1,241 May 10 2011 05:55:44 1_rootcert_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 19 2011 04:24:28 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
304,292 KB total (300,270 KB free)
Step 2 Load the certificates and configure SSL policies.

l Perform the following steps on the FTP server:
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/
directory on the FTP server. The command output shows that the digital certificate has been
<FTP-Server> cd security/
<FTP-Server> dir

304,292 KB total (303,766 KB free)

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-
code 123456
[FTP-Server-ssl-policy-ftp_server] quit
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy


Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
l Configure the FTP client.

# Create a sub-directory named security and copy the trusted-CA file to this sub-directory.
The configuration procedure is similar to that on the FTP server. For detailed configurations,
see the configuration file of the FTP client in this example.
After the trusted-CA file is copied to the security sub-directory, run the dir command in this
sub-directory. The command output shows that the trusted-CA file has been successfully
copied to this sub-directory.
<FTP-Client> cd security/
<FTP-Client> dir

0 -rw- 1,237 May 10 2011 05:57:15 1_cacert_pem_rsa.pem
1 -rw- 1,241 May 10 2011 05:57:29 1_rootcert_pem_rsa.pem
304,292 KB total (300,266 KB free)
# Create an SSL policy and load the trusted-CA file.

<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Step 3 Enable the FTPS server function.

NOTE
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.
# Configure the FTP server.

[FTP-Server] interface xgigabitethernet 0/0/2
# Configure the FTP client.

[FTP-Client] vlan 20
[FTP-Client-vlan20] quit
[FTP-Client] interface xgigabitethernet 0/0/2
[FTP-Client-XGigabitEthernet0/0/2] port hybrid pvid vlan 20
[FTP-Client-XGigabitEthernet0/0/2] port hybrid untagged vlan 20
[FTP-Client-XGigabitEthernet0/0/2] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit
Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
The client can log in to the FTP server only after the correct user name and password are entered.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
Max user number 5
User count 1
Listening port 21
Acl number 0
You can use the FTP client to remotely manage files on the FTPS server.
----End
Configuration Files
l Configuration file of the FTP server
#
sysname FTP-Server
#

FTP secure-server enable

ftp secure-server ssl-policy ftp_server
#
vlan batch 10 30
#
ssl policy ftp_server
#
aaa
local-user huawei password cipher %$%$xl8:AIK&k*X.D6$JN#rF-\SJ%$%$
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.2 255.255.255.0
#
#
#
return
l Configuration file of the FTP client

#
sysname FTP-Client
#
FTP server enable
#
vlan batch 20 40
#
ssl policy ftp_client
trusted-ca load pem-ca 1_cacert_pem_rsa.pem
trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
#
interface Vlanif20
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.0.2 255.255.255.0
#
#

#
return
9.9.7 Example for Accessing Files on Another Device by Using SCP

In this example, the SCP client accesses the SCP server to download files.
Unlike SFTP, SCP allows file uploading or downloading without user authentication and public
key assignment, and also supports file uploading or downloading in batches.
As shown in Figure 9-15, the device functioning as the SCP client has a reachable route to the
SCP server, and can download files from the SCP server.
Figure 9-15 Networking diagram for accessing files on another device by using SCP
SCP Server
172.16.104.110/24
1.1.1.1/32
SCP Client
1. Create a local RSA key pair on the SSH server.

2. Create an SSH user on the SSH server.
3. Enable SCP services on the SSH server.
4. Enable first-time authentication on the SSH client.
5. Configure an IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.
Data Preparation
l SSH user name, authentication mode, and authentication password

l IP address of the source interface on the SCP client
l The name and path of the destination files and the source files.

Procedure
Step 1 Create a local RSA key pair on the SSH server.
The key name will be: SSH Server_Host
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
Step 2 Create an SSH user on the SCP server.

# Configure the VTY user interface.
# Configure the password authentication for the SSH user Client001.

[SSH Server] ssh user client001
# Configure the password of the SSH user Client001 to huawei.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
# Configure the service type for the SSH users Client001 to all.
[SSH Server] ssh user client001 service-type all
Step 3 Enable SCP services on the SCP server.

[SSH Server] scp server enable
Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable the first authentication on SSH client.
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable
# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP
client.
[SCP Client] scp client-source -a 1.1.1.1
# Use 3des to encrypt the file license.txt, and then download the file to the local working
directory from the remote SCP server with the IP address of 172.16.104.110.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt
license.txt

Run the display scp-client command on the SCP client. The command output is as follows:

<Quidway> display scp-client

The source of SCP ipv4 client: 1.1.1.1
The IP address of the source interface on the SCP client is 1.1.1.1.
----End
Configuration Files
l Configuration file of the SCP server
#
sysname SSH Server
#
aaa
local-user client001 password cipher %$%$}twU5v;.BOKdou5Ry'L$-XOF%$%$
#
scp server enable
ssh user client001
ssh user client001 service-type all
#
#
return
l Configuration file of the SCP client

#
sysname SCP Client
#
scp client-source 1.1.1.1
#
return
9.9.8 Example for Configuring the SSH Server to Support the Access
from Another Port
In this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, the bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers will not aware
of this change and continue to send a request for the socket connection to port 22. In this case,
the SSH server detects that it is not the listening port, and then denies the the request for
establishing the socket connection.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
l Negotiating the version of the SSH protocol
l Negotiating the algorithm

l Generating the session key

l Authenticating
l Sending a request for a session
l Performing the interactive session
Figure 9-16 Networking diagram for configuring the SSH server to support the access from
another port
SSH Server
10.164.39.222/24
10.164.39.220/24 10.164.39.221/24
Client001 Client002
interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of the service and authenticated directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.
Data Preparation

l SSH user name and authentication mode
l Password or RSA public key of the SSH user

l Server name
l Listening port number on the SSH server
Procedure
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
[Quidway] vlan 10
Assigning an IP address to theSwitch that functions as Client001 or Client002 is the same as

Step 2 A local key pair generated on the SSH server
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

# Check the RSA public key generated on the client.

=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001



=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client to the server.
NOTE
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA

# Create an SSH user named Client001, and configure the authentication mode as password
for the user.

[Quidway] aaa


[Quidway-aaa] quit
# Set the type of service of Client001 to STelnet.

# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
Step 5 Enable the STelnet and SFTP services on the SSH server.
Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025
Step 7 Connect the SSH client and the SSH server.


# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
..
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
<Quidway>
# The SFTP client logs in to the SSH server by using the new listening port.
[client002]sftp 10.164.39.222 1025
Trying 10.164.39.222 ...

Connected to 10.164.39.222 ...

..
sftp-client>

Attackers fail to log in to the SSH server by using port 22.
[client002] sftp 10.164.39.222
Trying 10.164.39.222 ...
Can't establish tcp connection to server
After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
SSH version :1.99
SFTP server :Enable
Scp server :Disable
SSH server port :1025

Session 1:
Conn : VTY 3
Version : 2.0
State : started
Retry : 1
Session 2:
Conn : VTY 4
Version : 2.0
State : started
Retry : 1
Service Type : sftp
----End

Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
sftp server enable
ssh server port 1025
ssh user client001
ssh user client002
#
#
#
return

#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return

#
sysname client002

#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
#
#
return
9.9.9 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS
server, and the SSH server determines whether to set up a connection with the user according
to the authentication result.
When an RADIUS user is connected to an SSH server, the SSH server sends the user name and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.
Figure 9-17 shows the networking diagram.
Figure 9-17 Networking diagram of authenticating the SSH through RADIUS
10.164.39.221/24 10.164.6.41/24
10.164.39.222/24 10.164.6.49/24
SSH Client SSH Server Radius Server
1. Configure the RADIUS template on the SSH server.

2. Configure a domain on the SSH server.
3. Create a user on the RADIUS server.
4. Generate the local key pair on SSH server respectively. The SSH server monitors the port
number.
5. Enable the STelnet and SFTP services on the SSH server.

6. Configure the service mode and authorization directory of the SSH user.
7. Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.
Data Preparation
l Configure the password authentication for the two SSH users .
l RADIUS authentication
l Name of the RADIUS template
l Name of the RADIUS domain
l Name and password of the RADIUS user
Procedure
Step 1 Generate a local key pair on the SSH server.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Create the SSH user.

On the RADIUS server, add two users named ssh1@ssh.com and ssh2@ssh.com ; in addition,
designate the NAS address 10.164.39.222 and the key huawei. The NAS address refers to the
address of the SSH server that connects to the RADIUS server.
# Configure the VTY user interface on the SSH server.
# Create SSH users asssh1@ssh.com and ssh2@ssh.com on the SSH server.

[Quidway] ssh user ssh1@ssh.com
[Quidway] ssh user ssh1@ssh.com authentication-type password
[Quidway] ssh user ssh1@ssh.com service-type stelnet
[Quidway] ssh user ssh2@ssh.com
[Quidway] ssh user ssh2@ssh.com authentication-type password
[Quidway] ssh user ssh2@ssh.com service-type sftp
Step 3 Configure the RADIUS template.

# Configure the authentication scheme newscheme and authentication mode RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius

[Quidway-aaa-authen-newscheme] quit
# Configure the RADIUS template of SSH server as ssh.

[Quidway] radius-server template ssh
# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812
# Configure the key of RADIUS server as huawei.

[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit
Step 4 Configure RADIUS domain name.
# Configure the RADIUS domain of SSH server as ssh.com, applying authentication scheme
newscheme and RADIUS template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit
Step 5 Connect the SSH client and the SSH server.
# Enable STelnet and SFTP services on the SSH server.

# For the first login, you need to enable the first authentication on SSH client.
[client] ssh client first-time enable
[client] quit
# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username:ssh1@ssh.com
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
..
Enter password:
Enter the password Huawei and view as follows:

<Quidway>
# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username:ssh2@ssh.com
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...

Enter password:
sftp-client>

After the configuration, run the display radius-server configuration and display ssh server
session commands on the SSH server. You can view the configuration of the RADIUS server
on the SSH server. You can also view that the STelnet or SFTP client is connected to the SSH
server successfully with RADIUS authentication.
# Display the configuration of the RADIUS server.
[Quidway-aaa] display radius-server configuration
-------------------------------------------------------------------
Server-template-name : ssh
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 10.164.6.49 :1812 LoopBack:NULL
Primary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-authentication-server : 0.0.0.0 :0 LoopBack:NULL
Secondary-accounting-server : 0.0.0.0 :0 LoopBack:NULL
Retransmission : 3
Domain-included : YES
Calling-station-id MAC-format : xxxx-xxxx-xxxx
-------------------------------------------------------------------
Total of radius template :1
# Display the connection of the SSH server.

Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : ssh1@ssh.com
Retry : 1
Session 2:
Conn : VTY 1
Version : 2.0
State : started
Username : ssh2@ssh.com
Retry : 1
Service Type : sftp
----End
Configuration Files
Configuration file of the SSH server
#
sysname Quidway

#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
#
#
Return

Configuration Guide - Basic Configuration 10 Web System Configuration
10 Web System Configuration
About This Chapter
Before configuring the device in Web mode, you need to configure the device as the Web server.
10.1 Overview of Web System

Through the Web system, users can manage and maintain the device in the graphical user
interface (GUI).
10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.

10.1 Overview of Web System

Through the Web system, users can manage and maintain the device in the graphical user
interface (GUI).
The device is installed with a built-in Web server. Thus, the terminal (such as a PC) connected
to the device can access the device through the Web browser.
Figure 10-1 shows the running environment of the Web system.
Figure 10-1 Running environment of the Web System

Switch
HTTP
Connection
PC
10.2 Starting Web System

This topic describes how to load the Web system and create an account of the Web system.
10.2.1 Setting the Management IP Address of the Device

This section describes how to configure the management IP address of the device. This IP address
is used by users to log in to the web network management system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface meth 0/0/1

The MEth interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
The IP address of the interface is configured.
----End
10.2.2 Uploading Web Page Files

This section describes how to obtain the Web page files and upload them to the device through
FTP.
Prerequisites
The web page file has been saved on the S6700 before delivery, so you do not need to upload
this file when using the S6700 for the first time. (You still need to load the file). When the
S6700 is upgraded, upload the web page file to the S6700 again.
To obtain the Web page file of the device, log in to http://support.huawei.com/enterprise, and
then choose Software > Product Software > Enterprise Networking > Datacom Network >
Campus Switch. Download the software package based on the product name and version. The
Web page file is contained in the software package. The file name is Product Name - the
Version of Software.the Version of Web page file.web.zip.
Before uploading the Web page file, copy the Web page file to the client from which you log in
to the device.
Context
NOTE
You can also download Web files through TFTP. In this case, the device functions as the TFTP client, and
the terminal that stores the Web files functions as the TFTP server. For details, see 9.4.4 Downloading
Files Using TFTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ftp server enable
The FTP server is enabled.
Step 3 Run:
aaa
Step 4 Run:
An FTP client is configured and the password is set to huawei.

Step 5 Run:
The local user level is set.
NOTE
The local user level must be set to 3 or higher.
Step 6 Run:
local-user user-name ftp-directory directory
The directory is set for the FTP client.
Step 7 Run:
local-user user-name service-type ftp
The service type of an FTP login user is set.
Step 8 Run the following command in the cmd view of the PC:
ftp ip-address
The user name and password are displayed. The PC can log in to the device.
C:\>ftp 10.1.1.132
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>
Step 9 Run the following command in the FTP view:

put local-filename
The web.zip file is uploaded from the PC to the device.

ftp> put web.zip
150 Opening ASCII mode data connection for web.zip.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>
----End
10.2.3 Loading a Web Page File

This section describes how to load a Web file.
Context
Before loading the Web page file, upload it to the device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http server load file-name
The Web page file is loaded to the device.
----End
10.2.4 Creating a Web Account

Before logging in to the device in Web mode, you need to create a Web account on the device.
Context
Before enabling the HTTP server,load the Web Page File to device.
The device provides a default user account for logging in to the web network management
system, with the user name admin and password admin. You can use the default account to log
in to the web network management system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
http server enable
The HTTP server is enabled.
NOTE
The HTTP server function can be enabled only when the Web page loaded exists.

http server port port-number
The monitoring port number of the HTTP server is set.
Step 4 Run:
aaa
Step 5 Run:
An HTTP client is configured and the password of the client is set.
Step 6 Run:
The HTTP user level is set.
NOTE
Set the HTTP user level to 3 or higher so that the HTTP user can have management-level rights. Users at
levels 0, 1 and 2 have only visit-level rights.

Step 7 Run:
local-user user-name service-type http
The access type of the user is set to HTTP.

Step 8 Run:
quit
Return to the system view.

http timeout timeout
The timeout period of an HTTP connection is set.

By default, the timeout period of an HTTP connection is 20 minutes.
free http user-id user-id
Release a web user of the VTY number.
----End
10.2.5 Logging In to the Web System

This section describes how to log in to the device in Web mode.
Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the device in the
address bar (the PC and the device have reachable routes to each other). Then, press Enter to
display the Login dialog box. As shown in Figure 10-2, enter the pre-set Web user name,
password and verify code, and then choice the language.
Figure 10-2 Login

NOTE
If you select Save my password before clicking Login, you do not need to enter the password at next
login.
Step 2 Click Login or press enter to display the homepage of the Web system.
You can configure the device after logging in to the Web system. For details on how to configure
the device on the Web system, see the S6700 Series Ethernet Switches Web System Guide.
----End


S6700 Configuration Guide Basic Configuration

Încărcat de

Informații document

Drepturi de autor

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

S6700 Configuration Guide Basic Configuration

Încărcat de

Drepturi de autor:

S6700 Series Ethernet Switches

Configuration Guide - Basic

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 05 (2013-04-10) Huawei Proprietary and Confidential i

About This Document

Indicates a hazard with a high level of risk, which if not

Indicates a hazard with a medium or low level of risk, which

Indicates a potentially hazardous situation, which if not

NOTE Provides additional information to emphasize or supplement

Issue 05 (2013-04-10) Huawei Proprietary and Confidential ii

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

# A line starting with the # sign is comments.

Interface Numbering Conventions

Password Setting Conventions

Issue 05 (2013-04-10) Huawei Proprietary and Confidential iii

Changes in Issue 05 (2013-04-10)

Changes in Issue 04 (2012-10-20)

Changes in Issue 03 (2012-07-03)

Changes in Issue 02 (2012-05-23)

Changes in Issue 01 (2012-03-15)

Issue 05 (2013-04-10) Huawei Proprietary and Confidential iv

About This Document.....................................................................................................................ii

3 How to Use Interfaces.................................................................................................................21

Issue 05 (2013-04-10) Huawei Proprietary and Confidential v

3.2.5 Starting and Shutting Down an Interface................................................................................................26

5 Configuring User Interfaces......................................................................................................43

6 Configuring User Login.............................................................................................................63

Issue 05 (2013-04-10) Huawei Proprietary and Confidential vi

6.1 Overview of User Login...................................................................................................................................64

Issue 05 (2013-04-10) Huawei Proprietary and Confidential vii

7 Managing the File System.......................................................................................................116

8 Configuring System Startup....................................................................................................157

Issue 05 (2013-04-10) Huawei Proprietary and Confidential viii

8.1.1 System Software....................................................................................................................................158

9 Accessing Another Device.......................................................................................................171

Issue 05 (2013-04-10) Huawei Proprietary and Confidential ix

9.4.4 Downloading Files Using TFTP............................................................................................................188

10 Web System Configuration...................................................................................................256

Issue 05 (2013-04-10) Huawei Proprietary and Confidential x

10.2 Starting Web System....................................................................................................................................257

Issue 05 (2013-04-10) Huawei Proprietary and Confidential xi

1 Logging In to the System for the First Time

About This Chapter

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 1

The console port is a linear port on the main control board.

1.2 Logging In to the Device Through the Console Port

1.2.1 Establishing the Configuration Task

l Install terminal emulation program on the PC (for example, Windows XP HyperTerminal).

1 Terminal communication parameters

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 2

1.2.2 Establishing the Physical Connection

1.2.3 Logging In to the Device

Figure 1-1 Connection creation

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 3

Step 2 Set an interface, as shown in Figure 1-2.

Figure 1-2 Interface settings

Figure 1-3 Communication parameter settings

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 4

Issue 05 (2013-04-10) Huawei Proprietary and Confidential 5