Configuration Guide - Basic Configurations (V600R003C00 - 02)
Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 02 (2011-09-10)
- This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
- On NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions of LPUs and SFUs to exchange and forward packets.
Related Versions
The following table lists the product versions related to this document.

Product Name: HUAWEI NetEngine80E/40E Router
Version: V600R003C00
Intended Audience
This document is intended for:
- Commissioning Engineer
- Data Configuration Engineer
- Network Monitoring Engineer
- System Maintenance Engineer
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol: Description

DANGER: Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.
WARNING: Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.
CAUTION: Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP: Provides a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points in the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.
Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.
Contents
About This Document ... ii
1 Logging In to the System for the First Time ... 1
1.1 Introduction to Log In to the Device for the First Time ... 2
1.2 Logging In to the Device Through the Console Port ... 2
1.2.1 Establishing the Configuration Task ... 2
1.2.2 Establishing the Physical Connection ... 3
1.2.3 Logging in to the router ... 3
1.3 Logging In to the router That Supports the Plug-and-Play Function ... 5
2 CLI Overview ... 7
2.1 CLI Introduction ... 8
2.1.1 Command Line Interface ... 8
2.1.2 Command Levels ... 8
2.1.3 Command Line Views ... 11
2.2 Online Help ... 12
2.2.1 Full Help ... 12
2.2.2 Partial Help ... 13
2.2.3 Error Messages of the Command Line Interface ... 13
2.3 CLI Features ... 14
2.3.1 Editing ... 14
2.3.2 Displaying ... 14
2.3.3 Regular Expressions ... 15
2.3.4 Previously-Used Commands ... 18
2.3.5 Batch Command Execution ... 19
2.4 Shortcut Keys ... 20
2.4.1 Classifying Shortcut Keys ... 20
2.4.2 Defining Shortcut Keys ... 22
2.4.3 Use of Shortcut Keys ... 22
2.5 Configuration Examples ... 23
2.5.1 Example for Running Commands in Batches ... 23
2.5.2 Example for Using Tab ... 24
2.5.3 Example for Using Shortcut Keys ... 25
2.5.4 Example for Copying Commands Using Shortcut Keys ... 25
3 Basic Configuration ... 27
3.1 Configuring the Basic System Environment ... 28
3.1.1 Establishing the Configuration Task ... 28
3.1.2 Switching the Language Mode ... 28
3.1.3 Configuring the Equipment Name ... 29
3.1.4 Setting the System Clock ... 29
3.1.5 Configuring a Header ... 30
3.1.6 Configuring Command Levels ... 31
3.1.7 Configuring the Undo Command to Match in the Previous View Automatically ... 32
3.2 Displaying System Status Messages ... 33
3.2.1 Displaying System Configuration ... 33
3.2.2 Displaying System Status ... 34
3.2.3 Collecting System Diagnostic Information ... 34
4.5.2 Example for Configuring AUX User Interface ... 61
4.5.3 Example for Configuring VTY User Interface ... 63
5.7.3 Example for Configuring User Login by Using Telnet ... 98
5.7.4 Example for Configuring User Login by Using STelnet ... 101
7.1.2 Configuration Files ... 141
7.1.3 Configuration Files and Current Configurations ... 141
7.2 Managing Configuration Files ... 142
7.2.1 Establishing the Configuration Task ... 142
7.2.2 Saving Configuration Files ... 143
7.2.3 Clearing a Configuration File ... 144
7.2.4 Comparing Configuration Files ... 145
7.2.5 Checking the Configuration ... 146
7.3 Specifying a File for System Startup ... 147
7.3.1 Establishing the Configuration Task ... 147
7.3.2 Configuring System Software for a router to Load for the Next Startup ... 147
7.3.3 Configuring the Configuration File for Router to Load for the Next Startup ... 148
7.3.4 Checking the Configuration ... 148
7.4 Configuration Examples ... 149
7.4.1 Example for Configuring System Startup ... 149
8.5.4 Downloading Files by Using TFTP ... 169
8.5.5 Uploading Files by Using TFTP ... 169
8.5.6 Checking the Configuration ... 170
8.6 Accessing Files on Another Device by Using FTP ... 170
8.6.1 Establishing the Configuration Task ... 171
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client ... 171
8.6.3 Connecting to Other Devices by Using FTP Commands ... 172
8.6.4 Operating Files by Using FTP Commands ... 173
8.6.5 Changing Login Users ... 175
8.6.6 Disconnecting from the FTP Server ... 176
8.6.7 Checking the Configuration ... 176
8.7 Accessing Files on Another Device by Using SFTP ... 177
8.7.1 Establishing the Configuration Task ... 177
8.7.2 (Optional) Configuring a Source IP Address for an SFTP Client ... 178
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client) ... 178
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server) ... 179
8.7.5 Connecting to Other Devices by Using SFTP ... 180
8.7.6 Operating Files by Using SFTP Commands ... 181
8.7.7 Checking the Configuration ... 183
8.8 Configuration Examples ... 183
8.8.1 Example for Logging in to Another Device by Using Telnet ... 183
8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function ... 186
8.8.3 Example for Logging in to Another Device by Using Telnet on a VPN ... 187
8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server ... 189
8.8.5 Example for Accessing Files on Another Device by Using TFTP ... 195
8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the Management VPN Instance Is Used ... 197
8.8.7 Example for Accessing Files on Another Device by Using FTP ... 199
8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the Management VPN Instance Is Used ... 201
8.8.9 Example for Accessing Files on Another Device by Using SFTP ... 202
8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the Management VPN Instance Is Used ... 208
8.8.11 Example for Accessing the SSH Server Through Other Port Numbers ... 213
8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network ... 219
9.2.2 Setting Basic Configurations for Clock Synchronization ... 231
9.2.3 Checking the Configuration ... 232
9.3 Configuring an External BITS Clock Source ... 232
9.3.1 Establishing the Configuration Task ... 233
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock ... 233
9.3.3 Configuring an External Clock Source and Its Signal Type on the router ... 233
9.3.4 Checking the Configuration ... 234
9.4 Configuring a Clock Reference Source Manually or Forcibly ... 234
9.4.1 Establishing the Configuration Task ... 234
9.4.2 Configuring a Clock Reference Source ... 235
9.4.3 Checking the Configuration ... 236
9.5 Configuring Clock Protection Switching Based on SSM Levels ... 237
9.5.1 Establishing the Configuration Task ... 237
9.5.2 Configuring the Router to Automatically Select Clock Sources ... 237
9.5.3 Enabling SSM ... 238
9.5.4 Configuring the SSM Level of the Clock Reference Source ... 238
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs ... 239
9.5.6 Setting the Modes of Extracting SSM Levels ... 239
9.5.7 Checking the Configuration ... 240
9.6 Configuring Clock Protection Switching Based on Priorities ... 241
9.6.1 Establishing the Configuration Task ... 241
9.6.2 Configuring the Router to Automatically Select Clock Sources ... 241
9.6.3 Disabling SSM ... 242
9.6.4 Setting Priorities of Clock Reference Sources ... 242
9.6.5 Checking the Configuration ... 243
9.7 Configuring Ethernet Clock Synchronization ... 243
9.7.1 Establishing the Configuration Task ... 243
9.7.2 Enabling Ethernet Clock Synchronization ... 244
9.7.3 Configuring Ethernet Clock Source ... 245
9.7.4 Checking the Configuration ... 245
9.8 Configuration Examples of Clock Synchronization ... 246
9.8.1 Example for Configuring Protection Switchover of Clock Sources ... 246
10 Device Maintenance ... 254
10.1 Introduction of Device Maintenance ... 256
10.1.1 Overview of Device Maintenance ... 256
10.1.2 Maintenance Features Supported by the NE80E/40E ... 256
10.2 Powering off the MPU ... 256
10.2.1 Establishing the Configuration Task ... 256
10.2.2 Powering off the Slave MPU ... 257
10.2.3 Checking the Configuration ... 258
10.3 Powering off the SFU ... 258
10.3.1 Establishing the Configuration Task ... 259
10.3.2 Powering off the SFU ... 259
10.3.3 Checking the Configuration ... 260
10.4 Powering off the NPU ... 260
10.4.1 Establishing the Configuration Task ... 261
10.4.2 Powering off the NPU ... 261
10.4.3 Checking the Configuration ... 262
10.5 Powering off the LPU ... 262
10.5.1 Establishing the Configuration Task ... 262
10.5.2 Powering off the LPU ... 263
10.5.3 Checking the Configuration ... 263
10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s ... 264
10.6.1 Establishing the Configuration Task ... 264
10.6.2 Restoring the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s ... 265
10.6.3 Checking the Configuration ... 265
10.7 Switching Between the Operation Modes of the LPUF-10 ... 266
10.7.1 Establishing the Configuration Task ... 266
10.7.2 Switching Between the Operation Modes of the LPUF-10 ... 267
10.7.3 Checking the Configuration ... 267
10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21 ... 268
10.8.1 Establishing the Configuration Task ... 268
10.8.2 Configuring a Service Mode for an LPUF-20/21 or LPUF-40 ... 269
10.8.3 Checking the Configuration ... 270
10.9 Configuring the CMU ... 271
10.9.1 Establishing the Configuration Task ... 271
10.9.2 Configuring Monitor Items for a CMU ... 271
10.10 Configuring a Cleaning Cycle for the Air Filter ... 272
10.10.1 Establishing the Configuration Task ... 272
10.10.2 Configuring a Cleaning Cycle for the Air Filter ... 272
10.10.3 Remonitoring the Cleaning Cycle of the Air Filter ... 273
10.10.4 Checking the Configuration ... 273
10.11 Monitoring the Device Status ... 274
10.11.1 Displaying the System Version Information ... 274
10.11.2 Displaying Basic Information About the Router ... 274
10.11.3 Displaying the Electronic Label ... 275
10.11.4 Displaying the Soft Boot Mode ... 275
10.11.5 Displaying the Threshold of the Memory Usage ... 276
10.11.6 Displaying the Threshold of CPU Usage ... 276
10.11.7 Displaying Alarm Information ... 276
10.11.8 Displaying the Board Temperature ... 277
10.11.9 Displaying the Board Voltage ... 277
10.11.10 Displaying the Power Supply Status ... 278
10.11.11 Displaying Current Information About Boards ... 278
10.11.12 Displaying Environment Information About the Device ... 279
10.11.13 Displaying the Fan Status ... 279
10.11.14 Displaying the Sequence Number of the MPU ... 279
10.11.15 Displaying the Next Start Mode of the Board ... 280
10.11.16 Displaying the Number of the Registered SFUs By Default ... 280
10.12 Board Maintenance ... 281
10.12.1 Resetting a Board ... 281
10.12.2 Clearing the Maximum CPU Usage ... 281
10.13 Configuring NAP-based Remote Deployment ... 282
10.13.1 Establishing the Configuration Task ... 282
10.13.2 Configuring and Starting the NAP Master Interface ... 283
10.13.3 Remote Login ... 285
10.13.4 Disabling NAP on the Slave Device ... 285
10.13.5 Checking the Configuration ... 286
10.14 Configuration Examples of the Device Maintenance ... 287
10.14.1 Example for Powering off the MPU ... 287
10.14.2 Example for Powering off the SFU ... 289
10.14.3 Example for Powering off the LPU ... 290
10.14.4 Example for Configuring the Operation Mode of the LPUF-10 ... 291
10.14.5 Example for Configuring NAP-based Remote Deployment in Automatic Mode ... 292
10.14.6 Example for Configuring NAP-based Remote Deployment in Static Mode ... 293
11 Device Upgrading ... 296
11.1 Overview of Device Upgrade ... 297
11.2 Upgrade Modes Supported by the NE80E/40E ... 297
12 Patch Management ... 299
12.1 Introduction of Patch Management ... 300
12.1.1 Overview of Patch Management ... 300
12.1.2 Patches Supported by the NE80E/40E ... 301
12.2 Checking the Running of Patch in the System ... 302
12.2.1 Establishing the Configuration Task ... 302
12.2.2 Checking the Running of Patch in the System ... 303
12.2.3 (Optional) Deleting a Patch ... 303
12.3 Loading a Patch ... 304
12.3.1 Establishing the Configuration Task ... 304
12.3.2 Loading a Patch ... 304
12.3.3 Checking the Configuration ... 305
12.4 Installing a Patch ... 306
12.4.1 Establishing the Configuration Task ... 306
12.4.2 Loading a
Patch...................................................................................................................................307 12.4.3 Activating a Patch................................................................................................................................307 12.4.4 Running a Patch...................................................................................................................................308 12.4.5 (Optional) Synchronizing Patches.......................................................................................................308 Issue 02 (2011-09-10) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. xiii
Contents
12.4.6 Checking the Configuration.................................................................................................................309 12.5 (Optional) Unactivating the activating of Patch...........................................................................................313 12.5.1 Establishing the Configuration Task...................................................................................................313 12.5.2 Deactivating a Patch............................................................................................................................313 12.5.3 Checking the Configuration.................................................................................................................313 12.6 Configuration Examples of the Patch Management.....................................................................................314 12.6.1 Example for Installing a Patch.............................................................................................................314
Issue 02 (2011-09-10)
xiv
Issue 02 (2011-09-10)
When a device is powered on for the first time, you must log in to it through the console port. This is a prerequisite for the other login modes: for example, the IP address used for Telnet login must first be configured by logging in through the console port.
The plug-and-play function can be configured only on the X1, X2 and X3 models of the NE80E/40E.
During site deployment, routers are often far from the equipment room, and sending software commissioning engineers to deploy the network at the site is costly. With the plug-and-play function enabled, the router automatically obtains an IP address, so software commissioning engineers can deliver the configuration remotely through the NMS once installation personnel have finished the hardware installation. This greatly simplifies installation and reduces cost by minimizing site visits. The plug-and-play function is controlled by a PAF file and does not need to be configured manually. It is automatically disabled after the router has obtained an IP address.
Applicable Environment
When the router is powered on for the first time, you must log in through the console port to configure and manage the router.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
- Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)
- Preparing the RS-232 cable
Data Preparation
To log in to the router through the console port, you need the following data.

No.  Data
1    Terminal communication parameters:
     - Baud rate
     - Data bits
     - Parity
     - Stop bits
     - Flow control mode
NOTE
When the router is logged in to for the first time, the console port uses the default values of these parameters, so the terminal must be set to the same defaults.
Procedure
Step 1 Power on all devices so that they perform a self-check.
Step 2 Connect the COM port on the PC to the console port on the router with the cable.
----End
Context
You need to configure the terminal attributes on the PC to match those configured for the console port: transmission rate, data bits, parity bit, stop bits, and flow control mode. Because the router is being logged in to for the first time, every terminal attribute uses the router's default value.
Procedure
Step 1 Start a terminal emulator on the PC and create a new connection, as shown in Figure 1-1.
Step 2 Set the interface (the COM port to be used), as shown in Figure 1-2.
Figure 1-2 Interface setting
Step 3 Set the communication parameters to the same values as the router's defaults, as shown in Figure 1-3.
Step 4 Press Enter. A command line prompt such as <HUAWEI> appears; this is the user view, from which you can configure the router.
----End
Context
NOTE
The plug-and-play function can be configured only on the X1, X2 and X3 models of the NE80E/40E.
During site deployment, routers are often far from the equipment room, and sending software commissioning engineers to deploy the network at the site is costly. With the plug-and-play function enabled, the router automatically obtains an IP address, so software commissioning engineers can deliver the configuration remotely through the NMS once installation personnel have finished the hardware installation. This greatly simplifies installation and reduces cost by minimizing site visits. The plug-and-play function is controlled by a PAF file and does not need to be configured manually. It is automatically disabled after the router has obtained an IP address. The process of logging in to a router that supports the plug-and-play function is as follows:
Procedure
Step 1 After planning the network, network planning engineers provide a planning list to the software commissioning engineers.
Step 2 Based on the planning list, software commissioning engineers configure the mappings between router locations and IP addresses on the DHCP server, compile the configuration scripts, and configure the mappings between router locations and scripts.
Step 3 Hardware installation personnel install the routers at the site and power them on.
Step 4 The router sends a DHCPREQUEST message to the DHCP server, and the interface connected to the DHCP server obtains an IP address.
Step 5 The NMS delivers the configuration to the router.
----End
Follow-up Procedure
If there is no DHCP server on the network, or the router cannot obtain an IP address for some other reason, the router displays the following information:
PNP State!!!PLEASE UNDO PNP enable for manual Setup! You can undo PNP in system view with "undo pnp enable"
In this case, disable the plug-and-play function as follows:
1. Run the system-view command to enter the system view.
2. Run the undo pnp enable command to disable the plug-and-play function.
3. Run the undo pnp default route command to delete the default route generated by the plug-and-play function, so that it does not remain in effect after manual setup.
2 CLI Overview

About This Chapter
The command line interface (CLI) is used to configure and maintain devices.
2.1 CLI Introduction
After you log in to the router, a prompt is displayed, indicating that you have entered the command line interface (CLI). Users interact with the router through the CLI.
2.2 Online Help
When entering command lines or configuring services, you can use the online help function to obtain help in real time.
2.3 CLI Features
The CLI provides the following features to help users use it flexibly.
2.4 Shortcut Keys
Using system-defined or user-defined shortcut keys makes it easier to enter commands.
2.5 Configuration Examples
This section provides several examples of using command lines.
- The system supports commands of up to 512 characters.
- A command can be incomplete: you can input only the initial characters (one or more) of each key word to represent the whole command, provided that the abbreviation is unique in the system. For example, to use the display current-configuration command, input d cu, di cu, or dis cu. d c or dis c cannot be used, because they do not uniquely identify the display current-configuration command.
- The system saves an incomplete command to the configuration file in its complete form, so the saved command may exceed 512 characters. After the system restarts, such a command cannot be restored. Therefore, pay attention to the length of the incomplete command.
The default command levels are as follows:

Table 2-1 Command line levels
Level  Name                 Description
0      Visit level          Network diagnosis tool commands (such as ping and tracert) and commands that start from the local device and visit an external device (such as the Telnet client).
1      Monitoring level     Commands used for system maintenance and fault diagnosis, including the display commands.
2      Configuration level  Service configuration commands that provide direct network services to users, including routing and network-layer commands.
3      Management level     Commands that influence the basic operation of the system and support the services: file system commands, FTP commands, TFTP commands, XModem download commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and the debugging commands used for fault diagnosis.

To implement finer-grained management, you can expand the command levels to 0-15. For how to expand the command levels, refer to Chapter 4 "Basic Configuration", Configuring Command Levels, in the HUAWEI NetEngine80E/40E Configuration Guide - Basic Configurations.
NOTE
- The default level of a command may be higher than the level that the command rules would assign to it.
- Which commands a user can run is determined by the level of that user.
- Login users have the same 16 levels as commands. A login user can run only commands whose level is equal to or lower than the user's own level. The user privilege level level command sets the user level.
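The two rules above, unique-prefix expansion of abbreviated commands and the command-level check against the user level, are illustrated by the following added example. It is not code from the router or from this guide: the command tree is a small constructed subset with assumed levels, chosen so that d cu, di cu and dis cu resolve while d c and dis c stay ambiguous, as the text describes.

```python
# Constructed subset of the user-view command tree (an assumption for this
# example, not the router's real command set): keyword -> (command level,
# sub-keywords). Levels follow Table 2-1: 0 visit, 1 monitoring,
# 2 configuration, 3 management.
COMMAND_TREE = {
    "display": (1, {
        "clock": (1, {}),
        "cpu-usage": (1, {}),
        "current-configuration": (1, {}),
        "ip": (1, {"routing-table": (1, {})}),
        "users": (1, {}),
    }),
    "debugging": (3, {"ip": (3, {"packet": (3, {})})}),
    "delete": (3, {}),
    "dir": (3, {}),
    "ping": (0, {}),
    "tracert": (0, {}),
    "telnet": (0, {}),
    "save": (3, {}),
}


def expand(tokens, tree=COMMAND_TREE):
    """Return every complete command the abbreviated tokens could stand for.

    Each token may be a prefix of a keyword. The search backtracks over the
    whole token list, so "d cu" resolves through "display" even though "d"
    alone also matches debugging, delete and dir.
    """
    if not tokens:
        return [[]]
    head, rest = tokens[0], tokens[1:]
    matches = []
    for keyword, (_level, children) in tree.items():
        if keyword.startswith(head):
            for tail in expand(rest, children):
                matches.append([keyword] + tail)
    return matches


def command_level(path, tree=COMMAND_TREE):
    """Level of a complete command: the highest level along its keywords."""
    level, node = 0, tree
    for keyword in path:
        keyword_level, node = node[keyword]
        level = max(level, keyword_level)
    return level


def resolve(line, user_level):
    """Expand an abbreviated command line and apply the level check.

    Returns (status, text): ("ok", complete command) when the abbreviation
    is unique and permitted for this user level; otherwise ("ambiguous",
    candidates), ("unrecognized", line) or ("denied", complete command).
    The complete form is what the system writes to the configuration file.
    """
    tokens = line.split()
    if not tokens:
        return ("unrecognized", line)
    candidates = expand(tokens)
    if not candidates:
        return ("unrecognized", line)
    if len(candidates) > 1:
        return ("ambiguous", " | ".join(" ".join(c) for c in candidates))
    full = " ".join(candidates[0])
    if command_level(candidates[0]) > user_level:
        return ("denied", full)
    return ("ok", full)


if __name__ == "__main__":
    for entry, level in (("d cu", 1), ("dis c", 1), ("deb ip pack", 1)):
        print("%-12s user level %d -> %s" % (entry, level, resolve(entry, level)))
```

The level check is applied to the expanded command rather than to the typed abbreviation, so a user cannot reach a management-level command by abbreviating it; the candidate list is also useful for showing why an entry such as dis c is rejected.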
3. Enter the desired command level in the "Type in the word(s) to search for" text box and click "List Topics". All commands of the specified level are displayed, as shown in Figure 2-2.
# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa [HUAWEI-aaa]
- The command prompt "HUAWEI" is the default host name.
- The prompt indicates the current view. For example, "<HUAWEI>" indicates the user view, and "[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be run in both the system view and other views, but with different effects. For example, the mpls command enables MPLS globally when run in the system view, and enables MPLS only on one interface when run in that interface view.
Procedure
- You can obtain full help on a command line in the following ways.
Enter a question mark (?) in any command view to display all the commands available in that view with brief descriptions.
<HUAWEI> ?
User view commands:
  arp-ping             ARP-ping
  backup               Backup information
  batch-cmd            Batch commands
  board-channel-check  Board-Channel-Check enable/disable
  capture-packet       enable capturing packet
  cd                   Change current directory
  ... ...
Enter a command followed by a space and a question mark (?). If a key word is expected at this position, all the key words and their brief descriptions are displayed. For example:
<HUAWEI> language-mode ?
  Chinese    Chinese environment
  English    English environment
Chinese and English are key words; Chinese environment and English environment describe them.
Enter a command followed by a space and a question mark (?). If a parameter is expected at this position, the parameter names and their descriptions are displayed. For example:
[HUAWEI] ftp timeout ?
  INTEGER<1-35791>  The value of FTP timeout (in minutes)
[HUAWEI] ftp timeout 35 ?
  <cr>              Please press ENTER to execute command
[HUAWEI] ftp timeout 35
In the preceding display, INTEGER<1-35791> describes the parameter value, and "The value of FTP timeout (in minutes)" briefly describes the parameter usage. <cr> indicates that no further parameter is expected at this position; the command is repeated on the next command line, and you can press Enter to run it.
----End
Procedure
- You can obtain partial help on a command line in the following ways.
Enter a character string followed directly by a question mark (?) to display all commands that begin with this string.
<HUAWEI> d?
  debugging    delete    dir    display
Enter a command, a space, and a character string followed directly by a question mark (?) to display all the key words that begin with this string.
<HUAWEI> display b?
  bas-interface     bfd               bgp               board-current
  board-power       board-type        bootmode-current  bootmode-next
  bootrom           btv               buffer            bulk-stat
Enter the first several letters of a key word and press Tab. If the letters uniquely identify the key word, the complete key word is displayed. Otherwise, pressing Tab repeatedly displays the matching key words in turn, and you can select the one you need.
----End
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using certain keys. The command line supports multi-line editing. The maximum length of a command is 512 characters. Keys that are often used for editing are shown in Table 2-3.

Table 2-3 Keys for editing
Key               Function
Common key        Inserts a character at the cursor position if the editing buffer is not full, and moves the cursor to the right. Otherwise, an alarm is generated.
Backspace         Deletes the character on the left of the cursor and moves the cursor to the left. When the cursor reaches the head of the command, an alarm is generated.
Left cursor key   Moves the cursor one character to the left. When the cursor reaches the head of the command, an alarm is generated.
Right cursor key  Moves the cursor one character to the right. When the cursor reaches the end of the command, an alarm is generated.
Tab               Press Tab after typing an incomplete key word and the system runs the partial help:
                  - If the matching key word is unique, the system replaces the typed one with the complete key word and displays it in a new line, with the cursor one space after it.
                  - If there are several matches or no match at all, the system displays the common prefix first. Then you can press Tab to view the matching key words one by one. In this case, the cursor directly follows the end of the word, and you can type a space to enter the next word.
                  - If a wrong key word is entered, press Tab and the word is displayed unchanged in a new line.
2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as required. You can control the display of information on the CLI as follows:
- Prompts and help information can be displayed in both Chinese and English. Use the language-mode language-name command to change the language mode.
- If the output does not fit on one screen, you have three options for viewing it, as shown in Table 2-4.

Table 2-4 Keys for displaying
Key     Function
Ctrl_C  Stops the display and the running of the command.
Space   Displays the next screen of information.
Enter   Displays the next line of information.
NOTE
You can also press any key other than the spacebar and Enter to stop the display and the running of the command.
Particular character  Syntax and example
\       Syntax: Defines an escape character, which marks the next character (common or particular) as a common character.
        Example: \* matches "*".
^       Syntax: Matches the starting position of the string.
        Example: ^10 matches "10.10.10.1" but not "20.10.10.1".
$       Syntax: Matches the ending position of the string.
        Example: 1$ matches "10.10.10.1" but not "10.10.10.2".
*       Syntax: Matches the preceding element zero or more times.
        Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".
+       Syntax: Matches the preceding element one or more times.
        Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".
?       Syntax: Matches the preceding element zero or one time.
        Example: 10? matches "1" and "10". (10)? matches "null" and "10".
.       Syntax: Matches any single character.
        Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".
()      Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression must be matched.
        Example: 100(200)+ matches "100200" and "100200200".
x|y     Syntax: Matches x or y.
        Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", but not "1234", "14", "1224", or "1334".
[xyz]   Syntax: Matches any single character listed within the brackets.
        Example: [123] matches the character 2 in "255".
[^xyz]  Syntax: Matches any character that is not listed within the brackets.
        Example: [^123] matches any character except "1", "2", and "3".
[a-z]   Syntax: Matches any character within the specified range.
        Example: [0-9] matches any character from 0 to 9.
[^a-z]  Syntax: Matches any character outside the specified range.
        Example: [^0-9] matches any non-numeric character.
_       Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right parenthesis ")"; the starting position of the input string; the ending position of the input string; or a space.
        Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Degeneration of particular characters
Certain particular characters degenerate to common characters when they are placed at the following positions in a regular expression:
- A particular character following "\" is escaped and matches the particular character itself.
- The particular characters "*", "+", and "?" at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
- The particular character "^" at any position other than the start of the regular expression. For example, abc^ matches "abc^".
- The particular character "$" at any position other than the end of the regular expression. For example, 12$2 matches "12$2".
- A right bracket ")" or "]" that is not paired with a corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions serve as subexpressions within parentheses.
Combination of common and particular characters In actual application, a regular expression combines multiple common and particular characters to match certain strings.
CAUTION
The HUAWEI NetEngine80E/40E uses regular expressions to implement the filtering function of the pipe character. A display command supports the pipe character only when it produces more output than fits on one screen. When the output is filtered, the displayed output starts with the first line that satisfies the filtering condition. The command can carry the parameter | count to display the number of matching entries; | count can be combined with the other filter parameters. For commands that support regular expressions, the three filtering methods are as follows:
- | begin regular-expression: displays the output starting from the first line that matches regular-expression.
- | exclude regular-expression: displays only the lines that do not match regular-expression.
- | include regular-expression: displays only the lines that match regular-expression.
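The following added example (not code from the router or from this guide) shows the regular-expression rules of the preceding table and the degeneration rules, together with the three pipe filtering methods and | count, as a small translator from the VRP syntax into Python's re syntax plus a line filter. The routing-table lines it is run over are constructed for the example, not captured from a device; the translator covers only the characters the guide documents.

```python
import re

# What the VRP particular character "_" can stand for: start or end of the
# string, a space, a comma, or either brace or parenthesis.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def vrp_to_python(pattern):
    """Translate a VRP-style regular expression into Python re syntax.

    Applies the degeneration rules from the CLI Overview: "*", "+" and "?"
    at the start of the expression or of a parenthesised subexpression,
    "^" anywhere but the start, "$" anywhere but the end, and an unpaired
    ")" or "]" are all treated as ordinary characters.
    """
    out = []
    depth = 0          # number of currently open "(" groups
    in_class = False   # inside a "[...]" bracket expression
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        at_start = i == 0 or pattern[i - 1] == "("
        at_end = i == n - 1 or pattern[i + 1] == ")"
        if in_class:                      # copy a bracket expression verbatim
            if c == "]":
                in_class = False
            out.append(c)
        elif c == "\\" and i + 1 < n:     # "\x" matches the character x itself
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "_":
            out.append(_UNDERSCORE)
        elif c in "*+?":
            out.append(re.escape(c) if at_start else c)
        elif c == "^":
            out.append("^" if at_start else r"\^")
        elif c == "$":
            out.append("$" if at_end else r"\$")
        elif c == "(":
            depth += 1
            out.append("(")
        elif c == ")":
            if depth:
                depth -= 1
                out.append(")")
            else:
                out.append(r"\)")          # unpaired ")" degenerates
        elif c == "[":
            in_class = True
            out.append("[")
            if i + 1 < n and pattern[i + 1] == "^":   # "[^...]" negated class
                out.append("^")
                i += 1
        elif c == "]":
            out.append(r"\]")              # unpaired "]" degenerates
        elif c in ".|":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def vrp_match(pattern, text):
    """True when the VRP regular expression matches anywhere in text."""
    return re.search(vrp_to_python(pattern), text) is not None


def pipe_filter(lines, mode, pattern):
    """Apply "| begin", "| include" or "| exclude" to lines of command output."""
    rx = re.compile(vrp_to_python(pattern))
    if mode == "begin":           # everything from the first matching line on
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []
    if mode == "include":         # only the matching lines
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":         # everything except the matching lines
        return [ln for ln in lines if not rx.search(ln)]
    raise ValueError("unknown filter mode: %s" % mode)


def pipe_count(lines, mode, pattern):
    """Number of lines a filter keeps, as "| count" reports it."""
    return len(pipe_filter(lines, mode, pattern))


# Constructed sample output in the shape of a routing table display
# (not captured from a device).
SAMPLE_OUTPUT = [
    "Destination/Mask    Proto   Pre  Cost  NextHop       Interface",
    "10.10.10.0/24       Direct  0    0     10.10.10.1    GigabitEthernet1/0/0",
    "10.10.10.1/32       Direct  0    0     127.0.0.1     InLoopBack0",
    "20.10.10.0/24       Static  60   0     10.10.10.254  GigabitEthernet1/0/0",
    "127.0.0.0/8         Direct  0    0     127.0.0.1     InLoopBack0",
]

if __name__ == "__main__":
    for ln in pipe_filter(SAMPLE_OUTPUT, "begin", "_Static_"):
        print(ln)
    print(pipe_count(SAMPLE_OUTPUT, "include", "^10"), "lines match ^10")
```

The _Static_ pattern is the practical one when filtering device output: it anchors the word on spaces and punctuation, so it does not also match a longer token that happens to contain the same letters.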
NOTE
Setting the number of saved previously-used commands to a reasonable value is recommended. If a large number of previously-used commands are saved, locating the one you need takes a long time and reduces efficiency.
The operations are shown in Table 2-6.

Table 2-6 Accessing previously-used commands
Action                                     Key or command            Result
Display previously-used commands           display history-command   Displays the previously-used commands entered by users.
Access the previous previously-used command   Up cursor key or Ctrl_P   Displays the previous command if there is an earlier previously-used command. Otherwise, an alarm is generated.
Access the next previously-used command    Down cursor key or Ctrl_N  Displays the next command if there is a later previously-used command. Otherwise, the command is cleared and an alarm is generated.
NOTE
On the HyperTerminal of Windows 9X, the cursor keys do not work because Windows 9X HyperTerminal defines the keys differently. In this case, use Ctrl_P instead of the up cursor key.
When you use previously-used commands, note the following points:
- Previously-used commands are saved exactly as the user entered them. For example, if the user enters an incomplete command, the saved command is also incomplete.
- If the user runs the same command several times, only one previously-used command is saved. Commands entered in different forms are considered different commands. For example, if the display ip routing-table command is run several times, only one previously-used command is saved; if the disp ip routing command and the display ip routing-table command are both run, two previously-used commands are saved.
Procedure
Step 1 In the user view, run:
batch-cmd edit
Commands are edited to be executed in batches. The batch-cmd edit command can be used by only one user at a time.
The maximum length of a command (including the incomplete command) to be entered is 512 characters. When editing commands, press Enter to complete the editing of each command.
NOTE
- After the batch-cmd edit command runs successfully, the system deletes the commands previously edited for batch execution.
- The edited commands are saved in memory only and are permanently lost when the system restarts.
Step 2 After all commands are edited, press Ctrl_Z to exit the editing state and return to the user view.
Step 3 In the user view, run:
batch-cmd execute
The commands are executed in batches. The batch-cmd execute command can be used by only one user at a time. The sequence of running commands is the same as the sequence of editing commands. You can view the execution of these commands on the CLI. After the execution is complete, the user view is displayed.
NOTE
If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in batches, the system displays an error when executing the batch-cmd edit or batch-cmd execute command and continues to execute the following commands.
----End
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may be different from those listed in this section.
Table 2-7 System-defined shortcut keys
Key          Function
CTRL_A       Moves the cursor to the beginning of the current line.
CTRL_B       Moves the cursor one character to the left.
CTRL_C       Terminates the running function.
CTRL_D       Deletes the character at the cursor.
CTRL_E       Moves the cursor to the end of the current line.
CTRL_F       Moves the cursor one character to the right.
CTRL_H       Deletes the character on the left of the cursor.
CTRL_K       Stops the creation of an outbound connection.
CTRL_N       Displays the next command in the previously-used command buffer.
CTRL_P       Displays the previous command in the previously-used command buffer.
CTRL_R       Redisplays the information of the current line.
CTRL_T       Terminates the outbound connection.
CTRL_V       Pastes the contents of the clipboard.
CTRL_W       Deletes the character string or character on the left of the cursor.
CTRL_X       Deletes all the characters on the left of the cursor.
CTRL_Y       Deletes the character at the cursor and all the characters on its right.
CTRL_Z       Returns to the user view.
CTRL_]       Terminates the inbound or redirection connection.
ESC_B        Moves the cursor one word to the left.
ESC_D        Deletes the word on the right of the cursor.
ESC_F        Moves the cursor to the right, to the end of the next word.
ESC_N        Moves the cursor down to the next line.
ESC_P        Moves the cursor up to the previous line.
ESC_SHIFT_<  Marks the cursor position as the beginning of the clipboard selection.
ESC_SHIFT_>  Marks the cursor position as the end of the clipboard selection.
NOTE
When defining a shortcut key, enclose the command in double quotation marks if it consists of several command words, that is, if it contains spaces.
By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands:
- CTRL_G: display current-configuration
- CTRL_L: display ip routing-table
- CTRL_O: undo debugging all
The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut keys of the terminal conflict with those of the router, the input shortcut keys are captured by the terminal program and hence the shortcut keys do not function.
Run the following command in any view to display the shortcut keys in use.
Action: Check the usage of shortcut keys.
Command: display hotkey
Context
If a number of commands are frequently run one after another, you can run them in batches to improve efficiency. For example, during preventive maintenance inspection (PMI), you can enter all the PMI commands once and then send all the command output to the PMI tool, which improves PMI efficiency. Log in to the router and do as follows:
Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>
(Only fragments of the output of the batched commands survive in this example; the display startup result referred to cfcard:/V600R003C00SPC300.cc and cfcard:/vrp.cfg.)
----End
Context
Usually, you do not need to input complete key words. Instead, input one or a few beginning characters of a key word and press Tab to complete it. The Tab key helps you search for and use commands.
Procedure
Tab can be used in three ways, as shown in the following examples.
- The matching key word is unique after the incomplete key word is input.
  1. Input the incomplete key word.
     [HUAWEI] info-
  2. Press Tab. The system replaces the input with the complete key word and displays it in a new line, with the cursor one space after it.
     [HUAWEI] info-center
- There are several matches, or no match, after the incomplete key word is input. Here info-center can be followed by three key words beginning with log:
     [HUAWEI] info-center log?
       logbuffer  logfile  loghost
  1. Press Tab. The system first displays the common prefix, log in this example.
     [HUAWEI] info-center log
  2. Continue to press Tab. The system displays the matching key words one by one, with the cursor directly after the word.
     [HUAWEI] info-center loghost
     [HUAWEI] info-center logbuffer
     [HUAWEI] info-center logfile
     Stop pressing Tab when the key word you need, logfile, is displayed.
  3. Input a space to enter the next word, channel.
     [HUAWEI] info-center logfile channel
- Input an incorrect key word and press Tab to check whether it is correct.
  1. Input a wrong key word, loglog.
     [HUAWEI] info-center loglog
  2. Press Tab.
     [HUAWEI] info-center loglog
     The system displays the line again, but loglog remains unchanged and there is no space between the cursor and the key word, indicating that this key word does not exist.
----End
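The three Tab behaviours in the procedure above (unique completion, common prefix followed by cycling through candidates, and an unknown word left unchanged) are modelled by the following added example. It is not code from the router or from this guide; the key word lists it is driven with are constructed for the example, and the cycling order is assumed to follow the order in which the key words are listed, as in the loghost, logbuffer, logfile sequence shown above.

```python
import os


class TabCompleter:
    """Emulates how the VRP CLI handles the Tab key for one command word.

    The keyword list is supplied by the caller (a constructed assumption in
    this example, not the router's real keyword set). A unique match is
    completed and followed by a space; several matches first produce the
    common prefix and then cycle through the candidates with the cursor
    directly after the word; a word matching nothing is returned unchanged.
    """

    def __init__(self, keywords):
        self.keywords = list(keywords)   # cycling follows this order
        self._cycle = None               # candidates and position while cycling

    def press_tab(self, typed):
        """Return the word as the CLI displays it after one press of Tab."""
        # Pressing Tab again on exactly what the previous Tab produced moves
        # on to the next candidate (wrapping around at the end).
        if self._cycle and typed == self._cycle["shown"]:
            cycle = self._cycle
            cycle["index"] = (cycle["index"] + 1) % len(cycle["candidates"])
            cycle["shown"] = cycle["candidates"][cycle["index"]]
            return cycle["shown"]
        self._cycle = None
        matches = [k for k in self.keywords if k.startswith(typed)]
        if not matches:                  # wrong keyword: nothing changes
            return typed
        if len(matches) == 1:            # unique: complete it and add a space
            return matches[0] + " "
        prefix = os.path.commonprefix(matches)   # several: show the prefix first
        self._cycle = {"candidates": matches, "index": -1, "shown": prefix}
        return prefix


if __name__ == "__main__":
    completer = TabCompleter(["loghost", "logbuffer", "logfile"])
    for word in ("lo", "log", "loghost", "logbuffer", "loglog"):
        print("%-10s Tab -> %r" % (word, completer.press_tab(word)))
```

The trailing space after a unique completion is what lets the next word be typed immediately; its absence after a cycled candidate or an unknown word is how the CLI signals that the word may still need attention.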
Context
If shortcut keys are defined on the router that you log in to, they can be used by any user regardless of the user level.
Procedure
Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.
<HUAWEI> system-view
[HUAWEI] hotkey ctrl_u "display ip routing-table"
NOTE
When defining shortcut keys for a command, enclose the command in double quotation marks if it consists of multiple words separated by spaces. No double quotation marks are required for single-word commands.
----End
Context
If you need to repeatedly run a command, you can use shortcut keys to copy the command.
The copied command is saved on the clipboard and is available for only the current logged-in user. After the user logs out of the router, the clipboard is cleared. You can use shortcut keys to copy a command in any view.
Procedure
Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to the end and press Esc_Shift_>.
<HUAWEI> display ip routing-table
Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD----------------
display ip routing-table
Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.
<HUAWEI> display ip routing-table
NOTE
If you press shortcut keys to copy a new command, you can paste only the new command by using shortcut keys.
----End
3 Basic Configuration
About This Chapter
This chapter describes how to configure the router to suit your usage habits and the actual environment requirements after logging in to the router.
3.1 Configuring the Basic System Environment
This section describes how to configure the basic system environment.
3.2 Displaying System Status Messages
This section describes how to use display commands to check basic configurations of the current system.
Applicable Environment
Before configuring services, you need to configure the basic system environment (such as the language mode, time, device name, login information, and command level) to meet the environment requirement.
Pre-configuration Tasks
Before configuring the basic system environment, complete the following task:
l Powering on the router
Data Preparation
To configure the basic system environment, you need the following data.
No.  Data
1    Language mode
2    System time
3    Host name
4    Login information
5    Command level
Context
After the language mode is switched, the system displays prompts and outputs of command lines in the specified language. Language information (Chinese and English) has been stored in the system software and does not need to be loaded. Do as follows in the user view:
Procedure
l Run:
language-mode { chinese | english }
The language mode is switched. By default, the English mode is used. The help information on the router can be in English or in Chinese. The language mode is stored in the system software and does not need to be loaded.
----End
Context
The new equipment name takes effect immediately.
Procedure
Step 1 Run:
system-view
The equipment name is set. By default, the equipment name of the router is HUAWEI. You can change the name of the router that appears in the command prompt.
----End
Context
The system clock displays the current time and date of the system, time zone to which the system belongs, and daylight saving time. The NE80E/40E supports the configurations of the time zone and the daylight saving time. Do as follows in the user view:
Procedure
Step 1 Run:
The time zone is set.
l If add is configured, the current time is the UTC time plus the time offset. That is, UTC plus offset equals the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, UTC minus offset equals the time of time-zone-name.
NOTE
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]
The daylight saving time is set. By default, the daylight saving time is not set. During the configuration of the daylight saving time, you can configure the starting time and ending time in one of the following modes: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.
CAUTION
When the device is upgraded from an earlier version to V600R003C00, the configured daylight saving time does not take effect and needs to be reconfigured.
----End
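The add/minus and daylight-saving rules above, carried through as an added Python example that is not code from the Huawei guide. The clock timezone form clock timezone time-zone-name { add | minus } offset is assumed from the description above; the zone and rule values are constructed, and comparing the daylight-saving window in standard local time is a simplification of the device behaviour. The rule resolves the repeating form { first | second | third | fourth | last } weekday month to a concrete date, handles the one-year form with fixed dates, and honours the optional start-year and end-year range.

```python
"""Model of the clock timezone and clock daylight-saving-time rules above.

Added example, not code from the Huawei guide. It applies the stated
semantics: 'add' gives UTC plus the offset, 'minus' gives UTC minus the
offset, and a daylight-saving rule adds its own offset between a start
and an end point given as fixed dates (one-year) or as
'{ first | second | third | fourth | last } weekday month' (repeating),
optionally limited to start-year..end-year. The zone and rule values are
constructed; comparing the window in standard local time is a simplification.
"""
import calendar
from datetime import date, datetime, time, timedelta

ORDINALS = {"first": 0, "second": 1, "third": 2, "fourth": 3, "last": -1}
WEEKDAYS = {n.lower(): i for i, n in enumerate(calendar.day_name)}      # monday -> 0
MONTHS = {n.lower(): i for i, n in enumerate(calendar.month_name) if n}  # january -> 1


def nth_weekday(year, month_name, weekday_name, ordinal):
    """Resolve e.g. (2011, 'march', 'sunday', 'last') to the matching date."""
    month, wanted = MONTHS[month_name], WEEKDAYS[weekday_name]
    days = [d for d in calendar.Calendar().itermonthdates(year, month)
            if d.month == month and d.weekday() == wanted]
    return days[ORDINALS[ordinal]]


def zone_local(utc, sign, offset):
    """clock timezone NAME { add | minus } OFFSET (command form assumed from the text)."""
    if sign == "add":
        return utc + offset      # UTC + offset = time of time-zone-name
    if sign == "minus":
        return utc - offset      # UTC - offset = time of time-zone-name
    raise ValueError("sign must be 'add' or 'minus'")


class DstRule:
    """One daylight-saving rule; start/end are a date (one-year mode) or an
    (ordinal, weekday, month) tuple (repeating mode)."""

    def __init__(self, start, start_time, end, end_time, offset, years=None):
        self.start, self.start_time = start, start_time
        self.end, self.end_time = end, end_time
        self.offset = offset            # timedelta added while DST is in effect
        self.years = years              # (start_year, end_year) or None

    @staticmethod
    def _point(spec, at, year):
        day = spec if isinstance(spec, date) else nth_weekday(year, spec[2], spec[1], spec[0])
        return datetime.combine(day, at)

    def window(self, year):
        """(start, end) of the DST period for `year`, in standard local time."""
        return (self._point(self.start, self.start_time, year),
                self._point(self.end, self.end_time, year))

    def in_effect(self, standard_local):
        if self.years and not self.years[0] <= standard_local.year <= self.years[1]:
            return False
        start, end = self.window(standard_local.year)
        return start <= standard_local < end


def local_clock(utc, zone, dst=None):
    """What the clock shows for a UTC instant: (local time, dst_active)."""
    standard = zone_local(utc, *zone)
    if dst is not None and dst.in_effect(standard):
        return standard + dst.offset, True
    return standard, False


if __name__ == "__main__":
    # Constructed values: UTC+8 zone with a repeating rule from the last Sunday
    # of March, 02:00, to the last Sunday of October, 03:00, offset one hour.
    ZONE = ("add", timedelta(hours=8))
    RULE = DstRule(("last", "sunday", "march"), time(2, 0),
                   ("last", "sunday", "october"), time(3, 0), timedelta(hours=1))
    for utc in (datetime(2011, 9, 10, 0, 0), datetime(2011, 12, 1, 0, 0)):
        shown, active = local_clock(utc, ZONE, RULE)
        print(f"UTC {utc:%Y-%m-%d %H:%M} -> local {shown:%Y-%m-%d %H:%M} DST={active}")
```

The week+week, date+date and mixed modes named in the text map directly onto the start and end specifications: pass a date for a fixed boundary and an (ordinal, weekday, month) tuple for a weekday-based one.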
Context
A header text is a message that the system displays when a user is logging in to the router or after the user has logged in. If you need to provide information for login users, you can configure a header that the system displays during login or after login.
Procedure
Step 1 Run:
system-view
The header displayed after login is set. To display the header when the terminal connection has been activated but the user has not yet been authenticated, configure the login parameter. To display the header after the user logs in successfully, configure the shell parameter. If the user can log in to the router without authentication, the system directly displays the header after login.
CAUTION
l The header text starts and ends with the same character. After a character is input and Enter is pressed, an interactive interface is displayed. You can input the required information, ended with the first character. The system then exits from the interactive interface.
l If a user logs in to the router by using SSH1.X, the login header is not displayed during login, but the shell header is displayed after login.
l If a user logs in to the router by using SSH2.0, both login and shell headers are displayed.
----End
Context
If the user does not adjust a command level separately, after the command level is updated, all originally registered command lines are adjusted automatically according to the following rules:
l The commands of Level 0 and Level 1 remain unchanged.
l The commands of Level 2 are updated to Level 10, and the commands of Level 3 are updated to Level 15.
l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust command lines to these levels separately to refine the management of privileges.
CAUTION
Changing the default level of a command is not recommended. If the default level of a command is changed, some users may be unable to use the command any longer.
Procedure
Step 1 Run:
system-view
The command levels are updated in batches. When no password is configured for a level 15 user, the system prompts the user to set a super password for level 15 and, at the same time, asks whether to continue with the update of command levels. Select "N" to set a password first. If you select "Y", the command levels are updated in batches directly; this results in the user not logging in through the console port and failing to update the level.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With this command, you can specify the level and view of multiple commands at one time (command-key). All commands have default command views and levels, which you do not need to reconfigure.
----End
3.1.7 Configuring the Undo Command to Match in the Previous View Automatically
You can run the undo command in the current view and thus the system automatically matches the previous view.
Context
If the user allows the undo command to automatically match the previous view and the user runs the undo command that is not registered in the current view, the system searches the undo command in the previous view.
CAUTION
The undo command has disadvantages due to automatically matching. For example, when the user runs the undo ospf command in the interface view where the command is not registered, the system searches in system view automatically. This may lead to global deletion of the OSPF feature.
Procedure
Step 1 Run:
system-view
The undo command is configured to match the upper level view. By default, the undo command does not match the previous view automatically.
NOTE
l The matched upper-view command is valid for the current login user who runs this command.
l It is not recommended that you configure the undo command to automatically match the upper-level view, unless necessary.
----End
Context
You can use the display commands to collect information about the system status. The display commands are classified according to the following functions:
l Displaying system configurations.
l Displaying the running status of the system.
l Displaying the diagnostic information about a system.
l Displaying the restart information about the main control board.
See the related sections for display commands for protocols and interfaces. The following part only shows the system-level display commands. Run the following commands in any view.
Prerequisite
Basic configurations are complete.
Procedure
l Run the display version command to display the system version.
l Run the display clock [ utc ] command to display the system time.
l Run the display calendar command to display the system calendar.
l Run the display saved-configuration command to display the original configuration.
l Run the display current-configuration command to display the current configuration.
NOTE
l The display version command can be used to display the software version of the system, the chassis type, and information about the main control board and interface boards.
l The original configuration refers to the configuration file used by the device when it is powered on and initialized. The current configuration refers to the configuration taking effect during device operation. For details, see the chapter "Configuring System Startup" in the NE80E/40E Basic-Configuration.
----End
Prerequisite
Basic configurations are complete.
Procedure
l Run the display this command to display the configuration of the current view.
----End
Context
When a fault occurs during routine maintenance, you need to collect a large amount of information to locate it, which otherwise requires running many different display commands. In this case, you can use the display diagnostic-information command to collect all information about the modules currently running in the system.
Procedure
l Run:
display diagnostic-information [ file-name ]
The system diagnosis information is displayed. The display diagnostic-information command collects the information output by the following commands, among others: display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, and display history-command.
----End
4
About This Chapter
A user can log in to the router by using a console port or an AUX port, or by means of Telnet or SSH (STelnet). For users logging in to the router in different modes, the system uses different user interfaces to manage the sessions between the router and the users.
4.1 User Interface Overview
The system supports console, AUX, and VTY user interfaces.
4.2 Configuring the Console User Interface
When a user logs in to the router by using a console port for local maintenance, you can configure attributes for the corresponding console user interface as needed.
4.3 Configuring the AUX User Interface
When a user logs in to the router for local or remote configuration by using an AUX port, configure attributes for the corresponding AUX user interface as needed.
4.4 Configuring VTY User Interface
If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface as needed.
4.5 Configuration Examples
This section provides examples for configuring console, AUX, and VTY user interfaces. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.
Table 4-1 Example for the absolute numbering
Absolute number    User-interface
0                  CON0
33                 AUX0
34                 The first virtual interface (VTY0)
35                 The second virtual interface (VTY1)
36                 The third virtual interface (VTY2)
37                 The fourth virtual interface (VTY3)
38                 The fifth virtual interface (VTY4)
NOTE
The absolute numbers allocated for AUX and VTY interfaces are device-specific.
The numbers from 1 to 32 are reserved for the TTY user interfaces. Run the display user-interface command to view the absolute number of user interfaces.
Applicable Environment
If you need to log in to the router for local maintenance by using a console port, you can configure the corresponding console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. The preceding parameters have default values on the router and additional configuration is not needed. You can configure these parameters as needed.
Pre-configuration Tasks
Before configuring a console user interface, complete the following tasks:
l Logging in to the router by using a terminal
Data Preparation
To configure a console user interface, you need the following data.
No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    User authentication method, user name, and password
NOTE
All the default values (excluding the password and username) are stored on the router and do not need additional configuration.
Context
Physical attributes of a console port have default values on the router and no additional configuration is needed.
NOTE
When a user logs in to a router through a console port, the physical attributes set for the console port on the HyperTerminal should be consistent with the attributes of the console user interface on the router. Otherwise, the user cannot log in to the router.
Procedure
Step 1 Run:
system-view
The baud rate is set. By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set. By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set. By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
Context
Terminal attributes of the console user interface have default values on the router and you can set them as needed.
Procedure
Step 1 Run:
system-view
The idle timeout period is set. If the connection remains idle for the whole timeout period, the system automatically terminates the connection. By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The length of a terminal screen is set. The parameter temporary sets the number of lines to be temporarily displayed on a terminal screen. By default, the length of a terminal screen is 24 lines.
Step 6 Run:
history-command max-size size-value
The size of the history command buffer is set. By default, the size of the history command buffer on a user interface is 10 entries.
----End
Context
l Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.
l This procedure sets the priority for a user who logs in through the console port. A user can only use the commands at the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
l By default, users logging in through the console user interface can use commands at level 3, and users logging in through other user interfaces can use commands at level 0.
l If the command level is inconsistent with the user level, the user level takes precedence.
----End
4.2.5 Configuring the User Authentication Mode of the Console User Interface
The system provides three authentication modes: AAA, password authentication, and non-authentication. Configuring the user authentication mode can improve the security of the router.
Context
By default, the user authentication mode of the console user interface is non-authentication.
Procedure
l Configuring AAA Authentication
1. Run:
system-view
Name and password of the local user are created.
l Configuring Password Authentication
1. Run:
system-view
Prerequisite
The configurations of the user management function are complete.
Procedure
l Run the display users [ all ] command to check information about the user interface.
l Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay      Type    Network Address    AuthenStatus    AuthorcmdFlag
  0 CON 0      00:00:44                              pass            no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  0    CON 0   9600           3                   N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
---------------------------------------------------------------------------
Username    State    Type    CAR    Access-limit    Online
---------------------------------------------------------------------------
user123     Active   All     Dft    No              0
ll          Active   F       Dft    No              0
user1       Active   F       Dft    No              0
---------------------------------------------------------------------------
Total 3,3 printed
Applicable Environment
If you need to log in to the router for remote maintenance by using an AUX port, you can configure the corresponding AUX user interface as needed by setting the physical attributes, terminal attributes, user priority, and user authentication mode. The preceding parameters have default values on the router and additional configuration is not needed.
Pre-configuration Tasks
Before configuring an AUX user interface, complete the following tasks:
l Logging in to the router by using a terminal
Data Preparation
Before configuring an AUX user interface, you need the following data.
No.  Data
1    Baud rate, flow-control mode, parity, stop bit, and data bit
2    Idle timeout period, number of lines displayed in a terminal screen, and the size of history command buffer
3    User priority
4    Modem attributes
5    (Optional) Auto-execute commands
6    User authentication method, user name, and password
NOTE
All the default values (excluding the auto-run commands, password, and username) are stored on the router and do not need additional configuration.
Context
Physical attributes of the AUX user interface have default values on the router and no additional configuration is needed.
Procedure
Step 1 Run:
system-view
The transmission rate is set. By default, the baud rate is 9600 bit/s.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set. By default, the flow-control mode is none.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity mode is set. By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
The stop bit is set. By default, the value is 1 bit.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
When the user logs in to a router through an AUX port, the configured attributes for the console port on the HyperTerminal should be in accordance with the attributes of the AUX user interface on the router. Otherwise, the user cannot log in to the router.
----End
Context
Terminal attributes of the AUX user interface have default values on the router and you can configure them as needed.
Procedure
Step 1 Run:
system-view
User idle timeout is enabled. If the connection remains idle for the whole timeout period, the system automatically terminates the connection. By default, the idle timeout period on the interface is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The length of a terminal screen is set. The parameter temporary sets the number of lines to be temporarily displayed on a terminal screen. By default, the length of a terminal screen is 24 lines.
Step 6 Run:
history-command max-size size-value
The size of the history command buffer is configured. By default, the size of the history command buffer on a user interface is 10 entries.
----End
Context
l Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.
l This procedure sets the priority for a user who logs in through the console port. A user can only use the commands at the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
l By default, users logging in by using the AUX user interface can use commands at level 0.
l If the authority to use commands is inconsistent with the user level, the user level takes precedence.
----End
Procedure
Step 1 Run:
system-view
Step 3 Run:
modem timer answer seconds
The period between the system receiving the ring signal and the system waiting for the CD_UP signal is set, that is, the time that elapses from picking up the ring signal to detecting the carrier once the call is established. By default, the waiting time is 30 seconds.
Step 4 Run:
modem [ both | call-in ]
The switch for incoming or outgoing calls is set. By default, incoming and outgoing calls are prohibited.
Step 5 Run:
modem auto-answer
Context
CAUTION
After the auto-execute command command is run, you cannot perform general configuration in the system through a terminal. Before configuring the auto-execute command command and the save command to save the existing configurations, ensure that you can log in to the system using other methods to delete the configurations. Do as follows on the router that the user logs in to:
Procedure
Step 1 Run:
system-view
Step 3 Run:
auto-execute command command
A command is specified as an auto-execute command. Generally, the auto-execute command command is run to configure Telnet on a terminal. After the configuration, the user can automatically connect to a designated host.
----End
Context
By default, the user authentication mode of the AUX user interface is non-authentication.
Procedure
l Configuring AAA Authentication
1. Run:
system-view
Local user and password are configured.
l Configuring Password Authentication
1. Run:
system-view
Prerequisite
Configurations of the AUX user interface are complete.
Procedure
l Run the display users [ all ] command to check usage information about the AUX user interface.
l Run the display user-interface aux interface-number [ summary ] command to check physical attributes and configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay      Type    Network Address    AuthenStatus    AuthorcmdFlag
  33 AUX 0     00:00:44                              pass            no
  Username : Unspecified
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.
<HUAWEI> display user-interface aux 0
  Idx  Type    Tx/Rx   Modem  Privi  ActualPrivi  Auth  Int
  33   AUX 0   9600           0                   N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
---------------------------------------------------------------------------
Username    State    Type    CAR    Access-limit    Online
---------------------------------------------------------------------------
user123     Active   All     Dft    No              0
ll          Active   F       Dft    No              0
user1       Active   F       Dft    No              0
---------------------------------------------------------------------------
Total 3,3 printed
Applicable Environment
If you need to log in to the router for local or remote maintenance by using Telnet or SSH, you can configure the corresponding VTY user interface, including the maximum number of VTY user interfaces, limit of incoming and outgoing calls, user priority, and user authentication mode. The preceding parameters have default values on the router. You can also set these parameters as needed.
Pre-configuration Tasks
Before configuring a VTY user interface, complete the following tasks:
l Logging in to the router by using a terminal
Data Preparation
To configure a VTY user interface, you need the following data.
No.  Data
1    Maximum VTY user interfaces
2    (Optional) ACL code to limit VTY user interface to call in and out
3    Idle timeout period, number of characters in each line displayed in a terminal screen
4    User priority
5    User authentication method, user name, and password
NOTE
All the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user interfaces, password, and user name) have default values on the router, and no additional configuration is needed.
Context
The maximum number of VTY user interfaces is the total number of users logging in to the router by using Telnet and SSH.
Procedure
Step 1 Run:
system-view
The maximum number of VTY user interfaces that can log in to the router is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the NMS user) can log in to the router by using a VTY user interface.
If the maximum number of VTY user interfaces to be configured is smaller than the current maximum, online users are not affected and no additional configuration is needed. If it is larger than the current maximum, the authentication mode and password need to be configured for the newly added user interfaces; for these interfaces, the system defaults to password authentication. For example, if a maximum of five users are currently allowed online and you want to allow 15 VTY users online at the same time, you need to run the authentication-mode command and the set authentication password command to configure the authentication mode and password for user interfaces VTY 5 to VTY 14. The commands are run as follows:
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
[HUAWEI-ui-vty5-14] set authentication password cipher huawei
----End
4.4.3 (Optional) Setting Limit on Incoming and Outgoing Calls of VTY User Interfaces
This section describes how to configure an ACL to limit incoming and outgoing calls of the VTY user interface.
Context
Before setting the limit on incoming and outgoing calls of the VTY user interface, run the acl command in the system view to create an ACL and enter the ACL view. Then, run the rule command to add rules to the ACL.
NOTE
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL ranging from 3000 to 3999.
Procedure
Step 1 Run:
system-view
The limits on incoming and outgoing calls of the VTY user interface are configured.
l When you need to prevent users at certain addresses or network segments from logging in to the router, use the inbound command.
l When you need to prevent a user who has logged in to the router from accessing other routers, use the outbound command.
----End
Context
Terminal attributes of the VTY user interface have default values on the router and you can set them as needed.
Procedure
Step 1 Run:
system-view
User idle timeout is enabled. If the connection remains idle for the whole timeout period, the system automatically terminates the connection. By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [temporary]
The length of a terminal screen is set. The parameter temporary sets the number of lines to be temporarily displayed on a terminal screen. By default, the length of a terminal screen is 24 lines.
Step 6 Run:
history-command max-size size-value
The size of the history command buffer is set. By default, a maximum of 10 commands can be cached in the history command buffer.
----End
Context
l Similar to command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.
l This procedure sets the priority for a user who logs in through the console port. A user can only use the commands at the level corresponding to the user level.
For details about command levels, see "Command Level" in the chapter "CLI Overview" of the Configuration Guide - Basic Configuration.
Procedure
Step 1 Run:
system-view
The user priority is set. By default, users logging in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view is inconsistent with the user priority, the user priority takes effect.
----End
Context
By default, the user authentication mode of the VTY user interface is password authentication.
Procedure
l Configuring AAA Authentication 1. Run:
system-view
3.
Run:
authentication-mode aaa
Name and password of the local user are created. l Configuring Password Authentication 1. Run:
system-view
A password for this authentication mode is set.
- Configuring Non-Authentication
1. Do as follows on the router. Run:
system-view
4.4.7 (Optional) Configuring NMS Users to Log In Through VTY User Interfaces
Network Management System (NMS) users can log in to a device through VTY user interfaces to set parameters about the device.
Context
NMS users can log in to the router through VTY user interfaces to set parameters about the router.
Procedure
Step 1 Run:
system-view
The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special channels of the network management. The channels do not support the RSA authentication mode but support the password authentication.
Step 8 Run:
quit
- This command is invisible to terminals and cannot be found by using the online help. In man-to-machine mode, exercise caution when using this command.
- In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five reserved user interfaces.
- In the machine-to-machine mode, the system does not output logs, alarms, or debugging information to the screen.
- In the machine-to-machine mode, the save and reboot commands can be used directly.
- In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can be adjusted by using the screen-length command. In addition, you can run the screen-length temporary command to adjust the number of lines temporarily displayed on the screen.
----End
Prerequisite
The configurations of the VTY user interface are complete.
Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
- Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.
- Run the display local-user command to check the local user list.
- Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command, and you can view information about the current user interfaces.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus   AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                       no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                       no
  Username : Unspecified
Run the display user-interface maximum-vty command, and you can view the maximum number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of user interfaces.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username          State    Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123           Active   All    Dft   No             0
ll                Active   F      Dft   No             0
user1             Active   F      Dft   No             0
----------------------------------------------------------------------------
Total 3,3 printed
Run the display vty mode command, and you can view the prompt message indicating that the machine-to-machine interface is enabled. For example:
<HUAWEI> display vty mode
current VTY mode is Machine-Machine interface
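The display users output above is what an operator sees when checking who is on the VTY lines. As an added example, not code from Huawei's documentation or software, the following Python parses output in that layout and reports the sessions a reviewer would look at first: Telnet (TEL) sessions, whose contents travel in plain text as the chapter itself notes, and sessions from outside an assumed management prefix. The sample output is constructed to mirror the page's example, with one SSH session row added; the 10.138.77.0/24 management prefix and the finding wording are assumptions for the demonstration.

```python
"""Parse `display users` output and flag VTY sessions that deserve attention.

Added example, not Huawei tooling. Sample output and the management prefix
are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed sample mirroring the `display users` output shown on this page,
# plus one SSH session row (constructed) so both session types appear.
SAMPLE_OUTPUT = """\
  User-Intf    Delay    Type   Network Address     AuthenStatus   AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                       no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                       no
  Username : Unspecified
  36  VTY 2   00:03:10  SSH    192.0.2.44                         no
  Username : user123
"""

# A session row: optional "+" (current UI), absolute index, UI type and
# relative index, idle delay, then the remaining columns.
SESSION_RE = re.compile(
    r"^\s*(?P<current>\+)?\s*(?P<idx>\d+)\s+(?P<ui>VTY|CON|AUX)\s+(?P<rel>\d+)"
    r"\s+(?P<delay>\d\d:\d\d:\d\d)(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SESSION_TYPES = ("TEL", "SSH")


def parse_display_users(text):
    """Return one dict per session; the following 'Username :' line is attached."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            rest = m.group("rest").split()
            sessions.append({
                "current": m.group("current") == "+",
                "idx": int(m.group("idx")),
                "ui": f"{m.group('ui')} {m.group('rel')}",
                "delay": m.group("delay"),
                "type": rest[0] if rest and rest[0] in SESSION_TYPES else None,
                "address": next((t for t in rest if IPV4_RE.fullmatch(t)), None),
                "username": None,
            })
            continue
        um = re.match(r"^\s*Username\s*:\s*(.+?)\s*$", line)
        if um and sessions:
            sessions[-1]["username"] = um.group(1)
    return sessions


def flag_sessions(sessions, allowed_prefix):
    """Report VTY sessions that use Telnet or come from outside allowed_prefix."""
    net = ipaddress.ip_network(allowed_prefix)
    findings = []
    for s in sessions:
        if not s["ui"].startswith("VTY"):
            continue  # console and AUX sessions are local, out of scope here
        if s["type"] == "TEL":
            findings.append(
                f"{s['ui']} from {s['address']}: Telnet session, "
                "credentials and commands travel in plain text"
            )
        if s["address"] and ipaddress.ip_address(s["address"]) not in net:
            findings.append(
                f"{s['ui']} from {s['address']}: source outside management prefix {allowed_prefix}"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_sessions(parse_display_users(SAMPLE_OUTPUT), "10.138.77.0/24"):
        print(finding)
```

The parser keys on the row shape rather than column positions, so it tolerates the variable spacing of the Network Address and AuthenStatus columns; the "+" marker that the page describes as the current user interface is preserved so a script can exclude its own session.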
Networking Requirements
To initialize configurations of the router or locally maintain the router, a user can log in to the router through a console user interface. To allow the user to log in, you can set attributes of the console user interface as needed (for security reasons, for example). In the console user interface view, the user priority is set to 15, and the password authentication mode is set (the password is huawei). After a user logs in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set physical attributes of the console user interface.
2. Set terminal attributes of the console user interface.
3. Set the user priority of the console user interface.
4. Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of the console user interface: 4800 bit/s
- Flow control mode of the console user interface: None
- Parity of the console user interface: even
- Stop bit of the console user interface: 2
- Data bit of the console user interface: 6
- Timeout period for disconnecting from the console user interface: 30 minutes
- Number of lines that a terminal screen displays: 30
- Size of the history command buffer: 20
- User priority: 15
- User authentication mode: password (password: huawei)
Procedure
Step 1 Set physical attributes of the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] speed 4800
[HUAWEI-ui-console0] flow-control none
[HUAWEI-ui-console0] parity even
[HUAWEI-ui-console0] stopbits 2
[HUAWEI-ui-console0] databits 6
Step 4 Set the user authentication mode in the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password simple huawei
[HUAWEI-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can log in to the router through a console port, implementing local maintenance of the router. For details on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
#
 sysname HUAWEI
#
user-interface con 0
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
 databits 6
 parity even
 stopbits 2
 speed 4800
 screen-length 30
#
return
Networking Requirements
To maintain the router locally or remotely, a user can log in to the router through an AUX user interface. To allow the user login, an operator can set attributes of the AUX user interface as needed (for security reasons, for example). In the AUX user interface, the user priority is set to 15, and the authentication mode is set to AAA, with the user name of user123 and the password of huawei. After a user logs in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set physical attributes of the AUX user interface.
2. Set terminal attributes of the AUX user interface.
3. Set the user priority of the AUX user interface.
4. Set modem attributes of the AUX user interface.
5. Set the authentication mode and password in the AUX user interface.
Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of the AUX user interface: 9600 bit/s
- Flow control mode of the AUX user interface: None
- Parity of the AUX user interface: None
- Stop bit of the AUX user interface: 1
- Data bit of the AUX user interface: 8
- Timeout period for disconnecting from the AUX user interface: 30 minutes
- Number of lines that a terminal screen displays: 30
- Size of the history command buffer: 20
- User priority: 15
- Modem attributes: idle timeout from off-hook to carrier detection (45 seconds), call-in permission, and automatic response
- User authentication mode and password in the AUX user interface
Procedure
Step 1 Set physical attributes of the AUX user interface.
<HUAWEI> system-view
[HUAWEI] user-interface aux 0
[HUAWEI-ui-aux0] speed 9600
[HUAWEI-ui-aux0] flow-control none
[HUAWEI-ui-aux0] parity none
[HUAWEI-ui-aux0] stopbits 1
[HUAWEI-ui-aux0] databits 8
All the preceding physical attributes of the AUX user interface are set to their default values. If a user chooses to use the default values, the user does not need to set them; the preceding settings only illustrate the configuration method.
Step 2 Set terminal attributes of the AUX user interface.
[HUAWEI-ui-aux0] shell
[HUAWEI-ui-aux0] idle-timeout 30
[HUAWEI-ui-aux0] screen-length 30
[HUAWEI-ui-aux0] history-command max-size 20
Step 5 Set the authentication mode of the AUX user interface to AAA.
[HUAWEI-ui-aux0] authentication-mode aaa
[HUAWEI-ui-aux0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user123 password simple huawei
[HUAWEI-aaa] quit
After the AUX user interface is configured, a user in AAA authentication mode can log in to the router through an AUX port, implementing maintenance of the router. For details on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
# sysname HUAWEI
Networking Requirements
A user logs in to the router through a VTY channel by using Telnet or SSH. To allow the user login, an operator can set attributes of the VTY user interface as needed (for security reasons, for example). In the VTY user interface, the user priority is set to 15, the authentication mode is set to password, with the password of "huawei", and the user with the IP address of 10.1.1.1 is prohibited from logging in to the router. After logging in, if the user takes no action on the router for more than 30 minutes, the connection between the user and the router is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enter the interface view and set the maximum number of VTY user interfaces to 15.
2. Set the call-in and call-out limit of the VTY user interface, limiting the access of an IP address or an IP address segment to the router.
3. Set terminal attributes of the VTY user interface.
4. Set the user priority in the VTY user interface.
5. Set the authentication mode and password in the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 15
- ACL applied to limit call-in in the VTY user interface: 2000
- Timeout period for disconnecting from the VTY user interface: 30 minutes
- Number of lines that a terminal screen displays: 30
- Size of the history command buffer: 20
Procedure
Step 1 Set the maximum number of VTY user interfaces.
<HUAWEI> system-view
[HUAWEI] user-interface maximum-vty 15
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 14
[HUAWEI-ui-vty0-14] acl 2000 inbound
Step 5 Set the authentication mode and password in the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password simple huawei
[HUAWEI-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can log in to the router by using Telnet or SSH (STelnet), implementing local or remote maintenance of the router. For details on how a user logs in to the router, see 5 Configuring User Login.
----End
Configuration Files
#
 sysname HUAWEI
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return
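The configuration file above is the artifact a reviewer actually gets to inspect when checking that the VTY lines were hardened as this example intends. As an added example, not code from Huawei's documentation or software, the following Python parses a fragment in that layout, evaluates the basic ACL applied inbound on the VTY lines with VRP wildcard-mask semantics (a wildcard of 0 matches exactly one host, as in rule deny source 10.1.1.1 0; set bits in the wildcard are ignored), and reports missing or weak settings among those the example configures for security reasons. The sample fragment is constructed from the page's configuration file; returning None when no ACL rule matches (instead of assuming a default action) and the finding wording are my choices, not documented behaviour.

```python
"""Audit a VRP-style configuration fragment for VTY login hardening.

Added example, not Huawei tooling. The sample configuration is constructed
from the VTY configuration file shown on this page.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
 rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 user privilege level 15
 set authentication password simple huawei
 history-command max-size 20
 idle-timeout 30 0
 screen-length 30
#
return
"""


def parse_config(text):
    """Split the configuration into ACL rule lists and user-interface blocks."""
    acls, uis = {}, {}
    current = None  # ("acl", number) or ("ui", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None  # "#" separates configuration blocks
            continue
        m = re.match(r"acl number (\d+)$", line)
        if m:
            current = ("acl", m.group(1))
            acls[m.group(1)] = []
            continue
        m = re.match(r"user-interface ((?:vty|con|aux) \d+(?: \d+)?)$", line)
        if m:
            current = ("ui", m.group(1))
            uis[m.group(1)] = []
            continue
        if current is None:
            continue  # top-level commands such as "user-interface maximum-vty 15"
        (acls if current[0] == "acl" else uis)[current[1]].append(line)
    return acls, uis


def acl_permits(rules, source):
    """Evaluate basic ACL rules in order with VRP wildcard-mask semantics.

    A set bit in the wildcard means "ignore this bit", so wildcard 0 matches
    exactly one host. Returns "permit", "deny", or None when no rule matches
    (the caller decides what an unmatched source means; this is an assumption,
    not documented platform behaviour).
    """
    src = int(ipaddress.IPv4Address(source))
    for rule in rules:
        m = re.match(r"rule(?: \d+)? (permit|deny) source (any|(\S+) (\S+))$", rule)
        if not m:
            continue
        action = m.group(1)
        if m.group(2) == "any":
            return action
        addr = int(ipaddress.IPv4Address(m.group(3)))
        wild = 0 if m.group(4) == "0" else int(ipaddress.IPv4Address(m.group(4)))
        care = ~wild & 0xFFFFFFFF  # bits that must match exactly
        if src & care == addr & care:
            return action
    return None


def audit_vty(uis):
    """Return findings for each VTY user interface; an empty list means none."""
    findings = []
    for name, lines in uis.items():
        if not name.startswith("vty"):
            continue
        block = "\n".join(lines)
        if re.search(r"^authentication-mode none$", block, re.M):
            findings.append(f"{name}: authentication-mode none, login needs no credentials")
        if not re.search(r"^acl \d+ inbound$", block, re.M):
            findings.append(f"{name}: no inbound ACL, any reachable source may attempt login")
        if not re.search(r"^idle-timeout ", block, re.M):
            findings.append(f"{name}: idle-timeout not set, default is 10 minutes")
        if re.search(r"^set authentication password simple ", block, re.M):
            findings.append(f"{name}: login password stored in simple (plain-text) form")
    return findings


if __name__ == "__main__":
    acls, uis = parse_config(SAMPLE_CONFIG)
    print("10.1.1.1 ->", acl_permits(acls["2000"], "10.1.1.1"))
    print("10.1.1.2 ->", acl_permits(acls["2000"], "10.1.1.2"))
    for finding in audit_vty(uis):
        print(finding)
```

On the page's own configuration the only finding is the simple (plain-text) password keyword; the ACL evaluation confirms that 10.1.1.1 is denied by rule 5 and every other source falls through to rule permit source any.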
5 Configuring User Login
About This Chapter
A user can log in to the router through a console port, an AUX port, or by using Telnet or SSH (STelnet). After the login, the user can maintain the router locally or remotely.
5.1 Overview of User Login
Users can manage and maintain the router only after logging in to the router. Users can log in to the router by using the AUX port, console port, Telnet, or STelnet (SSH Telnet).
5.2 Logging in to the Devices Through the Console Port
When a user needs to configure the router that is powered on for the first time or locally maintain the router, the user can log in to the router through a console port.
5.3 Logging in to the Devices Through the AUX Port
When a user terminal and the router have no reachable route between each other, the user can remotely configure and manage or locally maintain the router by logging in to the router through an AUX port.
5.4 Logging in to the Devices by Using Telnet
If multiple routers need to be configured and managed, you do not need to connect the routers and maintain them locally one by one. Instead, you can log in to the routers from a terminal by using Telnet. This implements remote maintenance of the router and greatly facilitates device management.
5.5 Logging in to the Devices by Using STelnet
STelnet provides secured remote access over an insecure network. After the client/server negotiation is complete and a secured connection is established, a user can log in to the router in a similar way as Telnet.
5.6 Common Operations After Login
After logging in to the router, you can perform the following operations as needed, such as user priority switching and terminal window locking.
5.7 Configuration Examples
This section provides several examples describing how to configure user login by using a console port, Telnet, or STelnet. You can understand the configuration procedures by referring to the
configuration flowchart. The configuration examples provide information about the networking requirements, configuration notes, and configuration roadmap.
Table 5-1 User login modes
Login Mode      Application
Console port    Users log in to the router through the console port to configure the router locally. Login through the console port is required when the router is powered on for the first time.
Telnet          Users log in to the router by using Telnet for local and remote maintenance. Telnet helps users maintain remote devices but brings security threats.
AUX port        Users log in to the router through the AUX port to maintain the router locally when there is no available route and Telnet is unsuitable.
SSH (STelnet)   SSH (STelnet) provides security protection for users logging in to the router to maintain the router locally or remotely.
NOTE
Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted over TCP in plain text. Unlike Telnet, SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions. SSH supports secure Telnet (STelnet). For detailed information about SSH, see the NE80E/40E Feature Description - Basic Configurations.
Applicable Environment
A user can log in to the router locally through a console port. If the router is powered on for the first time, the user has to log in through a console port.
Pre-configuration Tasks
Before configuring user login through a console port, complete the following tasks:
- Configuring the PC/terminal (including the serial port and RS-232 cable)
- Installing the terminal emulator (such as HyperTerminal of Windows XP) on the PC
Data Preparation
To configure user login through a console port, you need the following data.
No. 1 Data:
- Transmission rate, flow control mode, parity mode, stop bit, data bit
- Number of lines displayed in a terminal screen, size of the history command buffer
- User priority
- User authentication mode, user name, and password
Context
Attributes of a console user interface have default values on the router and generally need no additional settings. To meet specific application requirements or ensure network security, you can set attributes of the console user interface, such as terminal attributes and the user authentication mode. For detailed settings, see Configuring Console User Interface.
Context
For details, see Login Through the Console Port.
- Communication parameters of the user terminal must be consistent with the physical attribute parameters of the console user interface on the router.
- If a user authentication mode is specified in the console user interface, a user can log in to the router only after passing the authentication. This enhances network security.
Prerequisite
Configurations of user login through a console port are complete.
Procedure
- Run the display users [ all ] command to check information about the user interface.
- Run the display user-interface console ui-number1 [ summary ] command to check physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus   AuthorcmdFlag
  0   CON 0   00:00:44                             pass           no
  Username : Unspecified
Run the display user-interface console ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600             3                 N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username          State    Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123           Active   All    Dft   No             0
Applicable Environment
You can configure and maintain the router locally or remotely through an AUX port. For local configuration of the router, the AUX login method is similar to the console login method. The only difference between the two login methods lies in the default user priority: the default user priority of the console user interface is 3, whereas that of the AUX user interface is 0. Therefore, logging in by using the console login method is recommended for local configuration. The following part mainly describes remote login to the router through an AUX port.
NOTE
To manage and maintain the router through an AUX port, firstly modify the user priority of the AUX user interface.
When there is no reachable route between a PC and the router, you can connect the serial port of the PC to the AUX port of the router by using a modem. In this manner, you can use the PSTN to configure and maintain the router remotely. As shown in Figure 5-1, the COM interface of the PC is connected to a modem that is connected to the PSTN. The AUX port of the router is connected to another modem that is connected to the PSTN.
Figure 5-1 Networking diagram of remote login through an AUX port
Pre-configuration Tasks
Before configuring user login through an AUX port, complete the following tasks:
- Connecting the PC to the router through modems
- Configuring the modem
- Installing a terminal emulator (such as HyperTerminal of Windows XP) on the PC
Data Preparation
To configure user login through an AUX port, you need the following data.
No. 1 Data:
- Transmission rate, flow control mode, parity, stop bit, data bit
- Number of lines displayed in a terminal screen, size of the history command buffer
- User priority
- Modem attributes
- (Optional) Auto-run commands
- User authentication mode, user name, password
No. 2 Data:
- Telephone number of the modem at the remote router side
Context
Attributes of an AUX user interface have default values on the router, and generally need no additional settings. To meet specific application requirements or ensure network security, you can also set attributes of the AUX user interface, such as terminal attributes and user authentication mode. For detailed settings, see Configuring AUX User Interface.
Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) in the PC to establish a connection with the router, as shown in Figure 5-2.
Step 2 Set dialing information, as shown in Figure 5-3.
Figure 5-3 Dialing information setting
If certain communication parameters need to be modified, press Modify in Figure 5-4, as shown in Figure 5-5, and then press Set, as shown in Figure 5-6.
Figure 5-5 Connection attribute modification
Step 4 Press Dialing. If user authentication is needed, enter the corresponding authentication information and wait until the command line prompt of the user view, such as <HUAWEI>, appears. This indicates that the user view is entered and relevant configurations can be entered.
----End
Prerequisite
Configurations of user login through the AUX port are complete.
Procedure
- Run the display users [ all ] command to check usage information about the AUX user interface.
- Run the display user-interface aux interface-number [ summary ] command to check physical attributes and configurations of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check the local user list.
----End
Example
Run the display users command, and you can view information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus   AuthorcmdFlag
  33  AUX 0   00:00:44                             pass           no
  Username : Unspecified
Run the display user-interface aux ui-number1 [ summary ] command, and you can view the physical attributes and configurations of the user interface.
<HUAWEI> display user-interface aux 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  33   AUX 0    9600             0                 N     -
  + : Current UI is active.
  F : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Run the display local-user command, and you can view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username          State    Type   CAR   Access-limit   Online
----------------------------------------------------------------------------
user123           Active   All    Dft   No             0
ll                Active   F      Dft   No             0
user1             Active   F      Dft   No             0
----------------------------------------------------------------------------
Total 3,3 printed
Applicable Environment
If you have known the IP address of the router to be accessed, you can log in to the router from a terminal by using Telnet, and remotely maintain the device. This allows you to maintain multiple routers on the same terminal, greatly facilitating device management. Note that IP addresses of the routers need to be preset through console ports.
Pre-configuration Tasks
Before configuring user login in Telnet mode, complete the following task:
- Configuring reachable routes between the terminal and the device
Data Preparation
Before configuring user login in Telnet mode, you need the following data.
No. 1 Data:
- Maximum number of VTY user interfaces
- (Optional) ACL for limiting call-in and call-out in VTY user interfaces
- Connection timeout period of terminal users, number of lines displayed in a terminal screen, size of the history command buffer
- User priority
- User authentication mode, user name, password
No. 2 Data:
- TCP port number for the remote router to provide Telnet services, VPN instance name
No. 3 Data:
- IPv4/IPv6 address or host name of the router
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using Telnet, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router. You can log in to the router through a console port to set the user authentication mode in the VTY user interface. Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values. For detailed settings, see Configuring VTY User Interface.
Context
If the user authentication mode of the VTY user interface is non-authentication or password authentication, the following configurations are not needed. By default, a local user can apply for any access type. You can specify an access type to allow only users configured with the specified access type to log in to the router. Do as follows on the router that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
The local user name and password are set.
Step 4 Run:
local-user user-name service-type telnet
Context
By default, the Telnet server function is enabled. Do as follows on the router that serves as a Telnet server. Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
- For the IPv4 network
1. Run:
system-view
- If the undo telnet [ipv6] server enable command is run while a user is logged in by using Telnet, the command does not take effect.
- After the Telnet server function is disabled, you can log in to the device only by using SSH or an asynchronous serial port, not by using Telnet.
----End
Context
By default, the listening port number of a Telnet server is 23. Users can log in to the router directly using the default listening port number. Attackers may access the default listening port, consuming bandwidth, degrading server performance, and leaving authorized users unable to access the server. After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port. Do as follows on the router that functions as a Telnet server:
Procedure
Step 1 Run:
system-view
If a new listening port number is set, the Telnet server terminates all established Telnet connections, and then uses the new port number to listen for new Telnet connection requests.
----End
Context
If you need to log in to the router by using Telnet, you can use either the Windows command line or third-party software on the terminal. In this part, the Windows command line prompt is used. Do as follows on the user terminal:
Procedure
Step 1 Open the Windows command line.
Step 2 Run the telnet ip-address command to telnet to the router.
1. Enter the IP address of the Telnet server.
2. Press "Enter" to display the command line prompt of the system view, such as <HUAWEI>. This indicates that you have accessed the Telnet server.
----End
Prerequisite
Configurations of logins by using Telnet are complete.
Procedure
- Run the display users [ all ] command to check information about logged-in users on user interfaces.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus   AuthorcmdFlag
  34  VTY 0   00:00:12  TEL    10.138.77.38                       no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.138.77.57                       no
  Username : Unspecified
Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid   Local Add:port        Foreign Add:port      VPNID   State
39952df8  36 /1509   0.0.0.0:0             0.0.0.0:0             0       Closed
32af9074  59 /1      0.0.0.0:21            0.0.0.0:0             14849   Listening
34042c80  73 /17     10.164.39.99:23       10.164.6.13:1147      0       Established
Run the display telnet server status command to view the configuration and status of the Telnet server.
<HUAWEI> display telnet server status
 Telnet IPV4 server   :Enable
 Telnet IPV6 server   :Enable
 Telnet server port   :23
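The two outputs above are usually read together: display telnet server status says what is configured, display tcp status says which sockets actually exist and who is connected to them. As an added example, not code from Huawei's documentation or software, the following Python parses both formats and correlates them, so a reviewer can confirm that the configured Telnet port is the one listening and enumerate the established Telnet sessions with their remote endpoints and VPN instance ids. Both sample outputs are constructed from the page's examples; the 0.0.0.0:23 Listening row (with a made-up TCPCB value) is added so that there is a listener to correlate, and the finding wording is my choice.

```python
"""Correlate `display telnet server status` with `display tcp status`.

Added example, not Huawei tooling. Both samples are constructed from the
outputs shown on this page; the 0.0.0.0:23 Listening row is added.
"""
import re

TELNET_STATUS = """\
 Telnet IPV4 server   :Enable
 Telnet IPV6 server   :Enable
 Telnet server port   :23
"""

TCP_STATUS = """\
TCPCB     Tid/Soid   Local Add:port        Foreign Add:port      VPNID   State
39952df8  36 /1509   0.0.0.0:0             0.0.0.0:0             0       Closed
32af9074  59 /1      0.0.0.0:21            0.0.0.0:0             14849   Listening
3a1b2c3d  61 /2      0.0.0.0:23            0.0.0.0:0             0       Listening
34042c80  73 /17     10.164.39.99:23       10.164.6.13:1147      0       Established
"""

# One socket row: hex control block, Tid/Soid, local and foreign endpoints,
# VPN instance id, state. The header line has no hex TCPCB and is skipped.
SOCKET_RE = re.compile(
    r"^([0-9a-f]{8})\s+(\d+)\s*/(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s+(\w+)\s*$"
)


def parse_telnet_status(text):
    """Return whether the IPv4/IPv6 Telnet servers are enabled and the port."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*Telnet (IPV4 server|IPV6 server|server port)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "ipv4_enabled": fields.get("IPV4 server") == "Enable",
        "ipv6_enabled": fields.get("IPV6 server") == "Enable",
        "port": int(fields["server port"]),
    }


def parse_tcp_status(text):
    """Return one dict per TCP socket row."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            sockets.append({
                "tcpcb": m.group(1), "tid": int(m.group(2)), "soid": int(m.group(3)),
                "local_addr": m.group(4), "local_port": int(m.group(5)),
                "foreign_addr": m.group(6), "foreign_port": int(m.group(7)),
                "vpnid": int(m.group(8)), "state": m.group(9),
            })
    return sockets


def check_telnet_exposure(status, sockets):
    """Correlate the configured Telnet port with live sockets; return findings."""
    port = status["port"]
    enabled = status["ipv4_enabled"] or status["ipv6_enabled"]
    listening = [s for s in sockets if s["state"] == "Listening" and s["local_port"] == port]
    sessions = [s for s in sockets if s["state"] == "Established" and s["local_port"] == port]
    findings = []
    if enabled and listening:
        findings.append(f"Telnet server listening on port {port}: plain-text management service is reachable")
    if enabled and not listening:
        findings.append(f"Telnet server enabled on port {port} but no Listening socket seen on that port")
    if not enabled and (listening or sessions):
        findings.append(f"Telnet server reported disabled but port {port} still has sockets")
    for s in sessions:
        findings.append(
            f"Telnet session from {s['foreign_addr']}:{s['foreign_port']} "
            f"to {s['local_addr']} (VPN instance id {s['vpnid']})"
        )
    return findings


if __name__ == "__main__":
    for finding in check_telnet_exposure(parse_telnet_status(TELNET_STATUS),
                                         parse_tcp_status(TCP_STATUS)):
        print(finding)
```

The correlation is deliberately port-based rather than name-based: after the listening port is changed as described in the procedure above, the same check keeps working because it reads the port from display telnet server status instead of assuming 23.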
Applicable Environment
Logins by using Telnet bring security risks because no secure authentication mechanism is available and data is transmitted by using TCP in plain text mode. Unlike Telnet, SSH guarantees secure data transmission on a conventional insecure network by authenticating the client and encrypting data in both directions. STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner as using the Telnet service.
Pre-configuration Tasks
Before configuring users to log in by using STelnet, complete the following task:
- Configuring reachable routes between the terminal and the device
Data Preparation
To configure users to log in by using STelnet, you need the following data:
No. 1 Data:
- Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out in VTY user interfaces, connection timeout period of terminal users, number of rows displayed in a terminal screen, size of the history command buffer, user authentication mode, user name, and password
No. 2 Data:
- User name, password, authentication mode, and service type of an SSH user and remote public RSA key pair allocated to the SSH user
No. 3 Data:
- (Optional) Name of an SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the STelnet client to the SSH server, preferred encryption algorithm from the SSH server to the STelnet client, preferred HMAC algorithm from the STelnet client to the SSH server, preferred HMAC algorithm from the SSH server to the STelnet client, preferred key exchange algorithm, name of the outgoing interface, and source address
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using STelnet, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router. You can log in to the router through a console port to set the user authentication mode in the VTY user interface. Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values. For detailed settings, see Configuring VTY User Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, users cannot log in to the router by using STelnet. Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
5.5.4 Configuring an SSH User and Specifying STelnet as One of Service Types
To allow a user to log in to the router by using STelnet, you must configure an SSH user, configure the router to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.
Context
l SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the router in password or password-RSA authentication mode, you must create a local user with the specified user name in the AAA view.
l Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication. The all authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
1. Run:
aaa
Name and password of the local user are created.
Step 3 Run:
rsa local-key-pair create
l Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.
l After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured. Perform the following as required:
l Authenticate the SSH user through the password. Run:
ssh user user-name authentication-type password
The default password authentication is configured for the SSH user. For local authentication or HWTACACS authentication, if the number of SSH users is small, you can use the former command; if the number of SSH users is large, use the latter command to simplify the configuration.
l Authenticate the SSH user through RSA.
1. Run:
ssh user user-name authentication-type rsa
l In the public key view, only hexadecimal strings complying with the public key format can be entered. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
l After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.
5. Run:
public-key-code end
l If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
l If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
6. Run:
peer-public-key end
Return to the system view from the public key view.
7. Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.
Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users
1. Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured. By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.
2. Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set. By default, the timeout period is 60 seconds.
3. Run:
ssh server authentication-retries times
The number of retries for SSH authentication is set. By default, the number of retries is 3.
Step 6 (Optional) Authorizing SSH Users Through the Command Line
SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA authentication mode, you can configure SSH users to be authorized based on command levels. Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user. After configuring command line authorization for an SSH user that performs RSA authentication, you have to configure AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { stelnet | all }
The service type for the SSH user is configured. By default, the service type of the SSH user is not configured.
----End
Context
By default, no router is enabled with the STelnet server function. Users can establish connections to the router by using STelnet only after the router is enabled with the STelnet server function. Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The STelnet server function is enabled. By default, the STelnet server function is disabled.
----End
Context
Table 5-2 lists server parameters.
Table 5-2 Server parameters
Server Parameter | Description
Earlier SSH version compatibility | SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.
Listening port number of the SSH server | The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may access the default listening port, consuming bandwidth, deteriorating server performance, and preventing authorized users from accessing the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
Interval for updating the server key pair | After the interval is set, the key pair of the SSH server is updated periodically to improve security.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Perform one or more operations shown in Table 5-3 as needed.
Table 5-3 Configurations of server parameters
Server Parameter | Operation
Earlier SSH version compatibility | Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to disable support for earlier SSH protocol versions.
Listening port number of the SSH server | Run the ssh server port port-number command. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections and uses the new port number to listen for connection requests. By default, the listening port number is 22.
Interval for updating the server key pair | Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair will never be updated.
----End
Context
In STelnet login mode, third-party software can be used on the terminal. In this part, the third-party software OpenSSH and the Windows command line are used. After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, refer to the installation guide of the software. For details on how to use OpenSSH commands to log in to the router, refer to the help document of the software.
Procedure
Step 1 Use the Windows command line.
Step 2 Run the relevant OpenSSH commands to log in to the router in STelnet mode.
----End
Prerequisite
Configurations of logins by using STelnet are complete.
Procedure
l Run the display ssh user-information username command on the SSH server to check information about SSH users.
l Run the display ssh server status command on the SSH server to check its configurations.
l Run the display ssh server session command on the SSH server to check sessions for SSH users.
----End
Example
Run the display ssh user-information username command to view information about a specified SSH user.
<HUAWEI> display ssh user-information client001
User Name            : client001
Authentication-type  : password
User-public-key-name :
Sftp-directory       :
Service-type         : stelnet
Authorization-cmd    : No
If no SSH user is specified, information about all SSH users logging in to an SSH server will be displayed. Run the display ssh server status command to view configurations of an SSH server.
<HUAWEI> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP server                        :Disable
Stelnet server                     :Enable
Run the display ssh server session command. The command output shows the session information between the SSH server and the client.
<HUAWEI> display ssh server session
Session 1:
    Conn                : VTY 3
    Version             : 2.0
    State               : started
    Username            : client001
    Retry               : 1
    CTOS Cipher         : aes128-cbc
    STOC Cipher         : aes128-cbc
    CTOS Hmac           : hmac-md5
    STOC Hmac           : hmac-md5
    Kex                 : diffie-hellman-group-exchange-sha1
    Service Type        : stelnet
    Authentication Type : password
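As an added example (not part of the Huawei guide), the following Python script parses the two display outputs above and reports the settings a security reviewer would question when checking an STelnet configuration: an advertised SSH version of 1.99 (SSH1.x compatibility still enabled, see Table 5-3), a server key pair that is never regenerated (rekey interval 0), and sessions negotiated with hmac-md5. The two sample outputs are constructed from the figures in this section; the list of MAC algorithms treated as weak is an assumed site policy, not a router setting.

```python
"""Audit the output of 'display ssh server status' and 'display ssh server
session' for settings a reviewer would question.  Added example, not Huawei
code; the two sample outputs are constructed from the figures in this guide."""
import re

# Constructed sample of the 'display ssh server status' output shown above.
STATUS_OUTPUT = """\
<HUAWEI> display ssh server status
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP server                        :Disable
Stelnet server                     :Enable
"""

# Constructed sample of the 'display ssh server session' output shown above.
SESSION_OUTPUT = """\
<HUAWEI> display ssh server session
Session 1:
    Conn                : VTY 3
    Version             : 2.0
    State               : started
    Username            : client001
    Retry               : 1
    CTOS Cipher         : aes128-cbc
    STOC Cipher         : aes128-cbc
    CTOS Hmac           : hmac-md5
    STOC Hmac           : hmac-md5
    Kex                 : diffie-hellman-group-exchange-sha1
    Service Type        : stelnet
    Authentication Type : password
"""

# MAC algorithms this checker reports as weak (an assumed site policy, not a
# setting on the router).
WEAK_HMACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_kv_block(text):
    """Turn 'Key : value' lines into a dict; the command echo line has no
    colon and is skipped."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def parse_sessions(text):
    """Split 'display ssh server session' output into one dict per session."""
    chunks = re.split(r"^Session \d+:\s*$", text, flags=re.M)
    return [parse_kv_block(chunk) for chunk in chunks[1:]]


def audit_status(status):
    """Findings for server-wide settings."""
    findings = []
    # A server that advertises protocol 1.99 accepts SSH1.x clients as well
    # as SSH2.0 ones, i.e. compatible-ssh1x is still enabled (Table 5-3).
    if status.get("SSH version") == "1.99":
        findings.append("SSH1.x compatibility enabled (version 1.99); consider "
                        "'undo ssh server compatible-ssh1x enable'")
    if status.get("SSH server key generating interval", "").startswith("0 "):
        findings.append("server key pair is never regenerated (rekey-interval 0)")
    retries = int(status.get("SSH Authentication retries", "0 times").split()[0])
    if retries > 3:
        findings.append(f"authentication retries {retries} exceed the default of 3")
    return findings


def audit_session(session):
    """Findings for one established session."""
    findings = []
    if session.get("Version") != "2.0":
        findings.append(f"session negotiated SSH {session.get('Version')}")
    for field in ("CTOS Hmac", "STOC Hmac"):
        if session.get(field) in WEAK_HMACS:
            findings.append(f"{field} uses weak MAC {session[field]}")
    return findings


def audit(status_text, session_text):
    """Combine both outputs into one report keyed by scope."""
    report = {"server": audit_status(parse_kv_block(status_text)), "sessions": {}}
    for s in parse_sessions(session_text):
        report["sessions"][f"{s.get('Conn')}/{s.get('Username')}"] = audit_session(s)
    return report


if __name__ == "__main__":
    for scope, findings in audit(STATUS_OUTPUT, SESSION_OUTPUT).items():
        print(scope, findings)
```

Run it against captured output of the same two commands; the report is keyed by VTY connection and user name so that each finding can be tied back to one entry of display ssh server session.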
Applicable Environment
To ensure that operators manage routers securely, you need to configure user level switching, enable message sending between user interfaces, and clear specified users.
Pre-configuration Tasks
Before performing operations after login, complete the following tasks: l Connecting the terminal to the router
Data Preparations
Before performing operations after login, you need the following data:
No. 1: Password used for switching user levels
No. 2: Type and number of the user interface
No. 3: Contents of the message to be sent
Context
To prevent an unauthorized user from using high-level commands, a password is required to increase the user level. When configuring the switchover of user levels on the router, users can perform HWTACACS Authentication. For detailed configurations, refer to the HUAWEI NetEngine80E/40E router Configuration Guide - Security.
Procedure
Step 1 Run:
system-view
The password for switching user levels is configured. By default, the password is set for user level 3.
CAUTION
If simple is configured, the password is saved in the configuration file in plain text. This means that low-level login users can easily obtain and change the password by checking the configuration file, compromising network security. Therefore, selecting cipher to save the password in cipher text is recommended. If cipher is used to set the password, the password cannot be retrieved from the system. Keep a record of the password so that it is not forgotten or lost.
Step 3 Run:
quit
User levels are switched. By default, the level is 3.
Step 5 Follow the prompt and enter a password. If the password entered is correct, the user switches to the higher level. If the user enters an incorrect password three consecutive times, the user remains at the current login level and returns to the user view.
NOTE
When a lower-level login user is switched to a higher level through the super command, the system automatically sends trap messages and records the switchover in a log. When the new level is lower than the current level, the system only records the switchover in a log.
----End
Context
The user interface can be classified into the Console user interface, AUX user interface, and VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.
Step 2 Follow the system prompt and input an unlock password, and then confirm the input.
<HUAWEI> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked. You must enter the correct password to unlock the user interface.
----End
Context
Users logging in to the router can send messages from the current user interface to users in other user interfaces as needed.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.
Step 2 Following the prompt, you can view the message to be sent. Press Ctrl_Z or Enter to end the display, and press Ctrl_C to abort the display.
----End
Context
User information includes the user name, address, and authentication and authorization information.
Procedure
l Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about logged-in users on all user interfaces is displayed.
----End
Context
You can run the display users command to view users logging in to the router.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.
Step 2 Based on the displayed information, you can confirm whether the specified logged-in users have been cleared.
----End
Context
Before configuring configuration locking, check whether the configuration set is locked by another user. If no user locks the configuration set, you can exclusively lock the configuration.
Procedure
Step 1 Run:
configuration exclusive
The user obtains exclusive configuration access. After the configuration locking function is enabled, you explicitly hold the configuration rights exclusively.
NOTE
This command can be run in any view. You can run the display configuration-occupied user command to check information about the user who currently locks the configuration set. If the configuration set is already locked, a prompt message is displayed after this command is run.
Step 2 Run:
system-view
The timeout period for automatically unlocking the configuration set is set. After the timeout period expires, the configuration set is automatically unlocked, allowing other users to configure the device. By default, the timeout period is 30s.
NOTE
l When a user without exclusive configuration access runs this command, the system prompts an error message.
l If the configuration set is locked by another user, this command cannot be configured, and the system prompts an error message.
l If the configuration set is locked by the current user, the current user can run this command.
----End
Networking Requirements
If a user modifies the default values of certain parameters in the console user interface, the user needs to reset the corresponding parameters on the PC when logging in to the router through the console port next time.
Figure 5-7 Networking diagram of user login through a console port (figure shows: PC, Router)
Configuration Roadmap
1. Connect a PC to the router through a console port.
2. Perform login settings on the PC.
3.
Data Preparation
Communication parameters of the PC (baud rate: 4800 bps, data bit: 6, parity: even, stop bit: 2, flow control mode: none)
Procedure
Step 1 Establish the configuration environment by connecting the serial port of the PC to the console port of the router through a standard RS-232 cable.
Step 2 Start a terminal emulator on the PC, and set the communication parameters of the PC, as shown in Figure 5-8 to Figure 5-10.
Figure 5-8 Connection creation
Step 3 Power on the router and wait for the completion of the self-check. After the router starts normally and finishes the self-check, the system prompts you to press Enter.
Wait until the prompt (usually <HUAWEI>) appears. You can then use commands to view the running status of the router or to configure the router.
----End
Networking Requirements
If you cannot configure the router by local login and the router is not reachable from other routers, connect the serial port of the PC to the AUX port of the router through a modem. The detailed configuration environment is shown in Figure 5-11.
Figure 5-11 Networking diagram of logging in through the AUX port (figure shows: PC COM port, Modem, PSTN, Modem, Router)
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish the physical connection.
2. Configure the name, authentication mode, and password of a user that logs in.
3. Configure the AUX port to support modem dialup.
4. Configure modem parameters.
Data Preparation
To complete the configuration, you need the following data:
l Type of terminals
l Terminal communication parameters
l User name, password, and authentication mode used for user login, which are huawei, hello, and password respectively
l Modem communication parameters
Procedure
Step 1 Establish the physical connection, as shown in Figure 5-11.
Step 3 Configure modem parameters.
# Run the PC terminal emulator (see Logging in to the Router Through an AUX Port). Press Enter on the PC terminal emulator or terminal until a command line prompt of the modem, such as ">", appears. Configure the modem to meet the requirements of AUX communication. For details, see the modem documentation.
Step 4 Log in to the router. Enter the user name and password in the remote terminal emulation program. After authentication succeeds, a command line prompt such as <HUAWEI> appears. Enter commands to check the running status of the router or to configure the router. Enter "?" for help.
----End
Networking Requirements
A user can log in to the router on another network segment from a PC to remotely maintain the router. Figure 5-12 Networking diagram of user login by using Telnet
After a Telnet user logs in to the router in AAA authentication mode, the Telnet user is prohibited from logging in to another router through the router.
Configuration Roadmap
1. Establish a physical connection.
2. Assign IP addresses to interfaces on the router.
3. Set parameters of the VTY user interface, including limits on call-in and call-out.
4. Set user login parameters.
5. Log in to the router.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the PC
l IP address of the Ethernet interface on the router: 10.137.217.221
l Maximum number of VTY user interfaces: 10
l Number of the ACL that is used to prohibit users from logging in to another router: 3001
l Timeout period for disconnecting from the VTY user interface: 20 minutes
l Number of lines that a terminal screen displays: 30
l Size of the history command buffer: 20
l Telnet user information (authentication mode: AAA, user name: huawei, password: hello)
Procedure
Step 1 Connect the PC and the router to the network.
Step 2 Configure a login address.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo shutdown
[HUAWEI-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[HUAWEI-GigabitEthernet1/0/1] quit
Step 3 Configure the VTY user interface on the router.
# Set the maximum number of VTY user interfaces.
[HUAWEI] user-interface maximum-vty 10
# Configure an ACL that is used to prohibit users from logging into another router.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-interface vty 0 9
[HUAWEI-ui-vty0-9] acl 3001 outbound
Step 4 Set parameters of the login user on the router.
# Specify the user authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher hello
[HUAWEI-aaa] local-user huawei service-type telnet
[HUAWEI-aaa] local-user huawei level 3
[HUAWEI-aaa] quit
Step 5 Configure user login.
# Use the Windows command line to telnet to the router. The Telnet login window is shown in the following figure.
Figure 5-13 Telnet login window on the PC
Press Enter, and then input the user name and password in the login window. If user authentication succeeds, a command line prompt of the system view is displayed. It indicates that you have entered the user view. Figure 5-14 Window after login of the router
Click Yes and then enter the user name and password in the login window. If user authentication succeeds, a command line prompt such as <HUAWEI> is displayed.
----End
Configuration Files
Configuration file of the Router
#
 sysname HUAWEI
#
acl number 3001
 rule 5 deny tcp destination-port eq telnet
#
aaa
 local-user huawei password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
 local-user huawei service-type telnet
 local-user huawei level 3
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
 user-interface maximum-vty 10
user-interface con 0
user-interface vty 0 9
 acl 3001 outbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return
Networking Requirements
As shown in Figure 5-15, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode. In this configuration example, the password authentication mode is used.
Figure 5-15 Networking diagram of configuring user login by using STelnet (figure shows: PC, Network, SSH Server with GE1/0/1 10.137.217.225/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server for secure data exchange between the STelnet client and the SSH server.
2. Configure the VTY user interface on the SSH server.
3. Configure an SSH client, which involves setting the user authentication mode, user name, and password.
4. Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
To complete the configuration, you need the following data:
l SSH user authentication mode: password; user name: client001; password: huawei
l User level of client001: 3
l IP address of the SSH server: 10.164.39.210
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
NOTE
If SSH is configured as the login protocol, the NE80E/40E automatically disables Telnet.
Step 5 Verify the configuration.
# Log in to the device through PuTTY, specifying the IP address of the device as 10.164.39.210 and the login protocol as SSH.
# Log in to the device through PuTTY, and enter the user name client001 and the password huawei.
----End
Configuration Files
l Configuration file of the SSH server
#
 sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 level 3
6
About This Chapter
The file system manages the files and directories in the storage devices on the router. It can move and delete a file or directory and display the contents of a file.
6.1 File System Overview
The router effectively manages all files by means of the file system.
6.2 Performing File Operations by Means of the File System
Users can perform file operations by means of the file system, including managing storage devices, directories, and files.
6.3 Performing File Operations by Means of FTP
FTP can transmit files between local and remote hosts, and is widely used for version upgrade, log downloading, file transmission, and configuration saving.
6.4 Performing File Operations by Means of SFTP
SFTP enables users to log in to the router securely from a remote device to manage files. This improves the security of data transmission when the remote end updates its system.
6.5 Performing File Operations by Means of Xmodem
This section describes how to transfer files through Xmodem.
6.6 Configuration Examples
This section provides examples of performing file operations by accessing the system and by using FTP or SFTP. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.
Table 6-1 File management methods
File Management Method | Implementation
Logging in to the system | You can log in to the system through the Console or AUX port, or by using Telnet or STelnet, to manage files.
FTP | The router needs to be enabled with FTP. Most terminals support the FTP client function.
SFTP | SFTP provides secure file transfer services based on SSH, independent of the standard FTP protocol. The router needs to be enabled with SFTP, and terminals need to have SFTP client software installed.
Applicable Environment
When the router fails to save or obtain data, you can log in to the file system to repair the faulty storage devices or manage files or directories on the router. You can especially manage storage devices by logging in to the file system.
Pre-configuration Tasks
Before performing file operations by logging in to the file system, complete the following tasks: l Connecting the client with the server correctly
Data Preparation
To perform file operations by logging in to the file system, you need the following data: No. 1 2
No. 3
Context
When the file system on a storage device fails, the terminal of the router prompts you to rectify the fault. You can format a storage device when you fail to repair the file system or you do not need any data saved on the storage device.
CAUTION
Formatting storage devices may lead to data loss. Therefore, exercise caution when performing this operation.
Procedure
l Run:
fixdisk device-name
After this command is run, if the prompt that the system should be repaired is still received, it indicates that the physical medium may be damaged.
l Run:
format device-name
If the storage device cannot work after running the format device-name command, a fault may occur to the hardware.
----End
Issue 02 (2011-09-10)
108
Context
You can manage directories by changing and displaying directories, displaying files in directories and sub-directories, and creating and deleting directories.
Procedure
l Run:
cd directory
The file and sub-directory list in the directory is displayed. Either the absolute path or the relative path is applicable.
l Run:
mkdir directory
Context
l Managing files includes: displaying contents, copying, moving, renaming, compressing, deleting, undeleting, deleting files in the recycle bin, running files in batch, and configuring prompt modes.
l You can run the cd directory command to enter the required directory from the current directory.
Procedure
l Run:
more filename [ offset | all ]
The content of the file is displayed. By specifying parameters in the more command, you can view files flexibly:
l By running the more file-name command, you can view the file named file-name. Contents of a text file are displayed screen by screen. If you hold down the spacebar on the current terminal, all contents of the current file are displayed. There are two preconditions for displaying the contents of a text file screen by screen: the value configured by the screen-length screen-length temporary command must be larger than 0, and the total number of lines in the file must be larger than the value configured by the screen-length command.
l By running the more file-name offset command, you can view the file named file-name. Contents of a text file are displayed screen by screen, starting from the line specified by offset. If you hold down the spacebar on the current terminal, all contents of the current file are displayed. There are two preconditions for displaying the contents of a text file screen by screen: the value configured by the screen-length screen-length command must be larger than 0, and the number of characters in the file minus the value of offset must be larger than the value configured by the screen-length command.
l By running the more file-name all command, you can view the file named file-name. Contents of a text file are displayed completely, without pausing after each screenful of information.
l Run:
copy source-filename destination-filename
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
l Run:
move source-filename destination-filename
The file is deleted. If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being deleted.
l Run:
undelete filename
If the current directory is not the parent directory, you must operate the file by using the absolute path.
l Run:
reset recycle-bin [ filename ]
The file is deleted. You can permanently delete files in the recycle bin.
l Running Files in Batch
You can upload the files and then process the files in batches. The edited batch files need to be saved in the storage devices on the router. After the batch file is created, you can run the batch file to implement routine tasks automatically.
1. Run:
system-view
The batch file is executed.
l Configuring Prompt Modes
The system displays prompts or warning messages when you operate the device (especially for operations leading to data loss). If you need to change the prompt mode for file operations, you can configure the prompt mode of the file system.
1. Run:
system-view
The prompt mode of the file system is configured. By default, the prompt mode is alert.
CAUTION
If the prompt is in quiet mode, no prompt appears for data loss due to misoperation.
----End
Applicable Environment
When the router serves as the FTP server, after the client logs in to the router through FTP, the user can transfer files between the client and the server.
Pre-configuration Tasks
Before performing file operations by means of FTP, complete the following task: l Connecting the FTP client to the server
Data Preparation
To perform file operations by means of FTP, you need the following data:
NOTE
Data:
l FTP user name and password, and the file directory authorized to the FTP user
l (Optional) Listening port number specified on the FTP server
l (Optional) Source IP address or source interface of the FTP server
l (Optional) Timeout period of the disconnection from the FTP server
Context
To perform file operations by means of FTP, you need to configure a local user name and a password on the router and specify the service type and the directories that can be accessed. Otherwise, you cannot access the router by using FTP. Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 3 Run:
aaa
The local user name and the password are configured.
Step 5 Run:
local-user user-name service-type ftp
Context
By default, the listening port number of an FTP server is 21. Users can directly log in to the router by using the default listening port number. Attackers may access the default listening port, reducing available bandwidth, affecting the performance of the server, and preventing valid users from accessing the server. After the listening port number of the FTP server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.
NOTE
If the FTP service is not enabled, change the FTP port as required. If the FTP service is enabled, run the undo ftp server command to disable the FTP service first, and then change the FTP port.
Procedure
Step 1 Run:
system-view
The port number of the FTP server is configured. If a new listening port number is configured, the FTP server tears down all existing FTP connections and listens on the new port number.
----End
Context
By default, the FTP server is disabled on the router. Therefore, you must enable the FTP server before using FTP. Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
When the file operations between clients and the router are finished, run the undo ftp [ ipv6 ] server command to disable the FTP server function. This reduces the exposure of the router.
----End
Context
- You can configure a source IP address for the FTP server. This limits the destination address that clients can access and therefore improves security.
- You can configure the timeout period for FTP connections on the FTP server. When the timeout period of an FTP connection expires, the system closes the connection to release resources.
Procedure
Step 1 Run:
system-view
The source IP address and source interface of the FTP server are configured. To log in to the FTP server, you must specify the same source IP address in the ftp command. Otherwise, you cannot log in to the FTP server.
Step 3 Run:
ftp [ ipv6 ] timeout minutes
The timeout period of the FTP server is configured. If the client is idle for the configured time, the FTP server closes the connection. By default, the timeout value is 30 minutes.
----End
Context
When the router functions as an FTP server, you can configure an ACL so that only clients matching the ACL rules can access the FTP server. Do as follows on the router that serves as the FTP server:
Procedure
Step 1 Run:
system-view
Step 4 Run:
quit
Context
If you need to log in to the router by using FTP, you can use either the Windows command line prompt or third-party software. This section uses the Windows command line prompt as an example. Do as follows on the PC:
Procedure
Step 1 Open the Windows command line.
Step 2 Run the ftp ip-address command to log in to the router by using FTP. Enter the user name and password at the prompt, and press Enter. When the FTP client prompt, such as ftp>, is displayed in the Windows command line, you have entered the working directory of the FTP server.
----End
Context
After logging in to the FTP server, you can perform the following operations:
- Configuring the data type for the file
- Uploading or downloading files
- Creating directories on or deleting directories from the FTP server
- Displaying information about a specified remote directory or file on the FTP server, or deleting a specified file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the following one or more operations:
Procedure
- Configuring the data type and transmission mode for the file. Run:
ascii or binary
FTP supports the ASCII type and the binary type. Their differences are as follows:
- In ASCII transmission mode, the file is treated as text and carriage returns and line feeds are converted to the conventions of the receiving system.
- In binary transmission mode, bytes are transferred as they are, without any conversion or formatting.
The FTP transmission mode is selected by the client. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
The file is downloaded from the FTP server and saved to the local file.
- Uploading or downloading multiple files. Run the mput local-filenames command to upload multiple local files to the remote FTP server in one operation. Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.
- When you are uploading or downloading files and the prompt command has been run in the FTP client view to enable the file transmission prompt function, the system asks you to confirm each upload or download operation.
- If the prompt command is run again in the FTP client view, the file transmission prompt function is disabled.
- Run one or more of the following commands to manage directories. Run:
cd pathname
A directory is removed from the FTP server.
- Run one or more of the following commands to manage files. Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. Run:
delete remote-filename
The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specified file. When local-filename is set, the listing information is saved to that local file.
NOTE
If you need other FTP operations, you can run the help [ command ] command to get help in the Windows command line.
----End
Prerequisite
All configurations for operating files by using FTP are complete.
Procedure
- Run the display [ ipv6 ] ftp-server command to check the configuration of the FTP server.
- Run the display ftp-users command to check which users are currently logged in to the FTP server.
----End
Example
Run the display [ ipv6 ] ftp-server command to check that the FTP server is running.
<HUAWEI> display ftp-server
  FTP server is running
  Max user number                  5
  User count                       1
  Timeout value(in minute)         30
  Listening Port                   1080
  Acl number                       0
  FTP server's source address      1.1.1.1
Run the display ftp-users command to view the user name, host, port number, idle time, and authorized directory of each FTP user currently logged in.
<HUAWEI> display ftp-users
  username    host              port    idle    topdir
  zll         100.2.150.226     1383    3       cfcard:
Applicable Environment
SSH provides secure data transmission over an otherwise insecure network by authenticating the client and encrypting data in both directions. SSH supports SFTP. SFTP is a secure file transfer service that enables users to log in to the server and transfer data over the SSH connection.
Pre-configuration Tasks
Before performing file operations by using SFTP, complete the following task:
- Configuring reachable routes between the terminal and the device
Data Preparation
Before performing file operations by using SFTP, you need the following data.
1. Maximum number of VTY user interfaces, (optional) ACL for limiting call-in and call-out on VTY user interfaces, connection timeout period of terminal users, number of rows displayed on a terminal screen, size of the history command buffer, user authentication mode, user name, and password
2. User name, password, authentication mode, and service type of an SSH user, the remote public RSA key pair allocated to the SSH user, and the SFTP working directory of the SSH user
3. (Optional) Number of the port monitored by the SSH server; (Optional) interval for updating the key pair on the SSH server
4. Name of the SSH server, number of the port monitored by the SSH server, preferred encryption algorithm from the SFTP client to the SSH server, preferred encryption algorithm from the SSH server to the SFTP client, preferred HMAC algorithm from the SFTP client to the SSH server, preferred HMAC algorithm from the SSH server to the SFTP client, preferred key exchange algorithm, name of the outgoing interface, and source address
5. Directory name and file name
Context
By default, the user authentication mode in the VTY user interface is password. Therefore, before a user logs in to the router by using SFTP, the user authentication mode in the VTY user interface must be set. Otherwise, the user cannot log in to the router. Other attributes of the VTY user interface in the router, such as terminal attributes and user priorities, can also be set as needed. These attributes, however, generally do not need to be set because they have default values. For detailed settings, see Configuring VTY User Interface.
Context
By default, user interfaces support Telnet. If no user interface is configured to support SSH, users cannot log in to the router by using SFTP.
Procedure
Step 1 Run:
system-view
If a VTY user interface is configured to support SSH, the VTY user interface must be configured with AAA authentication. Otherwise, the protocol inbound ssh command cannot be configured.
----End
6.4.4 Configuring an SSH User and Specifying SFTP as One of Service Types
To allow a user to log in to the router by using SFTP, you must configure an SSH user, configure the router to generate a local RSA key pair, configure a user authentication mode, and specify a service type and an authorized directory for the SSH user.
Context
- SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on Authentication, Authorization and Accounting (AAA). Before a user logs in to the router in password or password-RSA authentication mode, you must create a local user with the specified user name in the AAA view.
- Configuring the router to generate a local RSA key pair is a key step for SSH login. If an SSH user logs in to an SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in to an SSH server in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.
NOTE
Password-RSA authentication requires success of both password authentication and RSA authentication. The all authentication mode requires success of either password authentication or RSA authentication.
Procedure
Step 1 Run:
system-view
1. Run:
aaa
The name and password of the local user are created.
Step 3 Run:
rsa local-key-pair create
- Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.
- After generating the local key pair, you can run the display rsa local-key-pair public command to view the public key of the local key pair.
Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured. Perform the following as required:
- Authenticate the SSH user through the password. Run:
ssh user user-name authentication-type password
The default password authentication is configured for the SSH user. For local authentication or HWTACACS authentication, if the number of SSH users is small, you can use the former command; if the number of SSH users is large, use the latter command to simplify the configuration.
- Authenticate the SSH user through RSA.
1. Run:
ssh user user-name authentication-type rsa
2. Run:
rsa peer-public-key key-name
- In the public key view, only hexadecimal strings complying with the public key format can be typed in. Each string is randomly generated on an SSH client. For detailed operations, see the manuals for the SSH client software.
- After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the router that serves as the SSH server.
5. Run:
public-key-code end
Quit the public key editing view.
- If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
- If the specified key-name was deleted in another view, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
6. Run:
peer-public-key end
Return to the system view from the public key view.
7. Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.
Step 5 (Optional) Configuring the Basic Authentication Information for SSH Users
1. Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured. By default, the interval for updating the key pair of the SSH server is 0, which indicates that the key pair is never updated.
2. Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set. By default, the timeout period is 60 seconds.
3. Run:
ssh server authentication-retries times
The number of SSH authentication retries is set. By default, the number of retries is 3.
Step 6 (Optional) Authorizing SSH Users Through the Command Line
SSH users can be authenticated in four modes: password, RSA, password-RSA, and all. In RSA authentication mode, you can configure SSH users to be authorized based on command levels. Run:
ssh user user-name authorization-cmd aaa
Command line authorization is configured for the specified SSH user. After configuring command line authorization for an SSH user that uses RSA authentication, you must also configure AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.
Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of the SSH user is set to SFTP or all. By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for the SSH user is configured. By default, the authorized directory of the SFTP service for SSH users is cfcard:.
----End
Context
By default, the router is not enabled with the SFTP server function. Users can establish connections with the router by using SFTP only after the router is enabled with the SFTP server function. Do as follows on the router that serves as an SSH server:
Procedure
Step 1 Run:
system-view
The SFTP service is enabled. By default, the SFTP service is disabled.
----End
Context
Table 6-2 lists server parameters.
Table 6-2 Server parameters
- Earlier SSH version compatibility: SSH has two versions: SSH1.X (earlier than SSH2.0) and SSH2.0. Compared with SSH1.X, SSH2.0 is extended in structure and supports more authentication modes and key exchange methods. SSH2.0 also supports more advanced services such as SFTP. The HUAWEI NetEngine80E/40E supports SSH versions ranging from 1.3 to 2.0.
- Listening port number: The default listening port number of an SSH server is 22. Users can log in to the device by using the default listening port number. Attackers may probe the default listening port, consuming bandwidth, degrading server performance, and preventing authorized users from accessing the server. After the listening port number of the SSH server is changed, attackers do not know the new port number. This effectively prevents attackers from accessing the listening port and improves security.
- Key pair update interval: After the interval is set, the key pair of the SSH server is updated periodically to improve security.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Perform one or more of the operations shown in Table 6-3 as needed.
Table 6-3 Configurations of server parameters
- Earlier SSH version compatibility: Run the ssh server compatible-ssh1x enable command. By default, an SSH server running SSH2.0 is compatible with SSH1.X. To prevent clients running SSH1.3 to SSH1.99 from logging in, run the undo ssh server compatible-ssh1x enable command to stop the system from supporting earlier SSH protocol versions.
- Listening port number: Run the ssh server port port-number command. If a new listening port is set, the SSH server cuts off all established STelnet and SFTP connections and uses the new port number to listen for connection requests. By default, the listening port number is 22.
- Key pair update interval: Run the ssh server rekey-interval hours command. By default, the interval is 0, indicating that the key pair is never updated.
----End
Context
Third-party software can be used to access the router from the user terminal by using SFTP. This section uses the third-party software OpenSSH together with the Windows command line as an example. After installing OpenSSH on the user terminal, do as follows on the user terminal:
NOTE
For details on how to install OpenSSH, see the installation guide of the software. For details on how to use OpenSSH commands to log in to the router, see the help document of the software.
Procedure
Step 1 Open the Windows command line.
Step 2 Run the relevant OpenSSH commands to log in to the router in SFTP mode. When the SFTP client prompt, such as sftp>, is displayed, you have entered the working directory of the SFTP server.
----End
Context
After logging in to the SFTP server, you can perform the following operations:
- Displaying the SFTP client command help
- Managing the directory on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform the following one or more operations.
Procedure
- Run:
help [ all | command-name ]
Run:
cd [ remote-directory ]
A directory is created on the server.
- You can perform one or more of the following operations as required. Run:
rename old-name new-name
Prerequisite
The SSH user configuration is complete.
Procedure
- Run the display ssh user-information username command to check the information about the SSH client on the SSH server.
- Run the display ssh server status command on the SSH server to check its global configuration.
- Run the display ssh server session command on the SSH server to check information about connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. The output shows that the SSH user named client001 is authenticated by password.
[HUAWEI] display ssh user-information client001
  User Name              : client001
  Authentication-type    : password
  User-public-key-name   :
  Sftp-directory         :
  Service-type           : sftp
  Authorization-cmd      : No
If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed. Run the display ssh server status command to view the global configuration of the SSH server.
<HUAWEI> display ssh server status
  SSH version                          :
  SSH connection timeout               :
  SSH server key generating interval   :
  SSH Authentication retries           :
  SFTP server                          :
  Stelnet server                       : Enable
  SSH server port                      : 55535
NOTE
If the default listening port is in use, the line showing the current listening port is not displayed.
Run the display ssh server session command to view information about sessions between the SSH server and SSH clients.
<HUAWEI> display ssh server session
  Session 2:
  Conn                 : VTY 4
  Version              : 2.0
  State                : started
  Username             : client002
  Retry                : 1
  CTOS Cipher          : aes128-cbc
  STOC Cipher          : aes128-cbc
  CTOS Hmac            : hmac-md5
  STOC Hmac            : hmac-md5
  Kex                  : diffie-hellman-group-exchange-sha1
  Service Type         : sftp
  Authentication Type  : password
Applicable Environment
Configure XModem to transfer files through serial interfaces.
Pre-configuration Tasks
Before configuring XModem, complete the following tasks:
- Powering on the router
- Connecting the router and the PC through an AUX port or a console port
- Logging in to the router through the terminal emulation program and specifying a file path in the terminal emulation program
Data Preparation
To configure XModem, you need the following data.
1. Name of the file
2. Absolute path of the file
Context
XModem file transfer involves a receiving program and a sending program.
- The receiving program first sends the negotiation character to negotiate the check mode.
- After the negotiation succeeds, the sending program begins to send packets.
- When the receiving program receives a complete packet, it checks the packet in the negotiated mode.
- If the check succeeds, the receiving program sends the acknowledgement character and the sending program sends the next packet.
- If the check fails, the receiving program sends the denial character and the sending program retransmits the packet.
The NE80E/40E provides the XModem receiving program, which works on the AUX port and supports 128-byte packets and CRC checking. The XModem sending program is included in HyperTerminal. Do as follows on the router:
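The exchange described above, as an added example that is not part of the original guide: an in-process simulation of the XModem-CRC packet format (128-byte blocks, CRC-16) and the negotiate, send, check, ACK-or-NAK loop, with one corrupted packet injected so that the retransmission path is exercised. The control-byte constants follow the public XModem convention; the payload is constructed for this example and nothing here is taken from the NE80E/40E implementation.

```python
"""Simulated XModem-CRC transfer: receiver negotiates CRC mode, sender frames
128-byte packets, receiver verifies each one and answers ACK or NAK.
Constructed example; not the router's own code."""

# Standard XModem control bytes (SOH, EOT, ACK, NAK), the 'C' that requests
# CRC mode, and the pad byte used to fill the last 128-byte block.
SOH, EOT, ACK, NAK, CRC_REQ, PAD = 0x01, 0x04, 0x06, 0x15, 0x43, 0x1A
BLOCK = 128


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no xorout."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(block_no: int, chunk: bytes) -> bytes:
    """Frame one data block as SOH, seq, 255-seq, 128 data bytes, CRC-16 big-endian."""
    if not 0 < len(chunk) <= BLOCK:
        raise ValueError("chunk must be 1..128 bytes")
    data = chunk.ljust(BLOCK, bytes([PAD]))          # pad the final short block
    seq = block_no & 0xFF                            # block numbers wrap at 256
    return bytes([SOH, seq, 0xFF - seq]) + data + crc16_xmodem(data).to_bytes(2, "big")


def check_packet(pkt: bytes, expected_block: int):
    """Receiver-side check: return the 128 data bytes if the frame is well formed,
    carries the expected block number and the CRC matches; otherwise return None."""
    if len(pkt) != 3 + BLOCK + 2 or pkt[0] != SOH:
        return None
    seq, seq_inv = pkt[1], pkt[2]
    if seq != (expected_block & 0xFF) or seq_inv != 0xFF - seq:
        return None
    data = pkt[3:3 + BLOCK]
    if int.from_bytes(pkt[-2:], "big") != crc16_xmodem(data):
        return None
    return data


def simulate_transfer(payload: bytes, corrupt_block=None, max_retries: int = 10):
    """Run sender and receiver in one process and return (received_bytes, replies),
    where replies is the sequence of control bytes the receiver sent.
    If corrupt_block is given, the first copy of that block is delivered with a
    flipped data bit, so the receiver NAKs it and the sender retransmits."""
    chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
    replies = [CRC_REQ]                  # receiver opens by asking for CRC mode
    received = bytearray()
    block_no = 1
    for chunk in chunks:
        retries = 0
        while True:
            pkt = build_packet(block_no, chunk)
            if block_no == corrupt_block and retries == 0:
                pkt = pkt[:3] + bytes([pkt[3] ^ 0x01]) + pkt[4:]   # simulate line noise
            data = check_packet(pkt, block_no)
            if data is None:             # check failed: NAK, sender resends
                replies.append(NAK)
                retries += 1
                if retries > max_retries:
                    raise RuntimeError("transfer aborted: too many retries")
                continue
            replies.append(ACK)          # check passed: ACK, move to next block
            received += data
            block_no += 1
            break
    replies.append(ACK)                  # sender's EOT is acknowledged as well
    return bytes(received), replies


if __name__ == "__main__":
    sample = b"paf.txt sample " * 20     # constructed 300-byte payload -> 3 blocks
    out, ctl = simulate_transfer(sample, corrupt_block=2)
    print(len(out), "bytes received;", "replies:", [hex(c) for c in ctl])
```

The received data is a whole number of 128-byte blocks, so a receiver that writes it to a file keeps the trailing pad bytes unless it strips them, which is why the guide tells the operator to check the file size afterwards with dir.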
Procedure
- Run:
xmodem get { filename | devicename }
- Before getting the file, confirm the path and the name of the file to be sent.
- For filename, an absolute path is required.
- If a file with the specified name already exists, the system asks whether to overwrite it.
----End
6.6.1 Example for Performing File Operations by Means of the File System
This section describes how to perform file operations by means of the file system. In this example, you can log in to the router to view and copy directories.
Networking Requirements
You can log in to the router through the Console interface, AUX interface, Telnet, or STelnet to perform file operations on the router. The file path in the storage device must be correct. If the user does not specify a target file name, the source file name is the name of the target file by default.
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the files under a certain directory.
2. Copy a file to this directory.
3. Check this directory and confirm that the file has been copied to the specified directory.
Data Preparation
To complete the configuration, you need the following data:
- Source file name and target file name
- Source file path and target file path
Procedure
Step 1 Display the file information in the current directory. cfcard:/ is the flash memory identifier.
<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R003C00SPC300.cc

500192 KB total (347760 KB free)
Step 3 Display the file information of the current directory again; the listing shows that the file has been copied to the specified directory.
<HUAWEI> dir cfcard:/
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date         Time      FileName
    0  -rw-          64  Nov 15 2006  13:07:44  patchnpstate.dat
    1  -rw-         418  Jul 26 2007  19:52:14  vrpcfg.zip
    2  -rw-       38017  Aug 01 2007  11:02:00  paf.txt
    3  -rw-        2292  Aug 21 2006  15:35:50  vrp.zip
    4  -rw-        7041  Aug 02 2007  11:02:00  license.txt
    5  -rw-   117013076  Jul 13 2007  10:40:44  V600R003C00SPC300.cc
    6  -rw-        1605                         sample1.txt

500192 KB total (346155 KB free)
----End
Networking Requirements
As shown in Figure 6-1, after the FTP server is enabled on the router, you can log in to the FTP server from the HyperTerminal to upload or download files.
Figure 6-1 Networking diagram (diagram not reproduced; labels: Network, PC)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of the FTP server.
2. Enable the FTP server.
3. Configure the authentication information, authorization mode, and directories to be accessed for an FTP user.
4. Log in to the FTP server by using the correct user name and password.
5. Upload files to or download files from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
- IP address of the FTP server, that is, 10.137.217.221
- Timeout period for the FTP connection, that is, 30 minutes
- FTP user name huawei and password huawei on the server
- The destination file name and its location on the FTP client
Procedure
Step 1 Configure the IP address of the FTP server.
[server] interface gigabitethernet1/0/1
[server-GigabitEthernet1/0/1] undo shutdown
[server-GigabitEthernet1/0/1] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet1/0/1] quit
Step 3 Configure the authentication information, authorization mode, and authorized directories for an FTP user on the FTP server.
[server] aaa
[server-aaa] local-user huawei password simple huawei
[server-aaa] local-user huawei service-type ftp
[server-aaa] local-user huawei ftp-directory cfcard:
[server-aaa] quit
Step 4 Run the FTP commands at the Windows command line prompt, and enter the correct user name and password to set up an FTP connection with the FTP server.
Step 5 Upload and download files, as shown in the following figure.
Figure 6-3 Performing file operations by means of FTP (figure not reproduced)
NOTE
You can run the dir command before downloading a file or after uploading a file to view the detailed information of the file.
----End
Configuration Files
- Configuration file of the FTP server
#
 sysname Server
#
 FTP server enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.221 255.255.0.0
#
aaa
 local-user huawei password simple Huawei
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
return
Networking Requirements
As shown in Figure 6-4, after SFTP services are enabled on the router functioning as an SSH server, you can log in to the server in password, RSA, password-rsa, or all authentication mode from a PC acting as the SFTP client. In this example, a user is configured to log in to the SSH server in password authentication mode.
Figure 6-4 Networking diagram for operating files by using SFTP
(Diagram not reproduced; labels: SSH Server, GE1/0/1 10.137.217.225/16, Network, PC)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local key pair on the SSH server to securely exchange data between the SFTP client and the SSH server.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the user authentication mode, user name, password, and authorized directory.
4. Enable SFTP services on the SSH server and configure the user service type.
Data Preparation
To complete the configuration, you need the following data:
- SSH user authentication mode: password; user name: client001; password: huawei
- User level of client001: 3
- IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Configure the SSH user name and password on the SSH server.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
Step 4 Enable SFTP and configure the user service type to be SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
----End
Configuration Files
- Configuration file of the SSH server
#
 sysname SSH Server
#
aaa
 local-user client001 password cipher huawei
 local-user client001 level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.255.0
#
 sftp server enable
 ssh user client001 authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
Networking Requirements
The router is connected to a PC through the AUX port. Log in to the router through the AUX port, receive files over the AUX port, and save the received files to the cfcard.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run HyperTerminal on the PC and log in to the router.
2. Use the xmodem get command to receive the file on the router, and specify the file path in HyperTerminal.
Data Preparation
To complete the configuration, you need the following data:
- Files to be copied from the PC
- The path of the file on the PC
Procedure
Step 1 Log in to the router through the AUX port. Refer to Chapter 2 "Logging in to the Devices Through the AUX Port" in the NE80E/40E Configuration Guide - Basic Configuration.
Step 2 Use the XModem protocol to receive the file from the AUX port. The received file is saved on the cfcard memory of the router with the file name paf.txt.
<HUAWEI> xmodem get cfcard:/paf.txt
**** WARNING ****
xmodem is a slow transfer protocol limited to the current speed
settings of the auxiliary ports. During the course of the download
no exec input/output will be available!
---- ******* ----
Proceed?[Y/N]y
Destination filename [cfcard:/ paf.txt]?
Before press ENTER you must choose 'YES' or 'NO'[Y/N]:y
Download with XMODEM protocol....
Step 3 Specify the file to be sent in HyperTerminal.
Figure 6-6 Specifying the file to be sent (figure not reproduced)
Step 4 The system prompts that the file has been received successfully. You can then view the directory listing of cfcard: to confirm the new file.
<HUAWEI>
Download successful!
<HUAWEI> dir
Directory of cfcard:/

  Idx  Attr  Size(Byte)  Date    Time      FileName
    0  -rw-    10014764  Jun 20  15:00:28  ne20-vrp5.10-c01b070.bin
    1  -rw-       98776  Jul 27  09:36:12  matnlog.dat
    2  -rw-          28  Jul 27  09:34:39  private-data.txt
    3  -rw-         480  May 10  11:25:18  vrpcfg.zip
    4  -rw-    10103172  Jul 22  16:40:37  ne20-vrp5.10-c01db90.bin
    5  -rw-        1515  Jul 19  17:39:55  vrpcfg.cfg
    6  -rw-        3844  Jul 14  11:51:45  exception.dat
    7  -rw-     8628372  Jun 01  10:14:34  ne20-vrp330-0521.01.bin
    8  -rw-          45  Jul 27  10:51:26  paf.txt
----End
7
About This Chapter
When the router starts, system software is started and configuration files are loaded. To ensure smooth running of the router, you need to manage system software and configuration files efficiently.
7.1 System Startup Overview
When the router starts, system software is started and configuration files are loaded.
7.2 Managing Configuration Files
You can manage the configuration files for the current and next startup of the router.
7.3 Specifying a File for System Startup
You can specify a file for system startup by specifying the system software and configuration file for the next startup of the router.
7.4 Configuration Examples
This section provides an example for configuring system startup. The configuration example explains the networking requirements, configuration roadmap, and configuration notes.
- The system can run a command with a maximum length of 512 characters, including commands entered in abbreviated form.
- If a command is entered in abbreviated form, it is saved in its complete form. The command length in the configuration file may therefore exceed 512 characters, and such commands cannot be restored when the system restarts.
Concept: Configuration files
Description: Initial configurations. On powering on, the router retrieves the configuration file from the default save path to initialize itself. If no configuration file exists in the default save path, the router uses the default parameters.
Identifying method:
l Run the display startup command to view the configuration files for the current and next startup operations on the router.
l Run the display saved-configuration command to view the configuration file for the next startup operation on the router.

Concept: Current configurations
Description: Current configurations are the configurations in effect on the currently running router.
Identifying method:
l Run the display current-configuration command to view the current configurations on the router.
Users can modify the current configurations of the router through the command line interface. Run the save command to save the current configuration to the configuration file on the default storage device; the saved configuration becomes the initial configuration the next time the router is powered on.
Applicable Environment
You manage configuration files by saving, clearing, and comparing them. Managing configuration files is needed when you upgrade the router, take preventive measures, repair configuration files, and view configurations after the router starts.
Pre-configuration Tasks
Before managing configuration files, complete the following task: l Installing the router and starting it properly
Data Preparation
To manage configuration files, you need the following data.
No. Data
1 Configuration file and its name
2 Interval and delay for saving configuration files
3 Number of the line from which the comparison of the configuration files begins
Context
The system can save the configuration files periodically or in real time to prevent data loss when the router is powered off or accidentally restarted. Run one of the following commands to save configuration files.
Procedure
l Save configuration files automatically.

CAUTION
When the automatic saving function is enabled and the LPU is not properly installed, the corresponding configurations may be lost.

1. Run:
system-view
The system view is displayed.
2. Run the set save-configuration command, specifying the interval interval, delay delay-interval, or CPU usage upper limit as required.
The configuration file is saved at intervals. After the parameter interval interval is specified, the device saves the configuration file at the specified interval regardless of whether the configuration has changed. If the set save-configuration command is not run, the system does not automatically save configurations. If set save-configuration is run without interval, the system automatically saves configurations every 30 minutes.
To prevent automatic saving from affecting system performance, you can set an upper limit on CPU usage for automatic saving. When automatic saving is triggered by expiry of the timer, the CPU usage is checked; if it is higher than the set upper limit, that automatic save is canceled.
After delay delay-interval is specified, if the configuration is changed, the device automatically saves it after the specified delay. After automatic saving is configured, the system automatically saves changed configurations to the configuration file for the next startup, so that file always reflects the last automatic save.
Before configuring automatic backup of the configuration file to a server, run the set save-configuration backup-to-server server server-ip [ transport-type { ftp | sftp } ] user user-name password password [ path folder ] command or the set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ] command to configure the server: its IP address, user name and password, the destination path, and the protocol used to transfer the configuration file to the server.
NOTE
If TFTP is used, run the tftp client-source command to configure a loopback interface address as the client source IP address on the router. A loopback address is stable regardless of which physical interface carries the traffic, so the TFTP server can restrict access to that single address. Note that TFTP and FTP transfer the configuration file in plain text and TFTP performs no authentication at all; prefer transport-type sftp where the server supports it.
Run:
save [ all ] [ configuration-file ]
The current configuration is saved. The file name extension of the configuration file must be .cfg or .zip, and the system startup configuration file must be saved in the root directory of a storage device. Users modify the current configuration through the command line interface; to make the current configuration the initial configuration at the next startup, run the save command to store it in the cfcard memory. Run save all to save all current configurations, including those of boards that are not inserted, to the default directory.
NOTE
When saving the configuration file for the first time, if you do not specify the optional parameter configuration-file, the router asks you whether to save the file as "vrpcfg.zip" or not. "vrpcfg.zip" is the default configuration file and initially contains no configuration.
----End
Context
The configuration file stored in cfcard memory needs to be cleared in the following cases:
l The system software does not match the configuration file after the router has been upgraded.
l The configuration file is damaged or an incorrect configuration file has been loaded.
Procedure
l Clear the currently loaded configuration file.
Run the reset saved-configuration command to clear the currently loaded configuration file.
If the configuration file used for the current startup is the same as the one used for the next startup, running reset saved-configuration clears both, and the router uses the default configuration file at the next startup.
If the configuration file used for the current startup is different from the one used for the next startup, running reset saved-configuration clears only the configuration file used for the current startup.
If the configuration file used for the current startup is empty, the system prompts that the configuration file does not exist after you run reset saved-configuration.
CAUTION
l After the contents of a configuration file are cleared, an empty configuration file with the original file name is left.
l If, after clearing the configuration file, you neither run the startup saved-configuration configuration-file command to specify a new, correct configuration file nor run the save command, the router uses the default configuration file at the next startup.
l Exercise caution when running this command. If necessary, do it under the guidance of Huawei technical support personnel.
l Clear the inactive configurations of boards that are not installed in slots.
1. Run the system-view command to enter the system view.
2. Run the clear inactive-configuration slot command to clear the inactive configurations of the boards that are not installed in slots.
----End
Context
You can determine whether to specify the current configuration file as the one for the next startup operation by comparing the current configuration file with the one for the next startup operation.
Procedure
l Run:
compare configuration [ configuration-file ] [ current-line-number save-line-number ]
The current configuration is compared with the configuration file for next startup.
If configuration-file is specified, the system checks whether the current configuration is the same as the specified configuration file. If no parameter is set, the comparison begins at the first line of each file. current-line-number and save-line-number specify the line of the current configuration and of the saved file, respectively, from which the comparison resumes; they let you continue past a difference that you have already examined.
When the configuration files differ, the system displays the contents of the current configuration and of the saved configuration file starting from the first differing line. By default, 150 characters are displayed from each file. If fewer than 150 characters remain from the first differing line to the end of a file, everything after the first differing line is displayed.
NOTE
In comparing the current configurations with the configuration file for next startup, if the configuration file for next startup is unavailable or its contents are null, the system prompts that reading files fails.
----End
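As an added illustration (not part of the Huawei guide), the following Python function models the comparison described above: it walks the current configuration and the next-startup file line by line from the chosen start lines, stops at the first difference, and returns an excerpt of each side cut to 150 characters. The two sample configurations are constructed for this example and are not captured from a device.

```python
"""Model of the 'compare configuration' check described above.

Added example, not Huawei code: it reproduces the documented behaviour
(compare from chosen start lines, report the first differing line, show up
to 150 characters of each file from that line) on two constructed configs.
"""

DISPLAY_LIMIT = 150  # characters shown per file, as the guide states


def compare_configuration(current, saved, current_line=1, saved_line=1,
                          limit=DISPLAY_LIMIT):
    """Compare the current configuration text with a saved file's text.

    current_line / saved_line are 1-based start lines, mirroring the
    current-line-number and save-line-number parameters that let an
    operator resume past a difference already examined.

    Returns None when both texts agree from the start lines to their ends,
    otherwise a dict with the 1-based line numbers of the first difference
    and an excerpt of each side from that line, cut to `limit` characters.
    """
    cur_lines = current.splitlines()
    sav_lines = saved.splitlines()
    i, j = current_line - 1, saved_line - 1
    while i < len(cur_lines) and j < len(sav_lines):
        if cur_lines[i] != sav_lines[j]:
            break
        i += 1
        j += 1
    else:
        # The loop ended because at least one side ran out of lines; the
        # files are identical only if both ran out at the same time.
        if i >= len(cur_lines) and j >= len(sav_lines):
            return None
    return {
        "current_line": i + 1,
        "saved_line": j + 1,
        "current_excerpt": "\n".join(cur_lines[i:])[:limit],
        "saved_excerpt": "\n".join(sav_lines[j:])[:limit],
    }


def report(current, saved, current_line=1, saved_line=1):
    """Render the result the way an operator would read it."""
    diff = compare_configuration(current, saved, current_line, saved_line)
    if diff is None:
        return "The current configuration is the same as the saved configuration."
    return (
        f"Current configuration, from line {diff['current_line']}:\n"
        f"{diff['current_excerpt']}\n"
        f"Saved configuration, from line {diff['saved_line']}:\n"
        f"{diff['saved_excerpt']}"
    )


# Constructed sample configurations (not captured from a real device). The
# only difference is the VTY authentication mode on line 8 of each file.
RUNNING_CONFIG = """\
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

SAVED_CONFIG = RUNNING_CONFIG.replace("authentication-mode aaa",
                                      "authentication-mode password")

if __name__ == "__main__":
    print(report(RUNNING_CONFIG, SAVED_CONFIG))
    # Resume after the known difference, as the line-number parameters allow.
    print(report(RUNNING_CONFIG, SAVED_CONFIG, 9, 9))
```

A difference in a security-relevant line such as the VTY authentication mode is exactly the case to look for before deciding whether the current configuration should become the next-startup file: the saved file, not the running one, is what the router will enforce after a reboot.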
Prerequisite
The configuration of Managing Configuration Files are complete.
Procedure
l Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display current-configuration [ all | inactive ] command to check current configurations.
l Run the display startup command to check the files used for startup.
l Run the dir [ /all ] [ filename ] command to check the files saved on the storage device.
l Run the display saved-configuration configuration command to view the configuration of the autosave function, including its status, the autosave check time, the CPU usage threshold, and the period during which configurations must remain unchanged before they are automatically saved.
l Run the display changed-configuration time command to check the time of the last configuration change.
----End
Example
Run the display startup command to check files for startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:
  Startup system software:
  Next startup system software:
  Startup saved-configuration file:
Applicable Environment
To enable the router to provide user-defined configurations during the next startup, you need to correctly specify the system software and configuration file for the next startup.
Pre-configuration Tasks
Before specifying a file for the system startup, complete the following task: l Installing the router and powering it on properly
Data Preparation
To specify a file for system startup, you need the following data.
No. Data
1 System software and its file name on the NE80E/40E
2 Configuration file and its file name on the NE80E/40E
7.3.2 Configuring System Software for a router to Load for the Next Startup
To upgrade the system software of a router, you can specify the NE80E/40E system software to be loaded for the next startup.
Context
If no system software is specified for the next startup operation of the router, the system software loaded this time will be started during the next startup operation. To change system software for the next startup operation, you need to specify the required one.
The filename extension of the system software must be .cc and must be stored in the root directory of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The system software for the router to load at the next startup is specified. system-file names a system software file already saved on the device. slave-board is valid only on routers with dual main control boards.
----End
7.3.3 Configuring the Configuration File for Router to Load for the Next Startup
Before restarting a router, you can specify the configuration files that are loaded for the next startup.
Context
You can run the display startup command on the router to check whether a configuration file is specified to be loaded at the next startup. If none is specified, the default configuration file is loaded at the next startup. The file name extension of the configuration file must be .cfg or .zip, and the file must be stored in the root directory of a storage device. When the router powers on, it initializes by reading the configuration file from the cfcard memory by default; the configuration in this file is therefore called the initial configuration. If no configuration file is saved on the cfcard, the router initializes with default parameters.
Procedure
l Run:
startup saved-configuration configuration-file
The configuration file to be loaded at the next startup is specified.
----End
Prerequisite
The file has been specified for system startup.
Procedure
l Run the display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to check current configurations.
l Run the display saved-configuration [ last | time | configuration ] command to check the contents of the configuration file to be loaded during the next startup.
l Run the display startup command to check information about the files to be used during the next startup.
l Run the display current-configuration slave command to check the configuration of the slave board.
----End
Example
Run the display startup command to check information about the files to be used during the next startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
Networking Requirements
The router has dual main control boards. After the router is configured, the new configurations take effect after the system restarts.
Configuration Roadmap
The configuration roadmap is as follows:
1. Save the current configuration.
2. Specify the configuration file to be loaded during the next startup of the router.
3. Specify the system software to be loaded during the next startup of the router.
Data Preparation
To complete the configuration, you need the following data: l l Name of the configuration file File name of the system software
Procedure
Step 1 Check the configuration file and system software that are used during the current startup.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrp.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
Step 2 Save the current configuration to the file vrpcfg.cfg. The system prompts you whether to save the current configuration to the file named vrpcfg.cfg on the master and slave main control boards. Enter y at the prompt to save the configuration.
Step 3 Specify the configuration file to be loaded during the next startup of the router.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded during the next startup of the router. Specify the system software to be loaded during the next startup of the master main control board.
<HUAWEI> startup system-software V600R003C00SPC300.cc
Specify the system software to be loaded during the next startup of the slave main control board.
<HUAWEI> startup system-software V600R003C00SPC300.cc slave-board
NOTE
l The slave main control board automatically synchronizes with the master main control board after the configuration file to be loaded during the next startup is specified for the master main control board. l Ensure that the system software to be loaded during the next startup of the router is saved on the master and slave main control boards of the router. Configure the system software to be loaded during the next startup of the master and slave main control boards respectively.
Step 5 Verify the configuration. After the configuration is complete, run the following command to check the configuration file and system software to be loaded during the next startup of the router.
<HUAWEI> display startup
MainBoard:
  Configured startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                   cfcard:/V600R003C00SPC300.cc
  Next startup system software:              cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:          cfcard:/vrp.cfg
  Next startup saved-configuration file:     cfcard:/vrpcfg.cfg
  Startup paf file:                          default
  Next startup paf file:                     default
  Startup license file:                      default
  Next startup license file:                 default
  Startup patch package:                     NULL
  Next startup patch package:                NULL
----End
Configuration Files
None.
8
About This Chapter
To manage configurations or operate files on another device, you can access that device by using Telnet, STelnet, TFTP, FTP, or SFTP from the device that you have logged in to.
8.1 Accessing Another Device
This section describes how to access another device on the network by using Telnet, FTP, TFTP, or SSH.
8.2 Logging in to Other Devices by Using Telnet
On the network, a large number of routers need to be managed and maintained. Not all routers, however, can be connected to terminal PCs, and some routers have no reachable route to a terminal PC. To manage and maintain such routers remotely, you can log in to them by using Telnet from a device that you have already logged in to.
8.3 Connecting to Another Device by Using the Telnet Redirection Function
If the client is not connected to the remote device over an IP network, you can manage the device by using the Telnet redirection function on the router.
8.4 Logging in to Another Device by Using STelnet
STelnet provides secure Telnet services. You can log in to another router from the router that you have logged in to by using STelnet and thus manage the device remotely.
8.5 Accessing Files on Another Device by Using TFTP
You can configure the router as a TFTP client and log in to the TFTP server to upload and download files.
8.6 Accessing Files on Another Device by Using FTP
This section describes how to configure the router as an FTP client to log in to an FTP server and upload files to or download files from it.
8.7 Accessing Files on Another Device by Using SFTP
SFTP is a secure FTP service. After the router is configured as an SFTP client, the SFTP server authenticates the client and data is encrypted in both directions, providing secure data transmission.
8.8 Configuration Examples
This section provides examples of accessing another device. The examples explain networking requirements, configuration notes, and configuration roadmap.
Figure 8-1 (diagram not reproduced; devices shown: PC as client, the router, and a server, connected across the network)
As shown in Figure 8-1, after you run a terminal emulation program or Telnet program on a PC and connect to the router, the router can itself act as a client and access another device on the network by one or more of the following methods.
Redirection terminal services: you run the Telnet client program on a PC to log in to the router through a specified port number and are then connected to the serial-interface device attached to the asynchronous interface of the router, as shown in Figure 8-3. The typical application is to connect the asynchronous interface of the router to multiple devices for their remote configuration and maintenance.
Figure 8-3 (diagram not reproduced; devices shown: Router1, Switch, Modem, Router2)
NOTE
Only the devices that provide the asynchronous interface support the Telnet redirection service.
Interruption of Telnet services In Telnet connection, you can use two types of shortcut keys to interrupt the connection. As shown in Figure 8-4, Router A logs in to Router B through Telnet, and Router B logs in to Router C through Telnet. Thus, a cascade network is formed. In this case, Router A is the client of Router B and Router B is the client of Router C. Figure 8-4 illustrates the usage of the two types of shortcut keys. Figure 8-4 Usage of Telnet shortcut keys
Figure 8-4 (diagram not reproduced): RouterA, the Telnet client, opens Telnet session 1 to RouterB; RouterB opens Telnet session 2 to RouterC, the Telnet server.
<Ctrl_]>: the server interrupts the connection. If the network connection is normal, when you press Ctrl_] the Telnet server actively interrupts the current Telnet connection. For example:
<RouterC>
If the network is disconnected, the shortcut keys become invalid: the instruction cannot be sent to the server.
<Ctrl_T>: the client interrupts the connection. When the server fails and the client is unaware of the failure, the server does not respond to the client's input. In this case, if you press Ctrl_T, the Telnet client actively interrupts the connection and quits Telnet. For example:
<RouterC>
Press <Ctrl_T> to directly interrupt the connection and quit the Telnet session.
<RouterA>
CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts that all user interfaces are in use and you cannot log in by using Telnet.
TFTP transfers files in two formats:
l The binary format: transfers program files.
l The ASCII format: transfers text files.
At present, the NE80E/40E serves only as the TFTP client and transfers files in the binary format.
SSH Overview
When users log in to the router over an insecure network, the Secure Shell (SSH) feature provides authentication and protects the session: it guards against attacks such as IP address spoofing and interception of plain-text passwords. The SSH client function allows users to establish SSH connections with a router serving as SSH server or with UNIX hosts.
When the SFTP server fails, or the connection between it and the client fails, the client must detect the fault in time and release the connection itself. To achieve this, when logging in to the server through SFTP the client is configured with a keepalive interval and a maximum number of unanswered keepalives. If the client receives no packet from the server within the interval, it sends a keepalive packet; if the number of consecutive keepalives without a reply exceeds the configured maximum, the client releases the connection on its own initiative.
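The keepalive behaviour just described, as an added Python model (not Huawei code): the client is given a keepalive interval and a maximum number of unanswered keepalives, sends a probe whenever the server has been silent for one interval, resets its miss counter on any packet from the server, and releases the session when the next probe would exceed the maximum. The event names and the simulated clock are assumptions made for this illustration.

```python
"""Model of the SFTP client keepalive described above.

Added example, not Huawei code: the client is given a keepalive interval and
a maximum number of unanswered keepalives; the event names and the simulated
clock (seconds since login) are assumptions made for this illustration.
"""


class SftpKeepaliveMonitor:
    """Tracks server silence on one SFTP session and decides when to drop it."""

    def __init__(self, interval, max_unanswered, connected_at=0.0):
        self.interval = interval            # seconds of silence before a keepalive
        self.max_unanswered = max_unanswered
        self.last_rx = connected_at         # last packet received from the server
        self.last_probe = connected_at      # last keepalive sent by the client
        self.unanswered = 0                 # consecutive keepalives without a reply
        self.released_at = None

    def packet_received(self, now):
        """Any packet from the server proves it is alive: reset the miss count."""
        self.last_rx = now
        self.unanswered = 0

    def tick(self, now):
        """Run the keepalive timer. Returns 'idle', 'keepalive' or 'released'."""
        if self.released_at is not None:
            return "released"
        # Silence is measured from the later of: last packet received, last probe.
        quiet_since = max(self.last_rx, self.last_probe)
        if now - quiet_since < self.interval:
            return "idle"
        if self.unanswered >= self.max_unanswered:
            # The allowed number of unanswered keepalives is exhausted: the
            # client releases the connection itself rather than hanging.
            self.released_at = now
            return "released"
        self.last_probe = now
        self.unanswered += 1
        return "keepalive"


def run(monitor, events):
    """Replay (time, 'rx'|'tick') events in order; return each tick's outcome."""
    outcomes = []
    for t, kind in sorted(events):
        if kind == "rx":
            monitor.packet_received(t)
        else:
            outcomes.append((t, monitor.tick(t)))
    return outcomes


def dead_server_scenario():
    """Server goes silent right after login: 3 probes, then the client gives up."""
    m = SftpKeepaliveMonitor(interval=10, max_unanswered=3)
    ticks = [(5, "tick"), (10, "tick"), (20, "tick"), (30, "tick"), (40, "tick")]
    return run(m, ticks), m.released_at


def slow_server_scenario():
    """Server answers late (t=25): the miss counter resets and the session survives."""
    m = SftpKeepaliveMonitor(interval=10, max_unanswered=3)
    events = [(10, "tick"), (20, "tick"), (25, "rx"), (30, "tick"),
              (35, "tick"), (45, "tick")]
    return run(m, events), m.released_at


if __name__ == "__main__":
    print(dead_server_scenario())
    print(slow_server_scenario())
```

With interval 10 and maximum 3, a server that stops answering costs the client 40 seconds before the session is torn down; shorter settings detect a dead peer sooner at the price of more probe traffic, and a reply at any point restarts the count.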
Applicable Environment
Figure 8-5 Networking diagram for accessing another device from the router that you have logged in to (diagram not reproduced; devices shown: PC, Router A, Router B, connected across the network)
As shown in Figure 8-5, you can log in to Router A from a PC by using Telnet, but cannot manage Router B remotely. This is because there is no reachable route between the PC and Router B. To manage Router B remotely, you can log in to it from Router A by using Telnet. In this situation, Router A functions as a Telnet client, and Router B that you attempt to log in to functions as a server.
Pre-configuration Tasks
Before logging in to another device on the network by using Telnet, complete the following tasks:
l Ensuring that the router that you attempt to log in to works properly, and enabling Telnet services on the device
l Ensuring that there is a reachable route between the router that you have logged in to and the router that you attempt to log in to
Data Preparation
To log in to another device by using Telnet, you need the following data:
No. Data
1 IP address or host name of RouterB
2 Number of the TCP port used by RouterB to provide Telnet services
Context
An IP address configured on an interface of the router is used as the source IP address of the Telnet connection. This allows the Telnet server to apply security checks, such as access control on the source address, against a fixed and predictable address. The source address of the client can be configured as a source interface or a source IP address. Do as follows on the router that functions as a Telnet client.
Procedure
Step 1 Run:
system-view
The source IP address of the Telnet client is configured. After the configuration, the source IP address of the Telnet client shown on the Telnet server is the configured one.
----End
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can log in to a host, and then remotely log in to another host by using Telnet to configure and manage the remote host. In this manner, not each host is required to connect to a hardware terminal. Do as follows on the router that serves as a Telnet client:
Procedure
l Select and perform one of the following two steps for IPv4 or IPv6.
Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] hostname [ port-number ]
Prerequisite
All configurations for logging in to another device are complete.
Procedure
l Run the display tcp status command to check the status of all TCP connections. ----End
Example
Run the display tcp status command to view the status of TCP connections. The Established status indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
39952df8  36 /1509  0.0.0.0:0             0.0.0.0:0             0      Closed
32af9074  59 /1     0.0.0.0:21            0.0.0.0:0             14849  Listening
34042c80  73 /17    10.164.39.99:23       10.164.6.13:1147      0      Established
Applicable Environment
If a remote device needs to be managed and maintained but is not connected with the terminal PC on the IP network, such as a new device on the network, you can log in to the remote device from a router by using the Telnet redirection function. The remote device can be a device that supports serial interfaces, such as a router, a switch, or a modem. Figure 8-6 Schematic diagram of redirecting the client login to another device by using Telnet
(Diagram not reproduced: the PC reaches Router A over the network; the asynchronous serial interface of Router A is connected to the serial interface of Router B, and the Telnet session from the PC is redirected to it.)
As shown in Figure 8-6, remote Router B is not connected with the client over the IP network. If Router B needs to be managed remotely, you can use the Telnet redirection function of Router A. That is, connect the asynchronous serial interface of Router A to the serial interface of Router B. This allows you to run the Telnet client program on the PC to log in to Router B by using a specified interface, and thus to manage and maintain the device remotely. Router B in the diagram above has been configured with serial interfaces. Router A is directly connected with Router B.
Pre-configuration Tasks
Before redirecting the client to another device by using Telnet, complete the following tasks:
l Configuring a reachable route between the client and Router A
l Powering on the remote device
Data Preparation
To log in to another device by using the Telnet redirection function, you need the following data:
No. Data
1 IP address of Router A
Context
The Telnet redirection function is supported by the products whose AUX ports or TTY interfaces can be configured with this function. Perform the following steps on the router:
Procedure
Step 1 Run:
system-view
Terminal services are disabled on the AUX0 user interface.
Step 4 Run:
redirect
The Telnet redirection function is enabled on the user interface.
l After the Telnet redirection function is enabled, a port number used for redirection is assigned. AUX0 is numbered 33, so its redirection port number is 2033.
l You can then log in from the Telnet client to the remote device that needs to be managed and maintained by connecting to that port.
----End
Context
Users attempt to log in to another device by using a specified interface of the client. Perform the following step on the client:
Procedure
l Run:
telnet host-name port-number
Logging in to the remote device succeeds. The host-name parameter specifies the IP address or host name of the router that has enabled the redirection function. ----End
Prerequisite
The configurations for logging in to another device by using the Telnet redirection function are complete.
Procedure
l Run the display tcp status command to check status information about the established TCP connection.
Example
Run the display tcp status command to view status information about the established TCP connection.
<HUAWEI> display tcp status
TCPCB     Tid/Soid  Local Add:port        Foreign Add:port      VPNID  State
348d3c50  6 /1      0.0.0.0:21            0.0.0.0:0             23553  Listening
3b558554  128/1     0.0.0.0:23            0.0.0.0:0             23553  Listening
31cf1978  128/4     0.0.0.0:2033          0.0.0.0:0             23553  Listening
31cf1bb0  128/6     0.0.0.0:4033          0.0.0.0:0             23553  Listening
11a22ad8  128/3     10.137.217.225:23     10.138.77.38:3670     0      Established
Applicable Environment
Logins by using Telnet are a security risk: no secure authentication mechanism is available and data is transmitted over TCP in plain text, so anyone who can observe the path can read the login credentials and the whole session. STelnet (SSH Telnet) is a secure Telnet protocol built on SSH; SSH users can use STelnet services in the same way as Telnet services. In this configuration, the router that you have logged in to functions as the STelnet (SSH) client, and the router that you attempt to log in to functions as the SSH server.
Pre-configuration Tasks
Before logging in to another device by using STelnet, complete the following tasks: l Configuring a reachable route between the client and SSH server
Data Preparation
To log in to another device by using STelnet, you need the following data:
No. Data
1 Name of the SSH server; public key assigned by the client to the SSH server
2 IPv4 or IPv6 address or host name of the SSH server; number of the port monitored by the SSH server; preferred encryption algorithm from the STelnet client to the SSH server; preferred encryption algorithm from the SSH server to the STelnet client; preferred HMAC algorithm from the STelnet client to the SSH server; preferred HMAC algorithm from the SSH server to the STelnet client; preferred key exchange algorithm
3 User information for logging in to the SSH server
8.4.2 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the STelnet client does not check the validity of the RSA public key when logging in to the SSH server for the first time.
Context
If first-time authentication is enabled on the SSH client, the STelnet client does not check the validity of the SSH server's RSA public key when logging in to that server for the first time. After the login, the client records the server's RSA public key and saves it for authentication at the next login. Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The first-time authentication on the SSH client is enabled. By default, the first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip the validity check on the SSH server's RSA public key when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of that SSH server.
l If first-time authentication is not enabled on the SSH client, the STelnet client fails the RSA public key validity check when it logs in to the SSH server for the first time and cannot log in.
l With first-time authentication enabled, the client records whatever key the server presents on the first login and can only detect a changed key on later logins. A key substituted by an attacker in the path during that first login would therefore be accepted. Compare the key saved on the client with the output of display rsa local-key-pair public on the server, or assign the server's key in advance as described in 8.4.3.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.
----End
8.4.3 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)
To configure the first successful login to another device on the SSH client, you need to allocate an RSA public key to the SSH server before the login.
Context
If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails the check on the RSA public key validity and cannot log in to the server. So you need to allocate an RSA public key to the SSH server before the STelnet client logs in to the SSH server. Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The public key is edited. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.
NOTE
Before being assigned to the SSH server, the peer RSA public key must be obtained from the SSH server and configured on the SSH client. Then, the STelnet client can successfully pass the validity check on the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
Quit the public key editing view.
- If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
- If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign rsa-key keyname
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.
----End
Context
When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name and choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the keepalive function. Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, select and run one of the following two commands.
- For IPv4 addresses, run:
stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through STelnet.
- For IPv6 addresses, run:
stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through STelnet.
----End
Prerequisite
The configurations for logging in to another device by using STelnet are complete.
Procedure
l Run the display ssh server-info command to check the mappings between all SSH servers of the SSH client and the RSA public keys on the client.
----End
Example
Run the display ssh server-info to view the mappings between all servers of the SSH client and the RSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)          Server public key name
________________________________________________________________________
1000::1                  1000::1
10.164.39.223            10.164.39.223
11.11.11.23              11.11.11.23
10.164.39.204            10.164.39.204
10.164.39.222            10.164.39.222
Applicable Environment
You can transfer files through TFTP between the server and the client in a simple interaction environment. The current Router functions as a TFTP client, and the Router to be accessed functions as a TFTP server.
Pre-configuration Tasks
Before accessing another device by using TFTP, complete the following tasks:
- Configuring a reachable route between the client and the TFTP server
Data Preparation
To access another device by using TFTP, you need the following data:
No.  Data
1    (Optional) Source address or source interface of the router that functions as a TFTP client
2    IP address or host name of the TFTP server
3    Name of the specific file in the TFTP server and the file directory
Context
An IP address is configured for an interface on the router and functions as the source IP address of a TFTP connection. In this manner, security checks can be implemented. The source address of a client can be configured as a source interface or a source IP address. Do as follows on a router that functions as a TFTP client.
Procedure
Step 1 Run:
system-view
A source IP address of a TFTP client is configured. After the configuration, the source IP address of the TFTP client displayed on the TFTP server must be the same as the configured one.
----End
Context
An Access Control List (ACL) is a set of sequential rules. These rules are described based on the source address, destination address, and port number of a packet. Routers use the ACL rules to filter packets. With the rule applied to the interface on a router, the router permits or denies the packets. Each ACL can define multiple rules. ACL rules are classified into the interface ACL, basic ACL, and advanced ACL based on the functions of ACL rules.
NOTE
TFTP supports only the basic ACL (whose number ranges from 2000 to 2999).
Procedure
Step 1 Run:
system-view
The ACL can be used to limit the access to the TFTP server.
----End
Procedure
- Run one of the following commands according to the type of the server IP address.
If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]
The router is configured to download files through TFTP.
If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] get source-filename [ destination-filename ]
Procedure
- Run one of the following commands according to the type of the server IP address.
If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
The router is configured to upload files through TFTP.
If the IP address of the server is an IPv6 address, run:
tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type interface-number ] put source-filename [ destination-filename ]
Prerequisite
Configurations of using the device as a TFTP client are complete.
Procedure
- Run the display tftp-client command to check the device address that is set as the source address of the TFTP client.
- Run the display acl { name acl-name | acl-number | all } command to check the ACL rule that is configured on the TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl { name acl-name | acl-number | all } command to view the ACL rule that is configured on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules, Acl's step is 5
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
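The ACL the guide applies to TFTP (and, in section 8.8.1, to the VTY user interface with acl 2000 inbound) only helps if its rules actually restrict the source addresses it admits. The following Python model of basic ACL matching is an added example, not code from the guide or from Huawei: it parses display acl output in the layout shown above, evaluates a source address against the rules in ascending rule-ID order, and treats a rule without a source clause as matching any address and a 1 bit in the wildcard mask as "don't care" (both are modelling assumptions). The default_action parameter is also an assumption: what the platform does with a packet that matches no rule depends on the feature the ACL is applied to, so check that for your release. Run against the page's own acl 2001, the model shows that rule 5 permit admits every address before rule 10 is ever consulted, so that ACL restricts nothing.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed 'display acl' outputs. The first reproduces the output shown on this page;
# the other two are made up for the example.
DISPLAY_ACL_2001 = """\
Basic acl 2001, 2 rules, Acl's step is 5
 rule 5 permit
 rule 10 permit source 1.1.1.1 0
"""
DISPLAY_ACL_2000 = """\
Basic acl 2000, 1 rules, Acl's step is 5
 rule 5 permit source 1.1.1.1 0
"""
DISPLAY_ACL_SUBNET = """\
Basic acl 2002, 2 rules, Acl's step is 5
 rule 5 deny source 10.164.39.250 0
 rule 10 permit source 10.164.39.0 0.0.0.255
"""

# One rule line: "rule <id> permit|deny [source <addr> <wildcard>]"
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?\s*$")


def _to_int(text: str) -> int:
    # A wildcard written as a bare integer (e.g. "0") is accepted alongside dotted form.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


class BasicAcl:
    """Model of a basic ACL (2000-2999): ordered rules matched on the source address only.

    Assumptions of this model: rules are evaluated in ascending rule-ID order; a rule
    with no source clause matches every address; wildcard 1 bits are 'don't care';
    default_action applies when no rule matches.
    """

    def __init__(self, rules: List[Tuple[int, str, Optional[int], Optional[int]]],
                 default_action: str = "deny") -> None:
        self.rules = sorted(rules, key=lambda r: r[0])
        self.default_action = default_action

    @classmethod
    def from_display(cls, text: str, default_action: str = "deny") -> "BasicAcl":
        """Parse the rule lines of a 'display acl' output; header and blank lines are skipped."""
        rules = []
        for line in text.splitlines():
            m = RULE_RE.match(line)
            if not m:
                continue
            rule_id, action, src, wild = m.groups()
            if src is None:
                rules.append((int(rule_id), action, None, None))
            else:
                rules.append((int(rule_id), action, _to_int(src), _to_int(wild)))
        return cls(rules, default_action)

    def evaluate(self, source_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching rule id); the id is None when default_action applied."""
        addr = int(ipaddress.IPv4Address(source_ip))
        for rule_id, action, src, wild in self.rules:
            if src is None:            # no source clause: matches any address
                return action, rule_id
            care = ~wild & 0xFFFFFFFF  # bits that must match exactly
            if (addr & care) == (src & care):
                return action, rule_id
        return self.default_action, None
```

Because the page's acl 2001 answers "permit, rule 5" for any address, the rule 10 entry that names 1.1.1.1 is dead; the single-rule acl 2000 from section 8.8.1 is the form that actually limits logins to that one source.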
Applicable Environment
Before transmitting files between a client and a remote FTP server, or managing directories of the server, you can configure the router that you have logged in to as an FTP client. Then, you can access the FTP server by using FTP for file transmission or directory management.
Pre-configuration Tasks
Before establishing the configuration task of accessing files on another device by using FTP, complete the following tasks:
- Configuring a reachable route between the router and the FTP server
Data Preparation
To establish the configuration task of accessing files on another device by using FTP, you need the following data:
No.  Data
1    (Optional) Source IP address or source interface of the router functioning as an FTP client
2    Host name or IP address of the FTP server; port number for the FTP connection; login username and password
3    Local file name and file name on the remote FTP server; working directory name of the remote FTP server; local working directory of the FTP client; or directory name of the remote FTP server
8.6.2 (Optional) Configuring Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of the FTP client used to establish the connection with the FTP server.
Prerequisite
An IP address is configured for an interface on the router and functions as the source IP address of an FTP connection. In this manner, security checks can be implemented. The source address of a client can be configured as a source interface or a source IP address. The interface configuration is possible only if the system has a loopback interface.
Procedure
Step 1 Run:
system-view
Then, run the display ftp-client command on the router to view the current configuration of the FTP client.
----End
Context
You can log in to the FTP server in the user view or the FTP view. Do as follows on the router that serves as the client:
Procedure
Step 1 Run the following commands according to the type of the server IP address.
- If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server. Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ] [ public-net | vpn-instance vpn-instance-name ]
The router is connected to the FTP server.
In the FTP view, establish a connection to the FTP server.
1. In the user view, run:
ftp
Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After that, the default VPN instance is used in the FTP operation.
- If the IP address of the server is an IPv6 address, do as follows:
In the user view, establish a connection to the FTP server. Run:
ftp ipv6 host [ port-number ]
The router is connected to the FTP server.
In the FTP view, establish a connection to the FTP server.
1. In the user view, run:
ftp
Context
After logging in to the FTP server, you can perform the following operations:
- Configure a data type for transmission files and a file transmission method.
- Check the online help about FTP commands in the FTP client view.
- Upload local files to the remote FTP server, or download files from the FTP server and save them locally.
- Create directories on or delete directories from the FTP server.
- Display information about a specified remote directory or a file of the FTP server, or delete a specified file from the FTP server.
After logging in to the router that functions as a client and entering the FTP client view, you can perform the following steps:
Procedure
- Configure the data type and transmission mode for the file. Run:
ascii | binary
FTP supports the ASCII type and the binary type. Their differences are as follows:
- In ASCII transmission mode, ASCII characters are used to separate carriage returns from line feeds.
- In binary transmission mode, characters can be transferred without format conversion or formatting.
The selection of the FTP transmission mode is client-customized. The system defaults to the ASCII transmission mode. The client can use a mode switch command to switch between the ASCII mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
Run:
passive
The verbose mode for FTP is enabled. When verbose is enabled, all FTP responses are displayed. After file transmission, the statistics about transmission efficiency will be displayed.
- View the online help of an FTP command. Run:
remotehelp [ command ]
The online help of the FTP command is displayed.
- Upload or download files.
Upload or download a file. Run:
put local-filename [ remote-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
Upload or download multiple files. Run the mput local-filenames command to upload multiple local files synchronously to the remote FTP server. Run the mget remote-filenames command to download multiple files from the FTP server and save them locally.
NOTE
- When you are uploading or downloading files, and the prompt command is run in the FTP client view to enable the file transmission prompt function, the system will prompt you to confirm the uploading or downloading operation.
- If the prompt command is run again in the FTP client view, the file transmission prompt function will be disabled.
- Run one or more of the following commands to manage directories. Run:
cd pathname
The working path of the FTP server is switched to the upper-level directory. Run:
pwd
- The directory to be created can comprise letters and digits, but not special characters such as <, >, ?, \ and :.
- When running the mkdir /abc command, you create a sub-directory named "abc".
The specified directory or file on the remote FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. Run:
delete remote-filename
The specified file on the FTP server is deleted. If the directory name is not specified when a specific remote file is selected, the system searches the working directory for the specific file. When local-filename is set, related information about the file can be downloaded locally.
----End
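Why the guide pairs binary mode with binary files: an ASCII-mode transfer rewrites line endings, which silently alters any file that is not text. The following Python model is an added example, not code from the guide or from Huawei. The send and receive functions are a simplified model of FTP TYPE A and TYPE I (an assumption; real implementations differ in detail), the sample files are constructed, and choose_mode is a heuristic of this example only. verify_transfer is the digest comparison worth running after any FTP or TFTP copy, since neither protocol checks integrity for you.

```python
import hashlib
from typing import Tuple

# Constructed sample files (not from the guide): a text file with LF line endings, and a
# binary blob that happens to contain 0x0A and 0x0D bytes, as a software image might.
TEXT_FILE = b"sysname RouterA\ninterface GigabitEthernet1/0/1\n ip address 1.1.1.1 255.255.255.0\n"
BINARY_FILE = bytes([0x7F, 0x45, 0x4C, 0x46, 0x0A, 0x00, 0x0D, 0x0A, 0xFF, 0x0A, 0x0D])


def ascii_mode_send(data: bytes) -> bytes:
    """Simplified model of FTP TYPE A on the sending side: line endings go on the wire as CRLF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def ascii_mode_receive(wire: bytes) -> bytes:
    """Simplified model of the receiving side converting CRLF back to the local LF form."""
    return wire.replace(b"\r\n", b"\n")


def transfer(data: bytes, mode: str) -> bytes:
    """Bytes that land on the far end for the given transfer mode."""
    if mode == "ascii":
        return ascii_mode_receive(ascii_mode_send(data))
    if mode == "binary":
        return data  # TYPE I: byte-for-byte, no interpretation
    raise ValueError("mode must be 'ascii' or 'binary'")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_transfer(original: bytes, received: bytes) -> Tuple[bool, str, str]:
    """Post-copy integrity check: (digests match?, digest of original, digest of received)."""
    a, b = sha256_hex(original), sha256_hex(received)
    return a == b, a, b


def choose_mode(sample: bytes) -> str:
    """Heuristic of this example: ASCII only when every byte is printable ASCII, tab, CR or LF."""
    text_bytes = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return "ascii" if all(b in text_bytes for b in sample) else "binary"
```

The text file survives an ASCII-mode round trip, but the binary blob loses the lone 0x0D byte that the receiver could not tell apart from a line ending; once that happens, only the digest comparison reveals it.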
Context
From the NE80E/40E (an FTP client) that you have logged in to, you can log in to the FTP server by using another username without logging out of the FTP client view. The established FTP connection is identical with that established by running the ftp command. Perform the following steps on the router that functions as a client:
Procedure
l Run:
user user-name [ password ]
The user that has logged in to the FTP server is changed and the new user logs in to the server. When the username that is used to log in to the FTP server is changed, the original connection between the user and the FTP server is interrupted.
----End
Context
You can select different commands to terminate the connection with the FTP server in the FTP client view. Do as follows on the router that serves as the client.
Procedure
- Run one of the following commands according to the required behaviour.
Run:
bye
Or,
quit
The client router is disconnected from the FTP server and returns to the user view.
Run:
close
Or,
disconnect
The client router is disconnected from the FTP server and returns to the FTP view.
----End
Prerequisite
The configurations of accessing other devices by using FTP are complete.
Procedure
- Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.
Applicable Environment
SFTP (SSH FTP) is a secure file transfer protocol based on SSH. It lets users log in to a remote device securely for file management and transmission, and enhances the security of data transmission. In addition, you can log in to a remote SSH server from the router that functions as an SFTP client.
Pre-configuration Tasks
Before establishing the configuration task of accessing files on another device by using SFTP, complete the following tasks:
- Configuring a reachable route between the client and the SSH server
Data Preparation
To access files on another device by using SFTP, you need the following data:
No.  Data
1    (Optional) Source address of the device that functions as the SFTP client
2    (Optional) Name of the SSH server
3    (Optional) Public key that is assigned by the client to the SSH server
4    IPv4 or IPv6 address or host name of the SSH server
5    Number of the port monitored by the SSH server; preferred encryption algorithm from the SFTP client to the SSH server; preferred encryption algorithm from the SSH server to the SFTP client; preferred HMAC algorithm from the SFTP client to the SSH server; preferred HMAC algorithm from the SSH server to the SFTP client; preferred key exchange algorithm; name of the outgoing interface; source address; user information for logging in to the SSH server
Context
An IP address is configured for an interface on the router and functions as the source IP address of an FTP connection. In this manner, security checks can be implemented. The source address of a client can be configured as a source interface or a source IP address. Do as follows on a router that functions as an SFTP client.
Procedure
Step 1 Run:
system-view
8.7.3 Configuring the First Successful Login to Another Device (Enabling the First-Time Authentication on the SSH Client)
After the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time.
Context
If the first-time authentication on the SSH client is enabled, the SFTP client does not check the validity of the RSA public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the RSA public key and saves it for authentication in the next login. Do as follows on the router that serves as an SSH client:
Procedure
Step 1 Run:
system-view
The first-time authentication on the SSH client is enabled. By default, the first-time authentication on the SSH client is disabled.
NOTE
- The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.
- If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the SSH server for the first time, the STelnet client fails the check on the RSA public key validity and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA public key in advance to the SSH server on the SSH client in addition to enabling the first-time authentication on the SSH client.
----End
8.7.4 Configuring the First Successful Login to Another Device (Allocating an RSA Public Key to the SSH Server)
To configure the first successful login to another device on the SSH client, you need to allocate an RSA public key to the SSH server before the login.
Context
If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity and cannot log in to the server. Do as follows on the router functioning as an SSH client:
Procedure
Step 1 Run:
system-view
The public key is edited. The public key must be a string of hexadecimal alphanumeric characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.
NOTE
Before being assigned to the SSH server, the peer RSA public key must be obtained from the SSH server and configured on the SSH client. Then, the STelnet client can successfully pass the validity check on the RSA public key of the SSH server.
Step 5 Run:
public-key-code end
Quit the public key editing view.
- If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run.
- If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.
Step 7 Run:
ssh client servername assign rsa-key keyname
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the association between the SSH client and the SSH server. Then, run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to the SSH server.
----End
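Sections 8.4.2/8.4.3 and 8.7.3/8.7.4 describe two ways past the RSA public key check on the first login: enable first-time authentication, so the client stores whatever key the server offers, or assign the server's key to the client in advance. The following Python model is an added example, not code from the guide or from Huawei; the key store, the reason strings and the two hex key strings are constructed, and the fingerprint helper stands in for whatever comparison the client really performs. It shows the difference that matters: with first-time authentication enabled, the first login is accepted with no way to tell a genuine server key from a substituted one, and that key is then trusted on every later login; with the key assigned in advance, a mismatched key is refused from the first login onward. An invalid hex-data string raises ValueError, mirroring the note that no key can be generated from it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample "public keys": hex strings standing in for the hex-data pasted in the
# public key editing view. They are NOT real RSA keys.
SERVER_KEY_HEX = "3081890281810099aa77f3"
IMPOSTOR_KEY_HEX = "30818902818100deadbeef01"

REASON_NO_KEY = "no public key assigned for this server and first-time authentication is disabled"
REASON_FIRST_TIME = "first login: offered key stored without verification"
REASON_MISMATCH = "offered key does not match the public key assigned to this server"
REASON_OK = "offered key matches the assigned public key"


def fingerprint(public_key_hex: str) -> str:
    """SHA-256 fingerprint of a hex-encoded key blob; ValueError on non-hex input."""
    compact = "".join(public_key_hex.split())
    return "SHA256:" + hashlib.sha256(bytes.fromhex(compact)).hexdigest()


@dataclass
class SshClientKeyStore:
    """Model of the client-side table shown by 'display ssh server-info'.

    first_time_auth=False mirrors the guide's default (first-time authentication disabled).
    """
    first_time_auth: bool = False
    assigned: Dict[str, str] = field(default_factory=dict)  # server name -> fingerprint

    def assign_rsa_key(self, server: str, public_key_hex: str) -> None:
        # Same intent as: ssh client <servername> assign rsa-key <keyname>
        self.assigned[server] = fingerprint(public_key_hex)

    def unassign(self, server: str) -> None:
        # Same intent as: undo ssh client <servername> assign rsa-key
        self.assigned.pop(server, None)

    def login(self, server: str, offered_key_hex: str) -> Tuple[bool, str]:
        """Decide whether the client accepts the key the server offers during key exchange."""
        offered = fingerprint(offered_key_hex)
        known: Optional[str] = self.assigned.get(server)
        if known is None:
            if not self.first_time_auth:
                return False, REASON_NO_KEY
            # Trust on first use: whatever key is offered now becomes the trusted one.
            self.assigned[server] = offered
            return True, REASON_FIRST_TIME
        if known != offered:
            return False, REASON_MISMATCH
        return True, REASON_OK

    def display_server_info(self) -> str:
        """Render the mapping in the two-column layout the guide's output uses."""
        lines = ["Server Name(IP)          Server public key name", "_" * 72]
        for server, fp in self.assigned.items():
            lines.append(f"{server:<25}{fp}")
        return "\n".join(lines)
```

The combination the TIP recommends, first-time authentication enabled plus the key assigned in advance, behaves like the third store in the test: the assigned key wins and a different key is refused even though first-time authentication would otherwise have accepted it.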
Context
The command for enabling the SFTP client is similar to that of STelnet. When accessing the SSH server, the SFTP client can carry the source address and the name of the VPN instance, choose the key exchange algorithm, encryption algorithm and HMAC algorithm, and configure the keepalive function. Do as follows on the router that serves as an SSH client.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, select and perform one of the two configurations below.
- For IPv4 addresses, run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can log in to the SSH server through SFTP.
- For IPv6 addresses, run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
----End
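The stelnet (section 8.4.4) and sftp syntax above lets the client pin the key exchange, cipher and HMAC it proposes. The following Python checker is an added example, not code from the guide or from Huawei. The keyword/value sets are copied from the syntax on this page; the policy (which of those values to reject and which to prefer) is an assumption of this example, chosen so that the strongest option the syntax offers in each slot, dh_exchange_group, aes128 and sha1, is pinned. audit reports rejected or unset options on a command line; harden rewrites rejected values in place without touching the other arguments, so the -ki and -kc keepalive options keep their position in the syntax.

```python
from typing import Dict, List, Set, Tuple

# Keyword/value sets exactly as listed in the stelnet and sftp syntax on this page.
PREF_OPTIONS: Dict[str, Set[str]] = {
    "prefer_kex": {"dh_group1", "dh_exchange_group"},
    "prefer_ctos_cipher": {"des", "3des", "aes128"},
    "prefer_stoc_cipher": {"des", "3des", "aes128"},
    "prefer_ctos_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
    "prefer_stoc_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
}

# Example policy (an assumption of this example, not something the guide states):
# option -> (values rejected, value to pin instead).
POLICY: Dict[str, Tuple[Set[str], str]] = {
    "prefer_kex": ({"dh_group1"}, "dh_exchange_group"),
    "prefer_ctos_cipher": ({"des", "3des"}, "aes128"),
    "prefer_stoc_cipher": ({"des", "3des"}, "aes128"),
    "prefer_ctos_hmac": ({"md5", "md5_96", "sha1_96"}, "sha1"),
    "prefer_stoc_hmac": ({"md5", "md5_96", "sha1_96"}, "sha1"),
}


def parse_prefs(cmdline: str) -> Dict[str, str]:
    """Extract prefer_* keyword/value pairs from a stelnet or sftp command line."""
    tokens = cmdline.split()
    if not tokens or tokens[0] not in ("stelnet", "sftp"):
        raise ValueError("expected a stelnet or sftp command line")
    prefs: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PREF_OPTIONS:
            if i + 1 >= len(tokens) or tokens[i + 1] not in PREF_OPTIONS[tok]:
                raise ValueError(f"{tok} needs one of {sorted(PREF_OPTIONS[tok])}")
            prefs[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return prefs


def audit(cmdline: str) -> List[Tuple[str, str, str]]:
    """Return (option, value, finding) for each option set to a rejected value or left unset."""
    prefs = parse_prefs(cmdline)
    findings: List[Tuple[str, str, str]] = []
    for opt, (rejected, recommended) in POLICY.items():
        value = prefs.get(opt)
        if value is None:
            findings.append((opt, "<unset>", f"not pinned, negotiation decides; set {recommended}"))
        elif value in rejected:
            findings.append((opt, value, f"rejected by policy; use {recommended}"))
    return findings


def harden(cmdline: str) -> str:
    """Rewrite rejected prefer_* values to the recommended ones; other arguments are untouched."""
    parse_prefs(cmdline)  # validates the keyword/value pairs before rewriting
    tokens = cmdline.split()
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in POLICY:
            rejected, recommended = POLICY[tok]
            value = tokens[i + 1]
            out += [tok, recommended if value in rejected else value]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)
```

Addresses in the test are the ones from Figure 8-10 and the port is the constructed value 22; the point of the test is that a command line pinning dh_group1, des and md5_96 comes back with those three slots rewritten and nothing else moved.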
Context
After logging in to the SSH server from the SFTP client, you can perform the following operations on the SFTP client:
- Create or delete a directory on the SSH server, and display the current working directory, the specified directory and information about the files in the specified directory.
- Change a file name, delete a file, display a file list, and upload or download a file.
- Display the SFTP client command help.
After logging in to the router that functions as an SSH client and entering the SFTP client view, you can perform the following steps:
Procedure
- Manage directories. Perform the following as required. Run:
cd [ remote-directory ]
A directory is created on the server.
- Manage files. Perform the following as required. Run:
rename old-name new-name
The file on the server is removed.
- Display the SFTP client command help. Run:
help [ all | command-name ]
Prerequisite
The configuration of accessing files on another device by using SFTP is complete.
Procedure
- Run the display sftp-client command to check the source IP address of the SFTP client on the SSH client.
- Run the display ssh server-info command to check the mapping between the SSH server and the RSA public key on the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device functioning as an SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view the mappings between all servers and the RSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)          Server public key name
________________________________________________________________________
1000::1                  1000::1
10.164.39.223            10.164.39.223
11.11.11.23              11.11.11.23
10.164.39.204            10.164.39.204
10.164.39.222            10.164.39.222
Networking Requirements
As shown in Figure 8-7, users can telnet Router A but cannot telnet Router B. The route between Router A and Router B is reachable. In this case, users can telnet Router B from Router A to remotely configure and manage Router B.
Figure 8-7 Networking diagram for logging in to another device by using Telnet (figure not reproduced; labels recovered from the diagram: PC, Network, RouterA with GE1/0/1 1.1.1.1/24, Network, and two Telnet sessions)
Configuration Roadmap
The configuration roadmap is as follows:
1. On Router B, configure the authentication mode and password for users on Router A to log in to Router B.
2. Configure a Telnet server port number on Router B to ensure that users log in through this port only.
Data Preparation
To complete the configuration, you need the following data:
- Host address of Router B is 2.1.1.1
- Password hello for users' login
- Telnet server port number is 1028
Procedure
Step 1 Configure the authentication mode and password for Telnet services on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] authentication-mode password
[RouterB-ui-vty0-4] set authentication password simple hello
[RouterB-ui-vty0-4] quit
To configure an ACL for Telnetting another device, run the following commands on Router B.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule permit source 1.1.1.1 0
[RouterB-acl-basic-2000] quit
[RouterB] user-interface vty 0 4
[RouterB-ui-vty0-4] acl 2000 inbound
[RouterB-ui-vty0-4] quit
NOTE
Step 4 Use the port number 1028 to log in to Router B from Router A through Telnet.
<RouterA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Login authentication
Password:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
The current login time is 2010-02-22 14:33:48.
<RouterB>
----End
Configuration Files
l Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
8.8.2 Example for Logging in to Another Device by Using the Telnet Redirection Function
This section describes an example for logging in to another device on the network by using the Telnet redirection function. This allows users to manage the device remotely.
Networking Requirements
As shown in Figure 8-8, there is a reachable route between the PC and Router A, and Router A is not connected with Router B on the IP network. To manage Router B remotely, you can enable the Telnet redirection function on Router A, and connect the asynchronous serial interface of Router A to the serial interface of Router B. Then, you can log in to Router B remotely from the terminal PC by using the specified port number of Router A to manage Router B.
Figure 8-8 Networking of logging in to another device by using the Telnet redirection function (figure not reproduced; labels recovered from the diagram: Network, PC, RouterA)
Configuration Roadmap
The configuration roadmap is as follows:
1. Use the AUX interface of Router A to connect with Router B.
2. Enable the Telnet redirection function on Router A.
Data Preparation
To complete the configuration, you need the following data:
- IP address of Router A: 10.1.1.1
Procedure
Step 1 Open the AUX interface of Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Aux 0/0/1
[RouterA-Aux0/0/1] undo shutdown
[RouterA-Aux0/0/1] quit
Step 4 Verify the configuration.
Run the telnet 10.1.1.1 2033 (or 4033) command on the PC to log in to Router B.
----End
Configuration Files
l Configuration file of Router A
#
 sysname RouterA
#
interface Aux0/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
user-interface con 0
user-interface aux 0
 undo shell
 redirect
#
return
Networking Requirements
As shown in Figure 8-9, Router A and Router B can ping each other. Users can log in to Router A from Router B through Telnet.
Figure 8-9 Networking diagram for logging in to another device by using Telnet on a VPN (figure not reproduced; label recovered from the diagram: RouterB)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN on Router B.
2. Configure the authentication mode and the password of the user interfaces VTY0 to VTY4 on Router B.
3. Set the user to enter the password to log in to Router B from Router A in Telnet mode.
Data Preparation
To complete the configuration, you need the following data:
- Host IP address of Router B
- Authentication mode and password
- VPN instance
Procedure
Step 1 Configure the VPN instance and IP address. # Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance tt
[RouterB-vpn-instance-tt] route-distinguisher 1000:1
[RouterB-vpn-instance-tt] quit
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance tt
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit
Step 3 Verify the configuration. After the configuration is complete, you can log in to Router B from Router A through Telnet.
<RouterA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Login authentication
Password:
Note: The max number of VTY users is 10, and the current number of VTY users on line is 1.
<RouterB>
----End
Configuration Files
l Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
8.8.4 Example for Configuring the Device as the STelnet Client to Connect to the SSH Server
This section provides an example for logging in to another device by using STelnet. In this example, the local key pairs are generated on the STelnet client and the SSH server; the RSA public key is generated on the SSH server and then bound to the STelnet client. In this manner, the STelnet client can connect to the SSH server.
Networking Requirements
As shown in Figure 8-10, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode. In this example, the Huawei router functions as an SSH server.
Two users, client001 and client002, are configured to log in to the SSH server in the password and RSA authentication modes respectively.
Figure 8-10 Networking diagram for logging in to another device by using STelnet
(Figure labels: SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and on the SSH server, and bind the client client002 to an RSA key to authenticate the client when it attempts to log in to the server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of Client001 and Client002 to STelnet.
5. Enable first-time authentication on the SSH client.
6. Users Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
To complete the configuration, you need the following data:
l Client001 with the password huawei, using password authentication.
l Client002 using RSA authentication, with the public key RsaKey001 assigned to Client002.
l IP address of the SSH server: 10.10.1.1.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
l When the SSH user adopts the password or password-rsa authentication mode, configure a local user with the same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication mode, the server should save the RSA public key of the SSH client.
l Create SSH user Client001.
# Configure password authentication for the SSH user Client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
l Create SSH user Client002.
# Configure RSA authentication for the SSH user Client002.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the SSH user Client002 to the RSA public key of the SSH client.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the STelnet service on the SSH server.
# Enable the STelnet service.
[SSH Server] stelnet server enable
Step 6 Configure the STelnet service for the SSH users Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
Step 7 Connect the STelnet client to the SSH server.
# For the first login, enable first-time authentication on the SSH client. Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
# Connect the STelnet client Client001 to the SSH server in password authentication mode. Enter the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password huawei. The following output shows that the login is successful:
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
      The current login time is 2010-09-06 11:42:42.
<SSH Server>
# Connect the STelnet client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] stelnet 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Info: The max number of VTY users is 20, and the number of current VTY users on line is 6.
      The current login time is 2010-09-06 11:42:42.
<SSH Server>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands to check that the STelnet service is enabled and that the STelnet client has connected to the SSH server successfully.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Disable
Stelnet server                     : Enable
----End
Configuration Files
l Configuration file of the SSH server
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
 1D7E3E1B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password cipher huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 stelnet server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
Networking Requirements
As shown in Figure 8-11, the IP address of the TFTP server is 10.111.16.160/24. Log in to the router from the HyperTerminal and then download the file V600R003C00SPC300.cc from the TFTP server.
Figure 8-11 Networking diagram for accessing files on another device by using TFTP
(Figure labels: TFTP Client; PC, TFTP Server, 10.111.16.160/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.
Data Preparation
To complete the configuration, you need the following data:
l The path of the file on the TFTP server
l The destination file name and its path on the router
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R003C00SPC300.cc file resides. Figure 8-12 shows the interface.
Figure 8-12 Setting the Base Directory of the TFTP server
NOTE
The display may differ depending on the TFTP server application running on the computer.
Step 2 Log in to the router from the computer HyperTerminal and enter the following command to download the file.
<HUAWEI> tftp 10.111.16.160 get V600R003C00SPC300.cc cfcard:/V600R003C00SPC300.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date     Time      FileName
    1  -rw-           40  Jun 24   09:30:40  private-data.txt
    2  -rw-          396  May 19   15:00:10  rsahostkey.dat
    3  -rw-          540  May 19   15:00:10  rsaserverkey.dat
    4  -rw-         2718  Jun 21   17:46:46  1.cfg
    5  -rw-        14343  May 19   15:00:10  paf.txt
    6  -rw-         1004  Feb 05   09:51:22  vrp1.zip
    7  -rw-         6247  May 19   15:00:10  license.txt
    8  -rw-        14343  May 16   14:13:42  paf.txt.bak
    9  -rw-     86235884  Feb 05   10:23:46  V600R003C00SPC300.cc
Step 4 Log in to the router from the computer HyperTerminal and enter the following command to upload the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
8.8.6 Example for Configuring the Access of the TFTP Server on the Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the TFTP server on the public network when the management VPN instance is used. In this example, after logging in to the router that is configured with the management VPN instance, you can download files from the TFTP server on the public network.
Networking Requirements
As shown in Figure 8-13, a management VPN instance is configured on the router. Users use the VPN instance to access the FTP server from the router. To enable the client to access the TFTP server on the public network, you need to connect the router to the TFTP server on the public network. Log in to the router from the HyperTerminal and then download the file V600R003C00SPC300.cc from the TFTP server.
Figure 8-13 Networking diagram of configuring the access of the TFTP server on the public network when the management VPN instance is used
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP application on the TFTP server, and set the location of the file on the server.
2. Use the TFTP command on the router to download the file.
3. Use the TFTP command on the router to upload the file.
Data Preparation
To complete the configuration, you need the following data:
l The path of the file on the TFTP server
l The destination file name and its path on the router
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the V600R003C00SPC300.cc file resides. Figure 8-14 shows the interface.
Figure 8-14 Setting the Base Directory of the TFTP server
NOTE
The display may differ depending on the TFTP server application running on the computer.
Step 2 Log in to the router from the computer HyperTerminal and enter the following command to download the file.
<HUAWEI> tftp 10.111.16.160 public-net get V600R003C00SPC300.cc cfcard:/V600R003C00SPC300.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734 second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory on the router.
<HUAWEI> dir cfcard:
Directory of cfcard:/

  Idx  Attr   Size(Byte)  Date     Time      FileName
    1  -rw-           40  Jun 24   09:30:40  private-data.txt
    2  -rw-          396  May 19   15:00:10  rsahostkey.dat
    3  -rw-          540  May 19   15:00:10  rsaserverkey.dat
    4  -rw-         2718  Jun 21   17:46:46  1.cfg
    5  -rw-        14343  May 19   15:00:10  paf.txt
    6  -rw-         1004  Feb 05   09:51:22  vrp1.zip
    7  -rw-         6247  May 19   15:00:10  license.txt
    8  -rw-        14343  May 16   14:13:42  paf.txt.bak
Step 4 Log in to the router from the computer HyperTerminal and enter the following command to upload the file.
<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
Configuration Files
None.
Networking Requirements
As shown in Figure 8-15, the route between Router A, which functions as the FTP client, and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server. The Huawei router functions as the FTP server.
Figure 8-15 Networking diagram for accessing files on another device by using FTP
(Figure labels: RouterA GE1/0/1 2.1.1.1/24; Network; FTP Server GE1/0/1 1.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server.
2. Enable the FTP server on the router.
3. Run the login commands to log in to the FTP server.
4. Configure the file transfer mode and directories on the client before downloading the required files from the FTP server.
Data Preparation
To complete the configuration, you need the following data:
l User name huawei and password 123 for the user's login
l IP address of the FTP server, that is, 1.1.1.1
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password simple 123
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory cfcard:
[HUAWEI-aaa] quit
Step 4 On Router A, configure the binary format as the file transfer mode and flash:/ as the working directory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 5 On Router A, download the latest system software from the remote FTP server.
[ftp] get V600R003C00SPC300.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R003C00SPC300.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
You can run the dir command to check whether the required file has been downloaded to the client.
----End
Configuration Files
l Configuration file on the FTP server
#
 FTP server enable
#
aaa
 local-user huawei password simple 123
 local-user huawei service-type ftp
 local-user huawei ftp-directory cfcard:
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
return
8.8.8 Example for Configuring the Access of the FTP Server on the Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the FTP server on the public network when the management VPN instance is used. In this example, after logging in to the router that is configured with the management VPN instance, you can download files from the FTP server on the public network.
Networking Requirements
As shown in Figure 8-16, a management VPN instance is configured on Router A. Users use the VPN instance to access the FTP server. To enable Router A to access the FTP server on the public network, you need to connect the router to the FTP server on the public network. The route between the router, which functions as the FTP client, and the FTP server is reachable. A user needs to download system software and configuration software from the FTP server on the public network.
Figure 8-16 Networking diagram of configuring the access of the FTP server on the public network when the management VPN instance is used
(Figure labels: RouterA GE1/0/1 2.1.1.1/24; Network; FTP Server GE1/0/1 1.1.1.1/24)
Configuration Roadmap
1. Log in to the FTP server from the FTP client on the public network.
2. Download the system files from the server to the storage device on the client side.
Data Preparation
To complete the configuration, you need the following data:
l IP address of the FTP server: 1.1.1.1
l User name huawei and password huawei
l The destination file name and its location on the router
Procedure
Step 1 Log in to the FTP server from the router.
<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Press CTRL+K to abort
Step 2 Set the transfer mode to binary and set the local directory on the router to the cfcard memory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 3 Download the newest system software from the remote FTP server on the router.
[ftp] get V600R003C00SPC300.cc
200 Port command okay.
150 Opening ASCII mode data connection for V600R003C00SPC300.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
----End
Configuration Files
None.
Networking Requirements
As shown in Figure 8-17, after the SFTP service is enabled on the SSH server, the SFTP client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode. In this example, the Huawei router functions as the SSH server. Two users, client001 and client002, are configured to log in to the SSH server in the password and RSA authentication modes respectively.
Figure 8-17 Networking diagram for accessing files on another device by using SFTP
(Figure labels: SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the SFTP client Client002 and on the SSH server, and bind the client client002 to an RSA key to authenticate the client when it attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorized directory for the SSH users.
5. Client001 and Client002 log in to the SSH server by using SFTP to access files on the server.
Data Preparation
To complete the configuration, you need the following data:
l Client001 with the password huawei, using password authentication.
l Client002 using RSA authentication, with the public key RsaKey001 assigned to Client002.
l IP address of the SSH server: 10.10.1.1.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
l When the SSH user adopts the password or password-rsa authentication mode, configure a local user with the same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication mode, the server should save the RSA public key of the SSH client.
l Create the SSH user Client001.
# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set huawei as the password of the SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
l Create the SSH user Client002.
# Create an SSH user with the user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of the SSH client to the SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory of the SSH users.
Two SSH users are configured on the SSH server, namely, Client001 and Client002. The password authentication mode is configured for Client001 and the RSA authentication mode is configured for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP client to the SSH server.
# For the first login, enable first-time authentication on the SSH client. Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
# Connect the SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
sftp-client>
# Connect the SFTP client Client002 to the SSH server in RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands to check that the SFTP service is enabled and that the SFTP client has connected to the SSH server successfully.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 3 times
SFTP server                        : Enable
Stelnet server                     : Disable
----End
Configuration Files
l Configuration file of the SSH server.
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
 0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
 ssh user client001 sftp-directory cfcard:.
 ssh user client002 sftp-directory cfcard:.
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
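The rules stated in the procedure (a password user needs a matching AAA local user, an RSA user needs an assigned peer public key, and the VTY lines should accept SSH only with AAA) can be checked mechanically against a saved configuration file. The following is an added example, not Huawei code: a Python audit run over the SSH server configuration file above, plus a constructed weakened copy; it assumes peer-public-key names compare case-insensitively, since the file shows both rsakey001 and RsaKey001.

```python
"""Audit a VRP configuration-file fragment against the SSH user rules this
section states: a password (or password-rsa/all) user needs an AAA local-user
of the same name with service-type ssh, an RSA (or password-rsa/all) user
needs an assigned rsa-key backed by an rsa peer-public-key block, every SSH
user needs a service-type, and the VTY lines should use AAA and accept SSH
only. Added example, not Huawei code. Key names are compared case-insensitively
because the file shows both rsakey001 and RsaKey001 (assumption)."""
import re

# Constructed from the SSH server configuration file in this section.
SAMPLE_CONFIG = """\
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
 sftp server enable
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type sftp
 ssh user client002 service-type sftp
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

NEEDS_PASSWORD = {"password", "password-rsa", "all"}
NEEDS_RSA_KEY = {"rsa", "password-rsa", "all"}


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every rule holds."""
    auth, assigned, services = {}, {}, set()
    peer_keys, local_ssh_users = set(), set()
    vty_aaa, vty_protocol, in_vty = False, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"rsa peer-public-key (\S+)$", line):
            peer_keys.add(m.group(1).lower())
        elif m := re.match(r"ssh user (\S+) authentication-type (\S+)$", line):
            auth[m.group(1)] = m.group(2)
        elif m := re.match(r"ssh user (\S+) assign rsa-key (\S+)$", line):
            assigned[m.group(1)] = m.group(2).lower()
        elif m := re.match(r"ssh user (\S+) service-type ", line):
            services.add(m.group(1))
        elif m := re.match(r"local-user (\S+) service-type (.+)$", line):
            if "ssh" in m.group(2).split():
                local_ssh_users.add(m.group(1))
        elif line.startswith("user-interface vty"):
            in_vty = True
        elif line == "#":
            in_vty = False          # a bare '#' closes every VRP config block
        elif in_vty and line == "authentication-mode aaa":
            vty_aaa = True
        elif in_vty and line.startswith("protocol inbound "):
            vty_protocol = line.split()[2]
    findings = []
    for user, mode in sorted(auth.items()):
        if mode in NEEDS_PASSWORD and user not in local_ssh_users:
            findings.append(f"{user}: {mode} authentication but no AAA local-user with service-type ssh")
        if mode in NEEDS_RSA_KEY:
            key = assigned.get(user)
            if key is None:
                findings.append(f"{user}: {mode} authentication but no rsa-key assigned")
            elif key not in peer_keys:
                findings.append(f"{user}: assigned rsa-key {key} has no rsa peer-public-key block")
        if user not in services:
            findings.append(f"{user}: no service-type (stelnet/sftp) configured")
    if not vty_aaa:
        findings.append("vty: authentication-mode aaa is not set")
    if vty_protocol != "ssh":
        findings.append(f"vty: protocol inbound is {vty_protocol!r}, expected 'ssh'")
    return findings


def weakened(config):
    """Constructed variant with two mistakes: the AAA local-user for client001
    is missing and the VTY lines accept Telnet as well as SSH."""
    return (config.replace(" local-user client001 service-type ssh\n", "")
                  .replace("protocol inbound ssh", "protocol inbound all"))
```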
8.8.10 Example for Configuring the Access of the SFTP Server on the Public Network When the Management VPN Instance Is Used
This part provides an example for configuring the access of the SFTP server on the public network when the management VPN instance is used. In this example, after generating the local key pair on the SFTP client and SSH server, generating the RSA public key on the SSH server, and binding the RSA public key to the client, you can connect the SFTP client to the SFTP server on the public network when using the management VPN instance.
Networking Requirements
As shown in Figure 8-18, a management VPN instance is configured for Client001 and Client002. Users use the VPN instance to access the FTP server. To enable the client to access the SFTP server on the public network, you need to connect the router to the SFTP server on the public network. The Huawei router functions as the SSH server. Two users, client001 and client002, are configured to access the SSH server in the password and RSA authentication modes respectively.
Figure 8-18 Networking diagram of configuring the access of the SFTP server on the public network when the management VPN instance is used
(Figure labels: SSH Server GE1/0/1 10.10.1.1/16; Client 001 GE1/0/1 10.10.2.2/16; Client 002 GE1/0/1 10.10.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the SFTP client Client002 and on the SSH server, and bind the client client002 to an RSA key to authenticate the client when it attempts to log in to the server.
3. Enable the SFTP service on the SSH server.
4. Configure the service mode and authorized directory for the SSH users.
5. Configure Client001 and Client002 to log in to the SSH server on the public network through SFTP.
Data Preparation
To complete the configuration, you need the following data:
l Client001 with the password huawei, using password authentication.
l Client002 using RSA authentication, with the public key RsaKey001 assigned to Client002.
l IP address of the SSH server: 10.10.1.1.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++
The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
l When the SSH user adopts the password or password-rsa authentication mode, configure a local user with the same name.
l When the SSH user adopts the RSA, password-rsa, or all authentication mode, the server should save the RSA public key of the SSH client.
l Create the SSH user Client001.
# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Set huawei as the password of the SSH user Client001.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password simple huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
l Create the SSH user Client002.
# Create an SSH user with the user name Client002 and RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
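The "Key code" that the display command prints and the OpenSSH line below it are the same key in two encodings: the key code is a hex dump of a DER SEQUENCE of two INTEGERs (modulus, exponent), while the OpenSSH line is the base64 of the RFC 4253 blob. The following added example (not Huawei code) parses the client002_Host key code shown above in this procedure, rebuilds the OpenSSH line, and derives the SHA256 fingerprint that a client-side administrator can compare out of band before answering "y" to "The server is not authenticated"; it assumes nothing beyond the values on this page.

```python
"""Convert the RSA "Key code" printed by display rsa local-key-pair public
(a hex dump of a DER-encoded PKCS#1 RSAPublicKey) into the OpenSSH
authorized_keys form the same command prints, and compute the SHA256
fingerprint an administrator can compare before accepting an unknown host key.
Added example, not Huawei code; the sample input is the client002_Host key
code shown in this section."""
import base64
import hashlib
import struct

# Constructed from the client002_Host "Key code" shown in this section.
# Note the modulus byte string starts with 0xBF (top bit set) without a
# leading 0x00, so the dump is read as an unsigned integer rather than as
# strict two's-complement DER.
KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""

# The OpenSSH line that the same display output shows for this key.
EXPECTED_OPENSSH = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
                    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b")


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_key_code(key_code):
    """Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    from the whitespace-separated hex dump and return (n, e)."""
    der = bytes.fromhex("".join(key_code.split()))
    if der[0] != 0x30:
        raise ValueError("key code is not a DER SEQUENCE")
    seq_len, pos = _der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match the key code size")
    values = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length, pos = _der_length(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    return values[0], values[1]


def _ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    """RFC 4251 mpint: minimal big-endian bytes, 0x00-prefixed if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def key_blob(n, e):
    """Wire-format public key: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(n, e):
    """The authorized_keys / known_hosts representation of the key."""
    return "ssh-rsa " + base64.b64encode(key_blob(n, e)).decode("ascii")


def fingerprint(n, e):
    """OpenSSH-style SHA256 fingerprint of the key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    n, e = parse_key_code(KEY_CODE)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print(to_openssh(n, e))
    print(fingerprint(n, e))
```

Running it also shows that this particular key code carries a 512-bit modulus, which is worth noticing given the 768 typed at the key-size prompt.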
Step 4 Bind the RSA public key of the SSH client to the SSH user Client002.
[SSH Server] ssh user client002 assign rsa-key RsaKey001
Step 5 Enable the SFTP service on the SSH server.
# Enable the SFTP service.
[SSH Server] sftp server enable
Step 6 Configure the service type and authorized directory of the SSH users.
Two SSH users are configured on the SSH server, namely, Client001 and Client002. The password authentication mode is configured for Client001 and the RSA authentication mode is configured for Client002.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory cfcard:
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 7 Connect the SFTP client to the SSH server.
# For the first login, enable first-time authentication on the SSH client. Enable first-time authentication on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
# Connect the SFTP client Client001 to the SSH server in password authentication mode.
<client001> system-view
[client001] sftp 10.10.1.1 public-net
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Enter password:
sftp-client>
# Connect the STelnet client Client002 to the SSH server with the RSA authentication mode.
<client002> system-view
[client002] sftp 10.10.1.1 public-net
Please input the username: client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
sftp-client>
Step 8 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands. You can view that the STelnet service is enabled and the SFTP client is connected to the SSH server successfully.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 0 hours
SSH Authentication retries          : 3 times
SFTP server: Enable
STELNET server: Disable
----End
Configuration Files
• Configuration file of the SSH server
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
8.8.11 Example for Accessing the SSH Server Through Other Port Numbers
This section provides an example for accessing the SSH server through other port numbers. In this example, the monitoring port number of the SSH server is set to a port number other than the standard monitoring port number so that only valid users can set up connections with the SSH server.
Networking Requirements
The standard monitored port number of the SSH protocol is 22. Frequent malicious accesses to the standard port consume bandwidth and affect the performance of the server, and other users cannot access the standard port. After the number of the port monitored by the SSH server is changed to another port number, an attacker who does not know about the change keeps sending socket connection requests to the standard port 22. After detecting that the port number in the connection requests is not the number of the monitored port, the SSH server does not set up the socket connection. Thus, only a valid user can set up the socket connection through the non-standard monitored port set by the SSH server, and then follow the procedure of negotiating the SSH version number, negotiating the algorithm, generating the session key, authenticating, sending the session request, and performing the interactive session.
The Huawei router functions as the SSH server. The client client001 is configured to log in to the SSH server by using STelnet with password authentication; the client client002 is configured to log in to the SSH server by using SFTP with RSA authentication.
Figure 8-19 Networking diagram of accessing the SSH server through other port numbers
(Figure 8-19, image not included: the SSH Server on GE1/0/1 10.10.1.1/16; Client 001 and Client 002 each on GE1/0/1, with addresses 10.10.2.2/16 and 10.10.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Client001 and Client002 to log in to the SSH server in different authentication modes.
2. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
3. Enable the STelnet and SFTP services on the SSH server.
4. Configure the service mode and authorization directory of the SSH user.
5. Configure the interception port number for the SSH server so that the client can access the server through other port numbers.
6. Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
To complete the configuration, you need the following data:
• Client001 uses password authentication, with the password huawei.
• Client002 uses RSA authentication and is assigned the public key RsaKey001.
• The IP address of the SSH server is 10.10.1.1.
• The number of the port monitored by the SSH server is 1025.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
Step 2 Configure the RSA public key of the server.
# Generate a local key pair of the client on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] 0240
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code] 0203
[SSH Server-rsa-key-code] 010001
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
The SSH user can be authenticated in four modes: password, RSA, password-rsa, and all.
• When the SSH user adopts the password or password-rsa authentication mode, a local user with the same name must be configured.
• When the SSH user adopts the RSA, password-rsa, or all authentication mode, the server must save the RSA public key of the SSH client.
• Create Client001 for the SSH user.
# Create an SSH user with the name Client001. The authentication mode is password.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
• Create Client002 for the SSH user.
# Create an SSH user with the name Client002 and RSA authentication, bound to the RSA public key of the SSH client.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and the authorization directory.
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
[SSH Server] stelnet server enable
[SSH Server] sftp server enable
Step 5 Configure a new number of the port monitored by the SSH server.
[SSH Server] ssh server port 1025
Step 6 Connect the STelnet client to the SSH server.
# For the first login, you need to enable the first authentication on the SSH client. Enable the first authentication on Client001.
<HUAWEI> system-view
# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Please input the username:client001
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
sftp-client>
Step 7 Verify the configuration. The attacker fails to access the SSH server through port 22.
[client002] sftp 10.10.1.1
Please input the username:client002
Trying 10.10.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.
After the configuration, run the display ssh server status and display ssh server session commands. You can view the number of the port monitored by the SSH server and that the STelnet client or SFTP client is connected to the SSH server successfully.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version                         : 1.99
SSH connection timeout              : 60 seconds
SSH server key generating interval  : 0 hours
SSH Authentication retries          : 3 times
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025
----End
Configuration Files
• Configuration file of the SSH server
#
 sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3047
 0240
 C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
 A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
 0203
 010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.1.1 255.255.0.0
#
 sftp server enable
 stelnet server enable
 ssh server port 1025
 ssh user client001
 ssh user client002
 ssh user client001 authentication-type password
 ssh user client002 authentication-type RSA
 ssh user client002 assign rsa-key RsaKey001
 ssh user client001 service-type stelnet
 ssh user client002 service-type sftp
 ssh user client002 sftp-directory cfcard:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
8.8.12 Example for an SSH Client in the Public Network to Access an SSH Server in the Private Network
In this example, SSH attributes of users on the public network are configured so as to access the SSH server on the private network through STelnet or SFTP.
Networking Requirements
As shown in Figure 8-20, PE1 as an SSH client resides on an MPLS backbone network, and CE1 as an SSH server is located at a private network of AS 65410. The users in the public network can safely access and manage CE1 on the private network through PE1. The Huawei router functions as an SSH server. The client client001 is configured to log in to the SSH server by using STelnet in the authentication mode of password; the client client002 is configured to log in to the SSH server by using SFTP in the authentication mode of RSA.
Figure 8-20 Networking diagram of configuring the SSH client in public network accessing the SSH server in the private network
(Figure 8-20, image not included: MPLS backbone AS 100 with PE1 (SSH client, Loopback1 1.1.1.9/32), P (Loopback1 2.2.2.9/32) and PE2 (Loopback1 3.3.3.9/32); P POS1/0/2 200.1.1.1/30 faces POS1/0/1 200.1.1.2/30; PE2 GE1/0/1 10.1.2.2/24 connects to CE2 GE1/0/1 10.1.2.1/24; a VPN site hangs off each CE)
Configuration Roadmap
The roadmap for configuring SSH to support access from the private network is as follows:
1. Configure a VPN instance on the PE functioning as an SSH client so that the CE can access the PE.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Create a local RSA key pair on the STelnet client Client002 and the SSH server, and bind the client client002 to an RSA key to authenticate the client when the client attempts to log in to the server.
4. Enable the STelnet and SFTP services on the SSH server.
5. Users in the public network access devices in the private network through STelnet and SFTP.
Data Preparation
To complete the configuration, you need the following data:
• Name of the VPN instance on the PE: vpn1
• VPN target on the PE: 111:1
• IP address 10.1.1.2 of PE1; IP address 10.1.2.2 of PE2
• Client001 uses password authentication, with the password huawei
• Client002 uses RSA authentication and is assigned the public key RsaKey001
• IP address of the SSH server CE1 on the private network: 10.1.1.1
Procedure
Step 1 Configure the MPLS backbone network.
With an IGP configured on the MPLS backbone network, the PEs on the backbone network can communicate with the P; configure the basic MPLS capability and MPLS LDP, and create LDP LSPs. The detailed configurations are not mentioned here. For more information, refer to the configuration file of this example.
Step 2 Configure the VPN instance.
Configure the VPN on the PEs and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1 both
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE1-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/1] quit
# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1] vpn-target 111:1 both
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] ip binding vpn-instance vpn1
[PE2-GigabitEthernet1/0/1] undo shutdown
[PE2-GigabitEthernet1/0/1] ip address 10.1.2.2 24
[PE2-GigabitEthernet1/0/1] quit
# Configure the IP addresses of the interfaces on the CEs as shown in Figure 8-20. The detailed configurations are not mentioned here.
After the configuration, run the display ip vpn-instance verbose command on the PE. You can view the configuration of the VPN. Each PE can ping through the CE that accesses it.
NOTE
If several VPN interfaces are bound on the PE, you have to run the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE that connects to the peer PE. The source IP address must be specified. Otherwise, the ping may fail.
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms
Step 3 Establish EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure CE2.
[CE2] bgp 65420
[CE2-bgp] peer 10.1.2.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] quit
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PE. You can view that the BGP peer relationship between the PE and the CE is created and in the Established state. The peer relationship between PE1 and CE1 is taken as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1                 Peers in established state : 1
Peer      V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
10.1.1.1  4  65410  3        3        0     00:00:37  Established  1
# Establish the MP-BGP peer relationship between the PEs. The detailed configurations are not mentioned here. For more information, refer to the configuration file of this example.
Step 4 Generate a local key pair on the server.
[CE1] rsa local-key-pair create
The key name will be: CE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
Step 5 Configure the RSA public key of the server.
# Generate a local key pair of the client on the client.
[PE1] rsa local-key-pair create
The key name will be: PE1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
# Send the RSA public key generated on the client to the server.
[CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[CE1-rsa-key-code] 3067
[CE1-rsa-key-code] 0240
[CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[CE1-rsa-key-code] E2EE8EB5
[CE1-rsa-key-code] 0203
[CE1-rsa-key-code] 010001
[CE1-rsa-key-code] public-key-code end
[CE1-rsa-public-key] peer-public-key end
[CE1-rsa-public-key] quit
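The hex typed between public-key-code begin and public-key-code end, both on the SSH server in 8.8.11 and on CE1 in Step 5 above, is a DER SEQUENCE of two INTEGERs (modulus, exponent). The following Python is an added example, not code from this guide or from Huawei, that decodes such a block and reports what a reviewer would want to know before binding it with ssh user ... assign rsa-key; the three sample blocks are copied from this page, while the size threshold and the other findings are the example's own policy.

```python
"""Decode and check a Huawei 'public-key-code' block (added example, not Huawei code).

The block is DER: SEQUENCE { INTEGER modulus, INTEGER exponent }. The modulus is
written without the leading 0x00 byte that strict DER requires when the high bit
is set, so it is read here as an unsigned value.
"""
import re

# Key code entered on the SSH server in 8.8.11 (512-bit modulus), copied from the page.
KEY_CODE_512 = """
3047 0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203 010001
"""

# Key code from the CE1 configuration file in 8.8.12 (768-bit modulus), copied from the page.
KEY_CODE_768 = """
3067 0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203 010001
"""

# Key code as printed in Step 5 of 8.8.12: the 3067 header announces 103 bytes,
# but only 71 follow it, so the length check must reject the block.
KEY_CODE_MISMATCH = """
3067 0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5 0203 010001
"""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError(f"declared length {length} exceeds the {len(buf) - pos} bytes present")
    return tag, buf[pos:pos + length], pos + length


def parse_public_key_code(text):
    """Return {'modulus', 'exponent', 'bits'} for a key-code block, or raise ValueError."""
    hexdigits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits) or len(hexdigits) % 2:
        raise ValueError("key code is not an even-length hex string")
    buf = bytes.fromhex(hexdigits)
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("outer element is not a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE must hold exactly two INTEGERs")
    n = int.from_bytes(n_bytes, "big")      # unsigned, see the module docstring
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "bits": n.bit_length()}


def key_code_findings(text, min_bits=2048):
    """Findings to review before 'ssh user ... assign rsa-key'; an empty list means acceptable.

    The threshold and rules are this example's policy, not a Huawei requirement.
    """
    try:
        key = parse_public_key_code(text)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if key["bits"] < min_bits:
        findings.append(f"modulus is {key['bits']} bits, below {min_bits}")
    if key["exponent"] < 65537:
        findings.append(f"public exponent {key['exponent']} is below 65537")
    if key["modulus"] % 2 == 0:
        findings.append("modulus is even")
    return findings


if __name__ == "__main__":
    for name, code in (("512-bit", KEY_CODE_512), ("768-bit", KEY_CODE_768),
                       ("mismatch", KEY_CODE_MISMATCH)):
        print(name, key_code_findings(code) or "ok")
```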
The SSH user can be authenticated in four modes, namely password, RSA, password-rsa, and all.
• When the SSH user adopts the password or password-rsa authentication mode, a local user with the same name must be configured.
• When the SSH user adopts the RSA, password-rsa, or all authentication mode, the server must save the RSA public key of the SSH client.
• Create Client001 for the SSH user.
# Create an SSH user with the name Client001. The authentication mode is password.
[CE1] ssh user client001
[CE1] ssh user client001 authentication-type password
# Set huawei as the password for the Client001 of the SSH user.
[CE1] aaa
[CE1-aaa] local-user client001 password simple huawei
[CE1-aaa] local-user client001 service-type ssh
[CE1-aaa] quit
• Create an SSH user with the name Client002 and RSA authentication, bound to the RSA public key of the SSH client.
[CE1] ssh user client002
[CE1] ssh user client002 authentication-type rsa
[CE1] ssh user client002 assign rsa-key RsaKey001
# Configure the service type of Client002 as SFTP and the authorization directory.
[CE1] ssh user client002 service-type sftp
[CE1] ssh user client002 sftp-directory cfcard:
Step 8 PE logs in to CE as the SSH client.
# For the first login, you need to enable the first authentication on the SSH client.
[PE1] ssh client first-time enable
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:
After successful login, the following information is displayed, and then you can continue.
sftp-client>
Step 9 Check the configuration.
When running the display this command in the PE interface view, you can view that the configuration of the VPN instance is successful; when running the display ssh server session command on the CE, you can view that the STelnet client or SFTP client is connected to the SSH server successfully.
# View information about the SSH server connection.
[PE1] display ssh server session
Session 1:
Conn                : VTY 0
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
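The session display is also where the negotiated algorithms can be reviewed. The following Python is an added example, not Huawei code, that parses that output (one field per line, as shown above) and flags legacy choices; the LEGACY_* sets are the example's own policy, not a list from this guide.

```python
"""Audit a 'display ssh server session' listing for legacy algorithms (added example).

The LEGACY_* sets are this example's policy: CBC-mode ciphers, MD5 or truncated
MACs, the 1024-bit diffie-hellman-group1 exchange, and anything but SSH-2.
"""
import re

# The Step 9 output for client001, reflowed one field per line (constructed from the page).
SESSION_OUTPUT = """\
Session 1:
Conn                : VTY 0
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
"""

LEGACY_CIPHERS = {"des-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LEGACY_KEX = {"diffie-hellman-group1-sha1"}


def parse_sessions(text):
    """Return one dict of field -> value per 'Session N:' block."""
    sessions, current = [], None
    for line in text.splitlines():
        if re.match(r"Session \d+:", line):
            current = {}
            sessions.append(current)
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    return sessions


def audit_session(session):
    """List policy findings for one parsed session; an empty list means nothing to report."""
    findings = []
    for field in ("CTOS Cipher", "STOC Cipher"):
        if session.get(field) in LEGACY_CIPHERS:
            findings.append(f"{field} {session[field]}: CBC-mode or legacy cipher")
    for field in ("CTOS Hmac", "STOC Hmac"):
        if session.get(field) in LEGACY_MACS:
            findings.append(f"{field} {session[field]}: MD5 or truncated MAC")
    if session.get("Kex") in LEGACY_KEX:
        findings.append(f"Kex {session['Kex']}: 1024-bit DH group")
    if session.get("Version") != "2.0":
        findings.append(f"Version {session.get('Version')}: not SSH-2")
    if session.get("Authentication Type") == "password":
        findings.append("Authentication Type password: RSA authentication is the stronger option")
    return findings


def audit_output(text):
    """Map each session's Username to its findings."""
    return {s.get("Username", "?"): audit_session(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for user, findings in audit_output(SESSION_OUTPUT).items():
        print(user, findings or "ok")
```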
----End
Configuration Files
• Configuration file of CE1
#
 sysname CE1
#
rsa peer-public-key RsaKey001
 public-key-code begin
 3067
 0260
 9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
 419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
 9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
 0203
 010001
 public-key-code end
• Configuration file of P
#
 sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/1
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Pos1/0/2
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 200.1.1.0 0.0.0.255
#
return
Definition
Synchronization must be maintained on Data Communications Networks (DCN). The sending end places a pulse in a specified timeslot at the end of the digital pulse signal. The receiving end extracts the pulse in the specified timeslot, so that normal communications between sending and receiving ends are guaranteed. A clock ensures that signals are sent in a certain timeslot and then received and extracted from that timeslot.
Purpose
Clock synchronization is used to keep differences in clock frequency and phase among network elements on a digital network within a specific range. If the differences exceed the specified range, bit errors and jitter occur and transmission performance is degraded.
Pre-configuration Tasks
None.
Data Preparation
None.
Procedure
Step 1 Run:
system-view
or
controller { e1 | cpos } controller-number
Return to the system view from the interface view.
Step 7 (Optional) Run:
SSM control is enabled. By default, SSM control is enabled.
Step 8 (Optional) Run:
clock run-mode
The running mode of the Ethernet Equipment Clock (EEC) is set. By default, an EEC works in normal mode.
Step 9 (Optional) Run:
clock switch { revertive | non-revertive }
The recovery mode for a clock is configured. By default, a clock is revertive.
Step 10 (Optional) Run:
clock wtr
The Wait to Recovery (WTR) time is configured. By default, the WTR time is five minutes.
Step 11 (Optional) Run:
clock source-lost holdoff-time
The holdoff time is set for a clock when the timing signal is invalid. By default, the holdoff time is 1000 ms.
Step 12 (Optional) Run:
clock max-out-ssm
The maximum output SSM value of the interface clock source is configured.
Step 13 (Optional) Run:
clock freq-deviation-detect enable
Clock frequency offset detection is enabled. By default, clock frequency offset detection is disabled.
----End
Check whether the basic configurations for clock synchronization take effect.
----End
Applicable Environment
On a synchronous Ethernet network, if the site where the router is located has a BITS clock, the router must be set to trace the BITS clock. The router serves as the primary clock to provide a clock source for the entire synchronous Ethernet network. There are four types of BITS clocks: 2.048 MHz, 2.048 Mbit/s, 1 pps, and DCLS. You can use commands to specify the type of external BITS clock source on the clock board.
Pre-configuration Tasks
None.
Data Preparation
None.
9.3.2 Configuring the Lower Threshold of the Clock Signals Output by the BITS Clock
Context
Do as follows on all routers on the clock synchronization network.
Procedure
Step 1 Run:
system-view
The lower threshold (the lowest quality level) of clock signals output by the BITS clock is configured.
----End
9.3.3 Configuring an External Clock Source and Its Signal Type on the router
The router supports four types of signals (2mhz, 2mbps, dcls, and 1pps).
Context
Do as follows on every router on the clock synchronization network.
Procedure
Step 1 Run:
system-view
An external BITS clock source and its signal type are configured. For information about clock source IDs and signal types, refer to the HUAWEI NetEngine80E/40E Router - Command Reference.
----End
Procedure
• Run the display clock source command to check the status and attributes of the clock reference source.
• Run the display clock config command to check the configuration information of the clock reference source.
----End
The clock reference source is in the Abnormal state. The QL of the clock reference source is QL-DNU. The clock works in hold mode. You can switch the mode of configuring the clock reference source from manual to forcible through command lines. The clock reference source should be specified on the master clock, as shown in Figure 9-1. On Router A, the external clock interface bits0 on the master clock board is connected to BITS0, one reference clock source; the external clock interface bits0 on the slave clock board is connected to BITS1, another reference clock source. The output clock signals of BITS0 and BITS1 are the same. Router A is manually or forcibly configured to trace the clock signal input through bits0. In normal situations, Router A traces the BITS0 clock reference source. When the master clock board fails, a switchover of the clock boards is performed. After that, Router A traces the BITS1 clock reference source.
Figure 9-1 Diagram of configuring the clock reference source manually
(Figure 9-1, image not included: Router A with BITS0 and BITS1 attached to its master and slave clock boards, connected to Router B and Router C)
Pre-configuration Tasks
Before configuring the clock reference source manually, complete the following tasks (Configuring an External Clock Reference Source and Its Signal Type on the device):
• Configuring an external clock reference source
• Configuring the signal type of the external clock reference source
Data Preparation
None.
Procedure
• Configure a clock reference source manually.
1. Run:
system-view
Forcible specification of a clock reference source is cancelled. If forcible specification of a clock reference source has been configured, you need to run the clock clear command to cancel the configuration before configuring manual specification of a clock reference source.
3. Run:
clock manual { 2msync-1 | 2msync-2 } source interface interface-type interface-number
or
clock manual source { bits0 | bits1 | bits2 | ptp | interface interfacetype interface-number}
A clock reference source is manually configured.
• Configure a clock reference source forcibly.
1. Run:
system-view
or
clock force source { bits0 | bits1 | bits2 | ptp | interface interfacetype interface-number}
Procedure
Step 1 Run:
display clock { config | source }
Pre-configuration Tasks
Before configuring protection switchover of clock sources based on SSM levels, complete the following task:
• Configuring an external clock reference source and its signal type on the device
Data Preparation
To configure protection switchover of clock sources based on SSM levels, you need SSM levels of clock sources.
Procedure
Step 1 Run:
system-view
If the clock sources are manually or forcibly specified, you need to run the clock clear command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.
Step 3 Run:
clock run-mode normal
The Ethernet Equipment Clock (EEC) is configured to work in normal mode. By default, the EEC works in normal mode.
----End
Context
Do as follows on every router on the clock synchronization network:
Procedure
Step 1 Run:
system-view
Procedure
• Configuring the SSM level of the clock reference source
1. Run:
system-view
• Configuring the SSM level of the clock reference source on the interface
1. Run:
system-view
or
controller { e1 | cpos } controller-number
The SSM level of the clock reference source on the interface is configured.
----End
9.5.5 Setting a Timeslot of the 2.048 Mbit/s BITS Clock Signal to Carry SSMs
Context
Do as follows on the routers that are connected to external BITS clock sources:
Procedure
Step 1 Run:
system-view
The timeslot of the 2.048 Mbit/s BITS clock signal that carries SSMs is set.
----End
By default, the SSM level is extracted from the interface. If the SSM level is forcibly set, the forcibly-set SSM level takes effect. Do as follows on all routers in the clock synchronization network:
Procedure
• Forcibly configuring the SSM levels of clock reference sources
1. Run:
system-view
Repeat Step 2 to configure SSM levels for multiple clock reference sources.
To forcibly configure the SSM level of a clock reference source on an interface, you can instead enter the corresponding interface view and run the clock ssm { dnu | prc | sec | ssua | ssub | unk } command. This has the same effect as Step 2.
• Extracting the SSM level of the clock reference source from the interface
1. Run:
system-view
Forcibly configuring the SSM level of a clock reference source is disabled. To extract the SSM level of a clock reference source from the interface, you can first enter the corresponding interface view and run the undo clock ssm command. This can achieve the same effect as that of Step 2.
NOTE
The current version only supports extracting the SSM level of a clock reference source from the Ethernet interface, GigabitEthernet interface, and CE1 interface. To extract the SSM level of a clock reference source from the CE1 interface, you need to configure the frame format as crc4.
----End
Procedure
• Run:
display clock { config | source }
Pre-configuration Tasks
Before configuring protection switchover of clock sources based on priorities, complete the following task:
• Configuring an external clock reference source and its signal type on the device
Data Preparation
To configure protection switchover of clock sources based on priorities, you need the priorities of different clock sources.
Procedure
Step 1 Run:
system-view
If the clock sources are manually or forcibly specified, you need to run the clock clear [ 2msync-1 | 2msync-2 ] command to enable the system to automatically select clock sources. By default, the router automatically selects clock sources.
Step 3 Run:
clock run-mode normal
The Ethernet Equipment Clock (EEC) is set to work in normal mode. By default, the EEC works in normal mode.
----End
Procedure
Step 1 Run:
system-view
SSM is disabled.
NOTE
When SSM is disabled, the router selects a clock source based on priorities.
----End
Procedure
• Setting priorities for the clock reference sources BITS and 1588
1. Run:
system-view
Priorities are set for the clock reference sources BITS and 1588.
Repeat the preceding step to configure priorities for multiple clock reference sources. You can set the same priority for multiple clock reference sources. The clock reference source is selected according to the priority. In the case of the same priority, the clock reference source is selected based on the type of the clock reference source and the port number.
• Setting the priority of a clock reference source on the interface
1. Run:
system-view
or
controller { e1 | cpos } controller-number
The priority of the clock reference source on the interface is set.
----End
Procedure
Step 1 Run:
display clock { config | source }
sent to the data communication devices that connect the BTS after passing through the Ethernet clock synchronization. Ethernet clock synchronization can ensure reliable quality of clock transmission.
Figure 9-2 Networking diagram of applying Ethernet clock synchronization
(Figure 9-2, image not included: a BITS clock source, Router C, and a BTS attached over FE)
Pre-configuration Tasks
Before configuring Ethernet clock synchronization, complete the following tasks:
• Configuring the link layer protocol parameters and assigning IP addresses to the interfaces so that the link layer protocol status of the interfaces is Up
• Configuring a static route or an Interior Gateway Protocol (IGP) so that there is a reachable IP route between the nodes
Data Preparation
To configure Ethernet clock synchronization, you need the following data:
• Slot number, sub-card number, and port number of the Ethernet clock source
Ethernet clock signals can be transmitted only after Ethernet clock synchronization is enabled on all the routers in an IP bearer network.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
or
controller { e1 | cpos } controller-number
Procedure
• Run:
display clock { config | source }
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
(Figure 9-3, image not included: Router A through Router F connected in a ring over their GE1/0/0 and GE2/0/0 interfaces, each link marked W (west) and E (east); BITS 0 is attached to Router A and BITS 1 to Router D; link addresses 10.1.1.1/10.1.1.2, 20.1.1.1/20.1.1.2, 30.1.1.1/30.1.1.2, 40.1.1.1/40.1.1.2 and 50.1.1.1)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the external BITS clock signal types of Router A and Router D.
2. Configure the priorities of all clock sources for each router.
Data Preparation
To complete the configuration, you need the following data:

Table 9-1 Clock sources of all routers and their priorities

Router    Current Clock Source   Available Clock Sources   Priority
Router A                         BITS0                     1
Router A                         GE1/0/0                   2
Router A                         Internal clock            3
Router B                         GE1/0/0                   1
Router B                         GE2/0/0                   2
Router B                         Internal clock            3
Router C  GE2/0/0                GE2/0/0                   1
Router C  GE2/0/0                GE1/0/0                   2
Router C  GE2/0/0                Internal clock            3
Router D  GE1/0/0                GE1/0/0                   1
Router D  GE1/0/0                BITS1                     2
Router D  GE1/0/0                Internal clock            3
Router E  GE1/0/0                GE1/0/0                   1
Router E  GE1/0/0                GE2/0/0                   2
Router E  GE1/0/0                Internal clock            3
Router F  GE2/0/0                GE2/0/0                   1
Router F  GE2/0/0                GE1/0/0                   2
Router F  GE2/0/0                Internal clock            3
Procedure
Step 1 Connect the routers and the BITS clock sources as shown in Figure 9-3.
Step 2 Configure the IP addresses of the interfaces. The details are not mentioned here.
Step 3 Set the priorities of all clock sources for each router as shown in Figure 9-3.
# Configure Router A
<RouterA> system-view
[RouterA] clock ethernet-synchronization enable
[RouterA] clock source bits0 synchronization enable
[RouterA] clock source bits0 ssm prc
[RouterA] clock source bits0 priority 1
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] clock synchronization enable
[RouterA-GigabitEthernet1/0/0] clock priority 2
[RouterA-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] clock synchronization enable
# Configure Router B
<RouterB> system-view
[RouterB] clock ethernet-synchronization enable
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] clock synchronization enable
[RouterB-GigabitEthernet1/0/0] clock priority 1
[RouterB-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] clock synchronization enable
[RouterB-GigabitEthernet2/0/0] clock priority 2
# Configure Router C
<RouterC> system-view
[RouterC] clock ethernet-synchronization enable
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] clock synchronization enable
[RouterC-GigabitEthernet1/0/0] clock priority 2
[RouterC-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] clock synchronization enable
[RouterC-GigabitEthernet2/0/0] clock priority 1
# Configure Router D
<RouterD> system-view
[RouterD] clock ethernet-synchronization enable
[RouterD] clock source bits1 synchronization enable
[RouterD] clock source bits1 ssm ssua
[RouterD] clock source bits1 priority 2
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] clock synchronization enable
[RouterD-GigabitEthernet1/0/0] clock priority 1
[RouterD-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] clock synchronization enable
# Configure Router E
<RouterE> system-view
[RouterE] clock ethernet-synchronization enable
[RouterE] interface GigabitEthernet 1/0/0
[RouterE-GigabitEthernet1/0/0] clock synchronization enable
[RouterE-GigabitEthernet1/0/0] clock priority 1
[RouterE-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterE-GigabitEthernet2/0/0] clock synchronization enable
[RouterE-GigabitEthernet2/0/0] clock priority 2
# Configure Router F
<RouterF> system-view
[RouterF] clock ethernet-synchronization enable
[RouterF] interface GigabitEthernet 1/0/0
[RouterF-GigabitEthernet1/0/0] clock synchronization enable
[RouterF-GigabitEthernet1/0/0] clock priority 2
[RouterF-GigabitEthernet1/0/0] interface GigabitEthernet 2/0/0
[RouterF-GigabitEthernet2/0/0] clock synchronization enable
[RouterF-GigabitEthernet2/0/0] clock priority 1
Step 5 Check the clock source attributes of the other routers.
# The displayed information about Router B, Router C, Router D, Router E, and Router F is similar. The following uses Router B as an example.
Step 6 Verify the configuration.
When the master BITS clock source fails, all NEs trace the clock signal from the slave BITS clock source. The following takes Router A as an example.
# Run the following command on Router A.
<RouterA> display clock source
System trace source
State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board source   Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                 1  /---/---         prc     ssua     abnormal
GigabitEthernet1/0/0  2  /---/---         ssua    dnu      normal
GigabitEthernet2/0/0  ---/---/---         ssua    ssua     normal
Slave board source    In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                 prc     ssua     abnormal
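The verification in Step 6 is done by reading the output by eye. The following script, an added example that is not part of the Huawei guide, parses the display clock source output shown above (embedded as the sample input) and checks mechanically that the router is tracing one of the best-priority sources that is in the normal state, reporting any configured source that has gone abnormal; the parsing assumes the column layout printed above.

```python
"""Audit the Ethernet clock selection reported by "display clock source".

Added example, not part of the Huawei guide. It parses the output of the
display clock source command (the Router A output above is embedded as the
sample input) and checks that the source the router is tracing is one of
the best-priority sources in the normal state. Any configured source in an
abnormal state, or a trace source that a better normal source should have
won, is returned as a finding a monitoring job can raise as an alarm.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Output of Router A after the link to BITS0 was cut, as printed in the guide.
SAMPLE_OUTPUT = """\
<RouterA> display clock source
System trace source
State: lock mode into pull-in range
Current system trace source: GigabitEthernet1/0/0
Current 2M-1 trace source: system PLL
Current 2M-2 trace source: system PLL
Master board source   Pri(sys/2m-1/2m-2)  In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                 1  /---/---         prc     ssua     abnormal
GigabitEthernet1/0/0  2  /---/---         ssua    dnu      normal
GigabitEthernet2/0/0  ---/---/---         ssua    ssua     normal
Slave board source    In-SSM  Out-SSM  State
-------------------------------------------------------------------------
bits0                 prc     ssua     abnormal
"""


@dataclass
class ClockSource:
    name: str
    sys_priority: Optional[int]  # None: not a candidate for the system clock ("---")
    in_ssm: str
    out_ssm: str
    state: str


@dataclass
class ClockStatus:
    trace_source: str
    sources: List[ClockSource]


def parse_clock_source(text: str) -> ClockStatus:
    """Extract the current trace source and the master-board source table."""
    trace_source = ""
    sources: List[ClockSource] = []
    in_master_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Current system trace source:\s*(\S+)", line)
        if m:
            trace_source = m.group(1)
            continue
        if line.startswith("Master board source"):
            in_master_table = True
            continue
        if line.startswith("Slave board source"):
            break  # the slave board lists the same sources; not needed here
        if not in_master_table or not line or line.startswith("-"):
            continue
        tokens = line.split()
        if len(tokens) < 5:
            continue
        # The priority column prints as "1 /---/---" (two tokens) or
        # "---/---/---" (one token); rejoin it and take the system-clock field.
        sys_field = "".join(tokens[1:-3]).split("/")[0]
        sources.append(ClockSource(
            name=tokens[0],
            sys_priority=int(sys_field) if sys_field.isdigit() else None,
            in_ssm=tokens[-3], out_ssm=tokens[-2], state=tokens[-1]))
    return ClockStatus(trace_source, sources)


def best_normal_sources(status: ClockStatus) -> List[str]:
    """Names of the normal-state sources with the smallest priority number.

    1 is the highest priority. Several sources may share it; the router then
    breaks the tie by source type and port number, so any of them is acceptable.
    """
    candidates = [s for s in status.sources
                  if s.sys_priority is not None and s.state == "normal"]
    if not candidates:
        return []
    best = min(s.sys_priority for s in candidates)
    return [s.name for s in candidates if s.sys_priority == best]


def audit_clock(status: ClockStatus) -> List[str]:
    """Return findings; an empty list means the selection matches the configuration."""
    findings: List[str] = []
    best = best_normal_sources(status)
    if not best:
        findings.append("no configured clock source is normal; the router is free-running")
    elif status.trace_source not in best:
        findings.append(f"tracing {status.trace_source} although {', '.join(best)} "
                        "has a better priority and is normal")
    for s in status.sources:
        if s.sys_priority is not None and s.state != "normal":
            findings.append(f"configured source {s.name} (priority {s.sys_priority}) is {s.state}")
    return findings


if __name__ == "__main__":
    for finding in audit_clock(parse_clock_source(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample output the only finding is that bits0 (priority 1) is abnormal, which is exactly the BITS failure Step 6 describes; the trace source GigabitEthernet1/0/0 is the expected fallback.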
# After the connection between the BITS clock source and Router A is closed, all routers perform a clock source tracing switchover. Figure 9-4 shows the clock source tracing after the connection between the BITS clock source and Router A is closed.
Figure 9-4 Networking diagram of the clock source tracing after the connection between the BITS clock source and Router A is closed
----End
Configuration Files
- Router A Configuration Files
#
 sysname RouterA
#
 clock ethernet-synchronization enable
 clock source bits0 priority 1
 clock source bits0 ssm prc
 clock source bits0 synchronization enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 clock priority 2
 clock synchronization enable
#
interface GigabitEthernet2/0/0
 undo shutdown
 clock synchronization enable
#
return
10 Device Maintenance

About This Chapter
With routine device maintenance, you can detect potential operation threats on devices and then eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.

10.1 Introduction of Device Maintenance
Device maintenance involves replacing boards and monitoring the internal environment.
10.2 Powering off the MPU
To ensure non-stop services, you can power off the slave MPU only. If the device has only one MPU, confirm the action before powering off the MPU.
10.3 Powering off the SFU
When the SFU is faulty or you need to routinely maintain the SFU, you can power off the SFU.
10.4 Powering off the NPU
This section describes how to power off the NPU.
10.5 Powering off the LPU
When the LPU is faulty or you need to routinely maintain the LPU, you can power off the LPU.
10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s
To restore the bandwidth of 10GE LAN/WAN interfaces on an NPU to 10 Gbit/s, you need to bind a valid Global Trotter License (GTL) file to the NPU.
10.7 Switching Between the Operation Modes of the LPUF-10
You can run a command to configure the LPUF-10 to work in either FR or ATM mode.
10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21
LPUF-20/21 or LPUF-40 support various service modes, which can be configured using commands.
10.9 Configuring the CMU
10.10 Configuring a Cleaning Cycle for the Air Filter
This section describes the procedure for configuring a cleaning cycle for the air filter.
10.11 Monitoring the Device Status
Monitoring the device status facilitates fault location and cause analysis.
10.12 Board Maintenance
Board maintenance involves resetting a board and clearing the maximum CPU usage.
10.13 Configuring NAP-based Remote Deployment
Using NAP, you can remotely log in to devices with empty configurations to implement remote deployment.
10.14 Configuration Examples of the Device Maintenance
This section provides examples for powering off different types of boards to describe common device maintenance operations.
10.1 Introduction of Device Maintenance
Concept
The stable running of a router depends on mature network planning and routine maintenance. In addition, hidden hazards must be located quickly. The maintenance personnel must check the alarm information in time and handle faults properly to keep the device in normal operation and reduce the failure rate. In this way the system runs in a safe, stable, and reliable environment.
Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal operation of the router.
Powering off
You can power on or power off the boards through command lines to perform hot plugging without interrupting the services on the router.
Monitoring
In routine maintenance of the device, you can run the display commands to view the working status of the router. This helps the maintenance personnel locate faults quickly during troubleshooting.
10.2 Powering off the MPU
Applicable Environment
The two Main Processing Units (MPUs) are in 1:1 backup mode. During operation, one MPU serves as the master MPU and the other as the slave MPU. Remove an MPU in the following situations:
- Maintenance of the MPU, such as dust removal
- Upgrade of the hardware on the MPU, such as memory capacity extension
- Failure of the MPU
Pre-configuration Tasks
Before powering off the MPU, complete the following tasks:
- Checking the slot of the MPU to be powered off
- Running the display device command to check the status of the MPU. If the MPU is the master MPU, perform a master/slave switchover first.
Data Preparation
To power off the MPU, you need the following data.
No.  Data
1    Slot number of the MPU to be powered off
Context
WARNING
The router cannot work with a single MPU for a long time. If the single MPU fails, the whole system breaks down. After powering off the slave MPU, restore the MPU immediately. Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
If there is no terminal on the deployment site, you can power off the slave MPU by using the OFL (offline) button. The OFL button is in the upper part of the slave MPU. Press the button for six seconds. If the OFL indicator is on, it means that the slave MPU is powered off successfully.
----End
Context
Run the following commands to check the previous configuration.
Procedure
- Run:
display device
Example
After the power-off operation, run the display device command. If the slave SRU/MPU is in the abnormal state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Unregistered  Abnormal  Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA
10.3 Powering off the SFU
Applicable Environment
During normal operation of the device, four Switch and Fabric Units (SFUs) work in 3+1 load balancing mode. Remove an SFU in the following situations:
- Maintenance of the SFU, such as dust removal
- Failure of the SFU and replacement or repair of the SFU
Pre-configuration Tasks
Before powering off the SFU, complete the following task:
- Checking the slot of the SFU to be powered off
Data Preparation
To power off the SFU, you need the following data.
No.  Data
1    Slot number of the SFU to be powered off
Context
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
The SFU is not supported on the X1 and X2 models of the NE80E/40E. If there is no terminal on the deployment site, you can power off the slave SFU by using the OFL button. The OFL button is in the upper part of the slave SFU. Press the button for six seconds. If the OFL indicator is on, the SFU has been powered off successfully.
----End
Context
Run the following commands to check the previous configuration.
Procedure
Step 1 Run:
display device
Example
After the power-off operation, run the display device command. If the SFU is in the unregistered state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Registered    Normal    NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Unregistered  Abnormal  NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA
10.4 Powering off the NPU
NOTE
Pre-configuration Tasks
Before powering off the NPU, complete the following tasks: None.
Data Preparation
To power off the NPU, you need the following data.
No.  Data
1    Slot number of the NPU to be powered off
Procedure
Step 1 Run:
power off slot slot-id
If there is no terminal on the deployment site, you can power off the slave NPU by using the OFL button. The OFL button is in the upper part of the slave NPU. Press the button for six seconds. If the OFL indicator is on, it means that powering off the NPU succeeds.
----End
Procedure
Step 1 Run:
display device
Example
After the power-off operation, run the display device command. If the NPU is in the unregistered state, it means that the operation succeeds. For example:
<HUAWEI> display device
NE40E-X1's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1       NPU   Present  Unregistered  Abnormal  NA
2       PIC   Present  Registered    Normal    NA
3       PIC   Present  Registered    Normal    NA
4       PIC   Present  Registered    Normal    NA
5       PIC   Present  Registered    Normal    NA
7       MPU   Present  NA            Normal    Master
8       PWR   Present  Registered    Normal    NA
10      FAN   Present  Registered    Normal    NA
12      CLK   Present  Registered    Normal    Master
10.5 Powering off the LPU

Applicable Environment
Power off the LPU in the following situations:
- Maintenance of the LPU, such as dust removal
- Failure of the LPU and replacement of the LPU
Pre-configuration Tasks
Before powering off the LPU, complete the following task:
Data Preparation
To power off the LPU, you need the following data:
No.  Data
1    Slot number of the LPU to be powered off
2    A slave LPU whose board type and Physical Interface Card (PIC) type are the same as those of the LPU to be powered off
Context
Do as follows on the router to be configured:
Procedure
Step 1 Run:
power off slot slot-id
- To power off the sub-cards of the FPICs, run the power off slot slot-id card card-id command.
- If there is no terminal on the deployment site, you can power off the LPU by using the OFL button. The OFL button is in the upper part of the LPU. Press the button for six seconds. If the OFL indicator is on, the LPU has been powered off successfully.
----End
Context
Run the following commands to check the previous configuration.
Procedure
- Run:
display device
Example
After the power-off operation, run the display device command. If the LPU is in the unregistered state, it means that the operation succeeds. Take powering off the LPU in slot 5 for example:
<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Unregistered  Abnormal  NA
6       LPU   Present  Registered    Normal    NA
9       LPU   Present  Registered    Normal    NA
12      LPU   Present  Registered    Normal    NA
11      LPU   Present  Registered    Normal    NA
16      LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
20      SFU   Present  Registered    Normal    NA
21      SFU   Present  Registered    Normal    NA
22      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
24      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
26      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
28      FAN   Present  Registered    Normal    NA
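The MPU, SFU, NPU and LPU power-off sections above all verify the result the same way: the powered-off slot shows Unregistered or Abnormal in display device, and nothing else should. The following script, an added example that is not part of the Huawei guide, performs that check mechanically over the display device output (sample abridged from the output above) so that an unexpected Unregistered or Abnormal board, or the loss of the master MPU that the WARNING in the MPU section cautions against, is reported; it assumes the column layout printed above.

```python
"""Verify board state after a power-off from "display device" output.

Added example, not part of the Huawei guide. It parses the board table
printed by display device, confirms the slots you intended to power off are
down (Unregistered and/or Abnormal), reports any other board in that state,
and checks that exactly one MPU is Master. The sample input is abridged from
the NE80E output above, taken after powering off the LPU in slot 5.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Abridged from the guide's output after powering off the LPU in slot 5.
SAMPLE_OUTPUT = """\
<HUAWEI> display device
NE80E's Device status:
Slot #  Type  Online   Register      Status    Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5       LPU   Present  Unregistered  Abnormal  NA
6       LPU   Present  Registered    Normal    NA
17      MPU   Present  Registered    Normal    Slave
18      MPU   Present  NA            Normal    Master
19      SFU   Present  Registered    Normal    NA
23      CLK   Present  Registered    Normal    NA
25      PWR   Present  Registered    Normal    NA
27      FAN   Present  Registered    Normal    NA
"""

# One table row: a slot number followed by five single-word columns. The
# prompt, title, header and dashed separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Board:
    slot: int
    kind: str      # LPU, MPU, SFU, CLK, PWR, FAN, NPU, PIC
    online: str
    register: str
    status: str
    primary: str   # Master, Slave or NA

    @property
    def is_down(self) -> bool:
        """A powered-off or failed board shows Unregistered and/or Abnormal."""
        return self.register == "Unregistered" or self.status == "Abnormal"


def parse_display_device(text: str) -> List[Board]:
    """Parse every board row of a display device output."""
    boards: List[Board] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, kind, online, register, status, primary = m.groups()
            boards.append(Board(int(slot), kind, online, register, status, primary))
    return boards


def check_power_off(boards: Iterable[Board], expected_off: Set[int]) -> List[str]:
    """Return findings; an empty list means the chassis looks as intended."""
    findings: List[str] = []
    boards = list(boards)
    listed = {b.slot for b in boards}
    for slot in sorted(expected_off - listed):
        findings.append(f"slot {slot}: not present in the output")
    for b in boards:
        if b.slot in expected_off and not b.is_down:
            findings.append(f"slot {b.slot} ({b.kind}): expected powered off but is "
                            f"{b.register}/{b.status}")
        elif b.slot not in expected_off and b.is_down:
            findings.append(f"slot {b.slot} ({b.kind}): unexpected {b.register}/{b.status}")
    # A chassis must not run without a master MPU; the guide also warns
    # against running on a single MPU for long, so the role count is checked.
    masters = [b for b in boards if b.kind == "MPU" and b.primary == "Master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master MPU, found {len(masters)}")
    return findings


if __name__ == "__main__":
    chassis = parse_display_device(SAMPLE_OUTPUT)
    print("after powering off slot 5:", check_power_off(chassis, {5}) or "OK")
    print("routine check, nothing expected off:", check_power_off(chassis, set()))
```

Run with the slot you powered off as expected_off right after the operation; run with an empty set from a periodic job so that a board that drops out on its own is reported.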
10.6 Restoring the Bandwidth of 10GE LAN/WAN Interfaces on an NPU to 10 Gbit/s

Application Environment
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.
Pre-configuration Tasks
None.
Data Preparation
To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, you need the following data.
No.  Data
1    GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s
Context
By default, the bandwidth of 10GE LAN/WAN interfaces on an NPU is 10 Mbit/s. To restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s, purchase a legitimate GTL file.
Procedure
Step 1 Run:
license active file-name
The GTL file for enabling 10GE LAN/WAN interfaces is activated.
Step 2 Run:
system-view
The GTL file used to restore the bandwidth of 10GE LAN/WAN interfaces to 10 Gbit/s is bound to the NPU.
NOTE
The active 10ge-interface command takes effect only in the view of the slot where the NPU resides. After binding the GTL file to the NPU, it is recommended that you run the save command to save the configuration. Otherwise, you need to bind the GTL file again after the device is restarted.
----End
Context
Run the following command to check the previous configuration.
Procedure
Step 1 Run the display device pic-status command to view the current PIC cards on the device.
----End
Example
# View the current PIC cards on the device.
<HUAWEI> display device pic-status
Pic-status information in Chassis 1:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SLOT  PIC  Status      Type                   Port_count  Init_result  Logic down
7     0    Registered  LAN_WAN_2x10GX_V_CARD  2           SUCCESS      SUCCESS
7     6    Registered  ETH_8xGF_B_CARD        8           SUCCESS      SUCCESS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
10.7 Switching Between the Operation Modes of the LPUF-10

Application Environment
When configuring FR or ATM services on the LPUF-10, you need to manually switch the operation mode of the LPUF-10. An LPUF-10 can operate in either of the following modes:
- support-atm mode: In this mode, the LPUF-10 supports ATM services but not FR services.
- support-fr mode: In this mode, the LPUF-10 supports FR services but not ATM services.
Pre-configuration Tasks
Before switching the operation mode of the LPUF-10, complete the following task:
Data Preparation
To switch the operation mode of the LPUF-10, you need the following data.
No.  Data
1    Slot ID of the LPU and the ID of the subcard whose operation mode needs to be switched
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
Follow-up Procedure
NOTE
- FR and ATM services are mutually exclusive on an LPUF-10.
- When the board is moved to a slot where FR is configured on a POS interface, the operation mode of the LPUF-10 is automatically switched to support-fr. The FR configuration on the POS interface must be deleted before ATM services can be configured.
- If the operation mode of the board is not set, the board starts in support-atm mode by default.
Context
Run the following command to check the previous configuration.
Procedure
Step 1 Run the display work-mode [ slot slot-id ] command to view the operation mode of the board.
----End
Example
# View the current operation mode of the board in slot 1.
<HUAWEI> display work-mode slot 1
NE40E-4's Slot 1 current work-mode on lpuf-10:
Slot  Type     Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1     LPUF-10  SUPPORT-ATM
10.8 Configuring a Working Mode for an LPUF-40 or LPUF-20/21

Applicable Environment
An LPUF-20/21 or LPUF-40 cannot be configured with the 1588v2 ACR server function and NetStream at the same time. Before configuring either the 1588v2 ACR server function or NetStream, configure the corresponding service mode for the LPU.
- netstream-1-mode: In this mode, the LPU can be configured with NetStream but not with the 1588v2 ACR server function.
- ptp-1-mode: In this mode, the LPU can be configured with the 1588v2 ACR server function but not with NetStream.
The LAN_WAN_10G_TM_CARD, ETH_10XGF_TM_CARD, or ETH_6XGF_TM_CARD subcard can be configured with a service mode to support specified functions. The service modes and the service types they support are as follows:
- reassemble-mode: In this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588v2 ACR client function.
- ptp-slave-mode: In this mode, the subcard supports 1588v2 and the 1588v2 ACR client function, but not packet reassembly.
Pre-configuration Tasks
Before configuring a service mode for an LPU, complete the following task:
Data Preparation
To configure a service mode for an LPU, you need the following data.
No.  Data
1    Slot ID of the LPU whose service mode needs to be configured
2    Card ID of the subcard whose service mode needs to be configured
Context
An LPUF-20/21 or LPUF-40 cannot be configured with the 1588v2 ACR server function and NetStream at the same time. Before configuring either the 1588v2 ACR server function or NetStream, configure the service mode for the LPU.
The LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD subcard can be configured with a service mode to support specified functions. The service modes and the service types they support are as follows. Configure the service mode of the subcard based on the required service type.
- reassemble-mode: In this mode, the subcard supports packet fragmentation and reassembly, but not 1588v2 or the 1588v2 ACR client function.
- ptp-slave-mode: In this mode, the subcard supports packet fragmentation, 1588v2, and the 1588v2 ACR client function, but not packet reassembly.
Perform the following steps on the router to configure a service mode for the LPU:
Procedure
Step 1 Run:
system-view
A service mode is configured for the LPU to support the 1588v2 ACR server function or NetStream.
CAUTION
This command takes effect on the LPUF-20/21 or LPUF-40.
Step 3 Run:
set service-mode slot { slot-id card card-id | all card all } { reassemble-mode | ptp-slave-mode }
A service mode is configured for a subcard. The default service mode of a subcard is reassemble-mode. The service mode of a subcard is irrelevant to the service mode of the LPU where the subcard resides.
CAUTION
This command takes effect on a LAN_WAN_10G_TM_CARD or ETH_10XGF_TM_CARD of the LPUF-21. To query the type of a subcard, run the display device pic-status command.
----End
Context
Run the following command to check the configurations:
Procedure
Step 1 Run the display service-mode slot slot-id command to check the service mode of an LPU or a subcard.
----End
Example
# Run the display service-mode command in the system view to display the current working mode of the LPU in slot 1.
[HUAWEI] display service-mode slot 1
The device can work under the following mode:
=======================================================================:
Service-mode      Functions:
NETSTREAM-1-MODE  Support 2047 MPLS OAM sessions.support (2048 3.3ms | 2048 10ms) bfd sessions.can not support 1588 ACR serverSupport 4095 Mep,4095 Rmep, 4095 Ma EOAM/MPLS-TP sessions.Support Netstream.
PTP-1-MODE        Support 2047 MPLS OAM sessions.support (2048 3.3ms | 2048 10ms) bfd sessions.support 1588 ACR serverSupport 4095 Mep,4095 Rmep,4095 Ma EOAM/MPLS-TP sessions.Does not Support Netstream.
=======================================================================:
The current service-mode is PTP-1-MODE!
10.9 Configuring the CMU

Application Environment
In remote and unattended equipment rooms, routers that provide the environment monitoring function can monitor the working environment in real time. Upon receiving an input signal indicating that a specific environment variable is abnormal, a router generates an alarm. The maintenance personnel can then take immediate action to adjust the environment variable, without having to wait on site for environment monitoring. This effectively reduces equipment room maintenance costs for carriers. The CMU on the AUXQ can be connected to an environment monitoring device. Based on the input signals received from the environment monitoring device, the CMU generates an alarm and reports it to the NMS so that the maintenance personnel are informed of the problem and can come to the site to address it.
Pre-configuration Tasks
None.
Data Preparation
None.
Procedure
Step 1 Run:
system-view
Monitor items such as objects to be monitored and an alarm mode are configured for a CMU.
NOTE
A router can monitor four types of environment variables at a time. You need to run the cmu-switch command to configure each environment variable that needs to be monitored and the associated alarm mode.
----End
10.10 Configuring a Cleaning Cycle for the Air Filter

Pre-configuration Tasks
None.
Data Preparation
To configure a cleaning cycle for the air filter, you need the following data.
No.  Data
1    Cleaning cycle of the air filter
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The air filter is a component without memory. All the monitored information is saved on the MPU, which may be inserted, removed, switched, or replaced during usage. Therefore, the monitoring cycle may differ from the set cycle, but this does not affect the monitoring function.
----End
Procedure
Step 1 Run:
reset dustproof run-time
The alarm is cleared. The cleaning cycle of the air filter is monitored.
----End
Example
Run the display dustproof command. You can view the cleaning cycle of the air filter, the last time the air filter was cleaned (according to the time on the router), how many days the router has run since the previous cleaning, and how long the alarm about cleaning the air filter has existed. For example:
<HUAWEI> display dustproof
Clean Dustproof-Net cycle : 365(days)
Last clean date           : 2009/02/07
Up to last clean days     : 1(day)
Clean alarm existence days: 0(day)
10.11 Monitoring the Device Status

Procedure
Step 1 Run:
display version
The system version information is displayed. You can run this command in any view to view the system version information. The main information is as follows:
- System software version
- Hardware and software versions of the MPUs
- Hardware and software versions of the SFUs
- Hardware and software versions of the LPUs
- Hardware and software versions of the fans and the backplane
----End
Procedure
Step 1 Run:
display device [ pic-status | slot-id ]
You can run this command in any view to view the basic device information. Enter slot-id to view information about the board in the specified slot.
- Choose a board in a certain slot. You can view basic information about this board.
- Run:
  display device pic-status
  Basic information about the PIC cards of the LPU is displayed.
----End
Procedure
Step 1 Run:
The electronic label is displayed. You can run this command in the user view to view information about the electronic label of the boards. Enter slot-id to view the electronic label of the board in the specified slot.
NOTE
For the range of numbers of the slots on the router, refer to the HUAWEI NetEngine80E/40E Router Hardware Description.
Information displayed includes the type of the board and PIC card, bar code, BOM, English description, production date, supplier name, issuing number, CLEI (Common Language Equipment Identification) code, and sales BOM.
NOTE
You can back up the electronic label of a specified board in either of the following ways:
- Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label to the CF card on the router.
- Run the backup elabel ftp host filename username password [ backplane | slot-id ] command to back up the electronic label to the specified FTP server.
----End
Procedure
Step 1 Run the display system soft-bootmode command to view the soft boot mode.
By default, the soft boot mode function is automatically enabled, which shortens the time spent on system startup during reset. You can run the undo set system soft-bootmode command in the system view to disable the boot function as required.
----End
Procedure
Step 1 Run:
display memory-usage [ slave | slot slot-id ]
The threshold of the memory usage of the main MPU and the LPUs is displayed.
NOTE
To set the threshold of the memory usage on the main MPU and the LPUs, run the set memory-usage threshold threshold [ slot slot-id ] command.
----End
Procedure
Step 1 Run:
display cpu-usage entry-number [ offset ] [ verbose ] [ slave | slot slot-id ] [ history ]
The threshold of the CPU usage of the main MPU and the LPUs is displayed. Select the following parameters as required when you run this command:
- entry-number: specifies the number of entries to be displayed.
- offset: specifies the entry that is offset entries before the current entry.
- verbose: displays detailed information about each record.
- history: displays the history records of the CPU usage.
NOTE
To set the threshold of the CPU usage on the main MPU and the LPUs, run the set cpu-usage threshold threshold-value [ slave | slot slot-id ] command; the [ slave | slot slot-id ] command displays the current configuration of the CPU usage.
----End
Procedure
Step 1 Run:
display alarm { slot-id | all }
Information about the alarms is displayed. You can run this command in any view to view the current alarm information of the router. Alarm information includes the following:
- Alarm level
- Alarm date and time
- Alarm description
NOTE
After displaying the alarm of the router, you can run the clear alarm index index-id { send-trap | notrap } command to clear the alarm at the specified index-id.
----End
Procedure
Step 1 Run:
display temperature [ lpu | mpu | sfu | slot slot-id ]
- Run the display temperature [ lpu slot slot-id [ pic pic-id ] ] command to view the temperature of the specified subcard in the specified slot.
- Run the display temperature command to view the temperature of each module of all the boards on the router.
You can run this command in any view to view the current temperature of the router. The temperature information includes the following:
- Current temperature status of the board
- Alarm temperature threshold of the board
- Actual temperature of the board
----End
10 Device Maintenance
Procedure
Step 1 Run:
display voltage [ lpu | mpu | sfu | slot slot-id ]
- Run the display voltage [ lpu | slot slot-id [ pic pic-id ] ] command to view the voltage of the specified subcard on the specified LPU.
- Run the display voltage command to view the voltage of all the boards on the router.
You can run this command in any view to view the voltage of all the boards. The voltage information includes the following:
- Number of the voltage sensors
- Working voltage sensors
- Working status of the voltage sensors
- Alarm field value of the voltage
- Actual board voltage
- Normal working temperature of the voltage sensors
----End
Procedure
Step 1 Run:
display power [ { environment-info | manufacture-info } slot slot-id | slot [ slot-id ] ]
The power supply status is displayed. You can run this command in any view to view the power supply status. The displayed information includes the following:
- Slot number of the power supply module
- Presence status of the power supply module
- Operation mode of the power supply module
- Cable status of the power supply module
----End
Procedure
Step 1 Run:
display board-current [ slot slot-id ]
Context
Do as follows on the router:
Procedure
Step 1 Run:
display device [ CMU-slotID ]
Environment information about the device is displayed. This command is supported only on the NE40E-X8 and NE40E-X16 on which the environment monitoring board is installed and runs normally.
----End
Procedure
Step 1 Run:
display fan
The fan status is displayed. You can run this command in any view to view the fan status. The information includes the following:
- Slot number of the fan module
- Presence and registration status of the fan module
- Working status of the fan module
- Fan speed mode of the fan module
----End
Procedure
Step 1 Run:
display esn
The equipment serial number (ESN) of the MPU is displayed. You can run this command in any view to view the ESN of the MPU on the router.
----End
Procedure
Step 1 Run:
display bootmode-next
The next start mode of the board is displayed. You can run this command in any view to check the next start mode of each board on the router, including the MPU, LPU, and SFU. The start modes are as follows:
- Fast start mode
- Normal start mode
----End
Context
NOTE
Procedure
Step 1 Run:
system-view
The number of registered SFUs that the device requires by default is displayed. If the number of SFUs actually in use is smaller than the number of SFUs that the device requires for registration, a trap is generated. Run the least sfuboardindex-id command to change the number of SFUs that the device requires for registration.
----End
Context
In the case that a board is faulty, you can use the reset slot command to reset the board.
WARNING
Back up important data before resetting the board.
Do as follows on the router:
Procedure
Step 1 Run:
reset slot slot-id [ card card-id ]
- If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with the CPU being powered on. If a slave MPU exists, this command performs a master/slave MPU switchover.
- If the board is still abnormal after being reset, contact Huawei technical support personnel.
----End
Context
CAUTION
The maximum CPU usage cannot be restored after you clear it. So, confirm the action before you use the command.
To clear the maximum CPU usage statistics, run the following reset command in the system view.
Procedure
Step 1 Run the reset cpu-usage record [ slot slot-id | slave ] command to clear the maximum CPU usage.
----End
Context
CAUTION
After the device with an empty configuration is powered on and started, you must make sure that its interfaces connected to the devices on the current network are Up and support NAP; otherwise, the function of NAP-based remote deployment cannot take effect.
Applicable Environment
To deploy devices having empty configurations, you can use NAP to perform remote login to the devices from a device in the current network. In this manner, you can implement remote deployment of devices.
Pre-configuration Tasks
Before configuring NAP-based remote deployment, complete the following tasks:
- Connecting the device that has an empty configuration to a device in the current network via a single hop, using network cables
- Ensuring that the interfaces connecting the device with an empty configuration and the device in the current network are both in the Up state and support NAP
Data Preparation
NOTE
- If the IP addresses used for establishing NAP connections are to be configured manually, prepare the following data before configuring NAP.
- If the IP addresses for establishing NAP connections are to be configured automatically, you can skip this.
To configure NAP-based remote deployment, you need the following data:
- Two primary IP addresses: the primary IP addresses of the master interface and the slave interface respectively; they must be on the same network segment.
- Two secondary IP addresses: the secondary IP addresses of the master interface and the slave interface respectively; they must be on the same network segment.
Context
CAUTION
If commands affecting the IP address configuration or IP packet forwarding (such as configurations and commands related to the VPN, Eth-Trunk, IP-Trunk, or Layer 2 interface) exist on the device of the master interface, NAP enabled on the master interface becomes unavailable. It is recommended that you delete these commands and re-enable NAP.
Do as follows on the router to configure and start the NAP master interface. In NAP, IP addresses can be allocated either automatically or manually.
Procedure
- Automatic allocation of IP addresses
1. Run:
system-view
3.
Run:
nap port master
The NAP master interface is configured and started.
- Manual IP address allocation
Two methods are available for manually allocating IP addresses. Choose the method according to actual needs.
You can specify the NAP IP address pool; IP addresses are then allocated automatically from that pool. To use this method, do as follows.
1. Run:
system-view
An IP address pool is configured for NAP. The default IP address pool for establishing NAP connections is 10.167.253.0/24. You can run the nap ip-pool ip-address mask-length command to change the IP address pool.
NOTE
After NAP is started on the master device, the IP address pool cannot be changed.
3.
Run:
interface interface-type interface-number
The NAP master interface is configured and started.
You can also specify the NAP IP addresses directly. To use this method, do as follows.
1. Run:
system-view
IP addresses are configured for establishing NAP connections. The default IP address pool for establishing NAP connections is 10.167.253.0/24.
When configuring IP addresses, ensure that the primary IP addresses of the master and slave interfaces are on the same network segment, and that the secondary IP addresses of the master and slave interfaces are on the same network segment.
----End
Context
Using the display nap interface command, you can view the NAP status of an interface to ensure that the interface is assigned a correct IP address. Do as follows on the router where the NAP master interface is configured.
Procedure
Step 1 Run:
system-view
The login to the slave device from the master device is performed.
- If the slave device has an empty configuration, you can log in to the slave device from the master device without a user name and password.
- If the slave device is configured with user names and passwords, you must enter the correct user name and password to perform a NAP-based remote login to the slave device.
NOTE
To ensure security for NAP, a slave device with an empty configuration checks the source address of the Telnet login. If the Telnet source address is the NAP address of the master device that is telnetting to it, the slave device lets the master device log in directly without authentication; by default, a remote login based on the NAP address is granted the same user level as a login through the console interface, which is the highest user level. If the Telnet source address is not the NAP address of the master device, the remote login fails.
----End
Context
The master device has logged in to the slave device through Telnet. The NAP function is no longer required, and to ensure the security of the network, NAP should be globally disabled on the slave interface of the slave device. Do as follows on the router that is configured as the NAP slave device.
Procedure
Step 1 Run:
system-view
Prerequisite
NAP-based remote deployment has been completed.
Procedure
Step 1 Run the display nap status command to view the current NAP status.
Step 2 Run the display nap interface [ interface-type interface-number ] command to view the NAP status of the specified interface.
----End
Example
Run the display nap status command to view the current NAP status.
<HUAWEI> display nap status
Slave port status   : Enable
Nap ip-pool/Mask    : 12.12.12.0/24
Run the display nap interface interface-type interface-number command to view the NAP status of the specified interface.
<HUAWEI> display nap interface gigabitethernet1/0/1
Local port          : GigabitEthernet1/0/1
Peer port           : GigabitEthernet1/0/1
Local primary ip    : NULL
Peer primary ip     : NULL
Local secondary ip  : NULL
Peer secondary ip   : NULL
Hello time          : 3s
Linked time         : 00:00:00
------------------------------------------------------
Port property       : Master
Current status      : DETECTING
Local port          : GigabitEthernet1/0/2
Peer port           : GigabitEthernet1/0/2
Local primary ip    : NULL
Peer primary ip     : NULL
Local secondary ip  : NULL
Peer secondary ip   : NULL
Hello time          : 3s
Linked time         : 00:00:00
------------------------------------------------------
Follow-up Procedure
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
Networking Requirements
After checking the alarm information, you find that the hardware of the master MPU has failed. To check the hardware, power off the master MPU.
Configuration Roadmap
The configuration roadmap is as follows:
1. Switch the master MPU to the slave MPU through a master/slave switchover.
2. Power off the slave MPU.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the master MPU. In this example, the slot number of the master MPU is 17.
Procedure
Step 1 Perform the master and slave switchover on the router.
<HUAWEI> system-view
[HUAWEI] slave switchover enable
Before performing the master and slave switchover, make sure that the user interfaces such as AUX, console, and VTY are connected to the two MPUs. Otherwise, the users that use the interfaces connected with the former master MPU automatically quit the login after the master and slave switchover.
[HUAWEI] slave switchover
Caution!!! Confirm switch slave to master[Y/N]?y
Switching............................................................................
Step 3 Verify the configuration.
# Check the registration status of the MPU. The MPU in slot 17 is in the unregistered and abnormal state, which means that powering off the MPU succeeded.
<HUAWEI> display device
NE80E's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Registered     Normal     NA
6        LPU    Present   Registered     Normal     NA
9        LPU    Present   Registered     Normal     NA
12       LPU    Present   Registered     Normal     NA
11       LPU    Present   Registered     Normal     NA
16       LPU    Present   Registered     Normal     NA
17       MPU    Present   Unregistered   Abnormal   Slave
18       MPU    Present   NA             Normal     Master
----End
Configuration Files
None
Networking Requirements
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
- Power off the SFU.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the current SFU. In this example, the slot number of the SFU is 19.
Procedure
Step 1 Power off the SFU in slot 19.
<HUAWEI> power off slot 19
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
Step 2 Verify the configuration.
# Check the registration status of the SFU in slot 19. The SFU is in the unregistered and abnormal state, which means that powering off the SFU succeeded.
<HUAWEI> display device
NE80E's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Registered     Normal     NA
6        LPU    Present   Registered     Normal     NA
NA NA NA NA Slave Master NA NA NA NA NA NA NA NA NA NA
----End
Configuration Files
None
Networking Requirements
NOTE
None
Configuration Roadmap
The configuration roadmap is as follows:
- Replace the failed LPU.
Data Preparation
To complete the configuration, you need the following data:
- Slot number of the LPU that needs replacement. In this example, the slot number of the LPU is 5.
- Service part whose PIC card type and board type are the same as those of the LPU to be replaced
Procedure
Step 1 Power off the LPU in slot 5.
<HUAWEI> power off slot 5
Caution!!! This command may affect operation by wrong use, please carefully use it with HUAWEI engineer's direction. Are you sure to do this operation?[Y/N]?y
# Check the registration status of the LPU in slot 5. The LPU is in the unregistered and abnormal state, which means that powering off the LPU succeeded.
<HUAWEI> display device
NE80E's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Unregistered   Abnormal   NA
6        LPU    Present   Registered     Normal     NA
9        LPU    Present   Registered     Normal     NA
12       LPU    Present   Registered     Normal     NA
11       LPU    Present   Registered     Normal     NA
16       LPU    Present   Registered     Normal     NA
17       MPU    Present   Registered     Normal     Slave
18       MPU    Present   NA             Normal     Master
19       SFU    Present   Registered     Normal     NA
20       SFU    Present   Registered     Normal     NA
21       SFU    Present   Registered     Normal     NA
22       SFU    Present   Registered     Normal     NA
23       CLK    Present   Registered     Normal     NA
24       CLK    Present   Registered     Normal     NA
25       PWR    Present   Registered     Normal     NA
26       PWR    Present   Registered     Normal     NA
27       FAN    Present   Registered     Normal     NA
28       FAN    Present   Registered     Normal     NA
----End
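The three verification steps above (MPU, SFU and LPU power-off) all rely on reading the Register and Status columns of display device by eye. The following added example, which is not part of the Huawei guide, parses that table and reports every board that is not Registered/Normal, so the check can be scripted against captured output. The sample output is constructed for this example and modelled on the tables shown above; the column layout and the rule that the master MPU reports Register "NA" are taken from those tables.

```python
"""Check 'display device' output for boards that are not Registered/Normal.

Added example (not from the Huawei guide): parses the fixed-width table printed
by display device and lists every board whose Online/Register/Status columns
deviate from the healthy values, so an operator can confirm that a power-off or
reset affected exactly the intended slot and nothing else.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the display device output in this chapter
# (LPU in slot 5 powered off; the master MPU in slot 18 reports Register 'NA').
SAMPLE_OUTPUT = """\
<HUAWEI> display device
NE80E's Device status:
Slot #   Type   Online    Register       Status     Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5        LPU    Present   Unregistered   Abnormal   NA
6        LPU    Present   Registered     Normal     NA
17       MPU    Present   Registered     Normal     Slave
18       MPU    Present   NA             Normal     Master
19       SFU    Present   Registered     Normal     NA
"""


@dataclass(frozen=True)
class Board:
    slot: int
    btype: str
    online: str
    register: str
    status: str
    primary: str


# A data row is six whitespace-separated tokens whose first token is the slot number;
# the prompt, the title, the header and the dashed separator do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_display_device(text):
    """Return one Board per data row of the display device table."""
    boards = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, btype, online, register, status, primary = m.groups()
            boards.append(Board(int(slot), btype, online, register, status, primary))
    return boards


def unhealthy_boards(boards):
    """Boards that are not Present/Registered/Normal.

    The master MPU shows Register 'NA' in the guide's output, so 'NA' is accepted
    only for the board whose Primary column is 'Master'.
    """
    bad = []
    for b in boards:
        register_ok = b.register == "Registered" or (
            b.register == "NA" and b.primary == "Master"
        )
        if not (b.online == "Present" and register_ok and b.status == "Normal"):
            bad.append(b)
    return bad


def verify_power_off(text, slot):
    """True when exactly the given slot is Unregistered/Abnormal and every other board is healthy."""
    bad = unhealthy_boards(parse_display_device(text))
    return (
        len(bad) == 1
        and bad[0].slot == slot
        and bad[0].register == "Unregistered"
        and bad[0].status == "Abnormal"
    )


if __name__ == "__main__":
    for b in unhealthy_boards(parse_display_device(SAMPLE_OUTPUT)):
        print(f"slot {b.slot} ({b.btype}): {b.register}/{b.status}")
    print("power-off of slot 5 verified:", verify_power_off(SAMPLE_OUTPUT, 5))
```

Feed the function the text captured from the terminal session after the power off command; a result of True for the expected slot confirms the step, while any additional board in the unhealthy list points at a side effect that should be investigated before continuing.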
Configuration Files
None
Networking Requirements
It is required that the FR service be configured for the POS interface on the LPUF-10. If the LPUF-10 operates in support-atm mode, you need to switch the operation mode to support-fr.
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the current operation mode of the LPUF-10.
2. Switch the operation mode of the LPUF-10.
Data Preparation
To complete the configuration, you need the following data:
Configuration Procedure
1. Check the operation mode of the LPUF-10 in slot 1. You can find that the LPUF-10 operates in support-atm mode.
<HUAWEI> display work-mode slot 1
NE40E-4's Slot 1 current work-mode on lpuf-10:
----
Type            Current-workmode
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LPUF-10         SUPPORT-ATM
2.
3.
You can find that the LPUF-10 in slot 1 operates in support-fr mode.
Configuration Files
None.
Networking Requirements
As shown in Figure 10-1, the user needs to perform a remote login to Router B from Router A. Router B is the master device, and a temporary neighbor relationship is to be set up between Router B and Router C, which has an empty configuration. Router B and Router C must be directly connected via a single hop. Both interfaces connecting Router B and Router C must be in the Up state and support NAP.
Figure 10-1 Networking diagram of configuring NAP-based remote deployment
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a primary IP address and a secondary IP address on Router B.
2. Configure the NAP master interface on Router B.
3. Telnet to Router C from Router B by means of NAP.
Data Preparation
None
Procedure
Step 1 Configure the NAP master interface.
# Do as follows on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] undo shutdown
[RouterB-GigabitEthernet1/0/1] nap port master
Step 2 Log in to the slave device from the master device.
# Do as follows on Router B.
[RouterB-GigabitEthernet1/0/1] nap login neighbor
Trying 10.167.253.10 ...
Press CTRL+K to abort
Connected to 10.167.253.10 ...
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
<HUAWEI>
----End
Configuration Files
None
Networking Requirements
As shown in Figure 10-2, the user needs to perform a remote login to Router B from Router A. Router B is the master device, and a temporary neighbor relationship is to be set up between Router B and Router C, which has an empty configuration. Router B and Router C must be directly connected via a single hop. Both interfaces connecting Router B and Router C must be in the Up state and support NAP.
Figure 10-2 Networking diagram of configuring NAP-based remote deployment
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a NAP master interface on Router B.
2. Configure an IP address for establishing a NAP connection on Router B.
3. Use NAP to log in to Router C from Router B by means of Telnet.
Data Preparation
To complete the configuration, you need the following data:
- Two primary IP addresses: the primary IP addresses of the master interface and the slave interface respectively; they must be on the same network segment.
- Two secondary IP addresses: the secondary IP addresses of the master interface and the slave interface respectively; they must be on the same network segment.
Procedure
Step 1 Configure a NAP master interface on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] nap port master
# After the preceding configuration is complete, run the display nap status command on Router B. You can view that NAP has been enabled on Router B. Then, run the display nap interface command. You can view that the primary and secondary IP addresses have been assigned to the master and slave interfaces. For example:
[RouterB-GigabitEthernet1/0/1] display nap status
Slave port status   : Enable
Nap ip-pool/Mask    : 10.167.253.0/24
[RouterB-GigabitEthernet1/0/1] display nap interface
------------------------------------------------------
NAP master port list
Port count          : 1
------------------------------------------------------
Port property       : Master
Current status      : IP-ASSIGNED
Local port          : GigabitEthernet1/0/1
Peer port           : GigabitEthernet1/0/1
Local primary ip    : 12.12.12.5
Peer primary ip     : 12.12.12.6
Local secondary ip  : 12.12.12.9
Peer secondary ip   : 12.12.12.10
Hello time          : 3s
Linked time         : 00:02:33
------------------------------------------------------
Step 3 Log in to the slave device from the master device.
# Configure Router B.
[RouterB-GigabitEthernet1/0/1] nap login neighbor
Trying 12.12.12.10 ...
Press CTRL+K to abort
Connected to 12.12.12.10 ...
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.
----End
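The Data Preparation sections of this chapter require that the local and peer primary addresses share one network segment and the local and peer secondary addresses another, and the procedure says to confirm the assignment with display nap interface. The following added example, not part of the Huawei guide, applies that rule to a captured display nap interface record. The record is constructed for this example from the output shown above; the prefix length used for the segment test (24) is an assumption, since the guide states no mask for these address pairs.

```python
"""Validate the address assignment shown by 'display nap interface'.

Added example, not from the Huawei guide. It parses the key/value block printed for
one NAP port and checks the rules stated in this chapter: the port must have reached
IP-ASSIGNED, the local and peer primary addresses must lie in one network segment,
and the local and peer secondary addresses must lie in one network segment.
"""
import ipaddress

# Constructed sample modelled on the display nap interface output in this chapter.
SAMPLE_RECORD = """\
Port property       : Master
Current status      : IP-ASSIGNED
Local port          : GigabitEthernet1/0/1
Peer port           : GigabitEthernet1/0/1
Local primary ip    : 12.12.12.5
Peer primary ip     : 12.12.12.6
Local secondary ip  : 12.12.12.9
Peer secondary ip   : 12.12.12.10
Hello time          : 3s
Linked time         : 00:02:33
------------------------------------------------------
"""


def parse_nap_record(text):
    """Turn 'key : value' lines into a dict; dashed separators are ignored.

    Splitting on the first colon keeps values such as 'Linked time : 00:02:33' intact.
    """
    fields = {}
    for line in text.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def same_segment(addr_a, addr_b, prefixlen):
    """True when both addresses fall in the same network of the given prefix length.

    'NULL' is what the guide's output shows before an address is assigned; it never
    satisfies the rule.
    """
    if addr_a == "NULL" or addr_b == "NULL":
        return False
    net_a = ipaddress.ip_interface(f"{addr_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{prefixlen}").network
    return net_a == net_b


def check_nap_record(text, prefixlen=24):
    """Return a list of problems; an empty list means the record satisfies the rules."""
    fields = parse_nap_record(text)
    problems = []
    status = fields.get("Current status")
    if status != "IP-ASSIGNED":
        problems.append(f"port status is {status}, not IP-ASSIGNED")
    for kind in ("primary", "secondary"):
        local = fields.get(f"Local {kind} ip", "NULL")
        peer = fields.get(f"Peer {kind} ip", "NULL")
        if not same_segment(local, peer, prefixlen):
            problems.append(
                f"{kind} addresses {local} and {peer} are not in one /{prefixlen} segment"
            )
    return problems


if __name__ == "__main__":
    print(check_nap_record(SAMPLE_RECORD) or "record OK")
```

A port still in the DETECTING state, as in the earlier example output where every address reads NULL, fails both the status check and the segment checks, which is the expected result before the neighbor has been assigned addresses.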
Configuration Files
None
11 Device Upgrading
About This Chapter
11.1 Overview of Device Upgrade
When you need to add new features, optimize existing features, or solve problems in the current version, you can upgrade the device.
Note
Before upgrading the NE80E/40E, pay attention to the following items:
- When upgrading the NE80E/40E at the site, prepare a spare part for each board.
- Obtain the new system software, the Product Adaptive File (PAF) or license file, and the corresponding documents of the new version from Huawei.
- Back up configuration files, and collect and save service configurations.
- Enable the log function to record all operations during the upgrade process.
- Check the software versions of all modules on each board, including the versions of the BootROM, Firmware, and MonitorBus.
USB interface on the MPU/SRU. For operation details, refer to the "Version Upgrade Instructions" of the corresponding system software version.
12 Patch Management
About This Chapter
Patch management includes checking the running patch, loading patch files, and installing patches.
12.1 Introduction of Patch Management
This section describes the basics of the patch.
12.2 Checking the Running of Patch in the System
The system allows only one patch to run. Therefore, confirm that no patch is running before loading a new patch.
12.3 Loading a Patch
Patches can be loaded through FTP, TFTP, or XModem.
12.4 Installing a Patch
To repair a system that has vulnerabilities or defects, you can install a patch. By installing a patch, you can upgrade the system without upgrading the system software.
12.5 (Optional) Deactivating a Patch
If an installed patch does not take effect, you need to deactivate the patch.
12.6 Configuration Examples of Patch Management
This section describes some configuration examples.
Patch Overview
During the operation of the device, you sometimes need to revise the system software, for example to remove defects or to add new functions required by services. Traditionally, the software was upgraded after the system was shut down; this static upgrade interrupts the services on the device. If a patch is loaded into the system software instead, the system can be upgraded online without interrupting the operation of the device; this dynamic upgrade does not affect services.
Patch Area
In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a certain space is reserved for saving patches. This space is called the patch area. To install a patch, first save it to the patch area in the memory of the board. Each patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved in the patch area in the memory of an MPU or LPU.
Patch States
Patch status can be idle, deactive, active, or running. For details, see Table 12-1.
Table 12-1 Patch states
State: No patch (idle)
Description: The patch file is saved to the CF card but not loaded to the patch area in the memory.
State conversion: When the patch is loaded to the patch area, the patch status is set to deactive.
State: deactive
Description: The patch is loaded to the patch area but disabled.
State conversion: The patch in the deactive state can be:
- Uninstalled, that is, deleted from the patch area.
- Enabled temporarily, turning to the active state.
State: active
Description: The patch is loaded to the patch area and enabled temporarily. If the board is reset, the active patch on that board turns to the deactive state.
State conversion: The patch in the active state can be:
- Uninstalled, that is, deleted from the patch area.
- Enabled temporarily and turned into the active state.
- Enabled permanently, turning to the running state.
State: running
Description: The patch is loaded to the patch area and enabled permanently. If the board is reset, the patch on the board stays in the running state.
State conversion: The patch in the running state can be uninstalled, that is, deleted from the patch area.
Figure 12-1 shows the conversion between patch states.
Figure 12-1 Conversion between the statuses of a patch
[Flowchart; node labels recovered from the extraction: Deactive patch, Active patch, Running, Run patch, Activated, Run VRP, Disable patch, Unload patch, End]
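Table 12-1 and Figure 12-1 describe a small state machine: loading puts a patch into deactive, activation into active, running into running, and a board reset drops an active patch back to deactive while a running patch survives. The following added example, which is not part of the Huawei guide, encodes those transitions so that a planned sequence of patch operations can be checked before it is typed on a device. The state names are the guide's; the operation names (load, activate, run, delete, reset) are assumptions chosen to mirror the patch load, patch active, patch run and patch delete commands described later in this chapter.

```python
"""Patch lifecycle from Table 12-1 as an explicit state machine.

Added example, not from the Huawei guide. Operation names are assumptions that
mirror the patch commands in this chapter; states are the guide's own.
"""

# state -> {operation: next state}. Anything not listed is an illegal transition.
TRANSITIONS = {
    # Patch file on the CF card, not loaded into the patch area.
    "idle": {"load": "deactive", "reset": "idle"},
    # Loaded into the patch area but disabled; a reset changes nothing.
    "deactive": {"activate": "active", "delete": "idle", "reset": "deactive"},
    # Enabled temporarily: a board reset turns it back to deactive.
    "active": {"run": "running", "delete": "idle", "reset": "deactive"},
    # Enabled permanently: a board reset keeps it running.
    "running": {"delete": "idle", "reset": "running"},
}


class IllegalPatchTransition(Exception):
    """Raised when an operation is not allowed in the current patch state."""


class Patch:
    def __init__(self):
        self.state = "idle"
        self.history = ["idle"]

    def apply(self, operation):
        """Move to the next state or raise if the table has no such transition."""
        nxt = TRANSITIONS[self.state].get(operation)
        if nxt is None:
            raise IllegalPatchTransition(
                f"cannot {operation} a patch in state {self.state}"
            )
        self.state = nxt
        self.history.append(nxt)
        return nxt


def survives_reset(state):
    """True when a board reset leaves a patch in this state unchanged."""
    return TRANSITIONS[state]["reset"] == state


def simulate(operations):
    """Apply a sequence of operations to a fresh patch and return the visited states."""
    patch = Patch()
    for op in operations:
        patch.apply(op)
    return patch.history


if __name__ == "__main__":
    # The full install sequence from this chapter: load, activate, run.
    print(simulate(["load", "activate", "run"]))
    # What a board reset does at each stage.
    for s in TRANSITIONS:
        print(f"{s:8s} -> reset -> {TRANSITIONS[s]['reset']}")
```

The value of spelling the table out this way is the negative cases: the machine refuses to activate a patch that was never loaded or to run one that is only deactive, which is exactly the ordering the installation procedure below enforces.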
Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can upgrade the system without upgrading the system software. In some special scenarios, you can install patches specific to an MPU or LPU to optimize board functions.
Applicable Environment
At any time, the system allows only one patch to run. Therefore, confirm that no patch is running in the current system before installing a patch. If a patch is running, delete it before installing the new patch.
Pre-configuration Tasks
Before checking the running of a patch in the system, complete the following tasks:
- Ensuring that the router is started normally after power-on
- Ensuring that the router can be logged in to
Data Preparation
None
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
display patch-information
All the information about the current patch is displayed, including information about the patch units that are running, the patch units that are activated, and the patch units that are deactivated.
----End
Example
<PE> display patch-information
Info: No patch exists.
If there are patches running, you must delete them before loading new patches.
Context
Before installing a patch, you need to delete the running patch. Do as follows on the router to be upgraded.
Procedure
Step 1 Run:
patch delete all
Applicable Environment
Before a patch is installed, it must be uploaded to the root directory of the CF card of both the master and the slave MPU. Upload the patch to the root directory of the CF card of the master MPU, and then copy it to the root directory of the CF card of the slave MPU. The three methods of uploading a patch are FTP, TFTP, and XModem.
Pre-configuration Tasks
Before loading a patch, complete the following tasks:
- Ensuring that the router is started normally after power-on
- Ensuring that the router can be logged in to
Data Preparation
Before running a patch, obtain a patch that is consistent with the board.
1. Uploading a Patch to the Root Directory of the CF Card of the Master MPU
2. Copying a Patch to the Root Directory of the CF Card of the Slave MPU
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The router supports uploading files through FTP, TFTP, and XModem; for more information, see "FTP, TFTP and XModem". Choose an uploading method based on the requirements.
Step 2 Run:
copy source-filename slave#cfcard:/destination-filename
The patch is copied to the root directory of the CF card of the slave MPU.
Step 3 Run:
startup patch file-name
The patch package is specified for the master MPU on the next startup.
Step 4 Run:
startup patch file-name slave-board
The patch package is specified for the slave MPU on the next startup.
----End
Context
Run the following commands to check the previous configuration.
Procedure
l Run:
dir cfcard:/
Check the patch file used in the next system startup.
----End
Example
After uploading the files, run the dir cfcard:/ and dir slave#cfcard:/ commands. The patch.pat file is among the files on the CF card. For example, check the files on the CF card of the master MPU:
<HUAWEI> dir cfcard:/
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date         Time        FileName
patchnpstate.dat vrpcfg.zip paf.txt vrp.zip license.txt
For example, check the files on the CF card of the slave MPU:
<HUAWEI> dir slave#cfcard:/ Directory of slave#cfcard:/ Idx Attr Size(Byte) 0 -rw64 1 -rw418 2 -rw38017 3 -rw2292 4 -rw7041 5 -rw117013076 V600R003C00SPC300.cc 6 -rw134213212 V600R003C00SPC300.cc 7 -rw4041 500192 KB total (343160 KB free) Nov Jul Aug Aug Aug Jul Date 15 2006 26 2007 01 2007 21 2006 02 2007 13 2007 Time 13:07:44 19:52:14 11:02:00 15:35:50 11:02:00 10:40:44 FileName patchnpstate.dat vrpcfg.zip paf.txt vrp.zip license.txt
For example, check the patch file used in the next system startup.
<HUAWEI> display startup
MainBoard:
  Configed startup system software:        cfcard:/V600R003C00SPC300.cc
  Startup system software:                 cfcard:/V600R003C00SPC300.cc
  Next startup system software:            cfcard:/V600R003C00SPC300.cc
  Startup saved-configuration file:        cfcard:/current_cfg.cfg
  Next startup saved-configuration file:   cfcard:/current_cfg.cfg
  Startup paf file:                        cfcard:/paf-V600R003C00SPC300.txt
  Next startup paf file:                   cfcard:/paf-V600R003C00SPC300.txt
  Startup license file:                    cfcard:/license-V600R003C00SPC300.txt
  Next startup license file:               cfcard:/license-V600R003C00SPC300.txt
  Startup patch package:                   Null
  Next startup patch package:              cfcard:/patch.pat
Applicable Environment
CAUTION
When installing a patch, it is recommended that you specify all to install the patch on all boards at one time rather than specify slot to install it on boards one by one. In some special scenarios, you must specify slot to install the patch on the master and slave MPUs first and then on all LPUs one by one.
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch, you can upgrade the system without upgrading the system software. When a patch is uploaded, the system checks that the patch version is the same as the system version. If the two versions differ, the system prompts that the patch uploading fails.
Pre-configuration Tasks
Before installing a patch, upload the patch to the root directory of the CF card of the master and slave MPUs.
Data Preparation
None
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch load file-name all
Follow-up Procedure
When a patch is loaded, the system checks that the patch version is the same as the system version. If the two versions differ, the system prompts that the patch loading fails. When the patch is loaded successfully, its status is Deactive, and it stays Deactive after the board is reset.
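The loading step fails when the patch version does not match the system software version, so it is worth comparing the two before copying anything to the CF cards. The following added example, not part of the Huawei guide, extracts version tokens of the form seen in this chapter (V600R003C00SPC300 for the system software, V600R003C00SPH001 for the service pack) and compares them. The version grammar and the rule that only the V/R/C part must agree are assumptions inferred from those two strings; the guide does not define the comparison the device performs.

```python
"""Pre-check that a patch is built for the running system software version.

Added example, not from the Huawei guide. Version grammar and matching rule are
assumptions inferred from the version strings that appear in this chapter.
"""
import re
from typing import NamedTuple, Optional

# V<3 digits>R<3 digits>C<2 digits>, optionally followed by SPC/SPH and a 3-digit number.
VERSION_RE = re.compile(r"V(\d{3})R(\d{3})C(\d{2})(?:(SP[CH])(\d{3}))?")


class Version(NamedTuple):
    v: str
    r: str
    c: str
    kind: Optional[str]    # 'SPC' in system software names, 'SPH' in service packs
    number: Optional[str]

    @property
    def base(self):
        """The V/R/C release identifier shared by system software and its patches."""
        return f"V{self.v}R{self.r}C{self.c}"


def parse_version(text):
    """Extract the first version token from a file name or a display line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version token found in {text!r}")
    return Version(*m.groups())


def patch_matches_system(patch_text, system_text):
    """True when patch and system software share the same V/R/C base release.

    Both arguments may be raw display lines or file names; the version token is
    located inside them.
    """
    return parse_version(patch_text).base == parse_version(system_text).base


def mismatch_report(patch_text, system_text):
    """Human-readable summary for an operator's pre-check."""
    p, s = parse_version(patch_text), parse_version(system_text)
    verdict = "match" if p.base == s.base else "MISMATCH"
    return f"patch {p.base} vs system {s.base}: {verdict}"


if __name__ == "__main__":
    # Constructed inputs mirroring the display patch-information and display startup output.
    print(mismatch_report("Service pack Version:V600R003C00SPH001",
                          "Next startup system software: cfcard:/V600R003C00SPC300.cc"))
```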
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch active all
Follow-up Procedure
A patch can be activated only when it is correctly loaded and in the deactivated state. When a patch is activated, it takes effect immediately. After the board is reset, however, the status of the patch becomes Deactive and the patch no longer takes effect.
Context
Do as follows on the router to be upgraded:
Procedure
Step 1 Run:
patch run all
Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated permanently and remains in effect after the board is reset. The status of the patch stays Running.
Context
Do as follows on the router:
Procedure
Step 1 Enter the user view.
Step 2 Run:
patch configuration-synchronize
The patch is synchronized to the standby MPU. After patch configurations and patch files are synchronized from the active MPU to the standby MPU, the patch files, patch configurations, and patch status remain unchanged if an active/standby MPU switchover occurs.
----End
Procedure
l Run:
display patch-information
Example
After the patch is loaded, run the display patch-information command. The results are as follows:
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
----------The patch information of slot 34---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
<HUAWEI> display patch-information configure-file
Codes: M(Max patch ID in the board)
-------------------------------------------------------------
After the patch is activated, run the display patch-information command. The results are as follows:
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit : 1 - 1
Deactive Patch Unit :
After running the patch, run the display patch-information command. The results are as follows:
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 33---------
Total Patch Unit : 1
Running Patch Unit : 1 - 1
Active Patch Unit :
Deactive Patch Unit :
----------The patch information of slot 34---------
Total Patch Unit : 1
Running Patch Unit : 1 - 1
Active Patch Unit :
Deactive Patch Unit :
<HUAWEI> display patch-information configure-file
Codes: M(Max patch ID in the board)
-------------------------------------------------------------
Slot  State         Run  Active  Deactive  NPPatch
-------------------------------------------------------------
1     registered    M                      run
2     registered    M                      run
3     unregistered  M                      run
4     unregistered  M                      run
5     unregistered  M                      run
6     unregistered  M                      run
7     unregistered  M                      run
8     unregistered  M                      run
9     unregistered  M                      run
10    unregistered  M                      run
11    unregistered  M                      run
12    unregistered  M                      run
13    unregistered  M                      run
14    unregistered  M                      run
15    unregistered  M                      run
16    unregistered  M                      run
17    registered    M                      idle
18    registered    M                      idle
-------------------------------------------------------------
<HUAWEI> display patch-information configure-file next-startup
Codes: M(Max patch ID in the board)
----------------------------------------
Slot  Run  Active  Deactive  NPPatch
----------------------------------------
1     M                      run
2     M                      run
3     M                      run
4     M                      run
5     M                      run
6     M                      run
7     M                      run
8     M                      run
9     M                      run
10    M                      run
11    M                      run
12    M                      run
13    M                      run
14    M                      run
15    M                      run
16    M                      run
17    M                      idle
18    M                      idle
----------------------------------------
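As an added example that is not part of the Huawei guide, the following Python script parses display patch-information output in the format shown above and reports the slots whose patch units are not in the expected state. This is the check an operator would script after patch load, patch active and patch run to confirm the patch reached every board that needs it, rather than reading the per-slot blocks by eye. The sample output is constructed to follow the format above (it is not captured from a device), and the function names and the SlotPatchState structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format of "display patch-information" (not captured
# from a real device): slot 3 needs no patch, slot 33 is Running, slot 34 is
# only Active, i.e. "patch run" has not yet been applied to it.
SAMPLE_OUTPUT = """\
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 33---------
Total Patch Unit : 1
Running Patch Unit : 1 - 1
Active Patch Unit :
Deactive Patch Unit :
----------The patch information of slot 34---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit : 1 - 1
Deactive Patch Unit :
"""

SLOT_HEADER = re.compile(r"^-+The patch information of slot (\d+)-+$")
UNIT_LINE = re.compile(r"^(Total|Running|Active|Deactive) Patch Unit\s*:\s*(.*)$")
UNIT_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


@dataclass
class SlotPatchState:
    """Patch state of one slot as reported by the device (hypothetical name)."""
    slot: int
    needs_patch: bool = True
    total: int = 0
    units: Dict[str, int] = field(default_factory=dict)  # state name -> unit count


def count_units(value: str) -> int:
    """Turn the text after 'Patch Unit :' into a unit count.

    The output shows a range such as '1 - 1' when units are in that state and
    nothing at all when none are; 'Total Patch Unit' shows a plain number.
    """
    value = value.strip()
    if not value:
        return 0
    m = UNIT_RANGE.match(value)
    if m:
        low, high = int(m.group(1)), int(m.group(2))
        return high - low + 1 if high >= low else 0
    if value.isdigit():
        return int(value)
    raise ValueError(f"unrecognised patch unit value: {value!r}")


def parse_patch_info(output: str) -> Dict[int, SlotPatchState]:
    """Parse the per-slot blocks of 'display patch-information' output."""
    slots: Dict[int, SlotPatchState] = {}
    current: Optional[SlotPatchState] = None
    for raw in output.splitlines():
        line = raw.strip()
        header = SLOT_HEADER.match(line)
        if header:
            current = SlotPatchState(slot=int(header.group(1)))
            slots[current.slot] = current
            continue
        if current is None:
            continue  # prompt, version and file-name lines before the first slot
        if line == "This slot does not need patch":
            current.needs_patch = False
            continue
        unit = UNIT_LINE.match(line)
        if unit:
            kind, value = unit.group(1), unit.group(2)
            if kind == "Total":
                current.total = count_units(value)
            else:
                current.units[kind] = count_units(value)
    return slots


def slots_not_in_state(slots: Dict[int, SlotPatchState], expected: str = "Running") -> List[int]:
    """Slots that need the patch but do not have every unit in `expected`.

    An empty list means the patch reached the expected state on all boards.
    After 'patch run all' the expected state is Running; after 'patch active all'
    but before 'patch run all' it is Active.
    """
    return sorted(
        s.slot for s in slots.values()
        if s.needs_patch and s.units.get(expected, 0) != s.total
    )


if __name__ == "__main__":
    state = parse_patch_info(SAMPLE_OUTPUT)
    for slot in sorted(state):
        print(slot, state[slot])
    print("slots not Running:", slots_not_in_state(state))
```

Feed the script the saved output of the command on the router being upgraded; a non-empty result from slots_not_in_state after patch run all is the signal to look at the reported slot before declaring the patch installed.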
Applicable Environment
After a patch is activated, you need to check whether the patch has achieved the expected effect. If the patch does not become valid, you need to activate the patch. A patch can be deactivated only after it is activated.
Pre-configuration Tasks
None
Data Preparation
None
Procedure
Step 1 Run:
patch deactive all
Procedure
l Run:
display patch-information
Example
After the preceding configuration succeeds, run the display patch-information command. The results are as follows:
<HUAWEI> display patch-information
Service pack Version:V600R003C00SPH001
Pack file name cfcard:/patch.pat
----------The patch information of slot 3----------
This slot does not need patch
----------The patch information of slot 4----------
This slot does not need patch
----------The patch information of slot 6----------
This slot does not need patch
----------The patch information of slot 33---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
----------The patch information of slot 34---------
Total Patch Unit : 1
Running Patch Unit :
Active Patch Unit :
Deactive Patch Unit : 1 - 1
Networking Requirements
Figure 12-3 shows that an urgent bug occurs in the system software at the Provider Edge (PE) connected to the Internet. Huawei provides the patch file to remove the bug. The patch in this patch file must be installed to remove the bug.
Figure 12-3 Networking diagram of installing a patch
Configuration Roadmap
The configuration roadmap is as follows:
1. Save the patch file to the root directory of the CF card on the master and slave MPUs.
2. Load the patch.
3. Activate the patch.
4. Run the patch.
Data Preparation
To complete the configuration, you need the following data:
l File name of the patch: patch.pat
l Path the patch is saved to on the MPU: cfcard:/
Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]
# Configure the binary transmission format and the working directory of the CF card on the PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.
# Download the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
200 Port command okay.
150 Opening ASCII mode data connection for license.txt.
226 Transfer complete.
FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec.
[ftp] bye
221 Server closing.
<PE>
----End
Configuration Files
None
A Glossary
This appendix collates frequently used terms in this document.
A
Accounting: A network security service that records the user's access to the network.
Agent: A process that runs in all managed devices. It receives request packets from the NM Station, performs the Read or Write operation on managed variables according to the packet type, generates response packets, and sends them to the NM Station.
AH: Authentication Header. A security protocol that provides data authentication and integrity for IP packets. AH is used in the transmission mode and in the tunneling mode.
ASSP: Analogue Sensor Signal Processes. An error tolerance protocol that provides interface backup for multiple access, multicast and broadcast in a LAN (such as Ethernet).
Authentication: A method used to prove user identity.
Authorization: A method used to prove the identity of users to use the service.
B
Backup center: A mechanism in which the interfaces on a device back up each other and trace the status of the interface. If an interface is Down, the backup center provides a backup interface to take over the service.
BFD: Bidirectional Forwarding Detection. A unified detection mechanism that is used to detect and monitor links or IP route forwarding at a fast pace.
Black list: A filtering mode that filters packets according to the source IP address. Compared with the ACL, the black list can filter packets at a high speed because its matching region is simple. It can shield packets from the specified IP address.
C
CLI: Command Line Interface. An interface that allows the user to interact with the operating system. Users can configure and manage the NE80E/40E by entering commands through the CLI.
Congestion avoidance: A flow control mechanism by which network overload is relieved by adjusting the network traffic. When congestion occurs and worsens, packets are discarded based on monitoring of the network resources.
Congestion management: A flow control measure to solve the problem of network resource competition. When network congestion occurs, it places packets into a queue for buffering and determines the order in which packets are forwarded.
Command line level: The priority of system commands, which is divided into 4 levels. Users of a level can run only commands of the same or a lower level.
E
Ethernet: A baseband LAN specification created by Xerox and developed by Xerox, Intel, and Digital Equipment Corporation (DEC). This specification is similar to IEEE 802.3.
Ethernet_II: An encapsulation format of the Ethernet frame. Ethernet_II, which contains a 16-bit protocol type field, is the standard ARPA Ethernet Version 2.0 encapsulation.
Ethernet_SNAP: An encapsulation format of the Ethernet frame. The frame format complies with RFC 1042 and enables the transmission of Ethernet frames on IEEE 802.2 media.
F
FIFO: First In First Out. A queuing scheme in which the first data into the network is also the first data out of the network.
File system: A method in which files and directories on the storage devices are managed, such as creating a file system; creating, deleting, modifying and renaming a file or directory; or displaying the contents of a file.
FTP: File Transfer Protocol. An application protocol in the TCP/IP stack, used for transferring files between remote hosts. FTP is implemented based on the file system.
H
HGMPv2: Huawei Group Management Protocol Version 2. A protocol with which discovery, topology collection, centralized management and remote maintenance are implemented on the Layer 2 devices of a cluster that are connected with the router.
I
Information center: The information hub in the MA5200G that can classify and filter the output information.
Interface mirroring: A method of copying the packets of the mirrored interface to the other mirroring interfaces to forward the packets.
IPv6: Internet Protocol Version 6. Replacement for the current version of IP (version 4) designed by the IETF. It is the second-generation standard protocol of the internet layer and is also called IPng (next generation). The IP address in IPv6 is 128 bits long, whereas the IP address in IPv4 is 32 bits long.
IP negotiated: An attribute of the interface. When the user accesses the Internet through the ISP, the IP address is usually allocated by the peer server. The PPP packet must be encapsulated and the IP address negotiated attribute must be configured on the interface so that the local interface accepts the IP address allocated by the peer end through PPP negotiation.
IP unnumbered: A mechanism in which an interface that is not configured with an IP address can borrow the IP address of an interface that is configured with one, to save IP address resources.
ISATAP tunnel: Intra-site Automatic Tunnel Addressing Protocol. A protocol that is used for the IPv4/IPv6 host in the IPv4 network to access the IPv6 network. The ISATAP tunnel can be established between ISATAP hosts or between an ISATAP host and an ISATAP router.
ISIS-TE: Traffic engineering of IS-IS. (For information about IS-IS, refer to )
L
LAN interface: Local Area Network interface. Often an Ethernet interface through which the router can exchange data with the network devices in a LAN.
License: Permission for some features that dynamically control the product.
Logical interface: A configured interface that can exchange data but does not exist physically. A logical interface can be a sub-interface, virtual-template interface, virtual Ethernet interface, Loopback interface, Null interface or Tunnel interface.
M
MIB: Management Information Base. A database of variables of the monitored network device. It can uniquely define a managed object.
Modem: Modulator-demodulator. A device that converts between digital and analog signals.
Multicast: A process of transmitting packets of data from one source to many destinations. The destination address of a multicast packet uses a Class D address, that is, an IP address in the range 224.0.0.0 to 239.255.255.255. Each multicast address represents a multicast group rather than a host.
N
NDP: Neighbor Discovery Protocol. A protocol that is used to discover information about the neighboring Huawei devices that are connected with the local device.
NMS: Network Management System. A system that sends various query packets, receives the response packets and trap packets from the managed devices, and displays all the information.
NTDP: A protocol that is used to collect information about the adjacency and the backup switch of each device in the network.
NTP: Network Time Protocol. An application protocol that is used to synchronize the distributed server and the client side.
P
Policy-based routing: A routing scheme that forwards packets to specific interfaces based on user-configured policies.
R
Regular expression: When a lot of information is output, you can filter out the unnecessary content with regular expressions and display only the necessary content.
RMON: Remote monitoring. A MIB agent specification defined by the IETF that defines functions for the remote monitoring of the data flow of a network segment or the whole network.
router: A device at the network layer that selects routes in the network. The router selects the optimal route through the network according to the destination address of the received packet and forwards the packet to the next router. The last router is responsible for sending the packet to the destination host.
RRPP: Rapid Ring Protection Protocol. A protocol that is applied at the data link layer. When the Ethernet ring is complete, it can prevent the broadcast storm caused by the data loop. When a link on an Ethernet ring is disconnected, it can rapidly restore the communication link between the nodes on the ring network.
RSVP-TE: Traffic engineering of RSVP. (For information about RSVP, refer to )
S
Service tracing: A method of service debugging, diagnosis and error detection that is mainly used by service personnel to locate faults in user access. Service tracing can output the status changes and the results of protocol processing for the specified user during access to the terminal or the server, for reference and analysis by the service personnel.
SSH: Secure Shell. A protocol that provides a secure connection to a router through a TCP application.
A protocol that binds some IP addresses to a specified gateway. The packets of these IP addresses must be forwarded through this gateway.
System environment: Basic parameters for running the MA5200G, such as host name, language mode and system time. After configuration, the system environment can meet the requirements of the actual environment.
T
Telnet: An application protocol of the TCP/IP stack that provides virtual terminal services for a wide variety of remote systems.
Terminal: A device that is connected with other devices through the serial port. It has a keyboard and a display but no disk drives.
Traffic policing: A process used to measure the actual traffic flow across a given connection and compare it with the total admissible traffic flow for that connection. When the traffic exceeds the agreed flow, some restrictions or penalties are applied to protect the interests and the network resources of the operator.
Traffic shaping: A flow control measure to shape the flow rate. It is often used to control the flow in regular amounts to ensure that the traffic is within the limit stipulated for the downstream router, preventing unnecessary discards and congestion.
Tunnel: A secure communication path between two peers in the VPN that protects the internal information of the VPN from interruption.
V
VPN: Virtual Private Network. A new technology developed with the Internet to provide an apparently single private network over a public network. "Virtual" means the network is a logical network.
VRP: Versatile Routing Platform. A versatile routing operating system platform developed for all data communication products of Huawei. With IP services as its core, the NE80E/40E adopts a componentized architecture. The NE80E/40E provides rich functions as well as tailorability and scalability based on applications.
VRRP: Virtual Router Redundancy Protocol. An error-tolerant protocol defined in RFC 2338. It forms a backup group from a group of routers in a LAN that functions as a virtual router.
VTY: Virtual type terminal. A terminal line that is used to access a router through Telnet.
X
X.25: A protocol applied at the data link layer that defines how connections between DTE and DCE are maintained for remote terminal access and computer communications in PDNs.
XModem: A transmission protocol in the format of binary code.
XOT: X.25 over TCP. A protocol that implements the interconnection between two X.25 networks through TCP packets bearing X.25 frames.
B Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.
Numerics
3DES  Triple Data Encryption Standard
A
AAA   Authentication, Authorization and Accounting
ACL   Access Control List
ARP   Address Resolution Protocol
AES   Advanced Encryption Standard
ASPF  Application Specific Packet Filter
AUX   Auxiliary port
C
CBQ     Class-based Queue
CHAP    Challenge Handshake Authentication Protocol
CQ      Custom Queuing
CR-LDP  Constraint-based Routing LDP
D
DHCP  Dynamic Host Configuration Protocol
DNS   Domain Name System
F
FR  Frame Relay
I
IETF   Internet Engineering Task Force
IKE    Internet Key Exchange
IPSec  IP Security
IS-IS  Intermediate System-to-Intermediate System intra-domain routing information exchange protocol
ITU-T  International Telecommunication Union Telecommunications Standardization Sector
L
L2TP  Layer Two Tunneling Protocol
LAPB  Link Access Procedure Balanced
LDP   Label Distribution Protocol
M
MAC   Medium Access Control
MBGP  Multiprotocol Extensions for BGP-4
MFR   Multiple Frame Relay
MP    MultiLink PPP
MPLS  Multiprotocol Label Switching
MSDP  Multicast Source Discovery Protocol
MTU   Maximum Transmission Unit
N
NAT     Network Address Translation
NAT-PT  Network Address Translation - Protocol Translation
O
OAM   Operation, Administration and Maintenance
OSPF  Open Shortest Path First
P
PAP      Password Authentication Protocol
PE       Provider Edge
Ping     Ping (Packet Internet Groper)
PPP      Point-to-Point Protocol
PPPoA    PPP over AAL5
PPPoE    Point-to-Point Protocol over Ethernet
PPPoEoA  PPPoE on AAL5
PQ       Priority Queuing
R
RADIUS  Remote Authentication Dial In User Service
RIP     Routing Information Protocol
RPR     Resilient Packet Ring
RSVP    Resource Reservation Protocol
T
TE    Traffic Engineering
TCP   Transmission Control Protocol
TFTP  Trivial File Transfer Protocol
V
VPN   Virtual Private Network
VRP   Versatile Routing Platform
VRRP  Virtual Router Redundancy Protocol
W
WAN   Wide Area Network
WFQ   Weighted Fair Queuing
WRED  Weighted Random Early Detection